1. The Rise of User-driven IT: Re-calibrating Information Security for Choice Computing Recommendations from Global 1000 ExecutivesReport based on discussions with the Security for Business Innovation Council 1. Anish Bhimani, Chief Information Risk Officer, JP Morgan Chase2. Bill Boni, Corporate Information Security Officer (CISO), VP Enterprise Information Security, T-Mobile USA3. Roland Cloutier, Vice President, Chief Security Officer, Automatic Data Processing, Inc4. Dave Cullinane, Chief Information Security Officer and Vice President, eBay5. Professor Paul Dorey, Founder and Director, CSO Confidential and Former Chief Information Security Officer, BP6. Renee Guttmann, Vice President, Information Security and Privacy Officer, Time Warner Inc.7. David Kent, Vice President, Global Risk and Business Resources, Genzyme8. Dave Martin, Chief Security Officer, EMC Corporation9. Dr. Claudia Natanson, Chief Information Security Officer, Diageo 10. Vishal Salvi, Chief Information Security Officer and Senior Vice President, HDFC Bank Limited 11. Craig Shumard, Chief Information Security Officer, CIGNA Corporation 12. Denise Wood, Chief Information Security Officer and Corporate Vice President, FedEx CorporationAn industry initiative sponsored by RSA, the Security Division of EMC

2. The Security for Business Innovation InitiativeBusiness innovation has reached the top of the agenda at most Business Innovation Definedenterprises, as the C-suite strives to harness the power ofglobalization and technology to create new value and efficiencies.Enterprise strategies to enter new markets; launch new productsor services; create new business models; establish new channelsYet there is still a missing link. Though business innovation isor partnerships; or achieve operational transformation.powered by information; protecting information is typically notconsidered strategic; even as enterprises face mounting regulatorypressures and escalating threats. In fact, information security isoften an afterthought, tacked on at the end of a project or even worse not addressed at all. But without the right securitystrategy, business innovation could easily be stifled or put theorganization at great risk. At RSA, The Security Division of EMC, we believe that if security Table of Contentsteams are true partners in the business innovation process, they canIntroduction1help their organizations achieve unprecedented results. The time isripe for a new approach; security must graduate from a technicalUser Demands3specialty to a business strategy. While most security teams haveThe Timeline5recognized the need to better align security with business, manyThe Roadmap 9still struggle to translate this understanding into concrete plans ofaction. They know where they need to go, but are unsure how to 1. Shift Minds to the Times9get there. This is why RSA is working with some of the top security2. Reframe Users as Assets11leaders in the world to drive an industry conversation to identify a 3. Support Calculated Risk-Taking 13way forward. 4. Get in Front of Technology Trends16RSA has convened a group of highly successful security executives 5. Own the Future 18from Global 1000 enterprises in a variety of industries which we callthe Security for Business Innovation Council. We are conducting6. Collaborate with Vendors 20 a series of in-depth interviews with the Council, publishing theirConclusion 21ideas in a series of reports and sponsoring independent researchAppendix: Security for Business Innovation Council Biographies 22that explores this topic. RSA invites you to join the conversation.Go to www.rsa.com/securityforinnovation/ to view the reports oraccess the research. Provide comments on the reports andcontribute your own ideas. Together we can accelerate thiscritical industry transformation. 3. Security for Business InnovationReport Series The Time is Now: MakingInformation Security Strategic toBusiness InnovationRecommendations from Global 1000Executives Mastering the Risk/Reward Equation:Optimizing Information Risks WhileMaximizing Business InnovationRewards Introduction Recommendations from Global 1000ExecutivesAn unstoppable force is knocking at the doorsSome call it consumerization. While its trueof enterprise Information Technology (IT)the rapid adoption of consumer technologies Driving Fast and Forward: Managingdepartments worldwide. Users are demanding everything from smartphones to social media Information Security for Strategica voice; and attempting to wrest away control. is powering this transformation; its more thanAdvantage in a Tough EconomyThe traditional model whereby IT dictates all of that. Something else is going on. Its not justRecommendations from Global 1000the technology used in the enterprise is quickly the IT department determining how consumer Executivescrumbling. technologies will be used in the enterprise. TheCharting the Path: Enabling the users are taking the reins.With years, even decades, of PC and InternetHyper-Extended Enterprise in theexperience now under their belts, most users User-driven IT has the potential to deliver huge Face of Unprecedented Risktoday are no longer satisfied being passivebenefits to users and their organizations. The Recommendations from Global 1000recipients of technology. Computing is now enterprises which figure out how to unleashExecutivescentral to their lives; not just something theythe power of user know-how and consumerBridging the CISO-CEO Dividedo at the office. They want to choose thetechnologies while managing the risks will winRecommendations from Global 1000technologies that will make them mostthis high stakes game. Information securityExecutivesproductive and bring them into the enterprise. teams could be the most valuable players.www.rsa.com/securityforinnovation1 4. Over the past few years, information security This sixth report in the Security for Business has been shifting from a technical specialty to Innovation series looks at how user-driven IT a business imperative. The challenges posed byis forcing information security professionals to user-driven IT are, like never before, testingrecalibrate their approach to align with a the new skills that information security teamsrapidly changing environment. The guidance in have been building. Making the transition tothis report was derived from conversations user-driven IT requires the ability to expertly with a group of top information security manage risks to enable business innovation leaders from the Global 1000 the Security all at accelerated speeds. Being out in front offor Business Innovation Council. The report these trends is critical for information security lays out a roadmap for protecting information professionals; it could mean the difference in a way that provides more choice for users between being strategic or irrelevant.while delivering business value for the enterprise. Theres a head-on collision coming The pressure was building even pre- IT security teams will never be able to stop between our personal and professional iPhone. If users didnt have a corporate the pace technology is on a roll. Every one lives, and it is consumer technology that portable computing device, they startedof the conversations weve had about is going to cause it. Information securitybuying their own and wanting to connectsecurity not being a business barrier but needs to be the advocate for a more it to the enterprise. Now its exploding rather an enabler if anyone still thought engineered journey into this integrated because there are so many differentthey were theoretical have to move from place that were going to, where ourplatforms, the prices are coming downtheory right into practice now. personal and professional lives converge.and their friends have shown them howDr. Claudia Natanson Denise Wood great it is to have one.Chief Information Security Officer Chief Information Security Officer and CorporateDiageoDave MartinVice President Chief Security Officer FedEx Corporation EMC Corporation 2 5. User Demands Todays users know what works for them. InFor example, they pay their bills while they aresome cases, they are way ahead of the ITtraveling in the back of a cab thousands ofdepartment; especially in understanding how miles from home. They check inventories andto leverage consumer technologies for their make arrangements for a car purchase throughparticular jobs. Admittedly, some of theirthe salespersons mobile device while standingfascination with the latest technology is the on the car lot. With one click on theircoolness factor. But enterprises that dismiss smartphone, they order a taxi, which meetsusers demands as frivolous do so at their peril. them at the curb seconds later.There are real business benefits to be had.So its no wonder they are asking questionsUltimately, users want to use the samelike, Why cant I use my own netbook insteadpowerful productivity tools that help themof the antiquated PC Ive got on my desk?,lead their personal lives to conduct business.Why cant I carry a thin tablet rather thanTo date enterprises have not exactly been schlep a fat laptop across the country?, Whyignoring consumer technologies. Over thecant I find new customers as fast as I find newyears, enterprises have enabled the use ofrestaurants with the latest smartphone app?,mobile phones and e-mail devices (albeitand Why cant I go to my favorite