<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://instituteforadvancedsecurity.com/utility/FeedStylesheets/atom.xsl" media="screen"?><feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en-US"><title type="html">David Jarvis</title><subtitle type="html" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/atom.aspx</id><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/default.aspx" /><link rel="self" type="application/atom+xml" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/atom.aspx" /><generator uri="http://telligent.com" version="6.1.1.25421">Telligent Community 6.1.1.25421 (Build: 6.1.1.25421)</generator><updated>2012-04-23T17:03:00Z</updated><entry><title>Cybersecurity Education: The struggle to develop the future workforce</title><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/05/13/cybersecurity-education-the-struggle-to-develop-the-future-workforce.aspx" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/05/13/cybersecurity-education-the-struggle-to-develop-the-future-workforce.aspx</id><published>2013-05-13T12:30:00Z</published><updated>2013-05-13T12:30:00Z</updated><content type="html">&lt;p&gt;Sometimes time and space conspire to create an opportunity that you&amp;nbsp;weren&amp;#39;t&amp;nbsp;expecting. That was the case for me last week. Near where I live, the University of Rhode Island (URI) hosted their third&amp;nbsp;&lt;strong&gt;&lt;a href="http://www.cybersecurity2013.uri.edu/agenda.php" target="_blank"&gt;Cybersecurity Symposium&lt;/a&gt;&amp;nbsp;&lt;/strong&gt;on education and workforce development. Speakers included the entire Rhode Island Congressional delegation, the director of the U.S. Defense Intelligence Agency, the CIO for the U.S. 
Department of Defense and a number of industry practitioners, including IBM&amp;rsquo;s VP for Cyber Security Innovation Marisa Viveros. Marisa was the co-author of the paper that we recently published on leading practices for cybersecurity education.&lt;/p&gt;...(&lt;a href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/05/13/cybersecurity-education-the-struggle-to-develop-the-future-workforce.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://instituteforadvancedsecurity.com/aggbug.aspx?PostID=341&amp;AppID=60&amp;AppType=Weblog&amp;ContentType=0" width="1" height="1"&gt;</content><author><name>David Jarvis</name><uri>http://instituteforadvancedsecurity.com/members/DavidJ/default.aspx</uri></author><category term="cyber threats" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/cyber+threats/default.aspx" /><category term="cybersecurity" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/cybersecurity/default.aspx" /><category term="mobile security" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/mobile+security/default.aspx" /></entry><entry><title>Cybersecurity Education: Improving Protection through Global Connections</title><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/04/29/cybersecurity-education-improving-protection-through-global-connections.aspx" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/04/29/cybersecurity-education-improving-protection-through-global-connections.aspx</id><published>2013-04-29T20:35:00Z</published><updated>2013-04-29T20:35:00Z</updated><content type="html">&lt;p&gt;This blog was originally posted on IBM.com.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;In a world of increasing and varying information security&amp;nbsp;&lt;/span&gt;&lt;strong&gt;&lt;a href="https://www-304.ibm.com/jct03001c/security/xforce/" target="_blank"&gt;threats&lt;/a&gt;&lt;/strong&gt;&lt;span&gt;, academic initiatives focused on cybersecurity are&amp;nbsp;&lt;/span&gt;&lt;strong&gt;&lt;a href="http://www.welivesecurity.com/2013/04/10/global-center-for-cyber-security-to-be-set-up-at-oxford-university/" target="_blank"&gt;proliferating&amp;nbsp;&lt;/a&gt;&lt;/strong&gt;&lt;span&gt;- yet, there is still the danger of falling short in addressing the long-term threat. To avoid becoming too focused on near-term issues, programs must be more collaborative across their own institutions, with industry, government, and among the global academic community. Only by working in concert can we meet today&amp;rsquo;s demand while educating the next generation to create a more secure future.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;There have been a lot of recent reports, blog posts and news articles discussing the cybersecurity skills gap. It has been an ongoing issue for a while, and will continue into the future. We wanted to tackle this problem, not from the demand side, but from the supply side. So, the IBM Center for Applied Insights and IBM&amp;rsquo;s Cyber Security Innovation team selected 15 academic programs in 6 different countries from the over 200 institutions we monitor and work with. We conducted interviews with faculty members, department chairs and others. 
