1. Charting the Path: Enabling the Hyper-ExtendedEnterprise in the Face of Unprecedented RiskRecommendations from Global 1000 ExecutivesReport based on discussions with the Security for Business Innovation Council1. Anish Bhimani, Managing Director, Risk and Security Management, JP Morgan Chase2. Bill Boni, Corporate Vice President, Information Security and Protection, Motorola3. Roland Cloutier, Vice President, Chief Security Officer, EMC Corporation4. Dave Cullinane, Vice President and Chief Information Security Officer, eBay Marketplaces5. Dr. Paul Dorey, Former Vice President, Digital Security and Chief Information Security Officer, BP; and Director, CSO Confidential6. Renee Guttmann, Vice President, Information Security and Privacy Officer, Time Warner7. David Kent, Vice President, Security, Genzyme8. Dr. Claudia Natanson, Chief Information Security Officer, Diageo9. Craig Shumard, Chief Information Security Officer, Cigna Corporation10. Andreas Wuchner, Head IT Risk Management, Security and Compliance, NovartisAn industry initiative sponsored by RSA, the Security Division of EMC

2. Business Innovation Defined Enterprise strategies to enter new markets; launch new products or services; create new business models; establish new channels or partnerships; or achieve operational transformation.The Security for Business Innovation Initiative Business innovation has reached the top of the agenda at most enterprises, as the C-suite strives to harness the power of globalization and technology to create new value and efficiencies. Yet there is still a missing link. Though business innovation is powered by information; protecting information is typically not considered strategic; even as enterprises face mounting regulatory pressures and Table of Contents escalating threats. In fact, information security is often an afterthought, tacked on at the end of a project or even worse not I. Executive Summary1 addressed at all. But without the right security strategy, business innovation could easily be stifled or put the organization at great risk. II.Introduction to the Fourth Report2 III. The Dawn of the Hyper-Extended Enterprise3 At RSA, we believe that if security teams are true partners in the business innovation process, they can help their organizations achieveIV.The Unprecedented Risk Environment 4 unprecedented results. The time is ripe for a new approach; securityV. The Need for a New Information Security Paradigm 8 must graduate from a technical specialty to a business strategy. While VI.Recommendations for Updating the Information Security Model 10 most security teams have recognized the need to better align security1. Rein in the protection environment9 with business, many still struggle to translate this understanding into concrete plans of action. They know where they need to go, but are 2. Get competitive12 unsure how to get there. This is why RSA is working with some of the 3. Proactively embrace new technology on your terms 14 top security leaders in the world to drive an industry conversation to4. Shift from protecting the container to protecting the data 16 identify a way forward.5. Adopt advanced security monitoring techniques17 RSA has convened a group of highly successful security executives6. Collaborate to create industry standards 17 from Global 1000 enterprises in a variety of industries which we call the Security for Business Innovation Council. We are conducting a7. Share risk intelligence20 series of in-depth interviews with the Council, publishing their ideas VII. Conclusion21 in a series of reports and sponsoring independent research that explores this topic. RSA invites you to join the conversation. Go toAppendix: Security for Business Innovation Council Biographies 22 www.rsa.com/securityforinnovation/ to view the reports or access the References 23 research. Provide comments on the reports and contribute your own ideas. Together we can accelerate this critical industry transformation. 3. Where we are at today in information securityI. Executive Summarymakes me think about Andy Groves concept ofa strategic inflection point. When the old The traditional boundaries surrounding ournew business value could create dangerousstrategic picture dissolves, it can mean an organizations, assets and information are exposure to risk. rapidly dissolving. At the same time, theopportunity to rise to new heights or it can be This is not a time to sit back and see whatdeadly. Trying to conduct business as usual isnt difficult economic climate is forcing enterprises happens, or alternately to rush forward to achieve extreme levels of efficiencies andgoing to fly. But the good thing is a strategic without careful thought in the interest of speed of operations. In this environment,inflection point does not always lead to a being opportunistic. Now is the time to chart a business innovation means faster and cheaper strategic path, to capitalize on new possibilities disaster. It creates opportunities for players ways to reach customers, identify new markets, come up with new products, and collaborate while avoiding the potential pitfalls that could who are adept at operating in a new way. throw your organization off course. across a vast array of partners.Council Member Based on in-depth conversations with some of Promising new technologies such as cloud the worlds top security officers, this report The biggest business driver for security is computing, virtualization, and social looks at where information security is headed networking are being touted for their powernow innovation enabling the business to and offers specific recommendations for to help achieve corporate objectives. Andbe rapid, flexible and adaptive in this developing an updated information security outsourcing continues to gain favor as a model that reflects the emerging opportunities environment. Its sort of the antithesis of strategy to reduce costs and drive and dangers at hand. It provides tangiblewhat security traditionally has been, but organizational focus on core business. But advice that will help you tap the hyper- building a new model of security means also many security leaders are realizing that extended enterprise for business advantage, without a strong vision for the end destinationbeing rapid, flexible and adaptive. even in the face of unprecedented risk. and an acute awareness of the changing threatDave Cullinane environment, well-intentioned actions to driveVice President and Chief Information Security Officer1eBay Marketplaces 4. II. Introduction to the Fourth ReportRecent events have given rise to what many time-to-market and stay competitive. These are the most urgent and criticalare calling the new economy; one in whichUnderstanding these trends is essential toissues facing CISOs beyond the activeenterprises are confronted by immensedeveloping a strategy that will protectintruders, the botware, the malware, thechallenges. This new economy has arrived justinformation while enabling the hyper-extendedas several key transformational technologies enterprise to operate successfully.things that were already fighting today.are entering the scene and being heralded asThis is an area thats going to come up very This fourth report in the Security for Businesshighly-charged engines of efficiency andquickly on people. All of a sudden theyre Innovation series looks at how informationgrowth. At the same time, outsourcing has going to realize that their IP is no longer in security programs must respond to thesecome of age. It has gained enormous credibility trends, given the dramatically changing risk their data store within their environment,as a business strategy for reducing costs andsustaining competitive advantage. The stage is picture. As the hyper-extended enterpriseits in some service providers. Or their attains higher levels of openness and reachescustomer data is now in a CRMnow set for enterprises to accelerate the new terrain, it has the potential to driveadoption of new web and communicationsinfrastructure outsourced by another third enormous business benefits. Yet at the sametechnologies and more deeply integrate aparty. And they dont have any security time, it exposes organizations to higher levelsmuch larger number of third-parties into their of risk. Mix in the desperation created by the insight into those resources at all. This isoperations. economic downturn and the growinggoing to happen faster than I thinkWhat does all of this mean? The enterprise issophistication of insider threats, fraudsters, anybody in the industry believes.extending well beyond the already-expanded and attackers, and you have a complex and Roland Cloutierfrontiers ushered in by the Internet age.treacherous risk environment without Vice President, Chief Security OfficerCoined several years ago, the term extended precedent. And what makes it all the more EMC Corporationenterprise, acknowledged that organizations perilous is that these risks are increasingare no longer just made up of employees