Making security a shared responsibility

As enterprises take more logical views of computing and build NDC architectures in support of global supply chains, how do security best practices need to change?

As enterprise IT executives embrace the concepts of open, logical, Web-based computing, they also must rethink their security best practices. In New Data Center (NDC) architectures, security needs to go beyond the borders of the enterprise to encompass partners, customers and even users. Rhonda MacLean, former head of security for Bank of America and, before that, Boeing, today takes on that tall order for a variety of enterprises. She has parlayed her experiences into a position as principal of the year-old MacLean Risk Partners and now spends her time advising clients about how to quantify and mitigate security risks in today’s NDC environment. In this Q&A, she shares her latest thinking on security best practices

Global supply chaining is causing de-perimeterization of our IT environments. There may still be some glass houses out there, but the processing is going on virtually all over the world. And this is a world in which sensitive information needs to be shared and collaboration needs to be enabled. So enterprise security is not about withholding access anymore, but about having really good processes and technologies and people to enable sharing.

Security best practices need to be adopted universally – cross-company, cross-border, cross-partner, cross-customer. Security has to be a shared responsibility among the primary organization and its suppliers, partners and customers.

This is going to take some significant cultural evolution. For years we said, ‘Security is the weakest link in the chain.’ Well, when you controlled the whole chain, the world was simple. But that isn’t the case anymore. Organizations today are doing virtualization, grid computing, Web services or open source code – all these things are occurring and converging at the same time. Embracing the notion of shared responsibility and having robust governance and assurance processes are going to become more important [than ever].

So security needs to be a collective responsibility?

A good way to think about this is by comparing it to healthcare and insurance. If you’re a smoker, your premiums are high. But your doctor advises you to quit smoking, exercise more and eat more broccoli, [and your insurance company says] your premiums may go down if you do these healthier things, because you’ll then be at lower risk. So you take personal responsibility and do so. This shows the chain effect, if you will, of everybody working together to make sure that you’re managing your health.

The computing environment is a lot like that. We’re in this ecosystem where everyone needs to have some responsibility for the health of the ecosystem.

Does this apply to governance and assurance as well?

Governance is complex. Obviously, it starts with company policy. And you’ve got legal and regulatory obligations wherever you’re doing this business. Those are givens.

I know the financial industry has an initiative that it’s working toward for vendor management, around the whole compliance of vendors that financial companies rely on. Companies want to get some assurances from their vendors about security practices. What are their business-continuity practices? And how much resiliency is built in? I want to make sure my company is online 24 hours a day, seven days a week, 365 days a year. So I need to know the best practices of the companies in that supply chain, because today I’m dependent on delivering those services through a cast of characters.

And if this third party can’t meet your standards, then you don’t work with it?

That’s right. The real winners will be the ones who know how to do that – because of the criticality and the competition to have robust capabilities.

So the largest companies will push these standards and assurances?

They will. And the more companies get asked about their policies, the more governance and oversight they see, the more they’ll begin to build security in upfront. If you’re going to be a part of this global supply chain . . . integration of security and resiliency should be an essential part of every product and service. Retrofitting and recovery is much more expensive.

Do we have all the pieces necessary to secure NDC architectures?

The basic security concepts around protect, detect, respond and recover are still good. And so the technologies that revolve around them are still important. Now, to support the virtualization of this infrastructure, we need to have some investment as well as maturing and evolving of capabilities that we’ve talked about for a long time.

[For example, we need] a real robust identity- and access-management capability that’s easy to operate in a de-perimeterized, global environment. This means federated identities, which will be tough, because those involve policy agreements. A lot of work needs to be done there.

Also, [we need to better understand] the concepts of data management and data-rights management. Where is your data? Who has access to the data? What is the data going to be used for? What does the data retention look like? What is the source of the truth?

The concept of software assurance needs additional work, too, given the emerging world of allowing more open source. Depending on where you are – if you’re in China or South America – open source is just how you do business globally. So how do you know whether the software you’re using contains open source code or malware? Is it hidden, or is it just sloppy code?

That, operationally, can have significant consequences. The associated risk warrants some investment. We need to better understand how to provide and deliver on software assurance.

Is there a security best practice that tends to be overlooked in the NDC?

Oftentimes the security or the risk professionals are not at the table when organizations are talking about new products, services or capabilities.

Why? Are they seen as naysayers?

I don’t think so. Most understand this need to be able to share sensitive data and the need for collaboration. The issue is more just setting up good processes and good relationships.

I was fortunate enough to work in two great companies where security was considered integral and involved a lot of collaboration. We worked hand in hand with the business. I don’t think everybody has that. I know when I talk to many chief information security officers, one of their biggest complaints is that they don’t often know something is going on until after it’s happened.

That’s the real missed opportunity – to leverage that expertise. [Companies would see a big gain] if they were able to get some of the security best practices integrated into the existing [product] life cycles. Security would become an integrated part of the process.

What do you say to companies that balk at the potential expense?

Expense depends on the business, its risk tolerance and the product and service. That’s why one size does not fit all. To leverage its investment, a company needs that [CISO] expertise at the table – someone who has a balanced understanding of the risk appetite, the threats and vulnerabilities and, most importantly, what the customer expects. If you really think through these as you develop New Data Centers and associated processes when you’ve virtualized the data centers, you can in the long run save the company money. If you do it right the first time, it’s generally cheaper.

Isn’t the cost of security difficult to quantify?

I’m a big believer in metrics and measurement. Financial institutions are well versed in the discipline of credit and market risk. They have scientific, quantitative approaches to figuring out their exposure in a credit or market risk. Right now, the concept of operational risk is just emerging. There are some quantitative capabilities out there, but there’s a lot of folk art too.

There are some companies that do threat assessments and publish reports – Symantec puts out a very good threat assessment, for example. We need to start getting some real metrics and measures around risk assessments that have been done. We need these so that we can start quantifying as well as prioritizing the investment a company might need to make. It will help leverage an investment, so you’re not overdoing or underdoing, but you’re adequately covering it.

The more information we can get about the risk appetite, the risk profile of an organization – how much is within the walls, outside the walls, are you using a lot of open source? Your profile could change based on the way you’re doing business. Knowing that and being able to look at your organization and the process flows is where you can get innovative.

From your experience, what would you offer as a lesson learned regarding security best practices?

One of the challenges in this business is getting to the root cause. So not jumping to conclusions before you have your facts and data is important. As you communicate what’s going on, it’s OK to say, ‘I don’t know yet.’

[Also important is] working with executives and partners and being in this together to stay calm through the crisis and keeping your wits about you and being willing to go through the process. I look at a lot of this as process – collecting your facts and data and then acting on facts and data.

The key is to be flexible, innovative and build strong relationships – relationships are so critical in this equation – to be able to call on the people you need, to get their support. Everybody working together is critical to the success. It’s all about relationships, [and even more so for the NDC], because the opportunities and challenges may not be within your own organization or corporate walls. We really need to have this culture of shared responsibility.

Rhonda MacLean offers further advice

Cummings is a freelancer writer in North Andover, Mass. She can be reached at jocummings@comcast.net.

Previous: Best practices for new IT | Next: Credit to the New Data Center