This week, we released a synthesis of those interviews in our latest security insights paper,&lt;/span&gt; &lt;a href="http://instituteforadvancedsecurity.com/content-library/m/public_files/495.aspx" target="_blank"&gt;&lt;em&gt;&lt;strong&gt;&amp;ldquo;Cybersecurity&amp;nbsp;education&amp;nbsp;for&amp;nbsp;the&amp;nbsp;next&amp;nbsp;generation:&amp;nbsp;Advancing&amp;nbsp;a&amp;nbsp;collaborative&amp;nbsp;approach&amp;rdquo;&lt;/strong&gt;&lt;/em&gt;&lt;/a&gt;&lt;span&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;Through our interviews it was confirmed that cybersecurity is top of mind for students, educators, industry and government. Industry and government are currently facing a&amp;nbsp;&lt;/span&gt;&lt;strong&gt;&lt;a href="http://www.computerweekly.com/news/2240178584/RSA-2013-Cyber-security-skills-shortage-needs-urgent-attention-says-DoHS" target="_blank"&gt;significant&amp;nbsp;skills&amp;nbsp;gap&lt;/a&gt;&lt;/strong&gt;&lt;span&gt;&amp;nbsp;and this is causing the programs we interviewed to see extremely high demand for their students, both undergraduate and graduate.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;But, not all is rosy with the increased demand and attention. Programs are expected to provide more of everything &amp;ndash; courses, graduates, opportunities, research &amp;ndash; which has caused programs to face a number of organizational and technology challenges. Strained programs are addressing these challenges in different ways, taking different approaches to cybersecurity education, but still sharing similar common principles.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span&gt;The trends, challenges, issues and differing perspectives cannot be fully addressed by each academic program on its own; cybersecurity is a global problem and should have global solutions. A set of leading practices promoting a longer-term and more collaborative approach is needed. 
We identified three general areas that the leading programs we talked to excelled at, all dealing with collaboration and connection.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/0550.8680941639_5F00_1e3b53a942_5F00_b.jpg"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/0550.8680941639_5F00_1e3b53a942_5F00_b.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p dir="ltr"&gt;&lt;strong&gt;1. Collaborate within your own institution&amp;nbsp;&lt;/strong&gt;&amp;ndash; Cybersecurity programs should embed security practices and principles in computer science and engineering courses and take a holistic technical approach. They should work with other disciplines and schools in the university (e.g., business, law, ethics, medicine, policy). They should offer diverse education options for students and professionals (graduate, undergraduate, professional development, etc.).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;2. Co-evolve with industry and government&amp;nbsp;&lt;/strong&gt;&amp;ndash; Academic programs should have deep ties with industry and government &amp;ndash; partnering and collaborating on research, curriculum development, and opportunities for students. A hands-on, practical approach is also extremely important. Laboratory work, projects, special-interest groups, and internships should all be cultivated.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;3. Connect across the global academic community&lt;/strong&gt;&amp;nbsp;&amp;ndash; A number of the programs we talked with discussed the need for building a &amp;ldquo;science of security&amp;rdquo; to anticipate security problems and a cross-discipline&amp;nbsp;&lt;em&gt;lingua franca&lt;/em&gt;&amp;nbsp;among scientists, engineers and policy makers. Fundamental concepts and common vocabulary can only be developed with participation of the entire global cybersecurity community.&lt;/p&gt;
&lt;p dir="ltr"&gt;To read more about leading cybersecurity education practices, case studies, and IBM&amp;rsquo;s recommendations, download our &lt;a href="http://www.ibm.com/common/ssi/cgi-bin/ssialias?subtype=XB&amp;amp;infotype=PM&amp;amp;appname=CHQE_ED_ED_USEN&amp;amp;htmlfid=EDE12345USEN&amp;amp;attachment=EDE12345USEN.PDF" target="_blank"&gt;&lt;strong&gt;report&lt;/strong&gt;&lt;/a&gt;. The paper is part of our ongoing security insights series, which includes the&amp;nbsp;&lt;a href="http://public.dhe.ibm.com/common/ssi/ecm/en/cie03117usen/CIE03117USEN.PDF" target="_blank"&gt;&lt;strong&gt;2012&amp;nbsp;IBM&amp;nbsp;CISO&amp;nbsp;Assessment&lt;/strong&gt;&lt;/a&gt; and the &lt;a href="http://www.ibm.com/smarterplanet/us/en/business_resilience_management/article/security_essentials.html" target="_blank"&gt;&lt;strong&gt;Security&amp;nbsp;Essentials&amp;nbsp;for&amp;nbsp;CIOs&lt;/strong&gt;&lt;/a&gt;&amp;nbsp;series.&lt;/p&gt;