micromostly company-issued) and have used social blogging site to get the latest buzz on ournetworking for narrow applications such as HR industry? To top it all off, since computingrecruiting, PR campaigns and internal devices and applications have become ascollaboration among employees. But usersindividual as the clothes people wear and thewant more more choice in computingcars they drive users are also asking, Whyplatforms, increased use of smarter mobiledoes IT have to tell users how to interact anddevices and better access to social networkingcommunicate?sites.The demands arent just coming from theThe draw of the mobile social web fresh-out-of-college new recruits or themarketing department; senior executives fromProbably the biggest factor in ramping up userevery corporate department are beginning todemands has been the recent extraordinarymake requests. For example, the CEO wants togrowth of the mobile social web. Enterprisemove his whole C-level team from laptops toemployees come across examples from thetablets so they can easily carry the deviceconsumer world every day that make them ask,around with them to make timely decisions.Why cant we use this technology for work? 3 6. The sales force wants to access their customeremployees use their personal smartphones toprovide real-time market data for faster relationship management (CRM) application text and tweet their way to some possibledecisions; and even generate revenue. while they are on the road from their answers before the meeting is over.Of course the potential risks including legal smartphones. Executives want smartphone The potential payoff of user-driven IT is huge.issues, data leaks, privacy breaches, malware access to approve travel expenses and purchase Choice computing would enable users to explosions are also substantial. But smart orders. choose the computing platforms and information security teams will not stand in the Even old school bosses who used to thinkapplications best-suited to them; therebyway of progress; instead they will listen to user social media was just a time-suck are startingfueling productivity. If users supply their owndemands to figure out a strategy that balances to come around. They are witnessing their corporate/personal machines, the cost savingsthe risks and rewards. And theyll act fast. tech-savvy employees in action. Scenarios likecould be significant. Increased use of mobileBecause the longer it takes, the more likely it is this one are playing out: Executives sit around devices like smartphones, tablets, or netbooks that users will simply go around information the boardroom table coordinating a market could create tremendous efficiencies. Increasedsecurity and do what they want anyway, research study to determine what features toaccess to applications from the latest micro violating the security policy and exposing add to their new product; meanwhile blogging site to the latest smartphone app organizations to risk. has the potential to cut time-to-market; These personal productivity andSmartphones are here to stay and they Youve got to treat users as grownups. collaboration tools are just so easy to use are proliferating. When employees areThe nanny state of IT cant continue and so powerful that everybodys got to given the choice to upgrade theirwhere the attitude is, IT end-users cannot have one. Were trying to understand: corporate handset by making an additionalbe trusted, we will therefore make the what happens when you want to leverageinvestment, most of them upgrade to adecisions for them. You cannot expect these powerful, consumer platforms forsmartphone. to manage end-users that way anymore. unbridled collaboration at work?Control is largely gone, you may not like it, Vishal Salvi Denise WoodChief Information Security Officer andbut youre stuck with it. So make sure thatChief Information Security Officer and Senior Vice Presidentusers understand their responsibilities and Corporate Vice PresidentHDFC Bank Limitedenable them to be grownups. FedEx CorporationProfessor Paul Dorey Founder and Director, CSO Confidential and Former Chief Information Security OfficerBP 4 7. The TimelineThe exact trajectory for user-driven IT is respondents (IT professionals) said that at leastanybodys guess. But the general consensus of60 percent of employees at their companiesCouncil members is that the use of consumerwill be smartphone-equipped in the nexttechnologies in the enterprise will ramp quickly 24 months. And the bulk of these newly-as demand swells and the business case gains connected devices perhaps as much ascredence. Also, the availability of new80 percent will be employee owned.1virtualization technologies now makes the Choice computing is becoming more popularroll-out of consumer devices and applications as enterprises are motivated by the potentialmore feasible. Therefore, information security for decreased costs. Studies show that well-teams need to start planning now. managed employee-owned notebook programsTo keep up with rising user demand, thecan deliver significant savings. According toongoing risk assessment and management Gartner, Compared with less-managedprocess must be designed to operate at top deployment scenarios, a managed virtualspeeds. The world of consumer technology machine on an employee-owned notebookoperates at a much different pace than offers total cost of ownership (TCO) savings oftraditional enterprise technology. Product between 9 percent and 40 percent whenlifecycles are extremely fast. And as consumers, compared with company provided notebooks.2users are accustomed to instant gratification. In certain geographies such as India, there mayUsers will continue to make new requests be less incentive to move to employee-ownedas new mobile devices and social media devices. This is because enterprises often rentapplications are constantly introduced.PCs from a service provider, which configuresEnterprises will also want to take businessand maintains the machines. Under this model,advantage of the new technologies as quickly computers are already an operational ratheras possible. than capital expenditure. But elsewhere, many organizations are recognizing the benefitsThe invasion of consumer devices of moving to employee-owned devices. ForRecent research provides some indication ofexample, Kraft Foods, the second largest foodjust how fast consumer technologies maycompany in the world, recently announced ainvade the enterprise. For example, thebring your own computer (BYOC) programadoption rate for new mobile devices could for employees with the intention of decreasingbe dramatic. In a recent survey, half of all costs and increasing flexibility.3 5 8. Increased revenue could also drive adoptionStudies suggest that new Internet-enabled The inevitable shift towards social media of consumer technologies in the enterprise.mobile devices may rival the PC as the chiefMost information security leaders accept that For example, innovative new enterprise computing platform in the enterprise. A surveybroader use of social media in the enterprise is applications either off-the-shelf or custom- of mobile employees found that 63 percent a matter of when not if. However at the designed could become powerful sales tools.prefer a smartphone over a laptop as theirmoment, many enterprises still do not provide Manufacturers might increase retail coverage primary mobile device.5 Smartphones are set tousers with completely unfettered access to by arming their sales teams with new mobileoutpace sales of desktop computers by 2012; social media. A common concern, which has apps; or services firms could increase the value with sales of smartphones predicted to more nothing to do with security but is a human of customer engagements with powerfulthan triple to over 491 million units.6 And resource management issue, is that workers smartphone apps for their consultants. according to analyst firm IDC, the numberwill spend too much time on social sites and The incentive for investing in enterpriseof mobile devices accessing the Internet will productivity will suffer. Many companies are applications will increase as there are more surpass the one billion mark over the next four opting for selective access based on perceived consumer success stories like the new eBay years.7 This doesnt mean the death of the business benefits. app for the iPhone device which went live inPC is looming, but for some users, its days August 2009 and rapidly generated more thanare numbered. But the reality is that the sheer volume of $600M in 2009 revenue in just 4 months.4 people on social networking sites makes thema powerful communication channel that may6 9. be hard for enterprises to resist. After triple over 800,000 fans of the brand. American enabling more choice and access to mobile and digit growth throughout 2009, FacebookExpress OPENs Open Forum has increasedsocial computing. Enterprises that dont include is poised to hit the 500 million subscriber unique visitors by 525 percent in a year toit in their IT strategy may begin to see milestone in June, 2010.8 Twitter is at 105 nearly 1 million.14shadow IT; as users will buy consumer million9 and LinkedIn at 65 million subscribersdevices, applications and/or services on their Beyond marketing applications, analysts predict globally. Besides having vast numbers of 10own and start using them for