2011 Outlook: 'Complexity is the Biggest Problem'
Interview with Kristin Lovejoy, VP of Security Strategy, IBM
"This is potentially the most dramatic [trend]," Lovejoy says. "There is a lot of complexity out there. If you ask a customer what their biggest problem is, it isn't compliance - it's complexity."
The global compliance landscape creates unique challenges for organizations across industry, she says, but the greater issue is prioritizing the response to these mandates.
"When these new compliance regs come out, this problem is going to become even more exaggerated because customers are just looking for the prescriptive guidance: What to do, when to do it, how to do it, and what's the benefit."
In an exclusive interview on 2011 security challenges, Lovejoy discusses:
- Top global security threats facing organizations;
- Unique challenges of managing security across IBM;
- How security leaders can do a better job in 2011.
Lovejoy is the Vice President of Security Strategy at IBM, responsible for the overall security portfolio market direction and strategy. She is a representative on IBM's Data Security Steering Committee, as well as a number of external boards and advisory panels. Before joining IBM, she was the CTO, CIO and VP of Support and Services at Consul. Lovejoy also was the Vice President of Security Assurance Services at TruSecure Corporation. She is a recognized expert in the field of security, risk, compliance and governance, and she holds U.S. and EU patents for an Object Oriented Risk Management Model and Methodology.
TOM FIELD: To get us started, why don't you tell us a little bit about yourself and your role with IBM, please?
KRISTIN LOVEJOY: Sure. I am the Vice-President of security strategy, and to understand it you have to understand how IBM looks at security. IBM is first and foremost a trusted advisor to our clients. So, we help our customers build smart cities, smart grids, new data centers, etc. and security is an aspect of the service that we deliver. So security is a part of everything we do. We are also a security company. We have 40-plus years providing software, hardware and services for the security market segment. Then third, as a company, we have close to 500,000 employees across almost 140 countries. So we are responsible for securing our internal environment.
Now, my responsibility is in the first two buckets that I mentioned. I provide guidance to various organizations within IBM to explain to them how it is we should be delivering security as part of the products and services that we ourselves deliver to market, and second as a security company, as the head of strategy, I'm responsible for working with our customers, understanding what kinds of needs they have, and then ensuring that we have the right products and services to bring to them in the market place.
Today's Top Threats
FIELD: Well, you've got a unique perspective here because you hear from your internal customers as well as your external customers, and again on a global scale. Given all the input, what are the security threats that concern you the most today and why?
LOVEJOY: We're seeing quite a change. It's interesting that we're seeing many senior level executives within organizations coming to us and wanting to have this conversation about some of the emergent threats. So I'm going to take a step back and try to describe what it is that I'm seeing from my customers' perspective.
So, as a security executive, when I'm looking at risk to my business I am making the decision to work on something because there are three variables that are present. One is there is a threat -- that there is a person or persons with a tool or tools that has the capacity to harm my organization. Second is that there is a vulnerability or a hole that can be exploited with my infrastructure. And third that there is an impact to my business.
And what we're seeing in the marketplace are not just threats that have changed; we're seeing very well coordinated, very well funded attackers that are supplied with tools that they've bought from the black market that are now exploiting any number of vulnerabilities that have become available for exploit, simply because of the changes in the way we architect our environments.
It used to be that we'd build our enterprises like you would a medieval city. You had a moat around it, and you had guards at the drawbridge making sure only the right people got entrance, and it's changed. With the influx of mobile devices, we've got modern cities with any number of entrances and exits into the organization, and that means that holes within the infrastructure can be exploited by these well-funded attackers.
Then from an impact perspective what we're seeing is that attackers aren't just attacking data, if you will, trying to steal data for the purposes of making money in some way. They are going for the critical infrastructure, and that is pretty scary because the impact there isn't financial; it's potentially loss of life or limb.
So those are the things that we are seeing in the marketplace: that combination of emerging threats, more available, lively exploitable vulnerabilities, and escalating impact.