&lt;p dir="ltr"&gt;Read the original article on IBM.com &lt;strong&gt;&lt;a href="https://www-304.ibm.com/connections/blogs/IBMCAI/entry/cybersecurity_education?lang=en_us" target="_blank"&gt;here&lt;/a&gt;&lt;/strong&gt;.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://instituteforadvancedsecurity.com/aggbug.aspx?PostID=337&amp;AppID=60&amp;AppType=Weblog&amp;ContentType=0" width="1" height="1"&gt;</content><author><name>David Jarvis</name><uri>http://instituteforadvancedsecurity.com/members/DavidJ/default.aspx</uri></author><category term="cyber threats" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/cyber+threats/default.aspx" /><category term="cybersecurity" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/cybersecurity/default.aspx" /><category term="mobile security" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/mobile+security/default.aspx" /></entry><entry><title>Breaking through the wall – Security highlights from Tech Trends 2012</title><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/02/07/breaking-through-the-wall-security-highlights-from-tech-trends-2012.aspx" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/02/07/breaking-through-the-wall-security-highlights-from-tech-trends-2012.aspx</id><published>2013-02-07T11:00:00Z</published><updated>2013-02-07T11:00:00Z</updated><content type="html">&lt;p&gt;There are four pivotal information technologies that are rapidly reshaping how enterprises operate: mobile technology, business analytics, cloud computing, and social business. All four of these technologies are potentially disruptive, and they also come with unique security concerns. Many people fear the security implications of employees bringing their own mobile devices to work, or storing mission critical databases in public cloud environments. 
Fear shouldn&amp;rsquo;t drive organizations away from these potentially transformative technologies. How are organizations overcoming their fears? How are they breaking through the &amp;ldquo;security wall&amp;rdquo;?&lt;/p&gt;...(&lt;a href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/02/07/breaking-through-the-wall-security-highlights-from-tech-trends-2012.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://instituteforadvancedsecurity.com/aggbug.aspx?PostID=302&amp;AppID=60&amp;AppType=Weblog&amp;ContentType=0" width="1" height="1"&gt;</content><author><name>David Jarvis</name><uri>http://instituteforadvancedsecurity.com/members/DavidJ/default.aspx</uri></author><category term="2012 tech trends report" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/2012+tech+trends+report/default.aspx" /><category term="it security policies" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/it+security+policies/default.aspx" /></entry><entry><title>The future of information security – will it be like today, only more so?</title><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/01/25/the-future-of-information-security-will-it-be-like-today-only-more-so.aspx" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/01/25/the-future-of-information-security-will-it-be-like-today-only-more-so.aspx</id><published>2013-01-25T21:57:00Z</published><updated>2013-01-25T21:57:00Z</updated><content type="html">&lt;p&gt;In 2012 we saw significant data breaches across multiple industries and governments impacting millions of users. Will 2013 bring more of the same? Is this an uncertain future we will have to live with? 
Can we accept degraded privacy and security and billions of dollars in lost revenue, damage, reduction in brand value and remediation costs?&lt;/p&gt;...(&lt;a href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2013/01/25/the-future-of-information-security-will-it-be-like-today-only-more-so.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://instituteforadvancedsecurity.com/aggbug.aspx?PostID=289&amp;AppID=60&amp;AppType=Weblog&amp;ContentType=0" width="1" height="1"&gt;</content><author><name>David Jarvis</name><uri>http://instituteforadvancedsecurity.com/members/DavidJ/default.aspx</uri></author><category term="2012 ciso assessment" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/2012+ciso+assessment/default.aspx" /><category term="ibm center for applied insights" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/ibm+center+for+applied+insights/default.aspx" /><category term="information security" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/information+security/default.aspx" /></entry><entry><title>CISO Assessment: Retail Insights</title><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/07/30/ciso-assessment-retail-insights.aspx" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/07/30/ciso-assessment-retail-insights.aspx</id><published>2012-07-30T11:00:00Z</published><updated>2012-07-30T11:00:00Z</updated><content type="html">&lt;p&gt;Like other industries, retail has its own set of unique security challenges. Loss prevention is a significant component of that challenge. The latest&amp;nbsp;National Retail Security Survey&amp;nbsp;stated that in 2011, U.S. 