enterprise that well start to see social media used as a subscribers, social media sites now controlbusiness. A better approach is to plan for it general communications tool. For example, more online traffic. A recent study by now so as these trends gain momentum, Gartner estimates that, By 2014, social Network Box looked at 13 billion URLs used information security teams are ready to networking services will replace e-mail as the by businesses and discovered that in the first manage the risks. primary vehicle for interpersonal quarter of 2010, 6.8 percent of all business communications for 20 percent of business Internet traffic goes to Facebook.11 This means users.15 As Gen-Y young adults make up more that employees are visiting Facebook from the of the workforce, they will not accept the workplace more than any other internet site, limitations of email and will expect their including Google. This is happening in a world business communications to have the same where many enterprises still block or at least functionality as social media. Workforce restrict access to social networking sites. And aThe demand keeps building and demographics have the potential to bring a study in late 2009 found that 57 percent of U.S. building. Meanwhile information tidal wave of change. employees who do have access to social mediasecurity is doing research trying are using it for business purposes.12 Consider that after Gen-Y, the first wave of to figure out the requirements. Millenials (born around 2000) will enter the Most enterprises plan to increase their use of You have to able to keep up. You workforce. Millenials have only ever known social media in 201013: 72 percent of companieshave to know whats coming next social media and smartphones. Its how they plan to invest more in recruiting through social interact with each other and the world.year so you can figure out what to networks; and 79 percent of the largest fortune 500 firms plan to use Twitter, put in place now. So are enterprises starting to plan for the Facebook, YouTube or corporate blogs to inevitable onslaught of consumer communicate more with customers and otherDave Cullinane technologies? It is still early in the game, but Chief Information Security Officer and stakeholders. Social media is quickly becomingsome Council members estimate that currentlyVice President, eBay the dominant channel for branding campaigns.about 2530 percent of enterprises have For example, through its Keep It Coolattaalready started integrating specific plans for Sweepstakes, Dunkin Donuts has attracteduser-driven IT into their IT strategy, including7 10. If new consumer devices are rolled out as company-provided equipment, it requires additional investment, so growth could be slow. But for companies that can perfect allowing people to use their own consumer devices securely, the adoption rate will be faster. Dave Martin "I think in the past 12 months, the Chief Security Officer recession has limited a lot of EMC Corporationinvestment spending on new technologyso enterprise use of consumertechnology is lagging, and as anindustry we're still at the innovator or Adoption of social networking is goingearly adopter stages when it comes to to be completely driven based on thesecurity. But a tidal wave of change is business case and how does it add valueabout to erupt over a three-year to the business? So far none of thetimeframe, when enterprises in every business guys have come to me saying, Iindustry are going to see significant need access because it will increase myimpact. And over the next three years, revenue. But the day that startswe're going to find a lot of land mines." happening, as soon as there is a need, we will have to have a solution. Its not Bill BoniCorporate Information Security Officer (CISO), something the CISOs or any security VP Enterprise Information Security teams are going to control. It will beT-Mobile USA business driven. CISOs and security teams need to be agile to these changing business dynamics.Vishal SalviChief Information Security Officer and Senior Vice President HDFC Bank Limited 8 11. The RoadmapEven if users are clamoring for more,types of cars; but explaining what roads areIT and security dictate everything to users is enterprises are not just going to open the safe to drive on, providing safety requirements now changing. Increasingly users will actually gates and let everything in. The adoption of for their vehicles, educating them on safetybe making decisions about how technology is consumer technologies in a particularprocedures, and putting up guardrails so they used in the enterprise. enterprise will be affected by many factors, dont go over a cliff. The following six stepsDe-perimeterization has been discussed in such as the companys culture, user population,provide a roadmap for information securitysecurity circles for years. User-driven IT further industry, geography, business climate, existingteams that will position them to give userserodes the notion of protecting the perimeter infrastructure, threat landscape, regulatory more choice in computing partnering withand demands laser-like focus on data and environment and ultimately the companys key players across the organization toapplications. Also recognize that certain basic appetite for risk. proactively weigh the business benefits againstassumptions about information security nothe risks and determine the right The key is not to be in denial. User-driven IT islonger apply. For example, the concept ofimplementation strategy. real start figuring it out now. Dont let thecontrolling the end-point and not allowing users control the plan by going around security1. Shift Minds to the Times personal assets to connect to corporate systems to bring in restricted devices and accesshas been a standard pillar of the securityEnabling user-driven IT requires a shift in unauthorized applications. As users take the model for years. But in the age of user-driveninformation security thinking. This shift has drivers seat, information security must IT, these assumptions are no longer valid.actually been in the works for several years. navigate allowing users to choose their ownIdeas like aligning to the business, taking arisk-based approach and moving to a data-centric model are nothing new. Now they arejust more urgent. The rapid adoption of Information security has to be completelyIt is very difficult for organizations toconsumer technologies, compounded withplugged into the organizations businesscarte blanche just say, Okay, were justother mega trends like cloud computing, isand direction. You have to understand thegoing to give everybody access and open upforcing information security teams onto anpain, gaps and challenges; so whenever aour boundaries to allow the use of anyeven steeper learning curve.new technology arises, youll have thedevice. Because the enterprise still has theFirst and foremost, information securityability to balance the control instinctresponsibility for the protection of its data.professionals (and their counterparts in IT) willwith an informed understanding of theSo even with the best intentions we have to have to get comfortable with relinquishingbenefit and needs.guardedly introduce things so that werecontrol. Your role becomes less about controlmanaging the risk as we roll it out. and more about oversight. Understand what Bill Bonithe business is trying to do and then help Corporate Information Security Officer, Dr. Claudia Natanson manage the risks. The traditional model where VP Enterprise Information Security Chief Information Security OfficerT-Mobile USADiageo 9 12. Shift your thinking from To This shift in thinking also calls for are-evaluation of what is important to protect; Security specialist Business risk consultantyou simply wont be able to protect everything.Work with the business to identify the Control Oversightorganizations true information crown Paternalistic relationship with users Partnership with usersjewels. For example there may be a level ofprotection applied to certain types of data that Perimeter defense Data and applications protectionis simply not necessary, such as day-to-daye-mail and general office content (depending End-point could be anything: smartphone, End-point is a PC or laptopon legal and regulatory obligations). Based on tablet, netbook, kiosk, home PC an understanding of the business processes, End-point is owned and controlled byEnd-point is not necessarily owned andinformation security should also be questioning the enterprisecontrolled by the enterprisewhy certain data is even being collected orretained in the first place. If it doesnt need Users dont know anything about Users know a lot about consumer technologiescollecting or storing, it wont need protecting. technologyand how to use them to be more productiveProtect everythingFocus on a more selective set of crown jewels For us as security people working in thisI think its a situation where weve got to new world, its about, how do we relinquish sit back and take another look at, what are control? Security and control historicallyreally the crown jewels. What are really the have been linked together. If I know wherethings that youre trying to protect and my perimeter is where my data is, the why are you trying to protect them? physical location of things, I feel confident.Craig Shumard As a security person, it feels like youre Chief Information Security Officer flying blind, but one of the things that you CIGNA have to get used to is losing control of your perimeters. Dr. Claudia NatansonChief Information Security Officer 10Diageo 13. 