Editor’s Note: This is the third part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program (USM). In this installment, we discuss the effectiveness of the USM program at Cisco.
Information security is all about risk reduction, and risks are notoriously difficult to measure – ask any insurance salesman or actuary. So how do we handle this conundrum for a security metrics program that hasn’t even reached its second anniversary yet?
Peter Drucker, noted business management author, once said, “Efficiency is doing the thing right. Effectiveness is doing the right thing.” Even at this early stage of the USM program, we can see four clear indicators demonstrating we’re doing the right things to improve Cisco’s security posture across the IT organization and Cisco. They include the creation of newly defined partnerships, leveraging existing IT risk management frameworks, developing well-defined feedback mechanisms, and gaining increased support and visibility at the CIO level.
Read More »
Tags: information security, infosec, metrics, security, unified security metrics program, usm
Based on 25 years of professional experience in various businesses around the globe, I can say that many industry verticals have a pretty good state of safety culture as it relates to the health and safety of their employees. This is especially true for companies involved in high-risk businesses such as oil and gas, (nuclear) energy, manufacturing, chemicals, food processing, and so on. In such industries, it is pretty clear that there is a risk that something may blow up, hurt, or even kill people.
However, it seems that the next big driver for them is business alone, and they are not as focused on information or IT security when it comes to the logic side of security like bits and bytes, document handling of confidential information, and similar subjects. This is in stark contrast to their keen attention to physical safety and security issues.
It would seem intuitive that any organization with a commitment to safety by counting (and incentivizing) the hours (days, weeks, months, …) of safety-incident-free time should also be easy to convince that taking a similar approach to information security would be a good thing. But it is not that easy. Operations in these businesses are very physical, so it is not really in the mind-set of a rig guy or gal, a welder, a component mixer, machine operator, or similar, that another devastating incident (attack) could happen from “within” the system(s), by a human adversary committed to do harm in the interest of their nation state or paying agent. All those systems in the above mentioned industries that are working at the process level (sensors/actuators, process control, SCADA (supervisory control and data acquisition) are designed for efficient and effective, good performing, and reliable operation, but they were not really designed and built to resist logic attacks from a human smart guy who can outsmart almost every defense.
In industrial networks, spanning the areas of instrumentation, control bus, operations, business, or enterprise, the often cited Purdue reference model that provides for several “levels” or “zones” of abstraction and segregation can be used. A really good introduction can be found in the Secure Data Transfer Guidance for Industrial Control and SCADA Systems.
The main security points to address are:
Tags: encryption, information security, information technology, IT, network segmentation, physical security, security
I have been coaching youth sports for the past seven plus years now and one of my common mantras when speaking to the girls and boys each season is that “we will win as a team and lose as a team.” In other words, I will never tolerate one player acting selfishly enough to think he or she is above everyone else on the team. I strive to instill the objective that we will collectively pool our talents for the betterment of the team. We use this approach because each boy and girl, believe it or not, brings with himself or herself a unique set of abilities and strengths with which the entire team will benefit.
So why should you care about my coaching philosophies? Read More »
Tags: cisco sio, cybersecurity, DDoS, dos, information security, security
We all know that the virtualization and cloud megatrend is a game changer for data centers, leading to profound shifts in everything from IT services and business models to architectures. Business benefits include reduced capital investments, new revenue growth opportunities, and the greater efficiency, agility and scalability demanded by globalization.
Enterprises have held back from making the transition to virtual and cloud environments primarily because of the inherent security risks and concerns.
Targeted attacks and security breaches are getting more sophisticated. The Verizon Security Threat Report for 2011 showed that 3.8 million records were stolen in 2010, and 94% of this data came from servers (an increase of 18%).
As security concerns are the primary barrier to making this transition from virtualized data center to cloud, we must rethink how security fits in to these new architectures and develop new security tools to ensure the secure transfer of information.
For enterprises to confidently seize the business benefits offered by data center virtualization and the cloud, security must be seen as the art of the possible, not as a hindrance.
Watch below as I explore the challenges and leading practices for securing virtualized environments today, and into the future.
Please join me also for a special webcast “Defending the Data Center “ today at 10:00 am PDT /1:00 pm EDT /17:00 GMT – To watch register here
Tags: Cisco, CSO, cybersecurity, data center, information security, John Stewart, security, virtualization
I have a thing for metaphors. I wrote my dissertation on them. And they have helped me enormously as a non-engineer working in IT security.
Metaphors are powerful tools (that’s a metaphor, by the way). Literally referring to something as something else enables us to make mental connections between concepts that are not really the same. War and weapons have proven historically useful metaphors. In wartime, everything changes. We look at the situation, our opponents, and even ourselves very differently (I like the image of a noble warrior on the battlefield more than that of a guy who spends most of his day sitting and typing…)
But metaphors also cause trouble, especially when we use them to over-simplify. I am skeptical of “security as war” metaphors, including that of the arms race. The metaphor detracts from the very real threats of cyber- and information warfare. War doesn’t define security any more than war defines firearms. Unless we are specifically talking about threats from nation states (and a few other actors) using information technology as part of armed conflict, we are not talking about war. And this is not what we are usually talking about in information security.
Read More »
Tags: cyber crime, cyber security, cyber warfare, information security, security