retailers lost $34.5 billion to retail theft &amp;ndash; combining employee theft, shoplifting, paperwork errors and supplier fraud.&amp;nbsp;&amp;nbsp;That accounted for approximately 1.4 percent of total retail sales last year.&lt;/p&gt;...(&lt;a href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/07/30/ciso-assessment-retail-insights.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://instituteforadvancedsecurity.com/aggbug.aspx?PostID=177&amp;AppID=60&amp;AppType=Weblog&amp;ContentType=0" width="1" height="1"&gt;</content><author><name>David Jarvis</name><uri>http://instituteforadvancedsecurity.com/members/DavidJ/default.aspx</uri></author><category term="ciso" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/ciso/default.aspx" /><category term="retail industry security" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/retail+industry+security/default.aspx" /><category term="retail security leader" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/retail+security+leader/default.aspx" /><category term="securing your industry" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/securing+your+industry/default.aspx" /></entry><entry><title>The Other Social Security</title><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/06/25/the-other-social-security.aspx" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/06/25/the-other-social-security.aspx</id><published>2012-06-25T18:54:00Z</published><updated>2012-06-25T18:54:00Z</updated><content type="html">&lt;p&gt;It is well known that social media holds a great deal of promise for the enterprise, but many executives and others are still 
struggling to get over the potential security and privacy risks. So, what is the best way to make the transition to becoming a secure social enterprise?&lt;/p&gt;...(&lt;a href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/06/25/the-other-social-security.aspx"&gt;read more&lt;/a&gt;)&lt;img src="http://instituteforadvancedsecurity.com/aggbug.aspx?PostID=165&amp;AppID=60&amp;AppType=Weblog&amp;ContentType=0" width="1" height="1"&gt;</content><author><name>David Jarvis</name><uri>http://instituteforadvancedsecurity.com/members/DavidJ/default.aspx</uri></author><category term="cio essentials whitepaper" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/cio+essentials+whitepaper/default.aspx" /><category term="social business security" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/social+business+security/default.aspx" /><category term="social media security" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/social+media+security/default.aspx" /></entry><entry><title>CISO Assessment: Security by Committee</title><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/05/29/ciso-assessment-security-by-committee.aspx" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/05/29/ciso-assessment-security-by-committee.aspx</id><published>2012-05-29T18:27:33Z</published><updated>2012-05-29T18:27:33Z</updated><content type="html">&lt;p&gt;Some things are bad to do by committee, creating a work of art, cooking dinner, closing a baseball game &amp;ndash; and sometimes committees are a necessity. Security and risk committees are an essential part of any enterprise&amp;rsquo;s security and risk management infrastructure. 
They are a sign of a mature organization. By promoting collaboration across the enterprise and making security and the associated risk discussions an integral part of senior leadership&amp;rsquo;s responsibilities, the enterprise can be better protected. Yet, even though the benefits are clear, not enough enterprises have one.&lt;/p&gt;
&lt;p&gt;A&amp;nbsp;&lt;b&gt;&lt;a href="http://www.rsa.com/innovation/docs/11656_CMU_-_GOVERNANCE_2012_RSA_Key_Findings_v2_%282%29.pdf" target="_blank"&gt;study released last week by the Carnegie Mellon CyLab&lt;/a&gt;&lt;/b&gt;, looking at privacy and security governance in the Forbes Global 2000, reported that boards and senior leadership still are not exercising appropriate governance over the privacy and security of their digital assets. The study stated that there is still a significant gap in understanding around the fact that security, privacy and IT risk are all a part of enterprise risk management.&lt;/p&gt;
&lt;p&gt;The study did note one encouraging sign &amp;ndash; that more and more enterprises have cross-functional privacy/security committees &amp;ndash; 70% of 2012 respondents versus 17% in 2008. These committees can act as a bridge to boards and senior leadership and elevate the discussion around security and risk, potentially closing the governance gap.&lt;/p&gt;