andexponentially while the resources available tomanagement, but also encompass partners, mitigate them are on the decline.suppliers, service providers and customers. The ability to define the perimeter of the At this juncture, a new paradigm forenterprise has now firmly disappeared.Taken to the next level, the hyper-extendedinformation security is sorely needed. ThisThats both in a technical and businessenterprise is exchanging information withreport offers an analysis of this emergingmore constituencies in more ways and moreterrain and puts forth some recommendationssense, with the level of third-party workers,places than ever. And the tools of connectivity, for charting a path forward. The guidelines in outsourcing, supply chain, and "in thecollaboration and communication are enabling this report do not provide the completecloud" services. All of these are making itoperating speeds never thought possible. answer, but rather suggest concrete stepsmuch harder to define where one enterprise which can be taken to align informationThis is all becoming a reality faster thanends and where another begins. security to intense business innovation,anyone imagined. This transformation is reduced levels of resources, an unprecedentedDr. Paul Doreyaccelerating out of necessity, as enterprises doFormer Vice President risk environment and the relentless pace ofwhatever it takes to reduce costs, decreaseDigital Security and Chief Information Security change. Officer, BP; and Director, CSO Confidential2 5. III. The Dawn of theThe enterprise is drastically changing, not just who we connect to or how we connect to Hyper-Extended Enterprisethem or who has access to what information, but the basic premise that our enterprise orcorporate operating environment is now migrating outside of our basic operational control The hyper-extended enterprise is defined byinfrastructure. extreme levels of connectivity and information Roland Cloutier exchange, as the enterprise assimilates a rangeVice President, Chief Security Officer of new web and communications technologies EMC Corporation and distributes more business processes to even more service providers.According to Deloitte,5 2009 will be the economic downturn is expected to boostbreakout year for social networks in the demand for business process outsourcing10 and Cloud computing is one of the technologiesenterprise.IT outsourcing.11 that is taking the enterprise by storm. IDC predicts that in just three years cloudThe enterprise is also accelerating the adoption Although things look gloomy for the larger computing will move from "early adopters"of mobile devices. North American enterprisesglobal economy, outsourcing is a growth stage to mainstream market adoption.1 Also will be supporting more mobile phones than market. Service providers globally have reached according to IDC, spending on IT cloud servicesdesktop phones by 2011.6 By then, close to 75new levels of process specialization and will grow almost threefold by 2012, reaching percent of the U.S. workforce will be mobile,sophistication. More outsourcing will be $42 billion and capturing 25% of IT spending with workers increasingly dependent on adopted by more organizations as they focus growth.2 Virtualization is another technologydevices like the consumer-oriented Apple on their core businesses, and work through on the rise. According to the Goldman SachsiPhone or the Palm Pre. 7 financial and competitive challenges. Group, Fortune 1000 companies will have virtualized 34 percent of their servers within a Another way consumer technology is takingAnother significant trend in outsourcing is year double the current level of 15 percent. 3 hold in the enterprise is the increasing use ofenterprises are seeking partners in newconsumer VoIP services such as Skype, as locations. Some enterprises are now reversing Enterprises are also moving quickly to capture businesses seek lower cost communication.their previous offshoring strategies and forging the power of social networking. Facebook,With a total head count of 405 million relationships with new partners on-shore. with 175 million users, is on track to surpass registered members (as of the end of last year), Others are considering service providers 300 million by the end of 2009.4 Globally, socialSkype is adding 380,000 members per day. outside of traditional offshoring centers such networking has enjoyed a 25 percent growth inAlready 62 percent of business subscribers are as Bangalore and Chennai and instead turning unique visitors in the last year, with some sitesusing Skype to better communicate with their to new locations such as Belfast, Sofia and doubling their user base. And the demographiccustomers. 8 Cairo. These destinations are among a group of profile is quickly changing. Social networking is approximately 30 new locations to watch, no longer a tool just for high school andWhile technology is being quickly adopted in according to some analysts. And these new college students. On some networks around 40 the enterprise, outsourcing is also being locations may take up a larger proportion of percent of users are over 35. So its no wonderaggressively pursued. Enterprises are expected the new outsourcing work, as more traditional that businesses have taken notice; given to intensify outsourcing in an effort to locations rapidly approach a saturation point.12 shrinking budgets, most are eager to takestreamline costs, do more for less with their advantage of that kind of reach. And they will.budgets, and increase competitiveness.9 The 3 6. IV. The Unprecedented Risk EnvironmentSeveral factors are coalescing to create anBeyond malware, security professionals alsounprecedented risk environment; and it ishave to deal with an alarming number of databecoming much more difficult to assess risk. breaches and identity thefts, with incidents affecting organizations of all sizes and types,The threats: faster than ever and more including governments and companies. Theseunpredictableevents, in which thousands or even millions ofThis report does not intend to provide an in-records have been compromised, are regularlydepth analysis of current threats; there are featured in the headlines. They are the work ofmany other sources for that information. insiders and external hackers, or both workingInstead, a few striking examples are presented together.that characterize todays threats anddemonstrate how rapidly they are evolving. It is now a common mantra in security that the nature of the threats has changed. Gone areThe pace of malware has reached staggering the days of script kiddies looking for fame andlevels. Security professionals are actuallynotoriety; now enterprises face a verygetting used to numbers such as: a new sophisticated worldwide fraud machine run byinfected web page is discovered every 4.5organized crime; with many players, eachseconds; there are over 20,000 new samples ofhaving their own niche. This system is verymalware every day13; and botnets change theiradaptable, changing tactics quickly to outwitmalware signatures every 10 minutes.14 any attempt to foil their operations.Malware is infecting not only traditionaloperating systems, but also mobile devices.The end result is that there are more threatsWeb sites are the new favorite vector andcoming faster than ever before and they aremalware is also being spread through socialchanging all the time. It is no wonder thatnetworking. So its no wonder current defenses some security professionals feel outpaced.against malware are no longer effective. For What security professionals are expected toexample, a recent study shows some signature-absorb on a day-to-day basis has reached nearbased anti-virus technology, a major part of impossible levels. And the evolution of thesecurity infrastructure, now only detects 30 threats is constant. The threats are morepercent of all malware. 