Tighter regulation and higher levels of cyber attacks will increase the role of the CSO in 2004. Marcia Savage reports
During the past year, a host of companies has been hit by devastating computer worms and began to succumb to growing regulatory pressures. According to leading companies in the IT industry, we can expect more of the same in 2004.
Executives at IBM, Sun, Oracle, Microsoft and Hewlett-Packard say the number of internet threats is not likely to subside anytime soon, with insider attacks and identity theft remaining top concerns for companies. The growing threats, combined with an increasingly regulated environment, will continue to make security a priority for enterprises, they say.
With companies doing more business on the internet and cybercriminals becoming ever more sophisticated, the number of information security risks will continue to mount in 2004. Joe Pato, a distinguished scientist at HP Labs and former chief technology officer for HP’s internet security solutions division, says the rate of cybersecurity incidents has been on the rise for a while and shows no sign of waning.
“We’re running at quite a clip, and I don’t see that slowing down at all. Probably more significant than just the number of incidents being reported is the decrease in time from vulnerability discovery to exploit existence and exploit use,” he says.
In addition, use of newer and faster technologies is also having an impact on how easily systems are affected by the latest attack method. As cybercriminals become more and more skilled at exploiting vulnerabilities, the growing use of technologies, such as broadband or wireless, is helping to speed the spread of malicious code.
“Criminal hackers are becoming a lot more sophisticated and the proliferation of high-speed broadband connections and more mobile users, which is a very positive thing in all other respects, creates an environment in which a virus or worm can spread incredibly fast, impacting businesses and consumers more quickly and significantly,” says Amy Carroll, director of product management for the Microsoft Security Business Unit.
But while most people view malicious payloads as the next threat, a virus cannot propagate equally well on all OSs, claims Oracle’s chief security officer, Mary Ann Davidson. Not surprisingly, she takes aim at rival Microsoft.
“If you have some diversity in your IT organization, you are less likely to be impacted by a single virus,” she says. “Given the ubiquity of Microsoft’s products and their proprietary nature – only running on the Microsoft operating system – they are a prime target for malicious virus writers.”
But while the external threat looms large, the internal threat will remain a key problem in 2004, executives note.
As Ed Glover, director of the security expertise center and services at Sun Microsystems, says: “I still see that to be probably the biggest issue, especially in today’s economy with a lot of layoffs and really tough times. Companies often focus on the external threats, instead of the internal threats, which are probably more damaging because of the fact that people internally have access to information already.”
As companies grapple with increasing cyberthreats from inside and out, they will also continue to feel the weight of privacy mandates, such as HIPAA and Gramm-Leach-Bliley, IT leaders say. CIOs are “coming under incredible pressure to answer boardroom-level concerns, not just about budgetary concerns, but how they are responding to regulatory and privacy demands,” says Chris O’Connor, director of corporate security strategy at IBM.
Privacy of data is a fundamental of security that companies haven’t really addressed, but now the legislation is pushing them to do so, believes Glover. “Privacy is turning out to be the biggest issue that we have to face going forward, especially with more people doing more and more business over the internet,” he points out.
In fact, governmental pressure to regulate IT security is likely to grow next year, predicts Pato. He cites an effort by Rep. Adam Putnam, R-Fla., chairman of the House Government Reform Committee’s Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.
This fall, Putnam circulated draft legislation called the Corporate Security Accountability Act of 2003, which would require public companies to submit and certify that they have a cybersecurity plan. The legislation is now on hold, pending the results of a workgroup convened by the subcommittee.
The proposal, although raw, “represents a concrete realization that companies need to take responsibility for the safety of their networks,” says Pato.
Lawmakers’ interest in regulating IT security is “partially a reflection of looking at the increased rate of incidents on the network and the lack of confidence that industry is moving to protect itself adequately,” he adds.
For companies that conduct business worldwide, regulatory compliance isn’t just national, but international in its scope. “There are many regulations throughout the world governing everything from security controls on your financial data to national privacy laws,” notes Davidson. “Companies cannot say: ‘Sorry, we only had time to worry about Sarbanes-Oxley and couldn’t get to E.U. privacy directives’.”
Ultimately, these growing regulatory demands – when combined with a post-9/11 world and a rise in cybercrime such as identity theft – are highlighting the role of the chief security officer, says O’Connor. “A couple years ago there was a debate about whether they will ever have any power. We’re starting to see them rise to a point where they are getting considerable clout,” he adds.
Along with the increased role of the CSO, companies will spend more money on security next year, some IT executives predict. Regulatory requirements will continue to push CFOs and CIOs to spend dollars on secure technologies, believes Davidson. Moreover, privacy mandates and other regulations are driving adoption of identity management solutions, which can show a cost saving in addition to increased security, she adds.
