Data breach survey: Data during a downtime

This year's data breach survey shows that budgets will remain stagnant as threats continue to evolve. Illena Armstrong reports.

While there are some who think 2011 will prove just as challenging on many fronts for information security executives, others are a bit more optimistic. Numerous market indicators are hinting at slow but steady moves away from the worst economic recession seen in some eight decades. Such hopeful signals, no matter how muted, point to a possible renewal of essential information security projects only partially undertaken or altogether deferred during the last 12 months.

Not only did U.S. retailers see positive shifts in consumer spending during the days surrounding Black Friday and Cyber Monday in late 2010, the Federal Reserve's Summary of Commentary on Current Economic Conditions report, which is released eight times a year and provides a profile of economic conditions across all major markets, confirmed a restrained trending upward.

As well, 93,000 private sector jobs reportedly were added last November, somewhat improving woefully low unemployment rates and boosting investor confidence. In turn, the stock market became more positive, with the Dow and Nasdaq showing measured gains late in the year.

“2010 has been a year of recovery and maturation,” says Jon Gossels, president and CEO of Massachusetts-based consultancy System Experts. “In 2009, many security organizations simply hunkered down to survive. It wasn't idle time. They let weaker staff members go, refined strategic plans and positioned themselves to provide superior operations security at lower staffing levels in the future.

Yet, even during 2010, budgets were tight and, if any projects came to fruition, they were cherry-picked from a long list of IT security priorities. Yes, many businesses have seen and will continue to experience improvements, but the economy still has a long way to go, says Maurice Hampton, the former information security program manager with the General Electric Company, who now leads the security and privacy services practice with Ohio-based Clark Schaefer Consulting.

“Even though everyone knows that organizations need to do everything possible to protect data, the harsh reality of shareholder value takes precedence, and budget dollars continue to be inadequate to truly accomplish the task at hand,” he says.

This sentiment is reflected in findings from SC Magazine's fourth annual Guarding Against a Data Breach survey, which was conducted by SC Magazine and ArcSight with research firm CA Walker.

Out of the 468 information security leaders participating in the survey, 36 percent expect their budgets for IT security projects and data leakage prevention efforts to increase this year, compared to 41 percent out of 399 last year. The great majority of respondents – close to 60 percent – expect budgets to stay the same. On the positive side, only six percent face a drop in funding this year compared to 12 percent last year.

While many economic indictors forecast some positive growth in coming months, other recent world happenings make it evident that moving beyond these severe and long-lasting economic doldrums will be slow. Tough economic conditions in Europe – with Spain and Portugal likely next in line to seek aid from the EU after the multibillion dollar bailout of Ireland – are bound to impact U.S. markets, say many experts. As well, the driving motivation behind the controversial bipartisan deal brokered between President Obama and Republicans in late 2010 to extend expiring income tax cuts for all citizens for two years, renew jobless benefits for the long-term unemployed, grant a one-year reduction in Social Security taxes, and provide tax breaks for businesses contributing to the economic recovery, indicates that those in the highest rungs of federal government fear slipping backwards, says Andy Purdy, the co-director of George Mason University's International Cyber Center (ICC), which helps lead efforts to better identify and address global cyber issues, and the chief cybersecurity strategist for Virginia-based business consultancy and service provider CSC.

To him, the deal [which, at the time of this edition's printing was awaiting approval from Congress] attested to still lingering major concerns that the economy is far from turning the corner. “Pressures on security budgets will continue if not heighten,” he says. “Spending is going to be flat at best and very well might go down.”

The road ahead

Some experts are optimistic that business leaders will continue to evolve in their thinking about the need for robust and holistic security and privacy plans, viewing them more as drivers to help grow their companies and bottom lines. From this viewpoint, investment in the development of strong risk management and information security strategies will rise.

“Leaders should shift their view of security and privacy from an operational or financial burden and leverage them into strategic business drivers that can help increase the long-term market competitiveness of the organization,” says Jaime Chanaga, a former CISO in the health care industry and founder and president of The CSO Board, a consultancy focusing on management and organizational development. “Leaders that make security and privacy programs a top business technology priority are soundly investing in the future of their organizations. In a poor economy, it is important for organizations not to cut corners on security and privacy organizations.”