2. Reframe Users as Assets sales person is able to find 60 customers a day well. Other user groups such as call center The average person has become a sophisticatedon Facebook, it wouldnt make sense for the workers have little need for smartphones; their technology user; easily configuring devices, security team to shut down that access. Instead needs could continue to be met with a synchronizing data, downloading apps,they should do everything in their power to standard desktop. Employees in sales and spinning up websites and navigating social enable it. If employees are willing to make marketing may legitimately need access to space. Although some users apply their skills in themselves available 24/7 to help drive the social media to communicate with customers ways they shouldnt, like circumventing security business forward, dont make it tougher for whereas those in the accounting department controls (and a few may even be malicious),them by asking them to carry two devices. dont have the same pressing business need. most are looking to work faster or serve Make it easier by supplying one device forUser needs will undoubtedly change over time customers better. Information security personal and business use.as ways of working and communicating evolve. professionals who embrace user-driven IT willTailor your approach to the various userIn the past, user education was a one-way see user know-how as a potential asset andgroups; each will have different needs. For street. Now it needs to be re-invented as a figure out how to leverage it for the enterpriseexample, knowledge workers may increasingly two-way conversation. You know about and security team.want to use smartphones as their primaryinformation security and users know about Listen carefully to what users want to do andcomputing device so they can take advantage consumer technologies and how to use them to determine which requests could translate intoof all the mobile applications. But since manyfuel productivity. Think of your user population real business value; then focus on enablingof their jobs require traditional documentas a powerful tech-savvy army that can educate them to realize that value. For example, if acreation, theyll probably opt for a laptop asyou about the latest gadgets and applications. As technology matures, well have to ration One of the problems with training andIts like needing both a belt and out more access and platforms; while tryingawareness today is that often there isnt suspenders. Users need training they to keep everyone happy. So you might haveenough customization to reach specificneed to be given the chance to do the right a happy user who has access to everythinggroups. All too often training is packagedthing; and told what the right thing is. But and the performance they want, but we also as a one-size-fits-all, but its got to bethen occasionally people forget or make a need to make IT happy by maintaining packaged to target a specific constituencymistake, or theres someone who tries to reasonable cost of ownership and group in the way that they learn andcircumvent things, so thats why you need supportability and keep security happy byoperate. If its done in a fashion that makes other controls to catch that when it managing the risk during this wholesense to them and is meaningful to them, it happens. process.will have a much greater impact. David KentCraig Shumard Vice President, Global RiskDave Martin Chief Information Security Officerand Business Resources Chief Security OfficerCIGNA Genzyme EMC Corporation11 14. Rethinking users asinformation security partners Leverage users knowledge Open up two-way education Manage their expectations Make a deal with them: more choice for increased responsibility Overhaul training so its relevant to themConsider setting up a process where users keep not a winning strategy. Its better to start withyour team informed of new developments inless and allow a little bit more at a time.consumer technologies. Set up an internalMany Council members believe that enabling Make the tradeoffs clear: more choice means user-driven IT requires an overhaul of usersocial networking platform to enable users to more responsibilities. For example, users willtraining. Go beyond teaching securityhave collaborative discussions on new need to have a thorough understanding of theprocedures and rules. The education processproductivity tools and the corresponding enterprises information protection and should provide a fundamental understandingbusiness benefits and security issues. acceptable use policies, and be accountable for of what information needs to be protected,Recognize that its not an all or nothingupholding these policies. Also, the ability tohow it needs to be protected and whyproposition. Users may want everything now,use a particular device may be accompanied by protecting information is not only important tobut it can be a phased approach. The trickiest specific requirements for that devices the company but also to users themselves. Topart will be to manage their expectations. Dooperating system, browser, apps and securitybe successful, user training should bethis consciously and be transparent. features. Clear policies need to be established customized to each user group, andCommunicate why certain technologies are regarding who users should call if their devicesreinforcement is essential. Although userallowed and when others might be adopted.break; users may have to take ontraining is crucial, all Council members stressedYou wont be able to say no but perhapsresponsibilities for arranging support services.that you cant just rely on user training; it hasnot yet and heres why. Be aware that just Users must be ready and willing to understand to be balanced with other controls such as dataopening up the flood gates and counting on the terms and conditions of enjoying more leak prevention to ensure users dontyour ability to close them later if you need to is choice in computing.unintentionally make mistakes or insiders arent able to do something malicious.12 15. 3. Support Calculated Risk-Takingstrategy for user-driven IT has to meet these As defined in a previous report, information various legal and compliance requirements risk management is identifying and measuringwhile simultaneously loosening up control. ThisA big security fear with choice com- the risks to information, and ensuring that theis a tall order. And at this stage, there are stillputing is: what if data gets on a device, security controls implemented keep those risks many questions.the device gets stolen and the datas at an acceptable level to protect and enableIssues of ownership and representationnow in the open? But virtualization of the business.16 Therefore, to help keep the risks of user-driven IT to an acceptable level,Allowing employees or contractors to use theirthe user environment makes a lot of you have to know the risks and yourown personal mobile devices for work createsthe concerns a moot point. Through organizations risk appetite. Opening up accesssome challenging issues around rights ofvirtualization, users can do their work to computing platforms and social applications ownership. Some legal questions will be: Whoowns the company data when its on a personal but not actually be touching the data. introduces a whole new set of risks that are compounded by escalating compliance anddevice? What are the legal responsibilities of Roland Cloutier legal obligations and an evolving threat the corporation and the user for maintaining Vice President, Chief Security Officer landscape. the device? In the case of a breach, for theAutomatic Data Processing, Inc.purposes of an investigation, would the user be Consumer technologies represent enormous forced to give up the device? In some cases, it opportunity, but there are still manymay be necessary to have users sign legal uncertainties about the risks. Given the current agreements regarding ownership of a mobileYou worry about idea ownership; environment, some enterprises will decide to device and the data on the device. Technology because social networking is inherent- increase their risk appetite to reap the solutions like virtualization and thin computingly outside the management and gover- potential rewards. Information securitys role may help with these issues since the corporate will be to truly understand the risks, carefully data would not be stored on the device.nance structures that we use in our and thoroughly communicate them to the day-to-day work life. By definition, it business, and help the business make informedWhen it comes to social networking, mostgets you beyond a comfort zone. So risk/reward decisions. general counsels shudder at the thought ofthen it comes down to, Who ownsworkers out there representing the The legal and compliance issues around user- corporation. Imagine a scenario whereby a the ideas? driven IT will be some of the thorniest. pharmaceutical company employee sets up a Denise Wood Virtually every global enterprise has to protect social media site to discuss a particular diseaseChief Information Security Officer