&lt;p&gt;These findings line up very nicely with what we recently uncovered as part of our&amp;nbsp;&lt;b&gt;&lt;a href="http://www.ibm.com/smarterplanet/us/en/business_resilience_management/article/security_essentials.html" target="_blank"&gt;2012 CISO Assessment.&lt;/a&gt;&lt;/b&gt;&amp;nbsp;Overall, only 49% of the total sample reported that they had a security or risk committee. When we delved deeper, 68% of the most mature group of organizations, Influencers, had a security/risk committee. In comparison, only 26% of the least confident and mature group, Responders, had one.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;What was interesting was, regardless of the organization&amp;rsquo;s overall security maturity level, if they had a security or risk committee they shared similar characteristics. In general, leaders of the committees tended to be Senior IT Executives (28%), CISOs (24%) or Senior Business Executives (22%). These committees met on a fairly regular basis, with 48% meeting quarterly and 27% meeting monthly.&lt;/p&gt;
&lt;p&gt;The security and risk committees also took a comprehensive, enterprise-wide approach with both business and IT representation. From the business side, the most represented functions included Compliance (80%), Legal (65%), Business Executives (64%), Business Operations (64%), and Finance (59%). From the IT side, IT Executives (91%), IT Operations (72%), Network Operations (60%), and Data Governance (51%) were all a part of a majority of the committees.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/3771.David-Jarvis-CISO-Assessment_5F00_1_5F00_5_2D00_29_2D00_2012.jpg"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/3771.David-Jarvis-CISO-Assessment_5F00_1_5F00_5_2D00_29_2D00_2012.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;Finally, as part of the CISO Assessment we looked at the primary objectives of the security/risk committees. Looking at the chart below we can see that, based on their top two choices, most committees were primarily focused on developing enterprise security strategy and developing action plans and recommendations. So should committees only be focused on strategic policy and governance issues? Is there more they could be doing?&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span&gt;&lt;a href="http://instituteforadvancedsecurity.com/cfs-file.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/0842.David-Jarvis-CISO-Assessment_5F00_2_5F00_5_2D00_29_2D00_2012.jpg"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/0842.David-Jarvis-CISO-Assessment_5F00_2_5F00_5_2D00_29_2D00_2012.jpg" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;At IBM, our risk management team meets quarterly with a top advisory committee, including senior vice presidents of all the business units, who report directly to the CEO. These include the leaders of many functional areas including finance, marketing, technology and others. Each of these executives must understand the security risks to his or her unit and what controls are in place. Together, they shape and decide strategy. Security, after all, is intimately tied not only to their units, but to the future of the enterprise.&lt;/p&gt;
&lt;div&gt;Based on all this information, I think that enterprises are using security and risk committees more and more and they are adopting best practices around the leaders, members, operations, and goals of those committees. To make the next step:&amp;nbsp;&lt;/div&gt;
&lt;ul&gt;
&lt;li&gt;Make sure your committee has both technical and business leadership representation and make sure it is connected to the highest levels of the enterprise and the board. The committee can be the gateway between the enterprise and the board with respect to information risk management.&lt;/li&gt;
&lt;li&gt;Ensure your committee is broad and diverse. Compliance, legal, finance and IT operations representation is expected. Reach further: make sure business unit leaders are involved so new products and services are created in a secure fashion. Include human resources to help with employee education initiatives.&lt;/li&gt;
&lt;li&gt;Set up a way to measure the progress of the committee. Using targeted metrics can help focus not only the committee, but the entire security organization for the enterprise. It will provide something to work towards and make it easier to communicate with the board.&lt;/li&gt;
&lt;/ul&gt;
&lt;div&gt;Original Post on &lt;a href="https://www-304.ibm.com/connections/blogs/IBMCAI/entry/ciso_assessment_security_by_committee5?lang=en_us" target="_blank"&gt;IBM Center for Applied Insights Blog&lt;/a&gt;&lt;/div&gt;