IBM's Approach
FIELD: Well, Kris, those are evolving threats and they are big ones, and it is hard for an organization to be able to change to tackle those, particularly a large organization. How has IBM been able to evolve and tackle these threats as they are evolving?
LOVEJOY: Our response and our point of view to the marketplace is "Secure by Design." Now this is not a new concept by any stretch of the imagination, but it is our suggestion to the marketplace that it is important to design the right level of safety and security into a solution, and then maintain the safety and security in the solution throughout the life cycle. Now how do you do that? That is sort of the practical question that most organizations would ask us.
Our approach is to say that in order to design security into the infrastructure, we must start thinking about the business initiative. We must start thinking about the business itself. We have to understand within the context of the business, within the context of the people who are interacting with data, which resides on applications, which live on IT infrastructure within a physical facility. We have to understand what the hazards are, what the potential break points are, and then apply a reasonable level of control to control, you know, sort of the potentiality for harm.
Now in IBM, we've structured a governance model, a set of best practices and an execution model that enables us to carry that out. Actually, for those who are interested, you can download what we call a "red guide" from the IBM website. One of the red guides is called the IBM Security Blueprint. The IBM Security Blueprint represents best practices for the implementation of security throughout the IT infrastructure. Second, we also have published something called the Secure Engineering Framework. This is a framework which is appropriate for the development organizations, and specifically for the development organization, and represents best practices for how we can code security into the infrastructure as we're designing it in the first place.
Global Security Management
FIELD: Again, you come from a unique position, Kris, because you're at IBM. There aren't many organizations the size or the scale of IBM. What do you find to be the unique challenges of managing security in an organization of your size?
LOVEJOY: That's a good question. If you think about IBM and the culture of all of IBM, almost 500,000 employees, again scattered over 140 countries, and the bulk of us, in fact almost 60 percent of us, actually work from home, and those of us who do work from home are enabled with the use of technologies like social networking. And so you ask yourself, "What are the key ingredients for securing that kind of architecture?" So what I'm going to tell you is that I see that there are four key ingredients, and I'm going to give these to you at a very high level because we only have two minutes to talk about this.
Number one is to implement an appropriate governance model. So that is a governance model which allows for risk to be quantified and tracked at the most senior level of the organization, and for there to be mechanisms by which you can monitor risk to the lowest levels of the organization.
Two is focus on standards. I truly believe that in order for an organization to achieve any level of security, we must have visibility. In order to get visibility, one must have an infrastructure that allows one to gather data on the effectiveness of controls within the underlying sources. That can't happen if your infrastructure doesn't plug into one another, or you're not using common reporting formats. So a focus on standardization is important.
Third is a focus on assurance. Going back to this concept that security must be designed in, I would argue that every organization needs to adopt policies and principles that are implemented within the development organizations, or adhered to within the development organizations, and then you take those concepts and you apply them to the employees so that on an ongoing basis they understand what their responsibilities are.
Then finally a characteristic of an effective organization is intelligence. It's the capacity to monitor emerging threats, to monitor sort of your own risk profile, and then to feed that information back into the governance model.
So again, governance, standards, assurance, intelligence are all the key characteristics of managing such a large environment.
Trends for 2011
FIELD: You talked about a couple of things that I find interesting. One is the remote work aspect and then social networking. Now, we spoke about security threats. What are some of the global security trends you are tracking as we head into the New Year? And I would be surprised to not hear social networking come up among those.
LOVEJOY: I know it is absolutely an issue, but I think there is something that may be even more compelling, which is the protection of sensors and actuators in the wild. I don't think anybody realizes the extent to which our planet has become intelligent and inter-connected, and we talk about the Smart Planet. This is an important thing. I want you to think very practically about your automobile today as an example of something new that we need to worry about. You know, back in 1977 the old Toronado was the first car to be introduced to the market with a single computer unit for spark plug timing. Today, the modern car has more than 30 computer chips that are loaded in that car with more lines of code than an Airbus. The telematics systems that are enabled by these computer systems allow for onboard sensing, and communications in the event of crashes, seeking emergency help, etc., etc. The reality is that these systems, if not designed with security on board, could be hacked and used for harm. So I think that a focus on the sensors and actuators in the wild, the non-traditional endpoints -- even pacemakers, as an example -- is going to be important.