“Today, much of security is viewed as ‘risk avoidance’ or ‘risk management’, making it difficult to quantify a traditional ROI, but identity management can pay for itself fairly quickly,” she says, citing the deployment of single sign-on.
Efficiency and cost savings, offered by identity management as well as the convergence of logical and physical security, are things that tend to loosen budgets, says O’Connor. “Effective security has been a discussion point for years. To the degree that business owners and CIOs are going to be able to translate that to an efficiency discussion with today’s IT resources, we’ll see the purse strings loosen up.”
Having an efficient system for provisioning and deprovisioning users will be key in coming months, adds O’Connor, not only because of regulatory pressures, but also due to the rise of web services, which require a more dynamic business model.
Many of the privacy regulations focus on having clear controls over access to information, which will undoubtedly accelerate demand for enterprise-wide identity systems in 2004, comments Pato. Another factor driving adoption of secure identity mechanisms and access-control technology is the growth of identity theft, which is increasing at an “alarming rate,” he adds.
Yet Glover doesn’t expect companies to spend any more on security in 2004, despite the increase in security risks and regulations. “People are being driven to do more with less. They’re not expanding their security budgets,” he says.
O’Connor predicts big changes for the security industry as regulatory demands push commoditization of security technologies. More and more, capabilities such as anti-virus, firewall filtering, and intrusion detection will become an embedded part of IT infrastructure, as opposed to standalone products.
“What was envisioned as this great windfall of revenue opportunity for vendors around an add-on security blade or chip is already starting to commoditize as a basic component, largely because of the pressures of HIPAA, GLB, and a privacy-oriented world,” he says.
Glover also foresees a consolidation trend, primarily because companies are looking to simplify their security. “There’s a lot of confusion out there. With all these standalone products, it’s like putting together different bricks, eventually there’s no structure… As a customer, I want something to address my end-to-end security problems and do it in a way where it’s fully integrated, fully compatible, and it’s at a reasonable cost,” he says.
What do companies need to protect themselves from the threats and regulatory demands looming on the horizon? Aside from the basic steps of ensuring anti-virus is up to date, software patches are deployed, and firewalls are configured correctly, some IT executives believe that companies need to change the way they approach security.
“A major cultural shift needs to occur in the enterprise,” explains Davidson. “Security is not merely the firewall administrator’s job or the gate guard’s job or the security administrator’s job. Everyone needs to be good security citizens, or they run the risk of subjecting themselves, as well as their colleagues, to vulnerabilities.”
Companies need to look beyond technology as the solution, says Glover. “The biggest problem with security isn’t from a technical perspective. It’s from people not following the policies and procedures, and letting people get access via social engineering. That’s still the biggest problem out there,” he adds.
Protecting the enterprise hasn’t changed much during the past 20 years, he believes. It still comes down to understanding the threats your company faces and mitigating the risk by developing and implementing policies and procedures – and making sure employees are educated about those policies. “What I don’t see is the day-to-day security program that needs to be established in an organization… That’s really where the rubber hits the road,” he says.
For their part, the big IT vendors all have multi-faceted efforts under way to address growing enterprise security demands, particularly in the area of identity management.
IBM, for example, released new versions of its Tivoli software this fall that tie identity information into core business processes. It also announced a partnership with GE Interlogix that aims to provide a solution for addressing both physical and IT security needs.
And in September, HP boosted its identity-management capabilities with its acquisition of the SelectAccess assets of Baltimore Technologies.
Another focus for HP is in the area of security management. Among the tools the company has developed in its lab is a throttle that slows the rate of virus propagation, says Pato.
More broadly, HP, IBM, and Microsoft joined with chipmakers Intel and AMD in launching the Trusted Computing Group (TCG) earlier this year. TCG, which Sun joined in September, aims to develop open standards that can be used in multiple computing platforms to enable secure computing.
Key role for Microsoft
Microsoft – whose security effort is probably the most closely watched and critiqued – is dedicated to addressing customers’ security needs in 2004, says Carroll. “We recognize that Microsoft can play a key role in improving computer security. We need to continue to invest and deliver against security at a higher level and we need to simplify security and drive the intelligence of security protections deeper into our software to reduce the demands on users and IT administrators,” she says.
Specifically, the vendor aims to improve patch management processes, provide better guidance and tools for securing systems through global educational programs, and offer updates to Windows XP and Server 2003 with new safety technologies that will make them more resistant to attack, even if patches aren’t installed or available.
According to Pato, there are grounds for optimism, despite the cyberthreats ahead. “We have yet to see the ‘cyber Pearl Harbor’ predicted by former federal cybersecurity czar Richard Clarke, although his concern is well-founded,” he says, “but I’m still optimistic we’re not on the brink of a meltdown.”