&lt;p&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://instituteforadvancedsecurity.com/aggbug.aspx?PostID=147&amp;AppID=60&amp;AppType=Weblog&amp;ContentType=0" width="1" height="1"&gt;</content><author><name>David Jarvis</name><uri>http://instituteforadvancedsecurity.com/members/DavidJ/default.aspx</uri></author><category term="ciso survey" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/ciso+survey/default.aspx" /><category term="erm leadership" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/erm+leadership/default.aspx" /><category term="leaders information" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/leaders+information/default.aspx" /><category term="security leader" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/security+leader/default.aspx" /><category term="security security" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/security+security/default.aspx" /></entry><entry><title>Finding a strategic voice - Insights from the 2012 IBM CISO Assessment</title><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/05/03/finding-a-strategic-voice-insights-from-the-2012-ibm-ciso-assessment.aspx" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/05/03/finding-a-strategic-voice-insights-from-the-2012-ibm-ciso-assessment.aspx</id><published>2012-05-03T19:24:00Z</published><updated>2012-05-03T19:24:00Z</updated><content type="html">&lt;div&gt;
&lt;div align="left"&gt;It&amp;rsquo;s easy to say that information security leaders have it tough. The security landscape is full of conflict, confusion and uncertainty, coming from a number of different directions. Leaders have a lot to handle. If it&amp;rsquo;s not a rapidly shifting threat, it&amp;rsquo;s new technology platforms to secure including mobile, cloud and social. Almost every article I see these days is focused on the growing challenges, with titles like the &amp;ldquo;Eye of the storm&amp;rdquo;, &amp;ldquo;Into the cloud, out of the fog&amp;rdquo; and &amp;ldquo;Converging waves of pain.&amp;rdquo;&lt;/div&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;Today, the IBM Center for Applied Insights releases the results of the&amp;nbsp;&lt;b&gt;2012 IBM Chief Information Security Officer Assessment&lt;/b&gt;. This was our first foray into examining the role of information security leaders, and how they are evolving to meet the challenging landscape. While we understand and appreciate the fact that things are difficult on the technical front, we wanted to focus on the organizational and leadership aspects of information security.&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li&gt;We felt that information security leadership was in the process of&amp;nbsp;undergoing a transformation&amp;nbsp;and wanted to test whether the role was changing based on increasing security challenges and greater attention from business leaders.&lt;/li&gt;
&lt;li&gt;We wanted to&amp;nbsp;identify best practices&amp;nbsp;that could be shared across the industry &amp;ndash; and understand if organizations were moving toward a more holistic, risk-based approach to information security.&lt;/li&gt;
&lt;li&gt;We also wanted to know&amp;nbsp;what roles collaboration, innovation and integration are playing&amp;nbsp;in security organizations.&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;p&gt;What we discovered was that only 1 in 4 security leaders have made the shift to being recognized as having strategic impact on their enterprise.&amp;nbsp;Based on a self-assessment of their organizational maturity and their ability to handle a security incident, three different types of leaders emerged.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;b&gt;Influencers (25%)&lt;/b&gt;&amp;nbsp;&amp;ndash; This group sees their security organizations as progressive, ranking themselves highly in both maturity and preparedness. These security leaders have business influence and authority &amp;ndash; a strategic voice in the enterprise.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Protectors (47%)&lt;/b&gt;&amp;nbsp;&amp;ndash; These security leaders recognize the importance of information security as a strategic priority. However, they lack important measurement insight and the necessary budget authority to fully transform their enterprises&amp;rsquo; security approach.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Responders (28%)&lt;/b&gt;&amp;nbsp;&amp;ndash; This group remains largely in response mode, working to protect the enterprise and comply with regulations and standards but struggling to make strategic headway. They may not yet have the resources or business influence to drive significant change.