IT security and risk professionals who attended the 7th Annual Secure360 Conference earlier this week at the St. Paul River Center in Saint Paul, Minnesota certainly heard a startling earful as the show kicked-off: If they're not managing risk right in their organization, they may, in fact, be the biggest risk their organization faces.
"What's your single biggest risk? It's that your risk assessment method doesn't actually work," said keynoter Douglas Hubbard, founder of Hubbard Decision Research and author of the book "The Failure of Risk Management: Why It's Broken and How to Fix It."
Hubbard detailed how empirical analysis tends to be overlooked too often when measuring organizational risk, and when it is used, it's applied to the wrong sets of problems. And, those conducting quantifiable risk assessments often feel more confident in their decisions, even when their decisions could be qualified as having poor outcomes. This overconfidence in risk and management was certainly present in the security survey CSO conducted along with PwC last year, when survey respondents vastly overestimated the maturity of their own security programs.
Most organizations today are still grappling with basic IT security blocking and tackling. And many speakers at the conference advised attendees to get back and to focus on the basics of securing their enterprises even as they move to cloud. For example, in his talk, "Cloud Security," David Mortman, chief security officer at cloud infrastructure management provider enStratus, stressed that enterprises weren't going to be struggling with new issues as they moved to cloud, but rather new ways of looking at longstanding challenges such as logging, access control, firewall rule management, key and certificate management. "Things like simple access control in the cloud can be problematic. The access control cloud providers make available just don't provide the granularity many organizations need. So you have to think through how you are going to handle access control before you move to cloud in a substantial way," Mortman said.
In his talk, "Seeing through the Clouds: Tactics to deal with Limited Cloud Visibility," Mike Rothman, president of independent research firm Securosis, told attendees to focus on many of the basic aspects of cloud security, with a specific focus on Web application security.
The Web application security practices also looked quite similar to practices organizations probably should have been doing for some time with their traditional applications, but probably haven't. Some of the security practices just as relevant in cloud as in on-premise environments include maintaining a secure development lifecycle, continued security assessments of their applications running in production and in development, deploying web application firewalls, and having proper change management controls in place throughout application lifecycles.
"Cloud doesn't make any of the challenges you have today magically disappear. It'll simplify some things, but other aspects of security management stay the same," Rothman said. "In many ways, it's back to the future with cloud security. However, in other ways because of how open and available cloud can be, not doing the right things can lead to more pain if you're sloppy," he said.
In the session "Are We There yet? Information Security Grows Up," Chris Veltsos, associate professor in the Department of Computer Information Science at Minnesota State University, Mankato, stressed that in the near future the consumerization of IT, cloud, will continue to significantly disrupt enterprises. This will force IT security to gain more attention with executive leadership, increase the need for improved incident response, and cause renewed focus on human-centric security, Veltsos predicted.
However, the security industry has been talking about the importance of security awareness training and keeping end users engaged for decades without much in the way of progress to show for it. Both Chris R. Rowland, a services practice lead at Aeritae Consulting Group and Eng-Wee Yeo, a senior security consultant at Aeritae, believe they have a technique that should be part of the answer: gamification. In their presentation "Make the Leaderboard: Tactics to Achieve Security Performance Measures," the duo made the case for making aspects of security a game as a way to increase awareness and improve some security-related outcomes. While most everyone is aware of such services as FourSquare, through giving users badges and points for their progress, Rouland and Yeo argue that those same techniques can be used to engage users when it comes to IT security awareness and training.
It's about getting people to view security not so much as a stick, but as a carrot through the process of game dynamics, they explained. For example, users could be rewarded with points or badges for logging out of applications when they leave their desk, answering security related surveys properly, or gamifying anything else that can be measured. That can include rewarding developers who produce the least amount of vulnerabilities per thousand lines of code developed in a given period. "Gamification can provide techniques to get users engaged in your security program," said Yeo.
Read more about application security in CSOonline's Application Security section.