On the Insider Threat, PCI and Risk Management
Words of Wisdom from Recent Interviews with Thought Leaders
Sorry to have been away so long. It's been some time since I've posted, but that doesn't mean I haven't been busy. Let me share with you some highlights of recent podcast interviews I've conducted on the insider threat, PCI compliance and risk management.
In late July, Verizon Business came out with its annual Data Breach Investigations Report, and I was fortunate enough to speak with one of its principal authors, Wade Baker. The gist of the report: Organized crime was responsible for 85 percent of all stolen data in 2009. Stolen credentials were the most common way to gain unauthorized access into organizations. And almost 50 percent of the breaches investigated by Verizon and the Secret Service in 2009 were attributed to insiders.
I asked Baker whether these insider incidents were mainly intentional or accidental -- a lost laptop, for instance. His response:
"Almost everything in this report is a deliberate and malicious attempt," Baker says. "The statistics that we have been talking about are when the insider really ... acts deliberately. And a few of them are what we call inappropriate, so the insider didn't deliberately attack systems with the intent to steal data; but they knew they were breaking policy, and maybe they just decided that it was more convenient to behave in this manner or to skirt this policy or to avoid this procedure in an entirely different way.
"We have policies for a reason, and those things can facilitate or help lead to breaches in various ways, whether it is downloading malware, because you have been visiting Internet sites that you shouldn't, or opening attachments, because you are using corporate e-mails to communicate with non-corporate people for non-corporate purposes -- all of those kinds of things."
All of those kinds of things that lead to 143 million records breached in 2009.
Another significant piece of news from this past summer: The PCI Security Standards Council announced a summary of expected changes to the PCI DSS and the Payment Application Data Security Standard. I had the opportunity to speak with PCI Council General Manager Bob Russo, whose main theme is: This update brings no real surprises.
"We are providing greater clarity on PCI-DSS as well as PA-DSS," Russo says. "We are calling for improved flexibility for merchants, while managing the risks and the threats that they are seeing as well, and we are aligning with industry best practices.
"So, relatively minor changes, no new requirements to the standards -- that's good news -- and the clarifications, basically, are there to remove any kind of confusion around what the intent of the requirement is."
Stay tuned. To this point, we've seen but a general summary of proposed PCI changes. The detailed summary is due later this month, prior to the PCI Council's community meetings. Then the full proposal will be published on Oct. 28.
The final topic I want to bring to your attention today is risk management. I spoke recently with Debbie Christofferson, a career information security leader who sits on the board of the Information Systems Security Association. And her take on the marriage of risk management and business strategy is simple: It's all about risk. "All of your decisions about information security should be based on risk to the organization," she says.
One of the topics we discussed is the question of whether an organization can buy and deploy a "cookie-cutter" risk management plan from a service provider. Her thoughts:
"There are a lot of people that are selling it, per se, but one size does not fit all. You might be able to find a one-size-fits-all when you look at the strategic level of what your approach is, but even when you define what it means for your organization, it is very different.
"A hospital that is handling healthcare records needs more [security] than some of the other kinds of business, so it depends on what data you need to protect and what your core business drivers are. And some managers, if they come to you and ask for a risk solution or a one-size-fits-all, you have to be able to know about their business to ask the right questions to help support them. Because, sometimes, what they tell you they want is really not what they want. There are 100 different definitions for what risk management means."
And we have dozens more recent interviews for you to hear and enjoy. Any thought-leaders we've not interviewed, but whose insight you'd like to hear? Drop me a line and let me know.