and the privacy of personal information, ensure theand ends up unwittingly doling out medicalCorporate Vice President integrity of proprietary financial data andadvice. Or a financial services employee starts a FedEx Corporation safeguard customer data such as credit cardblog to discuss investments but goes over the numbers. The information risk management line and ends up in a conflict of interest13 16. situation. It is a slippery slope. An effort that Then there are privacy issues. What privacy The cyber criminals are taking the experiencebegins with good intentions to exchange rights can an employee expect when using atheyve built within the PC and web world andpublic or non-sensitive information could personal device for work? A recent court case applying it to this new mobile space. Securitysuddenly veer into information that has in New Jersey shows how privacy issues couldresearchers believe it will take much less timeobligations around it. Doing business in theplay out. In a dispute between an employeefor mobile phone viruses to become money-world of social media will require that users and employer, the court ruled in favor of the making operations than computer viruses did.understand their responsibilities in upholdingemployees right to privacy. Certain emails Over the next year, they expect to see the,the companys legal obligations and operate were not allowed as evidence as they were industrialization of smartphone malware.19under the companys code of conduct.considered private communications, evenAs choice computing takes hold, many usersthough they were stored on corporate servers.17The e-discovery conundrum may choose the Mac computer. Until now,This case involved personal data on companyMac computers have been relatively immuneE-discovery also presents some challenges.assets; what will happen when its companyto the onslaught of attacks targeting OS flaws.Typically when a company gets served with data on personal assets? How will privacy beAs the Mac computer becomes increasinglya subpoena for data, the courts ask for paper affected? The information security team willpopular in the enterprise, it may spur on thefiles and any electronic records associated need to work closely with the legal team todevelopment of new malware; for examplewith the matter. Now beside e-mail or instant think through all of the potential privacythe OSX.Iservice Trojan that targeted Macmessaging (IM), increasingly records couldissues.computers in 2009.20be contained in many other places such asBlackberry servers or Twitter micro blogs.The growth of mobile malwareSocial networks might also become moreWhat if a forensic image of a disk is requested,Other risks that need to be carefully assessedprone to malware attacks. As social networksbut the device is owned by the employee? What include new forms of malware. So far, viruses encourage application development on theirif a court case involves a disputed transaction on the PC platform far outweigh viruses onplatforms to feed the insatiable appetite offor which the communications took place onmobile phones, but that will likely change. users, cyber criminals are developingFacebook? If the data requested is on a socialAs the number of smartphones grows, the applications that target these generallynetworking site, how will the corporation devices get more capable and the informationtrusting users, turning social networks intoretrieve it? In general, if data is not onon them more valuable; they will become another vector for malware. Already 57corporate servers but on user devices or social more attractive targets. Hackers are alreadypercent of users report they have beenmedia sites, how does the enterprise meet working hard at cracking all types of devices.spammed (a rise of 70.6 percent from last year)standard record keeping requirements such asBlackberry, iPhone, Android devices andand 36 percent reveal they have been sentthe need to retain data for a specified timethe like are all at risk. And some have already malware via social networking sites (a riseperiod (like seven years)? As with the adoption succeeded such as the 2009 Sexy Space botnetof 69.8 percent from last year).21of any new technology, enterprises will need to which was aimed at the Symbian mobile devicerevamp their record-keeping policies andoperating system.18 Another growing concern is the so-calledprocesses to include new types of records.were-laptop. Similar to a werewolf, user- 14 17. owned systems seem clean and healthy duringapplications on those platforms will grow on users, creating fertile ground for phishing the day but become malware-laden at nightdramatically. Many application developers are attacks. Googles recent attack originating in while they prowl the Internet from the usersfrom small business start-ups that create eye-China was perpetrated based on an elaborate home. When employees bring them back intocatching applications on small budgets and aresocial engineering scheme that began with work, the machines broadcast viruses across theoften willing to overlook security. extensive research on Google employees and enterprise.Unfortunately, some device manufacturers or leadership.22 Criminals are using methodssocial media platforms have only a minimal, ifhoned in the spamming world and adapting While current signature-based anti-virusany, application vetting process and may allowthem; taking advantage of the speed and solutions have difficulties catching much of theposting of applications that leave usersopenness of individuals communicating via current malware; next-generation anti-malwareexposed to vulnerable and/or malicioussocial media. Besides the risk that users will solutions are emerging that employ newsoftware. The good news is that this is expose credentials, there is also the risk that techniques such as behavior-basedchanging. Looking to increase adoption in the users will get lured by fraudsters and recruited approaches that monitor the stream of systementerprise, certain device manufacturers andas money mules (individuals that transfer calls that the program issues to the operatingsocial platforms are establishing more strict stolen money as a result of online scams). The system. Over the past several years, securityrequirements to prove the viability and securitybest defense against phishers will be a well- researchers have also been leveraging theirof the applications, including the use of digital educated user population. experience battling against malware designerssignatures to validate applications. to proactively create anti-malware innovations When enabling a new innovation like user- that will help protect information on newGreat phishing on social sitesdriven IT to take root, it is impossible to gain computing platforms. rewards without taking risks. But it will beCyber criminals continue to use socialcritical for the information security team to work Developing robust applications will also beengineering to thwart security defenses andclosely with others across the company to make crucial. As the number of applications for gain access into organizations. As socialsure the enterprise is not taking undue risks. mobile systems and social networks continues networking in the workplace rises, so does the to rise rapidly, the potential for malicious availability of sensitive and private information The risk inherent in any new technology is that you dont know what might happen. And you can try to forecast or foresee as much as you can, but if somebody figures out a way to exploit a vulnerability and theres no resolution for it, theyre going to have a pretty large window to do things.Dave Cullinane Chief Information Security Officer and Vice President eBay 15 18. 4. Get in Front of Technology Trendspercent of companies plan to spend more Users may not always have connectivity;To gauge the risks and rewards of user-driven money on social media over 2010.24therefore new solutions such as distributedIT, the security team will have to get up tovirtual desktops can provide access toIn the consumer world, new apps are availablespeed on the consumer devices, applications applications even when users are not online.constantly and entirely new gadgets areand technologies that enable enterprise These solutions provide a fully-containedintroduced every six months, but consumerdeployments. Most security organizationsvirtual corporate environment; corporate datatechnologies are not built with the enterprisealready analyze technical trends. However, nowcan be protected and wiped off the mobilein mind. Simple market dynamics mean thattechnologies are coming at a fast and furious computer remotely if necessary, for example ifconsumer functionality takes precedence overpace. There is more newness to deal with than the employee or contractor is terminated.enterprise requirements since the consumerever before; including a completely new There are also new mobile security and devicemarket is much larger. Therefore one of thecomputing paradigm mobility. Eventually, themanagement solutions for smartphones thatchallenges in enabling user-driven IT is thatpredominant computing platform that mostenable enterprises to control access to andenterprise-grade features will always lagpeople will use throughout the course of theireliminate corporate data if necessary.behind. For example, not all enterpriseday will be a