Brian J. Truskowski, general manager of Internet Security Systems (ISS), IBM Global Technology Services
Q. What are the best ways organizations can address compliance and data security issues this year, given the challenging economic climate in which we all find ourselves?
A. The single best way to address compliance and data security issues in this down economy is by adopting a holistic view of compliance and security. Too often, compliance and security are separate efforts with teams that work in silos. If companies take a holistic view of risk by balancing the people, process and technology that make up a company's security posture, they have more control.
We also urge clients to look holistically at the five ways security is changing today. There are evolving threats, evolving compliance demands, evolving economics, evolving technologies and evolving business needs. We see both security professionals and some security vendors focus their attention on maybe one or two of these areas. But companies need a balanced, holistic view of all of these changes to adequately protect their businesses.
More than ever, companies owe it to themselves to consider outsourcing some security tasks to a reliable partner that has experience, understands the threat landscape and allows retained staff to focus on other more critical projects. The cost savings can be significant and bring an organization even greater peace of mind.
Q. What problems or challenges is your company facing in the face of a declining economy and how are you and your executives going to overcome these?
A. Within IBM Internet Security Systems, the down economy is helping us streamline our efforts to help cut costs and complexity of security for our clients and help them achieve smarter security. We also see more clients adopting outsourcing in order to reduce the costs of securing the business and also to access skilled staff. This puts a renewed focus for us on security management and visibility tools that allow customers to draw services on demand (Cloud Models) and to access business intelligence reporting that provides a view of security and compliance.
From the perspective of our customers, there is a growing concern that the market will focus on compliance at the expense of very real sources of risk. We know that a CIO is always working with limited budgets and these economic times only exacerbate the problem. Some of our clients are struggling to choose between spending their resources on a compliance audit and remediation because they have to in order to meet compliance deadlines or spending that same amount of money on a solution that truly mitigates calculated risk. We help our clients prioritize their budgets so they can meet compliance and be secure.
Lower budgets and decreased staff also perpetuate the challenge in retaining staff with the right skills that can address emerging risk and compliance concerns. On top of that, clients are expecting more from their vendors. The economic situation is providing an opportunity for businesses to pause many IT investments, which then allows them to rethink security strategies, their approach with vendors, and to look more at vendors who can bring a broader set of integrated security functionality to the table.
The luxury of deploying and supporting many point products from a variety of vendors is not practical in this economy. We are focused on helping customers consolidate what they have for better control and cost management without adding exposure to risk. We're helping our clients simplify their security responsibly. This means cutting the costs out of security either by adopting products that solve real business issues or through outsourcing as much security as they can.
I like to remind clients that if they're going to spend the money on compliance, they should also keep their name out of the front pages. Remember, compliance in and of itself is not a bad thing. But compliance in and of itself does not equal security. Compliance is supposed to raise the minimum standard of security, but all too often it just gets us to do what we are required to do and nothing else.
Q. According to SC Magazine's research and many experts in the industry, the information security market may not see as difficult a time in this degraded economy as others since protection of data has become so critical to bottom lines. What are your thoughts on this?
A. The downturn in the economy doesn't negate the fact that businesses have to meet compliance demands and still have to deal with security issues. However, we do see clients taking a more strategic look towards risk management, figuring out where they're over-investing and under-investing so they can find ways to be more efficient, and we're helping clients find ways to do more with less.
Compliance was already a heavy driver of security and we see it now driving the lion's share of spending. The other driver is streamlining cost to be more efficient.
On the product side, we're seeing clients moving away from point products and best-of-breed solutions to security platforms and products developed to solve real business problems. And as our clients are also charged with doing more security with less money and less budget, there is greater emphasis on augmenting internal IT staff with professional security services and strategic outsourcing.
From a threat landscape perspective, we have to remember that the primary motivation for most of the criminal activity we see on the Internet today is financial. We live in a world where sophisticated, international criminal organizations are engaged in widespread fraud and identity theft, and are constantly developing more advanced attack tools and technologies. Disruptions in the global economy are only going to contribute to the problem, as a certain percentage of displaced people with advanced skills turn to these kinds of crimes. This is certainly not a good time for organizations to let their guard down.
Q. Speaking of data protection, we're still seeing a great many exposures of personal and critical information, the most recent and largest being the Heartland incident. Where do companies keep making the biggest mistakes in protecting their customers' data?
A. The primary mistake that we see companies making is that, in an effort to reconcile their security complexity, strategies and mounting costs, many companies are defaulting to the compliance regulations as the roadmap to secure their business. But, as we've seen from many recent security breaches, compliance does not equal security, and security does not equal compliance.
In fact, many of the recent security breaches involved insider threats. It's as much about people as it is about compliance. There is a tendency to focus only on vulnerabilities. But real risk management is a balance of people, process and technology.
Security needs to become part of the culture of doing business, starting with a strong assessment of the risks, an understanding of the mandates, the creation of corporate policies, an implementation of solutions, an audit of effectiveness and then, constant repetition of this process.
Q. As we move through 2009, what will be the biggest threats IT security practitioners will need to be mindful of and what are the ways to best address these?
A. Your own organization is actually the biggest threat to your business. Businesses are going to be forced to do more with less. There are fewer people and less money and organizations are looking to cut costs. The biggest risk is organizations making rash decisions without properly taking into account a holistic view of risk. We advocate simplification, but it needs to be informed and risk driven.
Looking at the threat landscape, our recently published X-Force Trend Report clearly demonstrates that there is a need for increased focus on web application vulnerabilities. Over half the vulnerabilities we cataloged in 2008 affected web applications with the majority unpatched. And we've seen SQL injection attacks increase from a few thousand each day to a few hundred thousand. Businesses that fail to eliminate these vulnerabilities from their web sites are putting their own customers at risk.
Q. What about the newest technological advances that companies are taking advantage of, such as virtualized environments or cloud computing, and other newer ways to conduct business – how should they ensure they are managing their data safely and securely?
A. We help our clients identify gaps in existing security capabilities as new technologies and business models are introduced. For example, most of our clients will adopt virtualization this year. But virtualization and cloud computing may require new levels of isolation, transparency and trust, and therefore, businesses need to take the time to understand how to properly integrate, deploy, and manage security in these environments.
We also advise organizations to embrace repeatable, measurable planning processes and solutions to manage security in a way that supports scalability and growth. This allows them to better understand and prioritize today's risks, as well as build a strong security posture that positions them to reap the rewards of emerging technology trends moving forward.
By taking security expertise and technology innovation and marrying them together, IBM is pioneering these technologies. Last year we introduced our PHANTOM virtual research product to protect virtualized environments at the hypervisor level and we've started to introduce virtual appliances like our Virtual IPS.
Q. If there's one thing security practitioners and their bosses should be mastering when safeguarding their business, what would you say it is?
A. For the past 25 years, security has been about what you can't do. Information security was either an afterthought or seen as a barrier to new projects. If there's one thing security practitioners should master this year it should be a new attitude towards security and openness to embrace change. Security isn't all about what we can't do, but by thinking about it upfront and as part of the business design, it can be a true business enabler and differentiator for businesses.
In IBM's CEO study last year we found that CEOs are looking to the CIO to be the master of change. But up until this point CIOs have been resistant to change, because change introduces risk. By transforming how we think about security and our approach to security, businesses will be poised for success in a smarter planet.