15 significant today than they were six months ago or last year, and they will be more4 7. significant six months or a year from now. best-selling novels to become reality. Nation The historic models are insufficient andThere is also the unpredictability of todaysstates may believe developing information should not be relied on to predict theattacks. Zero-day (or zero-hour) attacks and warfare capabilities is critical, but the future. We are entering unknownviruses, which work to exploit unknown,downside of this strategy is that not everyone information security and risk managementundisclosed or patch-free computer application who gains these capabilities stays within thevulnerabilities, are now commonplace.control of the nation state under which theyve territory. trained. Its a relatively recent skill set. Over Council MemberVulnerabilities have also increased through the the last 20 years or so, militaries andproliferation of information on social intelligence agencies all over the world havenetworking sites. Although social media is layers between the original client and the trained agents in cyber-warfare activities. Atgreat for collaboration, its also a great way for organization that is actually handling the some point, some of the people with thesethe bad guys to learn all about the companyinformation. skills start leaching out into the criminaland its personnel, including real-time location economy. This is increasingly putting the globalupdates. This potentially paves the way forCloud computing is a relatively new concept. economy at risk.novel types of social engineering attacks or According to Forrester Researchs glossary,even blended attacks. These attacks could usecloud computing is, "a pool of abstracted, High levels of risk tolerancedata obtained electronically to commit crimeshighly scalable, and managed compute Todays economic conditions are creating anagainst information assets, physical property or infrastructure capable of hosting end-customer atmosphere in which business people may bepeople. Its hard to keep up with theapplications and billed by consumption."16 It much more willing to take on potentiallypossibilities for new attacks. creates a new category of service providers and dangerous levels of risk. Many cash-strapped a new set of risks. Because the cost savings areWhen enterprises are operating in geographiesbusiness units are rushing ahead and leaping so compelling and it is very easy to start usingand cultures that they have never done before they look, rapidly entering cloud computing in stealth mode, manybusiness in before, such as new locations forrelationships with cloud vendors and/or businesses may be lured in before all of theoutsourcing or off-shoring, its a lot harder to outsourcers. With the intention of squeezing security issues have been addressed.predict behaviors or develop possible scenarios. timelines, decreasing costs, and/or making theirGlobalization increases the complexity of risk quarterly numbers, they may forgo thoroughFor example, it is now possible for developersassessment. It requires factoring in different due diligence or comprehensive security to do production scale tests without evennorms and ethics, which may not be fully reviews. All the while, enterprise data ishaving to involve IT. Infrastructure services inunderstood.spinning out of enterprise control. the cloud are built on the notion of renting virtualized machines so that infinite capacity is An added dimension to the problem is thatThe increasing skill set of the bad guys available on very short time scales. The service providers often sub-contract the workIt is well-known that countries andcustomer can acquire and release resources on or elements of it to other service providers,corporations use cyberspace to spy on each demand, and only get charged for what they who then push it off to their own sub-other for political and commercial gain. Evenuse. Previously, developers needed to work contractors. Ultimately, there can be manycyber-warfare has transcended the realm of with IT to configure hundreds of servers for an 5 8. Why are the risks increasing? Without aarchitectural experiment which would takeHow does it meet requirements for detaileddoubt, it is the pace of change in theseveral months and a huge capital expendituresecurity assessments or penetration testing? Into complete. Now developers can use theiraddition, cloud vendors are reluctant to revealenvironment. You can wake up tomorrow and acredit cards to rent cloud services and get thethe details of their security as they consider itrisk that wasnt there yesterday is there today.required computing power for $10$50, andproprietary information. Many of todays There is no period of development; there isget it all done in one afternoon. Computingprivacy regulations mandate wherenothing necessarily on the horizon that will letpower is now very accessible but it is also no information must be stored or processed. Howyou say, I can see whats coming.longer exclusively under the control of thewill customers know the geographic location ofenterprise.their data as it is moves around the globe Dr. Claudia Natanson using available capacity in the cloud? This is all Chief Information Security OfficerThe newness of cloud services means that Diageo still unclear. But despite this lack of clarity,enterprise customers have not yet defined all many enterprises might just decide to take theof their security, privacy and compliance risk in an effort to tap the enormous costrequirements and that cloud vendors have notBusiness is now inherently on a global scale savings, flexibility and other benefits thatadequately addressed all the related issues; andwith the complexity of different cultures and cloud computing promises.there are many. Just to name a few: If cloudnormative behaviors, and the breadth ofservices are processing data from multiple Business process outsourcing (BPO) is anotherethics around the world. In this context, its aenterprises, how will the cloud vendors ensure area where enterprises might just take the risk.the integrity of co-mingled data? How is itAs cost pressures mount, enterprises looking totremendous challenge to ascertain, whats thesegregated from other customers data? If aremain competitive may be forced to follow true risk of doing business as a globalbusiness process moves to the cloud, how doesother enterprises as they move more business enterprise?an enterprise meet compliance obligations? processes to service providers and new on-David KentVice President, Security6 Genzyme 9. There is a new dimension now that affects the risk picture. I think well see a behaviorshore and off-shore locations. Service providers The shifting moral compass change in how people do business undermay be able to entice a few Global 1000In desperate times, people do desperate things.customers with extremely low-cost contracts. Tohigh economic pressure when every deal, In a tough economy, disgruntled and laid-offmake their offerings look attractive, some BPO employees and contractors may be much moreno matter how small, is an important deal.companies try to present an a la carte menuwilling to pursue malicious acts that are Business people will be more open andinstead of a full meal deal. Beyond their very outside the realm of their normal behavior. The willing to take risks because the pressurelow-cost core services, they offer a menu of reality is that desperation can trigger otherwise on them to reach targets is higher givenoptions, including security controls. Thelaw-abiding and rule-following people toproblem is that companies often put together this economic downturn. engage in criminal activities. For example,their business case based on the initial sticker according to a recent survey 9 out of 10 IT Andreas Wuchnerprice. All the rest is additive cost, includingadministrators would take company secrets andHead IT Risk Management,security controls. Blinded by the initialremote access credentials with them if theySecurity & Compliancepromised savings, customers may accept were fired.17 Novartisuntested security assurances or forgo the moreexpensive security options. The serviceAdding to the dangers, security departmentsproviders may then use these brand names asare becoming resource-constrained. Thisproof of the level of trust they have earned toenvironment opens up increased opportunitiesentice other Global 1000 customers.for people to take advantage of gaps in What will happen is people will talk in security. By way of analogy, when you can no terms of risk acceptance. And essentiallyThe significant issue of service provider risk has longer afford to have a security guard at thefaced large enterprises for years now; it is not door 24/7, people will determine when the theyll move the bar to satisfy whatevera new concern. The sheer volume of service guard is not around and target that timeframe they want to spend as opposed toproviders and the increasing number of to gain entry.necessarily looking at it from a risk stand-business areas they touch were already making point. I think there will be a very high riskit very difficult to manage the security, privacyTodays enterprises are operating in an environment with unprecedented levels oftolerance when they dont want to spendand compliance issues. In the new economy,the proliferating number of service providersuncertainty. This kind of setting may makethe money on security.and their deep reach into enterprise businessBlack Swan events more conceivable. MostCraig Shumardprocesses may be kicked into overdrive.security professionals are familiar with so- Chief Information Security Officer called Black Swan events, which are defined as Cigna Corporation large-impact, hard-to-predict, and rare events that go beyond the realm of normal expectations. How do you realistically anticipate these types of events in a risk assessment? In a rapidly-changing world, the value of using historical data to predict possible scenarios, impacts and losses is called into question.7 10. V. The Need for a New Information Security Paradigm The current security