mobile device. Some argue thatapplications can even run on mobile devices.Security armorythis is similar to previous technology shiftsData presentation issues will need to be solved.when security personnel had to go fromOther security technologies could also play aA case-in-point is the fact that Adobe Flashsecuring mainframes to personal computers;pivotal role in enabling user-driven IT. Fordoesnt work on smartphones yet.then from PCs to networked PCs on the example, many organizations have adoptedInternet. Now they have to secure the mobileDesktop virtualization, thin computing anddata loss prevention (DLP) solutions. Just associal web. Security professionals could be incloud computing are having a big impact onthese solutions are currently used to helpfor quite a ride. enabling mobile computing in the enterprise.prevent data loss through communicationThe more processing that can be done in a methods like webmail, email and FTP as well asStaying ahead of a fast moving target centralized data center, the less has to be ondevices like USB and CD drives, they could beImagine three years ago trying to guess whatthe device, which helps to solve many of theset up to stem the loss of importantsmartphones would look like or wheresecurity issues. However these computinginformation via social networking or mobileFacebook or Twitter would be today? And, as technologies depend on having a fast anddevices.businesses vie for mind share on the mobile reliable Internet connection and availablesocial web, the pace of change will continue to bandwidth.increase substantially. There is a veritable armsrace as competitors try to outdo each other indesigning and deploying mobile and social We have people in our security organization who keep on the bleeding edge of consumerapplications to drive business. According totechnology. Through social media and gadget blogs, we try to get advance notice ifIDC, iPhone applications are expected to grow somethings coming, what it might look like, then watch for requests or see it start300 percent and Android applications 500appearing on our networks. There are a lot of cycles involved in just keeping pace with thepercent by the end of 2010.23 As well, 86speed of change. Dave Martin, Chief Security Officer, EMC Corporation16 19. Enterprise rights management (ERM) also holdstrusted device. For example, authentication position has evolved from having the promise as an enabler of user-driven IT. So far, methods could check smartphones for malicious traditional responsibilities for antivirus and ERM has been limited to speciality applications. code like a virus, key logger, or screen scraper. content filtering. The role now also owns Requirements for a next-generation ERM Risk-based or adaptive authentication can virtual desktop infrastructure (VDI) security, solution include improved scalability, agility match the level of assurance with the level ofand is tasked with understanding what a secure and better cross-platform support, including for access; so that if a user wants deeper access tomobile computing experience is going to look mobile technology. Ideally it would provide an certain applications or content, granting thatlike for users. Paying attention to the user easy-to-use wrapper that could wrap itself access will depend on higher levels of identity experience will be critical. If security around the data object independent ofassurance and vetting of the device. The more a procedures are too burdensome or too slow, document format. Security officers will also user is able to prove themselves and theirthen user productivity will suffer or users will have to figure out how to develop sounddevice, the more access theyll get.just find ways to go around them. business processes for rights management.To keep pace with all of the technology changes Advanced authentication and trusted identity and find answers to technical issues, some mechanisms will help facilitate access to more information security organizations are opting Some of the significant technical issues sensitive applications in mobile environments. for a dedicated individual or team focused onaround mobility will be delivering For example, out-of-band authentication can be research and development (R&D). Othermeaningful enterprise applications and the used to provide higher assurance onorganizations will have various people devote a smartphones before a user is allowed topercentage of their time to R&D or rely more on appropriate security controls on such a conduct a higher-value transaction, they would external resources for the information on small form factor. receive a phone call and have to implement a coming trends and emerging solutions.Roland Cloutier PIN. Increasingly, trusted identity will include Whatever the approach, a system of periodicVice President, Chief Security OfficerAutomatic Data Processing, Inc. not only validating a trusted user, but also a briefings or round tables can provide a forumfor education and brainstorming on questionssuch as, What if this particular technology When it comes to mobility, traditional IT comes to us? How are we are going to addressTo enable mobile devices to accessit? To really get ahead of the curve, actively corporate services, its all about content security thinking is going to be blown apartdevelop a threat and risk catalogue for each of and where does the content stay. Providing because a smartphone does not have thethe technology areas you are considering and same architecture as a PC. I think there are visibility to the content through a remotehold collaborative meetings on each major area still significant numbers of IT security desktop session is much more palatable forto quickly educate the stakeholders on all professionals who dont understand the new aspects of the inherent risks.enterprises than say, letting users pull downmobility platforms. a database onto their smartphone orNew end-user experience architect leadpersonal PC.Professor Paul DoreyAn exciting new development within securityDavid Kent Founder and Director, CSO Confidential and organizations is the creation of a new position Vice PresidentFormer Chief Information Security Officer, BP an end-user experience architecture lead. ThisGlobal Risk and Business Resources, Genzyme 17 20. 5. Own the Futuredeployed as well as new financialTo really know what user-driven IT involves, itInformation security leaders have always beencompensation models devised (such as stipendswill be essential for the extended team to gaintasked with protecting the environment offor users to buy their own machines). Supportexperience through pilots and smalltoday while planning for tomorrow. But mechanisms will have to be carefully planned;deployments. Pick a starting point knowthrowing consumer technologies into the mixfor example, the help desk cannot be expectedwhich user groups and applications would beadds some new challenges. In this rapidlyto suddenly support every type of mobile good initial projects. Be able to sniff out realchanging world, it is possible that by the timedevice under the sun or costs will skyrocket.business cases versus user demands based onan information risk management strategy ispreferences only. Know where there is User-driven IT makes budgeting for securityplanned and implemented, business ormanageable risk. For example, for the first trickier than ever. Consumer technologies cantechnical requirements will have changed andprojects you may want to steer clear of any change faster than traditional budgetingthe strategy will be outdated. The ability to applications involving sensitive or regulated models allow. Once a budget is in place for theanticipate changes before they happen will be data. Make sure that specific user training is year ahead, it could be difficult to change ifmore important than ever. part of any pilot project. These initial test new requirements develop. Waiting for theprojects in user-driven IT will be key toA cross-functional team will help cover all thenew budget cycle could mean increased riskknowing what the future looks like.angles. First and foremost, information security and missed opportunity for the business. Inwill be working very closely with members of addition, this all comes at the same time asthe IT team to understand technology trendsother major IT initiatives like cloud computing.and architect solutions. Other key partners in Flexible budgets with built-in contingencythis endeavor will include legal, for establishing funds can help meet future demands; andpolicy and user agreements, etc.; humancreating operational efficiencies can free-upresources and compliance for developing user resources for future investments.training; and finance for making investmentsand creating compensation models. Information security is a crucial element ofenabling user-driven IT; but it is only oneUnfortunately you dont know what it is that youre trying to secure because you dontelement. For example in most enterprises today,know whats coming out. I always tell my team that one of the characteristics that makes athe service-level agreements, vendor contracts good security person is flexibility and agility. You have to be able to quickly move in time toand support structures are all geared towardthe preeminent model whereby enterprise IT where the technology is going.controls end-user technologies. New