The majority of respondents to SC Magazine's survey, 87 percent, say that their company is taking the right steps to prevent critical data from being stolen, exposed or lost. For another 83 percent, it is the threat of a data breach, leakage or exposure that is greatly influencing their organization's current security initiatives – a statistic that closely mirrors previous years' findings.

The problem with this, though, is that such fears of exposure do little “to increase management's support for increasing expenditures on security initiatives,” says Bryan Cline, director of information security and information services at Catholic Health East (CHE), a multi-institutional health system based in Pennsylvania. “Budgets appear to be relatively stable and modest despite these threats.”

Still, the fact that the possibility of such incidents occurring is actually helping to drive security projects is a plus to Michael Higgins, CSO with The New York Times Company.

“Threat of public disclosure of a failure to manage a customer's private information is powerful,” says Higgins. “Exposure that a company betrayed the trust that a customer has with a company is the driver. Trust is hard won and easy to lose. This translates directly to reputation protection.”


Compelling reasons

Just as in past years, regulatory mandates continue to drive security planning and implementations. For about 76 percent of the respondents to SC Magazine's data breach survey, compliance needs lead in pushing their companies to better safeguard customer/client and other critical corporate data. An interesting change this year, though slight, was that tied with the compliance driver was possible negative impact to the corporate brand and reputation. Other reasons pushing for better security mechanisms included customer demand (41.4 percent), possible profit loss (40.9 percent), executive board demand (37 percent), investor demand (11 percent) and other reasons, such as doing the right thing or personal paranoia (9 percent).

Higgins says it is expected that regulatory and brand pressures top the drivers for information security planning as they often “impact the bottom line the most visibly.” Further, if organizations make the right moves, they can be successful in getting compliant with the variety of regulations to which they're beholden and move beyond the checkbox security model to really safeguard their systems at the same time.

“The Maginot Line and the Great Wall of China both proved that perfect protection is a dream,” he explains further. “The companies that build adaptive, risk-based security programs, while meeting compliance requirements, will be the companies that will be the best protected and experience the lowest number of breaches involving the smallest number of records.”

But, this success means getting the necessary backing of your executive leaders, says Jeff Bardin, VP and chief security strategist at professional services organization XA Systems.

“Most business leaders still do not understand that security is a full-time, continuous activity. They look at it from a purely IT perspective and, therefore, believe that the purchase of some new technology is the end game,” he says.

CHE's Cline agrees, noting that “too often risk is poorly understood by leadership and is subsequently overlooked.” Subsequently, this results in management getting exacerbated or confused, Cline adds, leading them to ask: “We've given you all this money to implement security, so why aren't we secure yet?”

It is important that lead security officers convey to executive leaders that implementing a comprehensive plan to meet both compliance requirements and security needs must go beyond the mere updating of tools and processes. “It is about ensuring you implement a comprehensive set of security controls that manage risk to a level deemed acceptable by the enterprise,” says Cline.

The regulatory conundrum

Some IT security executives are relying on regulatory mandates to help develop security strategies, an interesting trend given that regulations also drive them to better their risk management stance.

Still, organizational leaders must realize that “no mandate – no matter how prescriptive – can take the place of a robust, comprehensive information security risk management program designed to protect the information with which we are entrusted,” says XA Systems' Bardin. “If it were, compliance would equal security and ‘check the box' would be enough.”

Regulations, however, have been and always will be viewed as major drivers of security plans and budgets. This year's compliance priorities – as they relate to safeguarding customer/client and other critical corporate data stored or shared electronically – include HIPAA for 45 percent of respondents, the Sarbanes-Oxley Act (SOX) and PCI for 44 percent, state data breach notification laws for 38 percent, the Federal Information Security Management Act (FISMA) for 32 percent and the Gramm-Leach-Bliley Act (GLBA) for 27 percent. Another 29 percent of those responding to the survey cited e-discovery legislation, 18 percent pointed to Red Flag Rules and 10 percent noted other regulations, such as military regulations or The Family Educational Rights and Privacy Act (FERPA).