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href="http://instituteforadvancedsecurity.com/content-library/m/files/98.aspx" target="_blank"&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/8407.caisecurity_5F00_infographic.png" border="0" alt=" " style="display:block;margin-left:auto;margin-right:auto;" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p style="text-align:center;"&gt;&lt;em&gt;*Influencers are much more likely to have elevated information security to a strategic priority, according to the IBM Center for Applied Insights study, &lt;a href="http://instituteforadvancedsecurity.com/content-library/m/files/97.aspx" target="_blank"&gt;Finding a strategic voice: Insights from the 2012 IBM Chief Information Security Officer Assessment&lt;/a&gt;.&amp;nbsp;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;We also discovered some significant differences between the groups that show how Influencers have developed their strategic voice. Compared to Responders, Influencers are:&lt;/p&gt;
&lt;/div&gt;
&lt;div&gt;
&lt;ul&gt;
&lt;li&gt;&lt;span style="color:#228b22;"&gt;&lt;b&gt;2x&lt;/b&gt;&lt;/span&gt;&amp;nbsp;more likely to have a dedicated CISO&lt;/li&gt;
&lt;li&gt;&lt;span style="color:#228b22;"&gt;&lt;b&gt;2.5x&lt;/b&gt;&lt;/span&gt;&amp;nbsp;more likely to have a security or risk committee&lt;/li&gt;
&lt;li&gt;&lt;span style="color:#228b22;"&gt;&lt;b&gt;3x&lt;/b&gt;&lt;/span&gt;&amp;nbsp;more likely to have information security as a board topic&lt;/li&gt;
&lt;li&gt;&lt;span style="color:#228b22;"&gt;&lt;b&gt;2x&lt;/b&gt;&lt;/span&gt;&amp;nbsp;more likely to use a standard set of security metrics to track their progress&lt;/li&gt;
&lt;li&gt;&lt;span style="color:#228b22;"&gt;&lt;b&gt;4x&lt;/b&gt;&lt;/span&gt;&amp;nbsp;more likely to be focused on improving enterprise-wide communication and collaboration over the next two years&lt;/li&gt;
&lt;li&gt;&lt;span style="color:#228b22;"&gt;&lt;b&gt;2x&lt;/b&gt;&lt;/span&gt;&amp;nbsp;more likely to be focused on providing education and security awareness over the next two years&lt;/li&gt;
&lt;/ul&gt;
&lt;/div&gt;
&lt;div&gt;&amp;nbsp;&lt;br /&gt;This is just the beginning of our conversation around the role of information security leadership and its place within the enterprise. The full report goes into more detail on the security landscape, the different types of leaders and their characteristics, and a way forward for everyone.&lt;br /&gt;&amp;nbsp;&lt;/div&gt;
&lt;div&gt;Check out the full report,&lt;b&gt;&amp;nbsp;&lt;a href="http://instituteforadvancedsecurity.com/content-library/m/files/97.aspx" target="_blank"&gt;&amp;ldquo;Finding a strategic voice&amp;rdquo;&lt;/a&gt;&amp;nbsp;&lt;/b&gt;for more information on this important topic. Also, catch our ongoing series of articles on best practices for information security from IBM&amp;rsquo;s VP of IT Risk on the&amp;nbsp;&lt;a href="http://www.ibm.com/smarter/cai/security" target="_blank"&gt;IBM Center for Applied Insights security site&lt;/a&gt;.&lt;/div&gt;
&lt;p style="text-align:center;"&gt;&lt;a href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/05/03/finding-a-strategic-voice-insights-from-the-2012-ibm-ciso-assessment.aspx"&gt;(Please visit the site to view this video)&lt;/a&gt;&lt;/p&gt;
&lt;div&gt;Original Post: &lt;a href="https://www-304.ibm.com/connections/blogs/IBMCAI/entry/finding_a_strategic_voice?lang=en_us" target="_blank"&gt;IBM Center for Applied Insights&lt;/a&gt;&lt;/div&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://instituteforadvancedsecurity.com/aggbug.aspx?PostID=135&amp;AppID=60&amp;AppType=Weblog&amp;ContentType=0" width="1" height="1"&gt;</content><author><name>David Jarvis</name><uri>http://instituteforadvancedsecurity.com/members/DavidJ/default.aspx</uri></author><category term="2012 ciso assessment" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/2012+ciso+assessment/default.aspx" /><category term="ciso survey" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/ciso+survey/default.aspx" /><category term="evolving role of the CISO" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/evolving+role+of+the+CISO/default.aspx" /></entry><entry><title>Security: Worrying about holes in the cloud</title><link rel="alternate" type="text/html" href="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/04/23/security-worrying-about-holes-in-the-cloud.aspx" /><id>http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/2012/04/23/security-worrying-about-holes-in-the-cloud.aspx</id><published>2012-04-23T23:03:00Z</published><updated>2012-04-23T23:03:00Z</updated><content type="html">&lt;p&gt;According to the&amp;nbsp;&lt;a href="http://www.idgenterprise.com/report/idg-enterprises-cloud-computing" target="_blank"&gt;2012 Cloud Computing Survey&lt;/a&gt;&amp;nbsp;released this month by IDG, the number one barrier to implementing cloud strategies is security.&amp;nbsp;A&lt;strong&gt;&amp;nbsp;full 70% of respondents reported being significantly worried about it&lt;/strong&gt;.&amp;nbsp;More than 