model is ill-equipped for a of doing something like this has increased, as hyper-extended enterprise operating in anhas the number of Internet-enabled devices unprecedented risk environment. Security that make these systems more vulnerable to teams are often still fighting yesterdays battles attack. and focused on tactics like securing theAnother potential scenario is a major attack for perimeter with firewalls, updating anti-viruseconomic gain, such as extortionists signatures, pushing out patches, andthreatening to take down a companys entire encrypting laptops. All of these things may stilloperations or revealing the personal data of be necessary, but they are not sufficient tomillions of customers. Blackmail and extortion match todays world.have been realities in the online world for If we do not figure out a better information years. While the perpetrators used to target security model and fast, there could befringe industries such as online gambling and devastating consequences. The possible worse-pornography sites located in offshore locations, case scenarios are actually nothing new to this is quickly changing. Extortionists are now security professionals. They have outlined these targeting mainstream businesses. Take for types of events for ages. What is new is the example the situation facing a pharmacy likelihood of these kinds of incidents occurring benefits management company in November and the magnitude of their potential impact. 2008.18 The company received a letter with thenames and vital information of 75 members. For example, on a national security scale The sender of the note threatened to release terrorists could take a hold of a countrysmillions more if they were not given an electricity grid. The number of people capableundisclosed amount of money. 8 11. With more and more enterprises relying onitineraries, criminals can use this information to My concern is that security practitionerscloud vendors and outsourced service track down the geographic location ofwill fail to appreciate the singularity thatproviders, a major outsourcer or cloud vendorcompany personnel in order to steal laptops orweve approached here. If they dontgoing down could result in large-scale much worse, kidnap executives. And for theunderstand their crucial role of being thedisruptions to the business operations of huge companies that do experience a data breach innumbers of companies. We have alreadytodays environment, the consequences couldrisk specialist, the advisors to thewitnessed the fall of a major outsourcer inbe grave. Its one thing for a company to face management, the wheels could come offIndia. Satyam Computer Services, a hugeregulatory fines, law suits, and loss of share globalization and the global internet. Atinformation technology outsourcing firm basedprice when it is healthy financially; but if it isthis moment in time, security bears a hugein Hyderabad, India, serves many blue-chip unstable financially, it could be entirely wipedresponsibility for the benefits that areclients. Satyam is currently under investigation out.after the CEO admitted to a decade of ongoing possible, that are necessary for the survival In aggregate, if competitive pressures force and success of their enterprises.fraud. In cases such as this, what if the local enterprises across the globe to take on higherlaw enforcement decides to seize operations inBill Boni levels of operational risk, the level of riskorder to investigate? What happens to all of Corporate Vice President within the entire economy could reachthe customers business processes? WhatInformation Security and Protection unsustainable levels. Unfortunately, thishappens to their data? Motorola situation has eerie parallels to the bankingThe current risk environment also raises the industry reaching unsustainable levels ofstakes for security breaches. For example, withfinancial risk.social networking, the impact goes well beyondthe loss of IP because developers collaborateacross company lines. Since it is nowcommonplace to twitter about travel9 12. VI. Recommendations for Updating the Information Security Model Updating the approach to information security,Especially if the security team has been part of including the management of people, process the design and operation of a set of systems, and technology, is essential to successfullythey will be in a strong position to overcome protect information. It must be stressed that any attempts at subversion. its not all doom and gloom. Information That being said, during a time of upheaval, it is security teams are not starting from scratch; essential to take a step back to consider where they will be building on all the work they have information security is headed. As the terrain already done to protect against threats and dramatically shifts, so must information defend the enterprise. security. Developing an updated information Also, it is important to remember that most security model that is better-equipped for the systems are assumed to be running securelytimes at hand represents an evolution, but in most of the time. It is easy to subscribe to athe current climate time is of the essence. This pessimistic view, given the daunting risk evolution must progress more rapidly than environment. But security teams do have the many in IT history. The following section advantage of knowing the architecture of theirprovides some recommended steps to take for systems better than any potential attackers.moving forward. One of the challenges for security At this particular point in time, when we professionals is to be able to make have such a rapidly-changing environment, informed triage choices that are necessarywe need to absolutely cry, Time out! We when youre dealing with such a fast-paced, need to step away from it, and we need to dynamic, global set of threats, challenges, examine if our program has all the right risks and domains. So you have to develop gears. Does it have the flexibility it needs? this ability.Does it have not only the technological Bill Boni capability, but the resources, the stayingCorporate Vice President,power? Is your program road-ready for theInformation security and Protectionrough ride that you may be about to embarkMotorola on? Because only the most agile, only the fittest, only the most flexible will make it to the end.Dr. Claudia Natanson10Chief Information Security Officer Diageo 13. 1. Rein in the protection environmentAlso take a close look at data retention. Many enterprises continue to retain data for manyIn the current economic climate, information years beyond its usefulness or requiredsecurity programs are resource-constrained. retention. Storing confidential data forFigure out ways to use resources more inordinate amounts of time is a security andefficiently. For example, curtail the use of privacy risk. Find the sensitive data that issecurity resources for protecting extraneous being stored for unnecessary periods of timeinformation assets, stored data, and devices. If and retire this data. This will reduce theMany enterprises dont typically get rid ofyou can reduce your protection environment, amount of data that the information securitylegacy systems, they hold on to them foryou will not only reduce risk but also free up team must protect.no good reason for a hundred years justresources that can be reallocated to highpriority projects and/or achieve operational Another opportunity to achieve efficiencies is because somebody might need them.cost savings that can be used for strategicto reduce the number of different desktops, You dont have the luxury anymore ofinvestments. devices and servers that security supports. For protecting systems that dont get fired example, analyze the variety of desktop up every year. Get rid of them.Asset management configurations that your enterprise supportsTake a complete inventory of the assetsand reduce it down to a manageable number Council Memberprotected by the security department;that meets your business needs. If a user needsincluding who has access to them and how e-mail, Word, PowerPoint, and Excel for ninetyoften they are actually used. In mostpercent of what they do, it is no longerDont support every server or PDA knownenterprises, there are many systems andrealistic to provide them with that extra special to humankind. Cut down the flavors andapplications that are rarely used, yet they areapplication that is used just once a year.the colors that you are required to support.not retired just in case. Now is the time to Security departments no longer have the You dont have the resources to be ableget rid of them. It simply costs too much to resources to support so many custom desktops.protect them at this point. Work with the IT to give everybody their personal While it may have been difficult to clampgroup to determine which legacy systemsdown on customizations in the past when users customized X.should be retired. Asset management is a net felt they were entitled to custom desktops or Council Membergain for security and IT, since it reduces the devices, in this economy, it should not benumber of applications and systems thatexpected given the cost considerations. Cutsecurity is protecting and IT is maintaining.down the flavors of desktops, devices, and servers that security supports and create a set of solid enterprise standards.11 14. 