Meanwhile, PCI mandates are viewed as the most helpful in providing details about the proper safeguards to enlist to protect critical data for 39 percent of respondents, while 31 percent cited HIPAA and 27 percent considered SOX the most helpful. FISMA (23 percent), state data breach notification laws (21 percent), e-discovery legislation (14 percent). GLBA (13 percent), FFIEC guidance (12 percent) and Red Flag Rules (9 percent) followed.

According to Rick Caccia, VP of product marketing at ArcSight, the breakdown of those mandates proving the most helpful in risk management planning makes sense, especially the perceptions about HIPAA and PCI as they “lay out specific types of actions to be completed, versus SOX and its call for ‘internal controls.'”

“As you move down the list, the requirements become more vague, which means that organizations aren't sure if their efforts and expense will pass audit,” he adds. “I have seen examples where two different audit firms have given an organization directly conflicting verdicts on compliance with certain regulations. This is a nightmare for any IT department.”

It is true that some mandates do help in the development of overall security programs more than others, agrees Clark Schaefer's Hampton, pointing out that almost everyone in the United States understands PCI requirements because of how heavily credit and debit cards are used here. “Most cardholders have had some experience with someone they know being affected by the loss of data,” he explains. “As such, I think that when you mention PCI and explain to people its purpose, people tend to identify and act. Additionally, the penalties associated with the regulation make people take note.”

The problem is that there are still executive leaders who think that by investing in compliance efforts, their organizations and their infrastructures are safe.

“Those familiar with information security know this not to be true,” Hampton says. “The compliance program is just one layer to the information security program designed to protect organizational data.”


The threat landscape

In addition to adhering to various industry and government regulations, IT security teams also must address existing and new threats, ensuring that they continually attend to the protection of all the newest applications and tools that staff and executive leaders rely on to conduct business. Most concerning to security executives participating in this year's survey were risks posed by mobile devices. Mobile security (at 46 percent), including everything from encryption to secure authentication, topped the list of security solutions respondents are looking to deploy in the next year to safeguard critical data, compared to 41 percent last year. Email management and content filtering came in second (44 percent) and 42 percent are looking to deploy both database security and email encryption solutions or services. Others deployments planned for 2011 include data leakage prevention solutions/services (41 percent), web application security and secure coding solutions (37 percent), two-factor authentication for some customers (32 percent) and cloud security services (21 percent). Another 17 percent of survey participants are forecasting the implementation of secure web services for customers/clients; 10 percent are looking at solutions, such as USB monitoring, security backup, third-party assessments, laptop encryption and more; and 9 percent will rely on outsourcing security.

Those deployments survey respondents have planned and those that already have happened (see graph, pg. xx) seem to follow the maturity of the overall market, says ArcSight's Caccia. For instance, email security is a mature and commodity market, so it is expected that many companies already have these kinds of solutions in place. On the other hand, DLP, though having been around for some time now, is still an area that is far from being widely embraced by companies and, of course, cloud security “doesn't even have a common definition yet.”

Still, because there are more than a few organizations making moves to either virtualize their environments or move some of their applications into the cloud to reduce network complexity and save money, corporate-wide security may actually improve, says ICC's Purdy. Such efforts could drive cybersecurity initiatives like never before and ultimately give some organizations a competitive advantage. He predicts that with all the focus on security issues raised by the cloud that there's going to be a lot more attention paid to identity management and other IT security standards. “Cloud-based guys will have greater security, whereas legacy enterprises still will have difficulty adding security on after the fact,” he says.

Meanwhile, for ArcSight's Caccia, the problem of mobile security, is an “interesting” area. “Even though organizations have used mobile phones for years, it is the smartphone that really changed the game for security,” he explains. “Smartphones are still new in corporate use; the iPhone was introduced only three years ago, and it didn't have apps until mid 2008, so the broad phenomenon of millions of corporate users running around with little computers in their pockets accessing the corporate network is a security issue companies are just beginning to deal with.”