Another area that we are really focusing on is virtualization/cloud computing. We are beginning to see quite a lot of concern about attacks at the hypervisor layer, and so we are expecting to see some real exploits emerge there.
Another area that is a concern is obviously addressing the new cyber threat landscape -- those organized groups of attackers that we were describing, otherwise known as the advanced persistent threat. This is something that we're keeping an eye on.
We are also keeping an eye on the need for better management of digital identities. You know in today's world a digital identity, it is our identity and we need better mechanisms by which we can protect that.
Another area of concern is social networking and the safe use of social networking. Now this is tied to a theme that we call expectation of privacy. The interesting thing about our new generation is that our new generation thinks, or believes, that sort of privacy is built in. They have no concept that it may not be. So it's something, as we develop these new technologies like social networking, that we're going to have to recognize: sort of the balance between these social networking sites and the risk of some form of privacy violation or reputation damage associated with that use.
Then the last area that we are focusing on, and this is potentially the most dramatic, is actually the changes in the compliance landscape. What we're beginning to see are pieces of legislation appearing in various national governments: Russia, China, India, and the US, which require the organizations that are delivering services to critical infrastructure -- these would be banks, healthcare providers, etc. -- to assure higher levels of security than ever before at potentially very, very high penalties. Like, for instance, being locked out of doing business in a particular segment, being locked out of the procurement process of a particular country, etc. So again that compliance landscape is important.
FIELD: Well, you might have just answered my next question with your last point here. The question is which of these trends are going to challenge security organizations most, and it sounds like that compliance one might be a biggie?
LOVEJOY: There is a lot of complexity out there. If you were to ask a customer what is the biggest problem, their biggest problem isn't necessarily compliance. Their biggest problem is complexity. Their biggest problem is the fact that there are a hundred million things to deal with, and there are a hundred million things to buy. There's not enough time and money to deal with them all, and so they need help in prioritizing. Interestingly enough, compliance becomes the number one reason why a business case for security is fulfilled, because compliance is very easy to understand. If I'm a CSO and I'm looking for budget, I'm going to turn to compliance because it's an easy answer. The reality is that yes, the sort of changing compliance landscape is going to create a lot of focus within the businesses, but I would say to you that the biggest challenge right now is just in the prioritizing. When these new compliance regs come out, this problem is going to become even more exaggerated because customers are just looking for the prescriptive guidance: What to do, when to do it, how to do it, and what's the benefit.
Advice to Leaders
FIELD: So final question for you, Kris. If you could boil it down, how can security leaders individually do a better job in 2011 than they have done in 2010?
LOVEJOY: The new security leader needs to first and foremost focus on the foundation. There is an old axiom out there that says, "Never spend $100 to fence a $10 horse." And it has been proven true that there is a finite set of security controls that provide the best value to the security executive. Now, the interesting thing about the security controls is they are not necessarily security; they're process oriented. Things like change and configuration management, release management, problem and incident management, these are all key controls. In addition to the traditional identity and access management, encryption management, threat and vulnerability management, and security information and event management, what I would say is that in order for a security executive to be successful, they must A) recognize that security is about managing risk. To manage risk you don't need to buy a product or a service that starts with the word security. You need to look within your environment. You need to understand the business service you are trying to protect, and you need to use the appropriate controls, the operational controls, the administrative controls, the physical controls that help you to do that. Oftentimes those are not necessarily going to be security. B) The business leader must focus on assuring that, in addition to the tactical controls that they've implemented to protect the business, they are really focusing on how to better get visibility, to understand the effectiveness of all of that underlying work. So once they've implemented the processes and they've implemented the controls, they build those measurement systems that allow them to gain sort of the insight necessary for them to make continued "good" business decisions.