2. Get competitivejust by plugging into some cloud. He may come supply chain of vendors and external service back to the security team and say, Well, why providers. This will require the internal team to For many enterprises, it makes sense to move should I use your centralized security services? determine their set of security offerings and away from silos of security to centralized And security has to have a good answer. then honestly assess their own internal shared services which are provided by the capabilities. They will have to figure out what information security department to business Service-oriented program management they as the core security team will do and what customers across the enterprise. The degree of Take a service-oriented approach to program will be outsourced to external service centralization and type of services offered by management. This forces the information providers. Ultimately, it will be a mix of the central department depends on enterprise security organization to be much more nimbleinternally and externally-provided services needs and organizational structure but the in responding to the needs of the business. which are provided seamlessly and idea is that by delivering at least some Security must continually take the pulse of transparently to customers. components of information security as a set of their market and ensure that their offerings centralized services, it can achieve not only As enterprises use more external service consistently meet the demands of their increased efficiencies but also better risk providers for security, the core security team customers. The portfolio of service offerings management. should be involved in carefully managing this might include: growth. Security is in a much better position The information security department should Risk assessment and compliance management than any individual business unit to hire strive to offer such competitive services; their external service providers. The security customers would not consider looking for Third-party security assessments department has the required expertise to assess other solutions. Being competitive may be a Awareness and trainingthe service providers capabilities and challenge for a lot of core security performance; and to ensure that all security organizations. Some tend to believe that they Identity and access management activities are integrated into the enterprises are somehow different than other internal (authentication, provisioning, authorization) overall information risk management program. services because of their special role in Security hygiene (anti-malware, With a siloed approach to information security, protecting the business. But especially now, configuration and patch management) it will be increasingly difficult to assess all of security must increase the focus on quality and the myriad risks facing enterprises and to efficiency of services. As business units examine Data protection (data loss prevention, manage these risks. In addition, if the core their costs, they will be expecting the right encryption, and rights management) team manages the use of service providers product at the right price for all internal Network security (perimeter protection, across the enterprise, they can achieve services. Otherwise, they will seek a better deal firewall, and IDS)economies of scale and reduce the costs of by doing it themselves or going directly to an security to the business units. external service provider. It is now a very Looking forward, security services in many realistic scenario that a business or division enterprises will be delivered by an internal head will be on the plane and read all about team in conjunction with a tightly-integrated some fantastic security service that he can get12 15. Quality service at the right priceInformation security must be able to articulatethe value of the services they offer to theircustomers. Help your business customersunderstand the level of quality you provide forthe price. Keep in mind that if the businessesare mandated to use centralized security astheir provider, some groups will inevitably finda way to subvert the security program becausethey think they can do it better. Instead,incentivize the business to use your services byoffering quality services for a competitive price.Provide centralized shared services thatRemember, security is a product. Just like some of our business partnersare compelling enough to the business from Products today have to be at the righthave really focused on business processinga cost point of view, from a service levelscost to be competitive. So cost is always outsourcing to try to reduce their costs andpoint of view, from a controls point of view,going to be important, because youre not improve the value proposition to theirand everything else, that it would be stupid going to have the comfort of big budgetscustomers, security needs to be able to dofor the business to do anything else now. All organizations will be addressing the same thing. While there have beenbecause its such a compelling case. Not how they can scale down. And the othersome attempts, I dont think that wevebecause they have to use it, but because itpart is how you deliver that program. Soeven scratched the surface yet as to whatmakes sense for them to use it. it has to be efficiently and effectivelywe should be looking at potentially. Council Memberexecuted.Companies should be able to plug into andDr. Claudia Natanson leverage repeatable cost effective solutionsChief Information Security Officer so that we dont have to continually re- Diageoinvent things.Craig Shumard Chief Information Security OfficerCigna Corporation13 16. 3. Proactively embrace new technologyon your terms Information security departments must acceptinformation first. Once it is anonymized, that it is not feasible to simply say no to new then it can be sent for processing in the cloud. and emerging web and communications Many enterprises are large enough to develop technologies; rather they have to figure out a their own private cloud, which uses the same way to enable their secure use. Develop a technology as public cloud services without roadmap and set realistic expectations for the sharing computing resources between multiple business. Understand the risks and devise a enterprises. Instead, they are dedicated to one plan to mitigate the risks. Also, keep an eye on enterprise and managed by that enterprise. emerging technologies that are being This approach provides the benefits of implemented for other reasons, but may consolidated, scalable and flexible computing actually help decrease security risks. power while alleviating many of the security Transition plansand privacy issues of having a third-party entity process enterprise data. Information security Work with the business to create a transition can work with IT and the business to ensure plan for the use of cloud computing. If you that the enterprises private cloud is secure. havent already started these plans, get started. It must be emphasized that security To support the use of cloud computing, you professionals need to get involved early andwont necessarily need an entirely new stay involved in the business decision making technology platform; it may be possible to use process. Its too late when you discover your your existing security infrastructure in new company has already moved into the cloud andways. For example, investigate using a then you come along and ask them to put onFederated Identity Management gateway to the brakes. Move from reactive to preventiveauthenticate to cloud services. Design it so that security. the cloud vendor only accepts authenticated traffic from the enterprise. For cloud vendors One possible route is to cherry pick what goes providing infrastructure services, work with to the external cloud first, i.e., the processing them to determine if it is possible to send audit of non-sensitive or non-regulated data. Some logs for your applications in the cloud to your companies that are using the external or enterprise security information and event public cloud to manage sensitive data have management (SIEM) infrastructure for analysis, taken the approach of de-identifying the so you control the audit logging for your applications in the cloud.14 17. Another technology that must be planned forSecurity benefits of emerging IT somewhere. Since data is stored on a file shareis social networking. Security cant just blockSecurity practitioners need to be better versedas opposed to on the desktop or laptop, youthe use of social networking sites anymore. Thein general