service Dr. Claudia Natansonmodels will have to be created; licensing Chief Information Security Officercontracts re-negotiated; new infrastructureDiageo 18 21. Security needs to understand each environment what are the capabilities and Examples of real-world pilots and deployments* limitations? What are the vulnerabilities? What are the Corporate app for the iPhone mobile digital device attack surfaces? What are your Employees allowed to access SAP requisition approvals and options for mitigating them?Business Objects reporting with personal smartphones Do you have the right tools to Did not expose sensitive or regulated data mitigate them? If you dont, Started small, kept it simple, few applications and limited user group where are you going to get the Bring your own computer deployment for contractors money to do that? Objective was to allow thousands of contractors to use their ownDave Cullinane PCs because cost of issuing hardened laptops too highChief Information Security Officer and Vice President Mandatory training and legal agreements were required eBay Enabled by virtual machine on USB drive Full responsibility of device management and support moved to end-userIntegrated personal/corporate machine for road warriors Employees enabled to carry one device for both personal and corporate use Virtualization technology partitioned corporate/ personal dataIncreased access to social media Targeted specific user groups with business need Provided extensive user training to enable users to understand risks and responsibilitiesTablet pilot Company equipping one hundred executives with tablets Program to test if the tablet can withstand being loaded with corporate apps and data*Examples from Council members and their peers19 22. 6. Collaborate with Vendors verification services and would validate thevendors. Some of the challenges can be tackledIn an environment where technology is movingsafety of the environment as a result with mobile versions of traditional securityrapidly, working closely with vendors isdramatically increasing the confidence of the solutions such as data leakage and intrusionessential. Build collaborative relationships with mobile platform for the enterprise. prevention tools. However, many of the risksvendors of consumer and enablingwill require new products. Security leadersThe social platform vendors have control overtechnologies. Knowing mobile device and need to see what is on their vendors drawingall the data that is being transferred betweensocial media vendors plans is critical toboards and collaborate with them to developtheir millions of subscribers; they also have anknowing what the user computing experienceenterprise-class solutions that address theaggressive strategic plan to deliver enterprisewill look like. Work with vendors toneeds of enterprise security.focused functionality. It is imperative thatunderstand what is on the horizon, and also tosecurity organizations work with these vendorsCollaborating with a wide array of vendors toprovide input into enterprise requirements andto influence the roadmap as well as their dataensure solutions to such a broad range oftime frames.ownership and privacy policies. For example,challenges is not easy. Clearly, no singleThe telecommunications companies could play Facebooks recent changes to their privacyenterprise has the ability, resources, ora key role in enabling user-driven IT. They settings have generated substantial reaction in influence to steer the industry in any givencontrol the mobile networks and connectivitythe marketplace. Security organizations shoulddirection. For that reason, severalto those networks, and have the ability towork with Facebook and other social platforms organizations have expressed the need for amanage the devices. For example, they can to help them devise privacy settings to protect community forum to define the Secure Mobilereconfigure a phone, track its traffic, cancel aenterprise and user privacy. In addition, these Social Web. This would be focused oncall, and provide updates and patches to thevendors, along with mobile device vendors,ensuring that the user experience -includingdevice. As they increase capacity and have the ability (and responsibility) to controlthe devices, applications, enabling and securitybandwidth, they also have the ability to addthe quality and readiness of the applications technologies would work to provide a secureimportant services for the enterprise deployed on their platforms. Informationand seamless mobile social web experience forcommunity. One such valuable service could be security teams should provide input into theirmaximum user productivity and optimum datadevice integrity services, whereby the mobile formal vetting process for testing andprotection. With representation fromdevice would be guaranteed to be healthy, validating applications to help mitigate the risk enterprises and vendors, it would develop bestincluding all necessary security patches. Telcoof malicious and malware-susceptiblepractices for enabling user-driven enterprise IT2.0, the telecom parallel to Mobile 2.0, (driven applications that can easily penetrate theand facilitate communication so that vendorsby GSM Association, the largest mobileenterprise. Organizations must work with thesecan provide the functionality the enterprisetelecoms body), has defined Identity, vendors to demand a process that will result in needs to smooth the adoption of these newAuthentication and Security services as a major applications that can be trusted. computing technologies.business opportunity for growth. In this role 25 Of course, as security teams are challengedthe carriers, considered to be experienced,with an onslaught of new potential risks, theytrusted entities, could provide identityneed to continue to work closely with security 20 23. ConclusionRather than viewing the inevitable movementBesides this report, the previous reports from Enable secure collaboration among all of the toward user-driven IT as a threat to their the Security for Business Innovation Council26various constituencies across the enterprise. control, information security teams can use it provide relevant guidance for information See Charting the Path: Enabling the Hyper- as an opportunity to bolster their own value.security teams. They cover many aspects of howExtended Enterprise in the Face of For enterprises to reap the rewards, they have to operate at high speeds such as:Unprecedented Risk to be able to manage the risks. Meeting the Get attuned to the business. See The Time is And to really grease the wheels, get challenges of user-driven IT demandsNow: Making Information Security Strategicexecutive leadership on your side. See information security teams work to enableto Business Innovation Bridging the CEO-CISO Divide innovation at an accelerated pace. The good news is that most teams are not starting from Create self-assessment and repeatable The information security teams that scratch. After several years focused on business processes for managing risk. See Mastering successfully navigate this sea change will be alignment, most information security the Risk/Reward Equation: Optimizingbest positioned to make the right judgment organizations have the right stuff to tackle Information Risks to Maximize Businesscalls about where, when and how to embrace user-driven IT; and they have a lot of resources Innovation Rewards consumer technologies to create rich new on which to draw.sources of competitive advantage and business Focus on measuring and improvingreturn for their organizations.productivity while increasing efficiencies. SeeDriving Fast and Forward: ManagingInformation Security for Strategic Advantagein a Tough EconomyThe trend toward leveraging non-corporate-controlled assets and using social media foraccessing and distributing information is inevitable. It would be a mistake for anycompany to put its head in the sand or to dig its heels; because the tide will be workingagainst you. It would be much better to recognize it and then create the parameters tomake it work for you.David KentVice President, Global Risk and Business Resources Genzyme 21 24. Appendix: Biographies Security for Business Innovation Council Members Anish Bhimani, CISSP,Bill Boni, CISM, CPP, CISARoland Cloutier Dave Cullinane Chief Information Risk Officer Corporate Information Security Officer, Vice President, Chief Information Security Officer JPMorgan Chase VP Enterprise Information SecurityChief Security Officer, and Vice President, eBayT-Mobile USAAutomatic Data Processing, Inc.Anish has global responsibility forAn information protection specialistRoland has functional and Dave has more than 30 years of ensuring the security and resiliency for 30 years, Bill joined T-Mobile in operational responsibility for ADPssecurity experience. Prior to joining of JPMorgan Chases IT 2009. Previously he was Corporate information, risk and crisiseBay, Dave was the CISO for infrastructure and supports theSecurity Officer of Motorola Assetmanagement; and investigative Washington Mutual and held firms Corporate Risk Management Protection Services. Throughout his security operations worldwide.leadership positions in security at program. Previously, he held seniorcareer Bill has helped organizationsPreviously, he was CSO at EMC and nCipher, Sun Life and Digital roles at Booz Allen Hamilton