service interruptions and other factors &amp;ndash; unauthorized users getting access to data strikes fear into the heart of potential cloud adopters.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;However, because of their flexibility, potential cost savings and ease of use, the allure of cloud computing is undeniable. So, what to do? How can we have cloud computing platforms that inspire confidence instead of instilling fear?&lt;/p&gt;
&lt;p&gt;It all starts with&amp;nbsp;&lt;strong&gt;education&lt;/strong&gt;. Everyone developing a cloud-delivered service becomes, de facto, an IT architect. Users must understand the risks and responsibilities in operating on a cloud, and follow a set of best practices that they respect and incorporate into their daily routines.&lt;/p&gt;
&lt;p&gt;Second, we have to think in a different context &amp;ndash; it needs to be more about&amp;nbsp;&lt;strong&gt;securing information&lt;/strong&gt;, rather than the security of physical devices and locations. If the information is secure by its nature, it doesn&amp;rsquo;t matter where it is, or what device it is on. The data has to be encrypted and available only to those who need access to it. Putting the onus on the data owner instead of the cloud provider is a good idea. Ponemon and CA released the&amp;nbsp;&lt;a target="_blank"&gt;results of a survey&amp;nbsp;&lt;/a&gt;in May 2011 which showed that cloud providers didn&amp;rsquo;t make security their number one concern. The majority of cloud providers believed it was their customer&amp;#39;s responsibility to secure the cloud, not theirs.&lt;/p&gt;
&lt;p&gt;&lt;img src="http://instituteforadvancedsecurity.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-00-00-60/2654.punch_2D00_hole_2D00_clouds_2D00_other_2D00_rarely_2D00_seen_2D00_cloud_2D00_formations01.jpg" width="290" height="200" alt=" " style="float:right;" /&gt;&lt;/p&gt;
&lt;p&gt;Finally, this leads us to the importance of&amp;nbsp;knowing and trusting the cloud vendor and the country&amp;nbsp;the hosting data center operates in. Depending on the location of the data center, there are possible data rights issues and disruptions caused by political unrest, infrastructure issues or natural disaster. In the end, you&amp;rsquo;re investing not only in the cloud provider, but in a country as well.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;The IBM Center for Applied Insights has been working with IBM&amp;rsquo;s VP of IT Risk to develop a series of eight articles on&amp;nbsp;&lt;strong&gt;Security Essentials for CIOs&lt;/strong&gt;, based on IBM&amp;#39;s own experiences. The latest, the third in the series, is about what it takes for an enterprise to develop a secure cloud computing strategy.&lt;/p&gt;
&lt;p&gt;To read more, check out the article&amp;nbsp;&lt;a href="http://public.dhe.ibm.com/common/ssi/ecm/en/wgw03004usen/WGW03004USEN.PDF" target="_blank"&gt;here&lt;/a&gt;, and watch for forthcoming articles in the coming months on the&amp;nbsp;&lt;a href="http://www.ibm.com/smarterplanet/us/en/business_resilience_management/article/security_essentials.html" target="_blank"&gt;IBM Center for Applied Insights security site&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size:x-small;"&gt;&lt;em&gt;Original post from&amp;nbsp;&lt;a href="https://www-304.ibm.com/connections/blogs/IBMCAI/entry/security_worrying_about_holes_in_the_cloud8?lang=en_us" target="_blank"&gt;IBM Center for Applied Insights&lt;/a&gt;&lt;/em&gt;&lt;/span&gt;&lt;/p&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://instituteforadvancedsecurity.com/aggbug.aspx?PostID=122&amp;AppID=60&amp;AppType=Weblog&amp;ContentType=0" width="1" height="1"&gt;</content><author><name>David Jarvis</name><uri>http://instituteforadvancedsecurity.com/members/DavidJ/default.aspx</uri></author><category term="cloud security" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/cloud+security/default.aspx" /><category term="security cloud" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/security+cloud/default.aspx" /><category term="security essentials" scheme="http://instituteforadvancedsecurity.com/ias-blogs/community-blogs/b/david_jarvis/archive/tags/security+essentials/default.aspx" /></entry></feed>