technology issues, in order toneed not worry about encrypting data on thebenefits, including low-cost ways to recruit understand how developments in IT can delivermachine. If somebody steals it, theres no dataemployees, distribute marketing materials andsignificant security benefits. One such area ison it. From a recovery point of view, if theenable employee networking, are simply too virtual desktops, which are a growing trend in enterprise needs to evacuate the building (duegreat. Figure out how to allow the use of social most enterprises today.to a gas leak or other event), users dont needmedia at least for certain applications without to take their machines with them. If they haveputting the company at risk. You may alsoWith this technology, fundamentally theaccess to a PC, they can get to their virtualwant to investigate the use of tools designeddesktop is an image of a full desktop that desktop. When they log in remotely from aspecifically to allow enterprises to use actually sits in a virtual machine in a data non enterprise-owned PC, the remote machineconsumer sites securely or work with IT and thecenter somewhere. The concept is to stream can be checked to make sure it has the rightbusiness to bring in business-specific socialapplications to the desktop, rather than have acontrols on it.software.dedicated copy on it. Therefore, when the user logs in, theyre not logging into their ownFirst and foremost, youll have to attempt the desktop, theyre logging into something that isSecurity officers have to be out theredevelopment of an Acceptable Use Policyimmediately built for them on the fly. The(AUP). Put emphasis on user education and explaining to other executives and senior drivers to move to virtual desktops are mostlytraining; this is the key to securing informationcost, efficiency, and flexibility, but there are people in the company how theyre going towhen it comes to social networking. Help security bonuses as well.approach the move to the cloud, and theemployees understand the risks and therisks associated with moving faster thanrationale behind the policy; and institute a way First of all, you will no longer need to manage the gold build on everyones machine.theyre able. And if the business wants toto monitor the activity. Not that this is going tobe easy. Balancing social networkings benefitsInstead, you will make changes on the back-move faster, you better have an answerwith educating participants on what andend. The end result is that you can react a lotabout what resources youll need to get itwhere they should and should not post andmore quickly when changes are needed. It is adone faster, because if the business asks youwhat they can and cannot post is going to be lot tighter and easier to control because forWell, how we can get it done faster? andincredibly challenging particularly as peopleexample, you dont have 200,000 desktops; youyou say, I dont know, youre going to be amix their use of social networking sites for have 200,000 instances of one desktop. Instead of pushing patches to 200,000 physical former CISO.personal and business purposes. desktops that need to be rebooted, you send it Roland Cloutier to 200,000 VMs in a bank of servers Vice President, Chief Security OfficerTheres a lot of complacency in large EMC Corporationcompanies. You do it this way becauseyouve always done it this way. Well, how doyou sort of obsolete the technology youreusing now, before somebody else does?15 Council Member 18. 4. Shift from protecting the container torelationships) with multiple devices. The newwho can access it, the lifetime and appropriateprotecting the data model would let the contractor use their own protections, etc. In other words, the digital xml More and more, enterprise data is processeddevice and secure the data. This would require paper would contain the security requirements and stored in containers not controlled by the finding a way to partition the device andand applications would enforce those enterprise. For instance, the data may bedefine a trusted component. The simplest requirements. To demonstrate using a processed by service provider facilities or held approach today is to push out a virtualsimplified example, think of a situation where in a PDA used by an individual employee or inmachine. Its not the most secure and therea contractor is working for a company. While a laptop used by a contractor with multipleneeds to be advances in technology which he works for this company, he uses their digital enterprise clients. Therefore, security needs to provide better methods but its a good stop- xml paper, which is tagged with that companys shift the focus from protecting the container to gap for the moment.security requirements. Anything created with protecting the data.this digital xml paper is tagged as theRights management is another example of an companys and gets protected in accordance For example, in the old model, enterprises up-and-coming technology that focuses on with their rules. Once the project is over, all would give a contractor a corporate standard protecting the data versus the container. One the xml paper gets recalled back to the owner laptop in order to do his or her job, somethingsuch vision is digital XML paper. The and it expires. which is both expensive and which leaves the emergent model uses metadata to define the contractor (assuming s/he has multiple datas origin, attributes, level of trust,ownership, where it resides, where it can go,The security model is moving to Consumerization will force enterprises toprotecting the content not the container,allow people to bring in their own devices.because increasingly the container is notFrom the security point of view, you needowned by the enterprise. The data is being to be able to focus completely on the dataprocessed by another enterprise or held in elements and not care about the kind ofa device used by an individual for their own device or if its internal or external orpersonal use. whatever. Im not saying that all the solutions are here already today and that Dr. Paul Dorey Former Vice President, Digital Security and theyre easy to solve, but we have to focus Chief Information Security Officer, BP; and on the data. Director, CSO Confidential Andreas WuchnerHead IT Risk Management,Security & Compliance Novartis16 19. 5. Adopt advanced security monitoringThe behavior-based monitoring system is putProfessional accreditation of security techniquesbetween the application and the database. If professionalsUpdated approaches to monitoring for the application gets manipulated in an unusual Many in the information security field think itsabnormal and malicious events must moveway, the instructions to the database will looktime to mature as a profession and begin toaway from concepts such as signature-based abnormal.accredit security professionals in similar way toanti-virus and blacklisting and move towardsthe accreditation of engineers. For example, While blacklisting blocks access to knownmore accurate techniques such as behavior-when an engineer provides a piece of steel malicious sites or software, whitelisting allowsbased monitoring and whitelisting.that theyve worked on, the receiving engineer access to sites or software considered safe,knows that its come from an individual with aThe most common approach to malwareblocking all others. For examples, whitelistingrigorously defined level of capability. A similardetection is signature-based, which has majorcan be used to manage software installed on aapproach in the security industry would ensuredisadvantages. It identifies malware bycomputer. By whitelisting software, the securitya more accurate evaluation of skills.detecting malicious byte code patterns organization would only permit approvedmalware signatures. A program is scanned and software to install and run. If a software Currently many security professionals acquirecompared to a database of known malwareproduct is not explicitly on the list, it is not the Certified Information Systems Securitysignatures. If a program contains a pattern that allowed. Keep in mind that while whitelistingProfessional (CISSP) or other designation.exists within the database, it is deemed is a potentially promising way to protectProfessional accreditation would take this up amalicious. This approach cannot detect computers, it can create a very rigidlevel and involve two-tiers of assessments. First,unknown malware and is susceptible toenvironment where rules about what softwareevasion. Rather than looking for signatures, can be downloaded are too restrictive, creatingbehavior-based approaches typically monitora frustrating user experience. There is now a recognition thatthe stream of system calls that the program6. Collaborate to create industryinformation security has become tooissues to the operating system. Since behavior- standards important a subject to allow someone tobased monitoring looks at what a program There have been discussions for years aboutread a book and