and design and implement cost-effective held executive positions with Equipment Corporation. Global Integrity Corporation and programs to protect both tangible consulting and managed services Predictive Systems. Anish wasand intangible assets. He pioneered firms. He has significant experienceDave is involved with many industry selected Information Security the application of computer forensics in government and law associations including as current Executive of the Year for 2008 by and intrusion detection to deal withenforcement, having served in the Past International President of ISSA. the Executive Alliance and named incidents directed against electronic U.S. Air Force during the Gulf WarHe has numerous awards including to Bank Technology News Topbusiness systems. Bill was awardedand later in federal law enforcementSC Magazines Global Award as CSO Innovators of 2008 list. He CSO Magazines Compass Awardagencies. Roland is a member of of the Year for 2005 and CSO authored Internet Security forand Information Security Executive High Tech Crime InvestigationsMagazines 2006 Compass Award as Business and is a graduate of of the Year Central in 2007. Association, State Department a Visionary Leader of the Security Brown and Carnegie-MellonPartnership for Critical Infrastructure Profession. Universities.Security and Infragard.22 25. Security for Business Innovation Council Members Professor Paul Dorey Renee Guttmann David Kent Dave Martin, CISSP Founder and Director, CSO Confidential Vice President, Information Security Vice President, Global RiskChief Security Officer, and Former Chief Information Security& Privacy Officer, and Business Resources,EMC Corporation Officer, BPTime Warner Inc. GenzymePaul is engaged in consultancy,Renee is responsible for David is responsible for the designDave is responsible for managing training and research to helpestablishing an information risk-and management of GenzymesEMCs industry-leading Global vendors, end-user companies andmanagement program thatbusiness-aligned global security Security Organization (GSO) focused governments in developing theiradvances Time Warners businessprogram, which provides Physical,on protecting the companys multi- security strategies. Before founding strategies for data protection. SheInformation, IT and Product Security billion dollar assets and revenue. CSO Confidential, Paul was has been an information security along with Business Continuity and Previously, he led EMCs Office of responsible for IT Security andpractitioner since 1996. Previously, Crisis Management. Previously, heInformation Security, responsible for Information and Recordsshe led the Information Security was with Bolt Beranek and Newman protecting the global digital Management at BP. Previously, he Team at Time Inc., was a securityInc. David has 25 years of experienceenterprise. Prior to joining EMC in ran security and risk management analyst for Gartner and worked inaligning security with business goals. 2004 Dave built and led security at Morgan Grenfell and Barclaysinformation security at Capital OneHe received CSO Magazines 2006consulting organizations focused on Bank. Paul was a founder of theand Glaxo Wellcome. ReneeCompass Award for visionarycritical infrastructure, technology, Jericho Forum, is Chairman of thereceived the 2008 Compass Awardleadership in the Security Field.banking and healthcare verticals. He Institute of Information Securityfrom CSO Magazine and in 2007David holds a Masters degree in holds a B.S. in Manufacturing Systems Professionals and a Visiting was named a Woman ofManagement and a Bachelor of Engineering from the University of Professor at Royal HollowayInfluence by the ExecutiveScience in Criminal Justice. Hertfordshire in the U.K. College, University of London. Womens Forum.23 26. Security for Business Innovation Council MembersDr. Claudia NatansonVishal Salvi, CISMCraig Shumard Denise WoodChief Information Security Officer, Chief Information Security OfficerChief Information Security Officer, Chief Information Security OfficerDiageoand Senior Vice President,CIGNA Corporation and Corporate Vice President,HDFC Bank Limited FedEx Corporation Claudia sets the strategy, policy and Vishal is responsible for driving the Craig is responsible for corporate- Denise is responsible for securityprocesses for information securityInformation Security strategy and wide information protection atand business continuity strategies,across Diageos global andits implementation across HDFCCIGNA. He received the 2005 processes and technologies thatdivergent markets. Previously, sheBank and its subsidiaries. Prior to Information Security Executive of secure FedEx as a trusted businesswas Head of Secure Business Service HDFC he headed Global the Year Tri-State Award and underpartner. Since joining in 1984 sheat British Telecom, where she Operational Information Securityhis leadership CIGNA was ranked has held several Informationfounded the UKs first commercial for Standard Chartered Bank (SCB) first in IT Security in the 2006Technology officer positionsglobally accredited Computerwhere he also worked in IT ServiceInformation Week 500. A supporting key corporateEmergency Response Team. ClaudiaDelivery, Governance & Risk recognized thought leader, he has initiatives, including developmentis Chair of the Corporate Executive Management. Previously, Vishalbeen featured in The Wall Streetof fedex.com; and was the firstProgramme of the World Forum of worked at Crompton Greaves, Journal and InformationWeek.Chief Information Officer for FedExIncident Response and SecurityDevelopment Credit Bank and Previously, Craig held many Asia Pacific in 1995. Prior to FedEx,Teams. She holds an MSc. in Global Trust Bank. He holds a positions at CIGNA includingDenise worked for Bell South, AT&TComputer Science and a Ph.D. in Bachelors of Engineering degree inAssistant VP of International and U.S. West. Denise was aComputers and Education.Computers and a Masters inSystems and Year 2000 Audit recipient of ComputerworldsBusiness Administration in FinanceDirector. He is a graduate of Premier 100 IT Leaders for 2007from NMIMS University.Bethany College.award. 24 27. References 1. Smartphone Management Survey: An Enterprise IT Operations Perspective, BoxTone and eMedia, April 2010 2. Gartner Survey Shows 10 Percent of Respondents Say Workers Using Employee-Owned Notebooks as Their Primary Work PC in 2009, Gartner Press Release, December 7, 2009 3. BYOC: Kraft Foods Employees Can Now Bring Their Own Computers to Work, Yahoo! Finance, May 11, 2010 4. e-Bay Expands into iPhone Apps, American Consumer News, March 30, 2010 5. Understanding Enterprise Mobility Trends and Mobile Usage, The iPass Mobile Workforce Report, February 2010 6. Smartphone Surge Offers Opportunities for Business, IT Business Edge, March 11, 2010 7. Number of Mobile Devices Accessing the Internet Expected to Surpass One Billion by 2013, IDC Press Release, December 9, 2009 8. Facebook Crosses the 500-Million Threshold, ComScore Says, WSJ Blog, May 18, 2010 9. Biz Stone: Twitter has 105 million users, MacWorld, April 14, 201010. Frequently Asked Questions, Linkedin.com, May 201011. Facebook and YouTube dominate workplace traffic and bandwidth, SC Magazine, April 16, 200912. 57% of US Workers Use Social Media for Business Purposes, Social Media at Work, January 26, 201013. Social Media Statistics Socialware Compass, 201014. 5 B2B Social Media Winners, TopRank Online Marketing Blog, February 11, 201015. Gartner Reveals Five Social Software Predictions for 2010 and Beyond Gartner Press Release February 2, 201016. Mastering the Risk/Reward Equation: Optimizing Information Risks to Maximize Business Innovation Rewards, Security for Business Innovation Council Report17. Fact Sheet 7: Workplace Privacy and Employee Monitoring, Privacy Rights Clearinghouse (PRC), April 201018. Sexy New Mobile Botnet on the Move?, eWeek Security Watch, July 17, 200919. Imminent flood of smartphone malware?, Net Security, February 18, 201020. Mac OS X Trojan Found in Pirated Photoshop CS4, Information Week, January 26, 200921. Malware and spam rise 70% on social networks, security report reveals, Sophos, February 1, 201022. Hackers target friends of Google workers, Financial Times (FT.com), January 25, 201023. IDC Predicts Recovery and Transformation in 2010 Modest IT Spending Growth to be Accompanied by Fundamental Industry Transformation, IDC Press Release, December 3, 200924. 86% of Companies Plan Social Media Budget Bumps, Bigmouth Media, December 4, 200925. Telco 2.0 Manifesto, Telco2.net, 201026. For the Security for Business Innovation Report Series Go to www.rsa.com/securityforinnovation27. http://www.facebook.com/brandpermissions/index.php28. http://help.twitter.com/entries/77641-guidelines-for-use-of-the-twitter-trademark29. http://homepage.mac.com/haydock/mfn/steeringcommittee/group_services_agreement.pdf30. http://na.blackberry.com/legal/trademarks.jsp#tab_tab_guidelines31. http://www.google.com/permissions/guidelines.html25 28. www.rsa.com2010 EMC Corporation. All Rights Reserved. EMC, RSA, RSA Security and the RSA logo are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. iPhone and Mac are trademarks of Apple Inc., registered in the U.S. and other countries. All other products and services mentioned are trademarks of their respective companies.CISO RPT 0710