Another matter that needs more attention is software assurance. Only 31 percent of respondents say they've strengthened their secure coding practices before deploying applications to customers and clients. Some 24 percent have not bettered secure coding practices and another 41 percent say they have, but not enough. About 17 percent don't know what they've done in this area, which is folly given that establishing and adhering to a strong software assurance and secure coding plan as part of an overall risk management strategy does go a long way in protecting critical data, says Stacey Halota, vice president of information security and privacy for the Washington Post Co.

“The statistics for web vulnerabilities are astounding, and there is good data to show the cost benefit of fixing a problem during development versus after development,” she says. “I think it is critical to have the developer's buy-in for the tools that you use, and to make that an ongoing conversation.”

According to CHE's Cline, the problem here is that many firms' executives don't have a good understanding of “how systems engineering is used to manage technical work or how security engineering is used to implement security throughout the systems development lifecycle (SDLC).”

The other problem, adds XA Systems' Bardin, is that “the push by the CIO to get code out the door at all costs is still king.”

Great expectations

Threats to critical data and the solutions, strategies and policies that can be implemented to address these are seemingly limitless. There are so many risks and, still it seems, too few professionals, resources and dollars on hand to eliminate them – or, in the least, drastically reduce them.

“I think you have to constantly improve and innovate,” says Halota. “The threat environment changes too fast not to. Improvement can be quantified in many ways, however.”

So, for example, information security executives can connect and communicate more effectively with business owners and lead executives to enhance the overall information security strategy for the company, she says

IT security leaders, though, must be realistic, says Bardin. The fact is, given the still teetering economy, information security budgets likely will see more cuts rather than become a top business priority.

“It is still compliance and FUD [fear, uncertainty and doubt], but my hope is that the increased management attention will allow me to provide some security education,” he says.

For now, IT security leaders can undertake activities, like maturing “existing IT processes around configuration management, program management, acquisition and development and more, so that security can be incorporated into these process from the start,” he says.

Also, it is imperative to keep senior managers in the loop and meet with them regularly to understand their priorities and concerns. “Make sure you address management's concerns – relevant or not, real or not – and try to work on what you need to be doing as much as you can. Take the ‘wins' where you can get them,” he says.

On the plus side, adds The CSO Board's Chanaga, company leaders are realizing the need and value of establishing “dedicated leadership positions for security and privacy programs.” Considering the bevy of regulatory mandates and the quickness with which threats and attack types are evolving, organizations are increasingly relying on information security professionals who understand both IT security requirements and corporate goals.

“We are seeing a shift from technical security leadership to more balanced security leadership that understands the intricacies of business operations,” he says. “I am optimistic that organizations will continue to realize the value of security and privacy programs as key business drivers.”



STANDARDS: Adopting best practices

This also involves the use of standards to help strengthen overall plans. According to this year's survey, 43 percent of respondents enlist industry standards to strengthen their overall security strategies. Another 40 percent do, but not enough, which is a sizable jump over last year's 23 percent. Some 10 percent say they use none at all

Of those industry standards most used, ISO 27001 came in at 46 percent, ISO 17799 was enlisted by 40 percent, and another 31 percent turned to the U.S. Department of Defense Trusted Computer System Evaluation Criteria, also known as the “Orange Book.” About 21 percent of security executives responding to the survey relied on other criteria, such as those from the National Institute of Standards and Technology (NIST) or The Open Web Application Security Project (OWASP) or from the more prescriptive guidance provided in the likes of the Payment Card Industry's Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA).

To Stacey Halota, vice president of information security and privacy for the Washington Post Co., the jump in responses from those who say they use standards, but not nearly enough, could reflect the persistent challenge of enlisting some of these complex benchmarks to adequately address their organizations' security problems.

“CISOs are often balancing the ‘what is enough' question, [which] is appropriate,” she says, because IT security leaders must use their “resources wisely and advise an organization on its true risk profile.” For her, the ISO standards provide the baseline she's seeking, after which she simply “augments them as necessary with more detailed technical guidance.” – IA


The methodology for this year's study was as follows: Email notification was sent to approximately 80,000 IT security professionals. A total of 468 IT security professionals completed the survey online between Oct. 22 and Nov. 3, 2010. The results are not weighted and are statistically tested at a confidence level of 90 percent.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.