then carry out the work.does rather than at specific patterns in the the need for more standards in information This is especially a growing view in the UKcode, this approach is not susceptible to the security. However we have reached a criticalshortcomings of signature-based detection.and emerging throughout Europe. point where the lack of uniform standards isProfessional accreditation would ensureBehavior-based monitoring can also be appliedsimply not sustainable. Without standards, enterprises will not be able to truly evaluate that security knowledge and capabilityto databank monitoring, looking for abnormalpatterns of activity. For example, these tools security professionals, manage third party riskmeets an accepted standard and skills canare able to detect when SQL injection attacksnor reap the full benefits of new technologies be cross-recognized.are happening or when people are trying to such as cloud computing.Dr. Paul Dorey, Former Vice President, Digitaluse elevated privileges from unusual locations.Security and Chief Information Security Officer, BP; and Director, CSO Confidential 17 20. sufficient knowledge would be acquired and Standards for third-party assessments You have to have a 360 degree view of risk examined through for example, the CISSPIn an environment where the demand forover the extended enterprise and all the exam. The second tier would be gained aftercloud services and BPO is escalating, the level elements that are critical to your core in-job experience and consist of a competencyof effort required to assess service providers isbusinesss success. This is where things are assessment by peer review, similar to medicalalready reaching the breaking point. Adding or engineering professional qualifications. This headed. As companies start to cooperate onmore budget for additional assessments is actually tests through independent assessmentsimply not going to be sustainable. Ongoing these things, you may even see certification interview that a security professional has the assessments and on-site audits are laborefforts like youre seeing between some ability to apply theoretical security knowledgeintensive and costly for both enterprise security governments now, around Customs in practice. This model is already working indepartments and the service providers.programs, where if you have a certain the UK with the Institute of InformationInformation security professionals must workcertification, you get fast-laned. Security Professionals (www.instisp.org) accrediting professionals in both the public and across enterprises to create standards to enable David Kent private sectors. Stepping up as security leaders third-parties to conduct assessments. ButVice President, Security also recognizes that the successful professional traditional tools such as the SAS70 auditGenzyme is expected to perform as a business leader as process do not contain consistent measurement much as a specialist and much broader skills standards that can be widely adopted. will be required of the leaders of the future.However, this is changing and a variety ofenables a reduction of scope of the on-sitepotential approaches are promising. For audit. ISO 27001:2005 certification may also beexample, the BITS Shared Assessments Programpart of the answer. It would require enterpriseprovides third-party assessors with a set ofsecurity officers to accept certification to thestandardized best practices for evaluatingISO standard as proof of sound securityservice providers. It originated from the practices. Whatever method or methods arefinancial industry, but could be leveraged by agreed to, security practitioners need to defineother industries. The BITS program allows a a much more standard way of assessing theservice provider to present the third-party security of service providers.assessment of their systems to their clients inlieu of an on-site audit or more often, it18 21. Interoperability standardsCloud computing creates the need forinteroperability standards, since one enterprisewill want to be able to interact with manydifferent cloud vendors. As one of manyclients, one enterprise wont be able to insistthat the cloud vendor provide customizedsecurity controls. Rather, the enterprise willhave to ensure that the cloud vendor meetsthe standard for controls.Without standards, enterprises are faced withthe prospect of having to interact differentlywith each one of their cloud vendors based ona diverse set of proprietary standards. It createsa possible scenario in which the end-userwould need multiple trust-brokering agents ontheir devices to exchange information withmultiple cloud vendors. For example, anenterprise might need to load 100 agents onone machine to talk to 100 relevant serviceproviders in a trusted way. With multipleincompatible models, instead of one opencloud, there will be multiple closed clouds andthe industry will have lost the potentialbenefits offered by the cloud. It is in everyonesbest interest to create these standards anddoing so will require the cooperation of theclients as well as all of the cloud vendors.Security practitioners need to actively engagein the creation of these standards now beforeit is too late.19 22. 7. Share risk intelligence Enterprises will not be able to defend againstIn general though, information sharing is still We need to develop an intelligence international attackers and the fraudster inhibited by liability issues, privacy concerns,capability so we know whats coming, and ecosystem without cooperating with otherand competitive fears. Security officers are we can prevent things from happening in enterprises, law enforcement, and government. often advised by their general counsels to not There is now a premium on the value of threat share valuable information with other the first place. We need to be able to figure and risk intelligence. Working together isenterprises because doing so might cause theirout what these guys are going to do and essential for developing enhanced intelligenceenterprise to be subject to discovery in the case then try to stop it. It means moving to a capabilities so there is more information about of a lawsuit. Therefore, information sharingmore preventative security model and who the fraudsters/attackers are and what theyvehicles are less effective than they could be. being able to share information with each are planning. For example, working with This will need to change. other. industry experts and government bodies to get Finally, organizing an information sharing operatives to go undercover in fraudster chatDave Cullinane network requires resources, time, and money, rooms has been proven to be valuable in someChief Information Security Officer not to mention an ongoing commitment by and Vice President, eBay Marketplaces cases. some or all parties to maintain and update this In addition, enterprises need more robust central hub. In some cases, relying on stable systems for sharing information whereby theyand large third-party vendors for such work can periodically review incidents, describe enables enterprises to both support and gain exploited vulnerabilities, or name perpetrators from such infrastructure without having to so other enterprises can avoid hiring specificbother with the overhead typically associated people, protect resources and assets as needed, with such projects. and plan mitigation while simultaneously learning from one anothers experiences. Various governments and industry associations have worked to create and sponsor information exchanges. For example, the Information Sharing and Analysis Centers have been set up to establish and maintain a framework for interaction on cyber and physical security issues between and among private and public sector organizations in North America.20 23. VI. Conclusion Working towards a new information security Security is no longer optional because the paradigm will enable the hyper-extendedoperating models companies are working enterprise to operate securely and successfullytowards actually need security to sustain in the current environment. If we achieve thisthem. Whereas in the past, in some cases, goal, the enterprise will reap the rewards of globalization and technology even in the facethere was a level of optionality. If youre of unprecedented risk and severe economicrunning something in a locked data center conditions. A strategic approach to informationthats not got any wires out of it you can security will better equip organizations to dealarguably say you dont need any IT security with the constant evolution of technology andand you can do it all with a key. But the escalating pace of change. In addition, increased collaboration between enterprisesmore you decentralize and the more you will help build a stronger global business open up into public environments, the community. more its the security that gives you thelevel of certainty and integrity that youneed in order to operate.Dr. Paul DoreyFormer Vice President, Digital Security