Inform, from Vistorm, an HP company

Cover (Issue 3 2010): Upwardly Mobile. Adrian Gorham, General Manager Group and UK Fraud and Security with Telefónica O2, talks about online security and the explosion in demand for mobile services.

The future is now: a look at some exciting new security technology developments being developed within HP Labs and beyond. Innovation is key.

Shoulder to shoulder: despite having a common goal of keeping enterprise networks secure, CIOs and CISOs still need to get along better. We find out how.

Security Sans Frontières: the borders have gone forever, but merged work and leisure activities are blurring the lines still further. How can you cope?

www.vistorm.com

Inform - Issue 2 | 2010

People are the new perimeter

Although the Jericho Forum is credited with inventing the phrase “deperimeterisation” in 2004, in reality the IT world was moving to borderless environments long before they neatly encapsulated the trend. Globalisation and the opening of new markets, the need to drive down costs and outsourcing of IT functions have been key drivers since the 1990s.

The emergence of the Internet economy in the late 1990s accelerated the ending of traditional network borders as businesses moved to where their customers were rather than the other way round. If anyone was playing catch up, it was the information security profession, still looking at securing data within the perimeter or behind company firewalls.

More recently, life has become more challenging. The blurring of home and work activities is a social trend affecting us all. In the corporate world this is likely to see leisure activities such as social networking on Facebook or Twitter, online shopping or web browsing conducted on company laptops. Many employees will also mix personal and work-related email via the enterprise Exchange server.

Complicating the picture still further is the emergence of “consumerisation”: employees are using their own devices such as iPhones and laptops to access and transmit business data, without security controls or the knowledge of the IT department. None of this would matter much if robust controls were put in place to regulate this activity.

“It has always been the case that the single weakest link is people. The problem now is that it’s got worse.”

says Jason Hart, SVP of authentication specialists CRYPTOCard. For Hart the problem lies in an over-reliance on access management tools that depend on passwords and user names that are increasingly blurred across personal and business life. Hack one account and you are likely to be able to get into another.

The problem, according to Hart, is that in the rush to embrace open networks in response to competitive pressures, businesses are relying on outdated access controls that simply cannot hope to deal with the threats ranged against them. “They can’t see the risks any more” he says.

The shift to web applications has made the problem worse.

“These are all protected by password/user name. All a hacker has to do is target those. We don’t educate or make people aware of the dangers. You can get keylogger instructions on YouTube these days.”

says Hart. However, it is an environment that is not going away and one that information security professionals must now adapt to. The genie is out of the bottle; your data is everywhere, so how are you going to protect it - especially in the hands of fallible human beings who are careless with data, will fall prey to social engineering and who are mostly incapable of remembering multiple passwords and user names, tending to write them down or use easily guessed combinations.

“If we can solve the password problem, we can solve all the security problems”

says Hart. Businesses are spending all kinds of security dollars on hardware and software security only to have it undermined by access systems protected only by weak user names and passwords.

One possible solution to manage data on multiple access points and shared networks is to adopt a two-factor authentication system.

As an example, some of the leading UK retail banks have introduced two-factor authentication systems.

Most security professionals understand that network perimeters have gone but now they have to cope with employees blurring the lines still further. What’s the best way to cope?


When you have finished with this magazine please recycle it.

Issue 2 | 2010

Published by Vistorm™ Limited, Vistorm House, Daresbury Park, Warrington, Cheshire WA4 4BU
Tel: 0870 410 5500 Fax: 0870 410 7200 Web: www.vistorm.com
Produced by Wilson Miller www.wilsonmiller.co.uk Cover photography: Ivan Jones

The third party views expressed in this magazine are those of the contributors, for which Vistorm accepts no responsibility. Readers should take appropriate professional advice before acting on any issue raised. Reproduction in whole or in part without permission is strictly prohibited. © 2010, Vistorm Ltd. All Rights Reserved. Vistorm and the Vistorm logo are both trademarks of Vistorm Ltd. in the UK and other countries. All other trademarks are held by their respective companies.

In this edition

4 News: Latest announcements, products and updates from leading security vendors.

6 Is Your Data Worth It? Building business cases and justifying budget for Data Loss Prevention systems.

9 Adrian Gorham: We chat with the man responsible for the challenging task of managing Telefónica O2’s fraud and security.

13 CIO vs CISO: Investigating the meteoric rise of the CISO and their role in shaping corporate strategy.

16 People Are The New Perimeter: How the blurring of home and work activities and the rise of “consumerisation” are raising the stakes.

20 Innovation Central: Martin Sadler discusses the challenges, trends and development of new tools in the fight against computer crime.

22 Q&A: Adrian Seccombe: The former CISO of Eli Lilly talks about the role of government, cloud computing and his love of gadgets.

Foreword

Welcome to Issue 2, 2010 of Inform. Looking through the contents of this issue one word sticks out for me: data. It’s been said before but it’s worth repeating that information security is really a complicated set of tasks pursued by people charged with the single aim of protecting the data that flows through a business.

Along with our valuable partners, it’s our ambition at Vistorm to provide you with the products and advanced services to help achieve that aim. This issue of Inform is very much part of that.

Two articles are about placing data at the centre of your business. We’ve moved on from simple malware detection and prevention into more sophisticated security thinking and practice. In fact calling it security is a little limiting. We need secure business information systems that provide real-time intelligence about what’s happening to data across your networks and beyond.

Central to this is the behaviour of employees and how they handle data in the new federated work environments. These days your key people are more likely to be accessing data from the local Starbucks than within the office walls. So how do you manage this trend effectively and productively? The feature “People are the New Perimeter” (page 16-17) should set you thinking.

Data loss is a huge concern and most security professionals understand the value and need for effective DLP systems but getting the message across to the board, or even to the CIO can be difficult. Getting round this conundrum is the theme of “Is your data worth it?” (page 6-7).

Speaking of CIOs, just how different are they from the breed we call the CISO? We’ve been looking at the two (page 13 - 15) and it seems they have more in common than you might imagine. After all, both have the security of the business at heart.

Our interview this month features another security big-hitter with the safety and reputation of a major corporation in his hands. We ventured to Slough to meet Adrian Gorham, General Manager Group and UK Fraud and Security at Telefónica O2 (page 9-11). He’s got years of experience under his belt but you get a sense that his enthusiasm is greater than ever in his role at one of the world’s biggest mobile operators.

Finally, don’t miss our new regular look at what’s happening at HP Labs and beyond (page 20-21). Researchers around the world are looking at ways to make your job easier and deliver tangible business benefits. Inform is one way to get a jump on that.

I hope you enjoy this issue.

Stuart Bladen Chairman and CEO, Vistorm, an HP company [email protected]

Apply the power of 2. Do more for less.

More means higher levels of security. Less means estate consolidation and cost reduction. And if you can simplify processes and management systems and reduce the number of your vendor relationships, all the better for your return on security investment.

Apply the power of 2, with the combination of Vistorm and McAfee, and you have a solution for every security situation. Vistorm delivers availability, integrity, confidentiality, compliance and accountability. McAfee offers a uniquely comprehensive security portfolio covering networks, systems, data and Internet. Together, we create an optimised security architecture that provides greater protection and a more cost-effective solution than multi-vendor systems. In other words, more for less. ‘Doing more for less’ is the new agenda for security.

Discover how the ‘power of 2’ can be applied to your security. Visit www.mcafee.com or call 01753 217 500. Vistorm, an HP company.

News

Cyber-Ark

Cyber-Ark announces its new Privileged Identity Management Suite

Cyber-Ark has released version 6.0 of its Privileged Identity Management Suite. It says that the addition of the new On-Demand Privileges Manager into the integrated Cyber-Ark Suite will allow “global organisations to benefit from the most advanced, proven solution for uniformly managing security policies, compliance, reporting and administration for all privileged users and accounts from a common user interface.”

The On-Demand Privileges Manager is designed to enable organisations to implement an effective “least privilege” policy and reduce existing insider threat vulnerabilities by provisioning super users’ rights on an as-needed basis, at the individual command level.

In addition, the On-Demand Privileges Manager records this detailed command level activity in order to better track activity for security, auditing and forensic purposes.

For further information visit: www.cyber-ark.com

RSA Security

RSA survey reveals that businesses are neglecting corporate assets

RSA and Microsoft have announced the results of a global survey conducted by Forrester Consulting. The survey, entitled “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk”, interviewed 305 IT security decision-makers worldwide.

Its major finding was that enterprises are investing heavily in compliance and protection against accidental leaks, but under-investing in protection against theft of far more valuable corporate secrets.

According to Forrester’s study: “Nearly 90% of enterprises we surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations, and existing data security policies are the primary drivers of their data security programs. Significant percentages of enterprise budgets (39%) are devoted to compliance-related data security programs. But corporate secrets comprise 62% of the overall information portfolio’s total value, while compliance-related custodial data comprises just 38%.”

The full report can be downloaded from: www.rsa.com/document.aspx?id=10844

Websense

Websense wins ‘Best Enterprise Security’ at SC Awards Europe 2010

Websense products achieved an accolade in all five categories for which they were nominated at the 2010 SC Awards Europe. Websense Web Security Gateway won the award for Best Enterprise Security solution and was highly commended for Best Content Security, Best Anti-Malware and Best Integrated Security solution, while Websense Data Security Suite was highly commended in the Best DLP solution category.

The European SC Magazine Awards are universally recognised as the most coveted and prestigious awards for the European information security industry.


Citrix

Citrix unveils client-side desktop virtualisation solution and McAfee partnership

Citrix has announced XenClient, a new client-side virtualisation solution, developed in collaboration with Intel, that allows centrally managed virtual desktops to run directly on corporate laptops and PCs, even when disconnected from the network. The product is designed to provide the highest levels of performance, security and isolation through its integration with Intel® vPro™ hardware virtualisation technologies. XenClient Express, a free trial and evaluation kit that lets IT professionals begin experiencing the benefits of desktop virtualisation for their mobile users, is available for download to users.

“Current client-side technologies that run virtual desktops on top of an existing operating system have not been able to match these requirements. XenClient is built on the same virtualisation technology as Citrix XenServer, and is the first solution to offer no compromise control and security with performance and flexibility users expect.”

said a Citrix spokesperson. Citrix has also announced a partnership with McAfee to make virtual desktop security simpler and more scalable for large enterprise deployments. The collaboration is planned to enable Citrix XenDesktop customers to extend management of desktop security to virtual environments using the McAfee ePolicy Orchestrator platform.

The first results of the collaboration are planned for release late in the second half of 2010 and will be designed to secure XenDesktop deployments on any of the three leading hypervisors – Citrix XenServer, Microsoft Hyper-V or VMware ESX.

For further information visit: www.citrix.com/lang/English/home.asp

Check Point

Get a magic wand for secure remote working, says Check Point

Check Point has introduced its new Abra USB device which it describes as a “magic wand” for secure remote working. The device is designed to plug into a Windows-based PC and turn it into a fully protected corporate desktop.

The Abra device provides users with access to company emails, files and applications anywhere, whether offline or online, using an existing Check Point gateway at the corporate offices. It loads itself automatically on any PC, and contains local encrypted storage to protect data stored on the device.

The USB device utilises several advanced security measures. Hardware and software encryption protects data at rest and when in use. A Program Control regulates the types of applications used by the Abra device to protect the corporate network from malware. Furthermore, virtualisation technology isolates an Abra work session from the host PC, ensuring sensitive data remains on the device preventing data loss.

Check Point Abra is available in 4GB or 8GB storage capacities.

For further information visit: www.checkpoint.com/products/abra/index.html

Sourcefire

Sourcefire expands its IPS capability with new SSL appliance Sourcefire has announced an SSL extension to its Intrusion Protection System (IPS) which, it says, will block malicious traffic previously masked by encryption. The SSL Appliance decrypts traffic before sending it to the IPS and then places inspected SSL-encrypted traffic back on the network, with minimal latency and without altering SSL packets.

It’s claimed that the appliance allows users to maintain the highest levels of data security with SSL encryption without worrying about malware. The company also says that unlike one-box SSL decryption solutions that use shared hardware resources for inspection, its architecture permits the IPS and SSL processes to run on separate systems, offloading all encryption and decryption requirements from the Sourcefire IPS.

For further information visit: www.sourcefire.com/products/3D/ssl

McAfee

McAfee announces new version of Gateway solution

Announcing version 7.0 of its Gateway product, McAfee described it as

“a next generation web gateway for today’s most demanding web-centric enterprises”.

New features include a new, anti-malware engine for real-time content inspection with cloud-based intelligence powered by McAfee Labs including real-time Artemis technology.

McAfee is also claiming a powerful new policy engine that enables

“unmatched flexibility and control in creating and applying policy”.

McAfee Gateway also provides detailed control over how web applications are used, including popular instant messaging applications. Organisations can enable or disable specific functionality as needed, controlling who uses the application, and how it is used.

Finally, a new 64-bit operating system and re-designed connection are said to result in greater scalability and overall robustness, while expanded deployment capabilities include support for VMware and additional transparent proxy options for added flexibility and enhanced control.

For further information and a FREE trial visit: www.mcafee.com/uk/downloads/index.html

Is your data worth it?

As a security professional you understand that it’s a pretty good idea to keep company data within the business; it’s fundamental. You also know that there are Data Loss Prevention (DLP) systems available to assist. The problem, in an age of budgetary restraint and the need for CISOs to justify every spend through detailed business cases and ROI calculations, is that arguing for investment in DLP can prove tricky. A sceptical management team may well demand that data loss prevention is covered with existing resources. Too often they fail to see, or are not convinced of, the value of DLP.

George Kurtz, the respected CTO at McAfee, says that senior management are often complacent and don’t know how to stop data leaving. “Their attitude is: ‘I build tractors, I don’t have data worth anything’. But every business has data that is valuable to someone - HR data, vendor details, customer and credit card details. It’s all of some use to someone and bad guys have figured out a way to sell data. They don’t even need the data themselves to sell it on the black market.” he says. There are numerous documented cases of data loss and its consequences in the security and national press.

You may well say:

“Well I understand that, but how do I convince the board or the CIO of it and make my life easier?”

One way may be to use “scare” tactics and make management supremely aware of some bold facts of modern business functions. Customer data that falls into the wrong hands will result in brand damage, loss of customer trust and now, thanks to new powers at the Information Commissioner’s Office (ICO), hefty fines if negligence is proved in the case of data loss. These can be up to £500,000.

If that doesn’t convince them, you may want to point out that data loss resulting from employee negligence is also likely to increase exponentially as mobile working intensifies and people bring their own (unprotected) devices into the hardware mix. Keeping on top of that without DLP is a tall order, however, be careful not to promise too much in your pitch.

“DLP is not a silver bullet against intentional or unintentional data leakage. It’s very important to stress that. It must be part of an overall risk management strategy. It’s a great technology for risk mitigation. But in the age of consumerisation the enterprise can no longer just say no”

says Kurtz. The opposite way to build a case is of course to look at the benefits, and nothing appeals more to the board than the prospect of saving money through careful investment. Kurtz tells how a senior CSO once thanked him for saving the company $20m. He continued,

“That was the calculated value of the data that was on a lost laptop that was thankfully encrypted, including the cost of disclosure.” This is a powerful argument but it’s a tough call. You are making the case for preventing a costly incident which may or may not happen. The question you need to put to the board is: “Can you afford to believe that it will never happen, given what I have now told you about the risks facing the data flows in our business?” Ensure you have your facts together and have a crystal-clear illustration of how data moves within your business.

There is another advantage that the best DLP systems bring to the enterprise. If the worst happens DLP gives you some forensic advantage in piecing together how it happened.

“Data loss is like a murder. Without the body you can’t solve the murder. Without DLP you cannot see the data or that which is lost”

says Kurtz. Ultimately the most robust business case may be made through a sensible combination of both carrot and stick, based on a sober assessment of how your own business accesses and processes data throughout the organisation and beyond.

Management are more likely to respond to a properly researched and costed proposal that makes cases for potential threats and financial benefits. It’s worth leaving the final thought to George Kurtz.

“Data is the crown jewels. It’s the currency of the 21st century”

he says. If you can convince your board of that you will have gone a long way to sealing the DLP deal - to everyone’s benefit.

Check Point Abra: put your office in your pocket.

Secured connection solutions. Portable, plug-and-play solutions. Secure virtualization.

• Instantly turns any PC into your own corporate desktop

• Provides a virtual workspace that keeps mobile data secure

• Delivers ideal solutions for mobile workers, contractors and disaster recovery

Vistorm, an HP company. 01925 665500 www.vistorm.com

Adrian Gorham

Paul Fisher interviews the General Manager Group and UK Fraud and Security with Telefónica O2

Photography: Ivan Jones

Adrian Gorham is the General Manager Group and UK Fraud and Security with O2, now part of the Telefónica group.

He obviously likes it, he’s been with the company for eight years and, when we meet, he enthusiastically tells me about O2’s latest marketing plans involving a series of cartoon characters that add a glimpse into the future of the world of O2 in 2014.

This is unusual for a security professional - but refreshing. Especially so from someone who’s been in the security business for as long as he has - 25 years. But he has evidently lost none of his enthusiasm for what he is paid to do as he recalls his early days.

“I was an investigation manager at BT looking into attacks against BT and its customers. Anything from people teeing into a phone line, stealing money from payphones through to computer fraud, computer hackers and Private Branch Exchange (PBX) fraud.” he explains.

To my youngish and naive ears it seems surprising that there was hacking activity back then. But as Adrian explains it was a different world to that which confronts us today.


“It was donkeys’ years ago, but yes, I used to interview phone freakers and hackers who were misusing the networks and went into PBX fraud. The Investigations Department in BT was a bit like its own police force. Many of those in it were former police officers or from Customs and Excise.” he says.

Then, there was a change. Having spent ten years simply trying to stop and catch fraudsters he thought it might be a good idea to spend some time looking at ways of preventing them even getting started. This led onto a stint abroad as BT expanded aggressively overseas.

“I had some great years travelling around the world looking after BT’s joint ventures in New Zealand, Korea, Japan, Singapore and various places in Europe. I went around acting as a security consultant to the joint ventures as they competed with the large in-country incumbents, and often the venture partners had no security expertise. I was supporting them with security input, trying to put security infrastructure in place and giving them advice.” he says.

He ended up as Head of Security for Europe and then Asia. BT, however, decided to spin off its mobile business and Adrian was asked to set up the group security function for a new company called mmO2, which of course was branded O2 and subsequently purchased by Telefónica for £18 billion in 2006.

Given his long experience how does he apply all that accumulated knowledge to a fast moving business like O2?

“We've taken a different approach to how we do security. We don’t have silos. Five years ago we brought all of our security functions – including physical security of our 400 shops - together into one team. It covers the full range of security services delivered by a team of 100 security professionals ranging from Policy, Awareness, Bid Support, Criminal Investigations, Fraud Management, Child Protection, Nuisance Call Bureau, all disclosures to the authorities under RIPA, Health & Safety and more. I have IT security consultants working on all new products and services giving input to ensure they are secure and that we understand the risks.” he says.

Like its rivals, O2 has a heavy responsibility to look after the online security of its customers which you would imagine brings extra pressure to Adrian's already packed workday, especially as these days, O2 is much more than just a mobile phone business – it offers broadband, fixed services, prepaid debit cards and travel insurance. Adrian seems pretty relaxed about it all. “I wouldn’t say it makes it more stressful. I think it makes it more interesting. The fundamentals remain the same. We focus on communicating with our customers to ensure we’re supporting them. You never would have imagined a couple of years ago that you'd be buying your travel insurance from O2, but for me that's just another security challenge.”

“We probably are in one of the fastest moving industries in the way that things change but it’s great for our people because they get the opportunity to look at products and services which are outside of their comfort zone, and have to acquire new skills, and you can't always take your learning from mobile into some of these products.” he says.

Back to more prosaic matters. No matter how many added value services you can get from your handset, there is always the threat of mobile malware simmering away in the background. It's an old question but I have to ask it: is it a realistic fear?

“It doesn’t seem to have taken off. You get a lot of speculation in the press, but a lot of work is done at an industry level with the GSM Association looking at these kinds of threat. We certainly need to be in a position that we can protect our customers. It’s slightly different from a PC. On mobile phones you tend to have to accept things and push buttons, while on the PC you just don’t see what's happening in the background.” he says.

“A mobile is the one device that people always carry with them. As new services come along there's always going to be new risks and we have to ensure that we mitigate those but also make it very easy for customers, because customers aren’t actually worried about the technology. They just want it to work and, as always, it’s a balance between usability and security.” he says.

And that of course is a constant challenge for any customer-facing business built around an advanced technology offering that is also fiercely competitive. But as Adrian explains the biggest challenge he has faced recently is the rapid growth of the business itself.

“It's just how fast we have grown and the numbers of customers we have acquired. You're talking about 21 million customers in the UK. We also own 50% of a joint venture with Tesco. Across Europe we've got 54 million customers, and Telefónica has 273 million customers globally. You can develop systems and have people on your fraud function, but then within three months you’ve signed up another half a million customers. Quite a challenge.” he says.

“The industry has seen an unprecedented surge in mobile data. O2 was the exclusive operator of the iPhone for two years and, as a result, now has more smartphone customers than all other operators combined. We know how customers use smartphones better than anyone else. In terms of network transactions, watching a YouTube video on a smartphone is the equivalent of sending 500,000 text messages simultaneously. The key going forward is to invest in depth and quality of experience as opposed to simply covering the land mass with masts. We are spending £1m a day doing just that.” he says.

So, it’s a rapidly changing industry working to meet rapidly developing consumer expectations - underpinned by secure and fast mobile experience. Are there lessons for those working in other sectors? What kind of security people can meet those expectations?

“Again, we put the customer at the heart of everything we do, so I don't want security nerds who just get sucked in by technicalities. It must be: 'What do the customers want?' One of the things we do is we get insights from customers when it comes to security, so we bring customers in. They're interviewed by researchers, and we ask them about what level of security they would expect, what information do we hold on you that actually is the most important? What do you want us to do if there was a security breach? If you fall victim to fraud, how do you want it to be dealt with? You can't be an internal bunch of security professionals. You have to talk all the time to customers, understand their experiences, and then look at how you can make things better.” he says.

Adrian explains that it's about emotional intelligence, or business intelligence, as much as knowing that this firewall works. It's clear that here is a security professional totally tuned into the business and the customer experience who understands completely that security is not just part of the business, it is the business.

"Absolutely, I've got loads of people on my team who know far more than I do about technology. That’s their job, but if you're looking at the CISO role, the top guy, you’ve got to be able to manage budgets, motivate and lead a team. We want more business leaders in security. I don’t need people who are really, really techie. If you can't communicate and talk the business language then you can't make your point. You have to understand the business to be completely linked in. You can learn the security stuff." he says.

CIO vs CISO

According to consultants PricewaterhouseCoopers (PwC), 42% of US businesses now have a CISO, 37% in the UK and 28% in Germany. Interestingly, Chinese and Indian companies beat those figures with well over 50% in each country, which may indicate some foresight on their part. There’s no doubt, however, that the figures demonstrate that the role of a CISO is becoming firmly established.

“Never before have information security officers been in such a strong position to help their companies take the right risks in the right ways”

says the Security for Business Innovation Council, a body set up to promote the security function in business.

Even so the CISO remains some way short of being one of the lynch pins of the enterprise. One of the reasons is, that in the rush to appoint CISOs and beef up information security, little attention has been paid as to how they can communicate with their immediate superior, the Chief Information Officer, not to mention the board and beyond.

The 2008 PwC Global State of Information Security report showed that security funding was also shifting from the IT to functional budgets - in other words, other parts of the business. That puts more pressure on the CISO to respond and prove an effective ROI. The report also showed that CISOs are likely to report to more than one executive.

So the CISO has got him or herself in a valuable position but how do

they start communicating and partnering effectively with the CIO, an established figure at C-level?

The problem according to one senior CISO at a major UK bank is that the CIO is much more in tune with costs and the business while CISOs still tend to come from a technology background. They have a tendency to speak in the language of technology, because of that background.

A good start for the CISO looking to make a difference would be to look at the business and who they actually work for. Break out of the silo and look not just at how things work within the perimeters of the business but also the sector itself, the competition and the products or services within the vertical.

It’s been said that CEOs are from Mars while CIOs are from Venus. But what about Chief Information Security Officers (CISOs)? All too often they are perceived as being from another planet altogether, despite their increasing numbers in enterprises around the world.


Check Point Endpoint Security. Endlessly Smarter.

The first and only single agent for total endpoint security.

Highest-rated firewall
Antivirus
Anti-spyware
Full-disk encryption
Media encryption with port protection
Network access control

You no longer need to depend on a variety of technologies to secure your PCs and laptops. Check Point Endpoint Security is the single agent you need for data security, remote access, malware protection and compliance. You get a solution that is far easier and more cost-effective to deploy. It is the end-all for endpoint security and the smartest way to go.

Get endlessly smarter now. Call Vistorm on 01925 665500 or write to [email protected]

an HP company

Information Security Leaders, from Vistorm, an HP company

Security: Whatever

Supplementary edition

Earlier this year, Vistorm held the second of its highly regarded Information Security Leaders (ISL) events in Manchester, Edinburgh, Bristol and London. Hosted by the editor of SC Magazine, Paul Fisher, the theme for each roadshow was Security: Whatever.

Vistorm wanted a theme that best reflected the integration of information security into the enterprise and the growing realisation that business and security cannot be separated.

At the events, delegates learned how information security strategies must continuously evolve to be flexible enough to adapt to unexpected changes in the future. With cloud and virtualisation constantly promoted as the solutions to enabling IT cost savings, the ISL events looked at how these could be managed securely.

Challenges debated by world-leading business and security experts:

> Deploying technology that plays a leading role and doesn't hinder business objectives
> Building flexibility into the security infrastructure
> Making best use of managed services, outsourcing and resourcing
> Exploiting the Cloud and virtualised security models
> Managing and optimising third party and supplier relationships.

A truly star-studded line-up of speakers expanded on this theme at each one of the four events. Speakers included:

Keynote speaker: Tom Scholtz, Research VP, Gartner
Panellist: Martin Sadler, Director of Systems Security Lab in HP Labs
Panellist: Howard Schmidt, former President and CEO, Information Security Forum

Tom Scholtz, who gave the keynote address at all four events, gave a comprehensive overview of how security professionals had to move from acting as “Dr. No” in the enterprise to embracing risk and flexibility, change management and outsourcing safely. Most of all, he said they had to learn to trust more. Without this, they may find themselves marginalised as enterprises adopt new working practices and technologies, quicker than they might realise.

In a specially recorded interview Howard Schmidt, Cyber Security Co-ordinator for the Obama administration, spoke about the geopolitical threats that businesses may have to deal with in the years ahead. While it may be exaggerated in some quarters, there is no doubt that businesses and critical infrastructure will increasingly find themselves the target of cyber attacks, either by hostile states or even competitors.

Martin Sadler was able to give the audience a taste of business security futures with an overview of emerging tools and technologies being developed in HP Labs in Bristol.

Other speaker highlights

> Justin Urquhart Stewart, Director of Seven Investment Management, gave his own unique take on the global economic conditions ahead and how those will impact security thinking
> Bryan Littlefair, CISO of Vodafone, gave the audience an insight into how one very modern CISO embraces end-to-end security at one of the world's biggest mobile operators
> Stephen Bonner, Head of Information Risk Management at Barclays, informed delegates about some of the secrets of risk management and how they could apply them in their own organisations.

Much more from the Information Security Leaders events, including interactive content, downloadable presentations, videos and backstage interviews, can be found at www.informationsecurityleaders.co.uk

Information Security Leaders 2011

Information Security Leaders 2011 is already taking shape and once again will set the agenda for cutting-edge security thinking. These events have quickly established themselves as unmissable for senior business security professionals.

The economy remains challenging; new government policies and fiscal cuts will impact what you do. As ever, the role of the information security professional will be challenging. The ISL events are an essential intelligence-gathering tool for your business. Don't miss out.

More information will be available on www.vistorm.com


5 top tips for improving the CIO-CISO relationship

1. Initiate regular meetings. The CIO is busy, but it's important that you grab his or her time. Even 10 minutes once a week along with a concise report will keep them informed and you relevant.

2. Learn the business. Understand and enjoy what your company does; it will inform you to make better decisions.

3. Learn the value of plain English. Marketing departments are prone to business jargon and over-complication. Don't be like them.

4. Identify your USP and exploit it. The CIO doesn't have the knowledge you do. Distil this intelligence so they can make informed decisions.

5. Become risk-aware. Risk is part of business; become an expert.

It's surprising how few CISOs actually look at the business this way, says one insider. A personal education programme may be useful. The CISO would do well to initiate communications with the HR, marketing or finance departments, for example, to identify how the security function could contribute to growth plans, or manage more painful processes such as layoffs. Suggestions now may save the business costly mistakes when those expansion plans are implemented.

Experts also suggest that CISOs would do well to ground themselves in an understanding of risk and risk management. Risk, after all, is the bedrock of all business: launching new products, expanding into new markets, new hires and new partners all involve risk. CIOs and boards understand business risk. The CISO needs to as well.

A CISO can really make themselves valuable by reporting on the set up and infrastructure of any potential partner. A report that neatly summarises the risk of sharing data with outsourced suppliers is bound to go down well with any CIO and fellow board members.

CIOs and boards understand the bottom line. CISOs need to as well. Reports and business cases for security investment need to be written in the language of business. If you can come up with a strategy or even an investment that delivers cost savings in the long term the CISO is much more likely to be taken seriously.

In the hectic business environment valuable voices and opinions can get easily drowned out. CIOs are busy and the CISO needs to ensure that any meetings exploit every minute. They should not be afraid to shout their corner, ensuring that the CIO and the rest of the business understand the CISO and its team’s function.

Information security is still considered a slightly oddball occupation by many in the enterprise (including the CIO), often because of ignorance or lack of familiarity. By being businesslike and using clear communication there is much that the CISO can do to improve on that.

The CISO role is unique and will have essential intelligence for the business. The only way to utilise this is by integrating with the CIO and beyond. The CIO may well have far less time to keep abreast of trends like virtualisation and consumerisation, for example. The CISO is more likely to see the impact and benefits that these may bring to the enterprise.

By thinking ahead, using business language and delivering tangible business benefits, the CISO will not only be welcomed into the CIO’s office, but in many other parts of the business too.

How ‘Security Analytics’ is bringing CIOs and CISOs together

A security problem will pose questions for both the CISO and CIO. These include investment costs, strategy choices and trade-offs between lowered risk and business disruption. The CIO will look to the CISO to present a description of the problem, a coherent business case for investment and long-term benefits. The CIO will expect this to be presented in a way that he and the rest of the board can understand. Simon Shiu is the research manager at HP Labs in Bristol. He's been working on a project that is designed to smooth the path of communication between the two.

“The CISO role is changing so much, but they still have to justify that spend. The tools we are working on will help their managers (the CIOs) make the right decisions. It helps the CISO be more specific in terms of justification for investment,” he says. But as Shiu points out, a report full of deep mathematics is no good. The proposal needs to be written in plain and concise English.

“As an example, we have been working on vulnerability threat management systems. It's hard for the CISO to explain investment across many different environments and businesses.

So we can build a model to map the threats for the CIO. At the moment we can't do financial modelling, but it's already good enough for a CIO to make an informed decision on investment. We can see what will result when a change is made. A key part is that it also factors in human behaviour; most models factor only technology. We are also able to make a risk analysis and the results are intuitive for business critical systems,” he says.

More details on HP Security Analytics and other HP security research can be found at www.vistorm.com/519


People are the new Perimeter


Although the Jericho Forum is credited with inventing the phrase “deperimeterisation” in 2004, in reality the IT world was moving to borderless environments long before they neatly encapsulated the trend. Globalisation and the opening of new markets, the need to drive down costs and outsourcing of IT functions have been key drivers since the 1990s.

The emergence of the Internet economy in the late 1990s accelerated the end of traditional network borders as businesses moved to where their customers were rather than the other way round. If anyone was playing catch up, it was the information security profession, still looking at securing data within the perimeter or behind company firewalls.

More recently, life has become more challenging. The blurring of home and work activities is a social trend affecting us all. In the corporate world we are now likely to see leisure activities such as social networking on Facebook or Twitter, online shopping or web browsing conducted on company laptops. Many employees will also mix personal and work-related email via the enterprise Exchange server.

Complicating the picture further still is the emergence of “consumerisation”: employees are using their own devices such as iPhones and laptops to access and transmit business data, without security controls or the knowledge of the IT department. None of this would matter much if robust controls were in place to regulate this activity.

“It has always been the case that the single weakest link is people. The problem now is that it's got worse,” says Jason Hart, Senior Vice President of authentication specialists CRYPTOCard. For Hart the problem lies in an overuse of access management tools as well as passwords and user names that are increasingly blurred across personal and business life. Hack one account and you are likely to be able to get into another.

The problem, according to Hart, is that in the rush to embrace open networks in response to competitive pressures, businesses are relying on outdated access controls that simply cannot hope to deal with the threats they face.

“They can't see the risks any more,” he says. The shift to web applications has made the problem worse.

“These are all protected by user names and passwords. All a hacker has to do is target those. We don't educate or make people aware of the dangers. You can get keylogger instructions on YouTube these days,” says Hart. However, it is an environment that is not going away and one to which information security professionals must now adapt. The genie is out of the bottle and your data is everywhere, so how are you going to protect it, especially in the hands of fallible human beings who are careless with data, will fall prey to social engineering and who are mostly incapable of remembering multiple passwords and user names, tending to write them down or use easily guessed combinations?

“If we can solve the password problem, we can solve all the security problems,” says Hart. Businesses are spending heavily on security hardware and software only to have it undermined by access systems protected only by weak user names and passwords.

One possible solution to manage data on multiple access points and shared networks is to adopt a two-factor authentication system.

As an example, some of the leading UK retail banks have introduced systems which ensure that customers are identified not only by their usual credentials but also by a random, one-time password or number generated on a token device.

Each code is valid once only, so it cannot be replayed after it has been used, and it cannot be socially engineered out of someone in advance, as you can't give away that which you don't know. The key to these systems is that the password generator is separate from the system holding the data, so the codes cannot be obtained by breaking into that system.

The method can be taken further with federated ID systems. In an interconnected world where data and users switch from one place and access point to another (see previous page), businesses can ensure that only the right people are accessing data. Thus user A can only connect to data B by matching the name to a generated password at whatever point in the deperimeterised world they find themselves.

In security, nothing is perfect and nothing is uncrackable, but what is clear is that two-factor offers a leap forward over simple password and user name authentication. Prices are coming down, but be prepared to do an audit of your people, data and resources before you invest.
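The token scheme described above, as an added example that is not CRYPTOCard's product code or any bank's system: an event-based one-time password of the kind a hardware token produces (HOTP, RFC 4226), paired with the server-side check that consumes each counter value, so that a code captured by a keylogger or shoulder-surfer is rejected the second time it is presented. The shared secret is the RFC 4226 test-vector key, the token and user state are constructed, and the look-ahead window of five unused presses is an assumed operational setting.

```python
"""
Event-based one-time passwords (HOTP, RFC 4226) with a server-side verifier
that rejects replayed codes. Added illustration for this article; not
CRYPTOCard's or any bank's code. The secret below is the RFC 4226
test-vector key and the token/user state is constructed test data.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: holds the shared secret and the last counter accepted.

    The token device holds the same secret and advances its own counter on
    each button press. It stores no customer data and is never online, which
    is the separation between generator and data system the article describes.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead   # tolerate a few presses that were never submitted
        self.last_counter = -1         # highest counter value already consumed

    def verify(self, code: str) -> bool:
        # Only counters strictly after the last accepted one are candidates,
        # so a code that was already used (a replay) can never match again.
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through a genuine login, a replay, a skipped press and a guess."""
    secret = b"12345678901234567890"   # RFC 4226 test secret (constructed data)
    token_counter = 0                   # state inside the customer's token

    def press_button() -> str:
        nonlocal token_counter
        code = hotp(secret, token_counter)
        token_counter += 1
        return code

    server = OtpVerifier(secret)
    captured = press_button()
    results = {
        "first_accepted": server.verify(captured),        # genuine login
        "replay_rejected": not server.verify(captured),   # attacker resubmits it
    }
    press_button()   # customer pressed once without logging in: still in window
    results["skipped_press_ok"] = server.verify(press_button())
    results["guess_rejected"] = not server.verify("000000")  # 1-in-10^6 per try
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the verifier does and does not protect against: a code that has been accepted is dead, but a code phished out of the user and submitted by the attacker within the look-ahead window before the user submits it is a fresh, valid code, which is why the article's closing caveat that nothing is uncrackable still applies.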

As the enterprise continues to fragment across boundaries and borders, security professionals need to take a long hard look at where data is and how employees are interacting with it. After all, the data is now the lifeblood of the enterprise.

The dangers of LinkedIn

Despite what tabloid newspapers might have you believe, people are generally trusting and like to see the best in people. It's this trait, rather than sheer gullibility, that has been exploited by confidence tricksters for centuries through social engineering: the process of manipulating people into giving away confidential information such as passwords. In the 21st century cyber criminals have new avenues in which to exploit your employees, including the highly popular professional networking site LinkedIn.

Jason Hart, the Senior Vice President of CRYPTOCard reveals how as an ethical hacker he was able to fool a newly-appointed security chief of a large multinational company. The security chief in question had announced his new position to his network. He was tracked down by Hart through a simple search of LinkedIn.

He then began to send him a series of emails that looked like they came from the IT department of his new employer. At first these were fairly innocuous requests simply to gain the new employee’s trust.

They gradually built up until the hapless security chief was fooled into logging into a bogus URL in which he divulged his access details.

“When this was revealed the individual was obviously shocked, but people have a false sense of security. The password is the invisible threat,” says Hart.

Top six tips

1. Think about where your data and your customers' data resides, who's accessing it, how and when.

2. Audit your data and categorise it according to criticality and enterprise need.

3. Audit your employees and partners according to data needs; you decide, not them.

4. From that information, draw up a data access management policy and what systems can be safely applied to your data.

5. Establish an Outsource Liaison Officer.

6. Don't become complacent. Hackers will always be looking to get around systems.


Do you really know who is accessing your systems?

If a hacker or ID thief takes on the identity of a customer or employee, they are invisible to you. Authenticating your users with two-factor authentication ensures your customers and staff are who they say they are. With server based applications or cloud based services, CRYPTOCard offers:

• Greatly reduced total cost of ownership
• Best-in-class security
• Seamless, rapid deployment and integration
• Simpler, quicker and automated system administration

www.cryptocard.com 0870 707 7700

Martin Sadler, Director of the Systems Security Lab in HP Labs, discusses the challenges, trends and developments that may spur new tools in the fight against computer crime.

Innovation Central

When I wander around a security trade show I'm always a little disappointed. Maybe my expectations are set too high, but it's often hard to find the innovative new ideas that hold real promise for shifting the balance firmly in favour of those defending our cyber world. But the ideas are out there, and when you find them, you start to believe that this is a fight we can win.

One of the current areas of concern is cloud computing, which promises to deliver an increasing variety of ways in which processing, storage, applications and services can be provided into an enterprise, all of which can challenge current thinking on policies, procedures and where responsibilities lie. All of which adds to the number of things a CISO and their team have to worry about.

For those still trying to get their heads around cloud computing, the US National Institute of Standards and Technology (NIST), is a good first port of call to understand the basic terminology, and the Cloud Security Alliance’s guidelines is an excellent primer on areas to pay attention to.

To see just how challenging information stewardship is likely to be in a cloud world: count the number of different communities in your own organisation that have some responsibility for your information assets – from those that assess risk, those that formulate policy, those that manage operations, configure the firewalls, monitor, audit, worry about compliance and so on. Now imagine outsourcing some business need to another company who might be using platform services from a platform-as-a-service provider (PaaS) who in turn might be making use of an infrastructure-as-a-service provider (IaaS).

Each of these has their own communities, probably cutting responsibilities differently from the way you do – so take your count and multiply by roughly 4. Amongst this large collection of individuals what’s the chance that there is any shared view of responsibilities or that duty of care adds up to what it needs to be in looking after your information? Worth thinking about for a few minutes.

So in terms of governance we're heading for a complex world in which a future adversary will potentially have a greater opportunity to mask their operations and hide their tracks. To make headway, and begin the process of providing more effective automation in how we deal with attacks, we need a better science of security and one that is suited for this multi-boundary, multi-party world.

Back to winning ideas. At HP Labs we believe that modelling holds the key.

So let me point you at work coming out of University of Illinois at Urbana-Champaign (UIUC) and Newcastle University. They’ve been extending UIUC’s Möbius toolset which was designed to model system security properties to include the way individuals are likely to behave in engaging with those systems.

What this means in practice is capturing how security processes and policies behave within the business in terms of security-related activities (patch management or incident response for example) and investigating what the impacts would be under a variety of (attack) scenarios and conditions.

This helps evaluate the security posture of an organisation by anticipating what its response would be to events – before they happen. For example, when modelling patch deployment in an organisation, an outcome of the model might be estimates of the length of the risk window for threats and vulnerabilities – that is, the amount of time elapsed between discovering a vulnerability and applying an effective patch – all under a variety of operating conditions.

This modelling involves both causal process aspects (what actually happens) and resource aspects (how much of a resource is available, how long does an activity take to do).

Perhaps what will be surprising to those who belong to the school of “because it is very hard to estimate or measure numbers associated with security it isn't worth bothering” is that this kind of modelling often allows us to operate with quite weak estimates of the numbers involved, and still be able to make robust conclusions about whether one IT strategy or another is likely to be better value.

When you add in how capable individuals are at performing tasks and how willing they are to do what is asked of them, you have the basis to reason about our future multi-party world where it's not going to be enough to understand system security; we'll need to understand the consequences of what happens to our information when someone working down the chain doesn't or can't do what they should.
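To make the modelling idea above concrete, here is an added Monte Carlo sketch of the patch risk window for two deployment cadences. It is not HP Labs' tooling nor the Möbius model from UIUC and Newcastle; it only borrows the structure the column describes: process terms (detection delay, approval delay, wait for the next deployment window) plus a human-behaviour term (the probability that the administrator actually applies the patch in a given window). Every parameter range is a constructed assumption chosen to be wide, so that the run shows whether the ranking of the two strategies survives weak estimates of the inputs.

```python
"""
Monte Carlo sketch of the 'risk window' a patch-deployment model estimates:
days from a vulnerability being disclosed to an effective patch being in
place. Added illustration for this column; not HP Labs' modelling work or the
UIUC/Newcastle Möbius model. All ranges below are constructed assumptions.
"""
import random
import statistics


def risk_window(cycle_days, detect, approve, p_apply, draws):
    """Risk window in days for one run of one patching strategy.

    cycle_days: spacing of deployment windows (7 = weekly, 30 = monthly).
    detect:     days until the security team notices the disclosure.
    approve:    days of change approval before deployment may start.
    p_apply:    probability the administrator actually applies the patch in a
                given window (the willingness/capability term in the column).
    draws:      (u_wait, window_draws) common random numbers shared by both
                strategies so that only the cadence differs between them.
    """
    u_wait, window_draws = draws
    # Approval lands somewhere inside a cycle; wait for the next window.
    elapsed = detect + approve + u_wait * cycle_days
    # Every missed window costs another full cycle; the horizon caps the loop.
    for u in window_draws:
        if u < p_apply:
            return elapsed
        elapsed += cycle_days
    return elapsed


def compare_strategies(seed=2010, scenarios=300, runs=200, horizon=52):
    """Sample the uncertain inputs from wide ranges and compare weekly against
    monthly deployment cycles. Returns summary statistics, including how many
    sampled scenarios had the weekly cycle with the shorter mean risk window."""
    rng = random.Random(seed)
    weekly_means, monthly_means = [], []
    for _ in range(scenarios):
        # Weak estimates: each input is only known to lie somewhere in a range.
        detect = rng.uniform(0.5, 10.0)    # constructed range, days
        approve = rng.uniform(1.0, 14.0)   # constructed range, days
        p_apply = rng.uniform(0.3, 0.95)   # constructed range, probability
        weekly, monthly = [], []
        for _ in range(runs):
            draws = (rng.random(), [rng.random() for _ in range(horizon)])
            weekly.append(risk_window(7, detect, approve, p_apply, draws))
            monthly.append(risk_window(30, detect, approve, p_apply, draws))
        weekly_means.append(statistics.fmean(weekly))
        monthly_means.append(statistics.fmean(monthly))
    p95 = int(0.95 * scenarios) - 1
    return {
        "scenarios": scenarios,
        "weekly_mean_days": statistics.fmean(weekly_means),
        "monthly_mean_days": statistics.fmean(monthly_means),
        "weekly_p95_days": sorted(weekly_means)[p95],
        "monthly_p95_days": sorted(monthly_means)[p95],
        "weekly_shorter_in": sum(w < m for w, m in zip(weekly_means, monthly_means)),
    }


if __name__ == "__main__":
    for key, value in compare_strategies().items():
        print(f"{key:>20}: {value:.1f}" if isinstance(value, float) else f"{key:>20}: {value}")
```

The absolute numbers are only as good as the constructed ranges, which is the column's point: the means move a great deal as detection, approval and compliance vary, yet the weekly cadence comes out shorter in every sampled scenario, so the decision between the two strategies is robust even when none of the inputs is known precisely. Swapping in your own ranges, or adding a cost per deployment window, is where a real model would begin.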

What's more, Bill Sanders and Aad van Moorsel and their PhD students are all very willing to apply their techniques to real problems – so if you have an interesting challenge, drop them a line and see whether they can help.

In HP Labs, we really like this kind of research because we can link it practically with our own modelling work and we see a clear path to the next generation of security services.


Useful web addresses:

csrc.nist.gov/groups/SNS/cloud-computing/

www.cloudsecurityalliance.org/guidance/csaguide.pdf

Useful contacts:

[email protected]

[email protected]

HP Labs:

www.vistorm.com


Quick Fire: Adrian Seccombe Q&A

In your long career at Eli Lilly what was your proudest achievement?

By far the proudest of my achievements is the mentoring I was involved with. Some of my best mentees became my superiors, in Lilly and beyond. All of them have grown now far beyond my mentoring, but I like to think that I played a part. My engagement in an IT strategy program called Enterprise 2000 was another memorable activity. Its vision was: extend human capability, and promote global collaboration, by providing continuous access to people and knowledge. Lilly has still to fully deliver on that vision, but those who know me vouch for the fact that my strengths lie more around my vision skills than implementation.

What has been the biggest change in the way security is managed in the enterprise?

It has moved from the perimeter to the heart of the organisation. This is true of traditional security departments as well as information security.

In my early years at Lilly, “Security” meant those folks at the gatehouse, who stopped people driving out with loo rolls in a box welded beneath their drivers seat. But that’s a whole other story... Today risk management and information security activities reach all the way to securing information in board meetings.

What security lessons from pharma can be applied to other industries?

Be aware that corporate information is at the heart of what’s required to create the best early examples of counterfeit products. It’s important to remember that counterfeit or “replica” products or services do not represent a victimless crime. Wealth is being shifted to those nations that are willing to aid their industries in the gathering of such information. Be careful that your products are not next on the list.

You’re now teaching at the University of Surrey. Does this experience make you optimistic about the future of your profession?

Interacting with young, bright, questioning minds can't fail to make one optimistic. I thoroughly enjoy engaging with them; the experience is a very energising one. One thing I have sensed is that this generation appears to have a deeper set of values than their predecessors and is not so heavily focussed on money.

My goal is to strengthen that underlying set of values. The global shift to “situational values” from “sustainable values” can best be reversed by such young leaders. I am afraid that previous generations have not always shown such steadfastness in the face of the siren song of greed. In truth, this was one of the reasons behind me accelerating my retirement. Having bemoaned once too often on the Industry Advisory Board at Surrey University that the degree courses did not focus enough on the importance of managing information as a valuable asset, Steve Schneider, the department's professor, turned to me and said: “why don't you teach the subject then Adrian?” So I did.

Do you think that the government should do more to educate the public on computer security and online threats?

Actually no, I think that the suppliers of information products and services should be making it difficult for us not to be safe and secure with our information. Governments should hold suppliers accountable for the impact of providing insecure products and services. I would reverse the current expectation of software suppliers that they can write software licence terms which remove any liability for their products.

On the other hand I do expect that government should strengthen our country’s cyber defences. When a Russian bomber flies towards our airspace to test our defences, it is intercepted miles out. When a foreign state tests our cyber defences, we rarely even notice. Such attacks are occurring far more frequently than the 20 occasions in 2009 that we intercepted Russian Bombers (http://bit.ly/aIoudX).

Finally we should make it the responsibility of the ISPs to do something about the state of the Internet. I only want clean bits from my ISP - the fact that they charge to send me dirty bits is a frustration.

Everyone’s talking about cloud computing as the saviour of the Western world, but is the hype justified?

Happily that is just hype and by definition it is neither true nor justified. Cloud computing, in whichever of the 67 definitions you choose to use, is the natural result of commoditisation. Our challenge is to surf this wave, and as with all waves it is not good to be behind it, but not good to be too far ahead either. Those that get the surfing right will bring more benefits than risks to their organisations.

You’re known as a gadget lover. What’s the best or most useful gadget you’ve ever bought?

You have made the false assumption that I have always bought my own gadgets! With my recent move to being a Research Associate with the Leading Edge Forum I have found a legitimate reason not to be buying my own gadgets again. The iPad that Research Fellow Doug Neal gave me has been the recent source of gadget joy! My most memorable gadget was a Sharp Wizard that one of my more technical friends, Rick Monroe, was able, after suitable encouragement from me, to connect to IBM PROFS. Thus I had my PROFS calendar in my pocket in the early ’90s. At that time, the idea of a personal organiser was still on the horizon.

What do you do to relax?

I do enjoy playing with my gadgets, and connecting as many of them together as possible gives me great pleasure. I also garden, which translates to trying to stop the slugs and pigeons destroying my meagre crops, and trying to remember that the plants in the greenhouse don’t water themselves. Finally, I canal boat and scuba dive, but far less frequently than I would like.

Adrian Seccombe

Adrian Seccombe was formerly CISO at Eli Lilly, one of the world’s largest pharmaceutical companies. Now semi-retired, he is passing on his knowledge to a new generation of security professionals in the Department of Computing at the University of Surrey. He is also SC Magazine’s 2010 Information Security Person of the Year.