andChief Information Security Officer, BP; andDirector, CSO Confidential 21 24. Appendix. Security for Business Innovation Council Members BiographiesAnish Bhimani, CISSP, Managing Director, Bill BoniRoland CloutierDave Cullinane, CPP, CISSPRisk and Security Management,Corporate Vice President,Vice President,Chief Information Security OfficerGlobal Technology Infrastructure Information Security and Protection, Chief Security Officer,and Vice President,JP Morgan ChaseMotorola EMC CorporationeBay MarketplacesAnish has global responsibility forBill has spent his professional career Roland has functional andDave has more than 20 years ofensuring the security and resiliency as an information protection operational responsibility for EMCs security experience. Prior to joiningof JP Morgan Chases IT infra- specialist and has assisted majorinformation, risk, crisis management eBay, Dave was the CISO forstructure. He supports the Corporate organizations in both the public and and investigative security operationsWashington Mutual, and heldRisk Management program andprivate sectors. Bill has helped a worldwide. Previously, he held leadership positions in security atparticipates in the firm-widevariety of organizations design andexecutive positions with several nCipher, Sun Life and Digitaltechnology governance board. Anish implement cost-effective programsconsulting and managed securityEquipment Corporation. Dave iswas selected Information Securityto protect both tangible and services firms, specializing in critical involved with many industryExecutive of the Year for 2008 by theintangible assets. He has pioneeredinfrastructure protection. He is associations including as currentExecutive Alliance and named tothe innovative application ofexperienced in law enforcement,Past International President of ISSA.Bank Technology News Top emerging technologies includinghaving served in the Gulf War andHe has numerous awards includingInnovators of 2008 list. Previously,computer forensics and intrusion working with the DoD. Roland is aSC Magazines Global Award as CSOAnish was a senior member of the detection to deal with incidents member of the High Tech Crimeof the Year for 2005 and CSOEnterprise Resilience practice in Booz directed against electronic business Investigations Association, the StateMagazines 2006 Compass Award asAllen Hamilton and SVP and CTO ofsystems. Department Partnership for Criticala Visionary Leader of the SecurityGlobal Integrity Corporation (an SAIC Infrastructure Security, and the FBIs Profession.Company) and Predictive Systems.Infraguard Program.Anish has written and spoken widelyon information security. He is the co-author of Internet Security forBusiness, is a U.S. patent holder, anda graduate of Brown and Carnegie-Mellon Universities. 22 25. Dr. Paul Dorey Renee Guttmann David KentDr. Claudia NatansonFormer Vice President Digital Security and Vice President, Information Security and Vice President, Security, Chief Information Security Officer,Chief Information Security Officer, BP;Privacy Officer, Genzyme Diageoand Director, CSO Confidential Time Warner Inc.Paul has responsibility for IT Renee is responsible for establishingDavid is responsible for the design Claudia sets the strategy, policy, andSecurity and Information and an information risk-management and management of Genzymes processes for information securityRecords Management Standards & program that advances Time business-aligned global securityacross Diageos global and divergentServices globally across BP, including Warners business strategies for dataprogram. His unified team providesmarkets. Previously, she was Head ofthe digital security of processprotection. She has been anPhysical, Information, IT, andSecure Business Service at Britishcontrol systems. He has 20 years information security practitionerProduct Security along with BusinessTelecom, where she founded themanagement experience in since 1996. Previously, she led theContinuity and Crisis Management. UKs first commercial globallyinformation security and established Information Security Team at TimeHe specializes in developing andaccredited Computer Emergencyone of the first dedicated Inc., was a security analyst for managing security programs forResponse Team. She has served asoperational risk managementGartner, and worked in information innovative and controversialBoard and Steering Committeefunctions in Europe. Prior to BP, he security at Capital One and Glaxoproducts, services and businesses.member of the world Forum ofset up strategy, security and risk Wellcome. Renee received the 2008Previously, he was with Bolt BeranekIncident Response and Securitymanagement functions at Morgan Compass Award from CSO Magazineand Newman Inc. David has 25 yearsTeams and is currently Chair of itsGrenfell and Barclays Bank. Paul has and in 2007 was named a Woman of experience aligning security withCorporate Executive Programme.consulted to numerousof Influence by the Executive business goals. He consults, develops She is active in a number ofgovernments, was a founder of theWomens Forum. and coordinates security plans forEuropean Initiatives involving areasJericho Forum, is the Chairman of international biotechnology trade such as privacy, e-government andthe Institute of Information Security meetings and serves as a pro-bono network and system security for theProfessionals and currently sits on security consultant to start-up and ambient population. Claudia holdsthe Permanent Stakeholders Groupsmall biotech companies. Davidan MSc. in Computer Science and aof the European Network received CSO Magazines 2006Ph.D. in Computers and Education.Information Security Agency.Compass Award for visionaryleadership in the Security Field. Heholds a Masters degree inManagement and a Bachelor ofScience in Criminal Justice.23 26. Craig Shumard Andreas Wuchner, CISO, CISA, CISSP Chief Information Security Officer, Head IT Risk Management, Cigna Corporation Security & Compliance, Novartis Craig is responsible for corporate- Andreas leads IT Risk Management, wide information protection atSecurity & Compliance right across CIGNA. He received the 2005 this global corporation. He and his Information Security Executive of team control the strategic planning the Year Tri-State Award and underand effective IT risk management of his leadership, CIGNA was rankedNovartis worldwide IT environment. first in IT Security in the 2006Andreas has more than 13 years of Information Week 500. A experience managing all aspects of recognized thought leader, he has information technology, with been featured in The Wall Streetextensive expertise in dynamic, Journal and InformationWeek.demanding, large-scale Previously, Craig held many environments. He participates on positions at CIGNA includingGartners Best Practice Security Assistant VP of International Council and represents Novartis on Systems and Year 2000 Audit strategic executive advisory boards Director. He is a graduate of of numerous security organizations Bethany College.including Cisco and Qualys. Andreas was listed in the Premier 100 IT Leaders 2007 by ComputerWorld Magazine.24 27. References1"Clouds and Beyond: Positioning for the Next 20 Years in Enterprise IT", Doc # DR 2009_GS5_FG, IDC, February 20092Clouds and Beyond: Positioning for the Next 20 Years in Enterprise IT, Doc # DR 2009_GS5_FG, IDC, February 20093Is virtualization adoption recession proof? Network World, February 5, 20094Breaking: Facebook Surpassed 175 Million Users, Growing By 480,000 Users a Day, All Facebook, February 13th, 20095Technology Predictions: TMT Trends 2009, Deloitte, January 20096Gartner Says Enterprise Mobile Phones Will Replace Desktop Phones in North America by 2011, Gartner Press Release, February 4, 20097Trust Digital Solidifies Position as Enterprise Mobility Management Leader in 2008, BNET, February 10, 20098Skype Growing by 380,000 Users a Day PC World, February 10. 20099Outsourcing Predictions for 2009, ZDNet, December 31, 200810 "Recession set to boost outsourcing", InfoWorld, October 29, 200811 Down economy fuels IT outsourcing Network World, February 13, 200912 Exploring Global Frontiers: The New Emerging Destinations, KPMG, February 200913 Sophos 2009 Threat report14 Security Now Blog, Blue Ridge Network, August 22, 200815 Security Now Blog, Blue Ridge Network, August 22, 200816 Forrester Glossary http://www.forrester.com/ER/Glossary17 Security Survey Reveals Exiting Employees Have The Power: IT Savvy Employees Likely to Steal Company Data Before They Leave CyberArk press release, August 200818 Data Breach Used in Attempted Extortion, IT Business edge, November 7, 2008 25 28. RSA Security Inc.RSA Security Ireland Limitedwww.rsa.com2009 RSA Security Inc. All Rights Reserved.RSA, RSA Security and the RSA logo are either registered trademarks or trademarks of RSA SecurityInc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation.All other products and services mentioned are trademarks of their respective companies.CISO RPT 0609