The Security Shift - isaca.org

Date post: 18-Apr-2018

TECH PRACTICE

Information Risk Executive Council

Wednesday March 21st, 2012

The Security Shift: Rethinking User Engagement to Drive Compliance and Behaviour Change


INFORMATION RISK EXECUTIVE COUNCIL®IT PRACTICE www.irec.executiveboard.com

© 2010 The Corporate Executive Board Company. All Rights Reserved. IREC6544310SYN

ROAD MAP FOR THE PRESENTATION

1. Awareness Challenges and Social Media
2. Social Media Awareness Tactics
3. Key Findings


A TOUGH ENVIRONMENT…

Expectations for a Challenging 2012: CEB’s Business Executives Sentiment Index

Insignificant Increase in Funding Expected: Median, Millions of US Dollars

No Momentum on Controls Maturity: Controls Maturity Change from 2009 to 2011

Only a Small Increase in Staffing Expected: Average FTEs

The information security function is facing tight operating conditions against an uncertain business outlook.

■■ CEB’s Business Executives Sentiment Index (BESI) declined for the third consecutive quarter—from 46.9 in Q3 2011 to 42.8 in Q4 2011—showing that executives expect increasingly challenging business conditions across the next 12 months.

■■ Past spending restrictions have prevented improvements in controls maturity.

■■ Budget and staffing are expected to be largely flat across the next year.

n = 2,055. Source: http://cebviews.com/economic-outlook/

n = 53. Source: IREC 2011 Controls Maturity Benchmarking Survey.

n = 61. Source: IREC 2011 Controls Maturity Benchmarking Survey.

n = 90 (2009); n = 104 (2010); n = 66 (2011). Source: Information Risk Executive Council Controls Maturity Benchmarking Service.

[Chart data: BESI 42.8 in Q4 2011 (positive/negative scale); median funding 10, 10 (2011, 2012 E); controls maturity 3.15, 3.04, 3.11 (2009, 2010, 2011); average FTEs 28, 30 (2011, 2012 E)]


…BUT THREATS ARE STILL DRIVING AMBITIOUS PLANS

CISOs’ Top Threat Concerns: Rated “High” or “Existential” Risk by at Least 40% of Members

Security Technology Roadmap: Technologies by Mainstream Adoption Timeline, Value, and Risk

Despite tight operating conditions, the threat environment is driving ambitious plans for 2012.

■■ Seven of seventeen threats were rated “high” or “existential” risk by at least 40% of members.

■■ In response, the security technology roadmap shows adoption of many technologies going mainstream this year.

■■ See the next section of this deck for detailed threat data.

■■ See the last section of this deck and the appendix for detailed roadmap data.

■■ Organized Crime and Fraud
■■ Regulatory Noncompliance
■■ State-Sponsored Attacks
■■ Third-Party Risk
■■ Social Engineering/Phishing
■■ Mobile Device Application Vulnerabilities
■■ BYOD

n = 55. Source: Information Risk Executive Council 2012 Threat Landscape Survey.

n = 50 IT organizations. Source: IEC Emerging Technology Roadmap Surveys, October 2011.

[Roadmap chart: technologies plotted by mainstream adoption timeline (No Plans to Deploy / 2011 / 2012 / 2013+): mobile device management tools, web app firewalls, network-based DLP, GRC tools, unified threat management tools, endpoint DLP, identity as a service, folder level encryption, end-user biometrics, security as a service]

Enterprise value (High / Medium / Low), based on: security costs, risk visibility, risk reduction, compliance enhancement, business burden.

Deployment risk (High / Medium / Low), based on: marketplace maturity, management tools, scalability, architecture direction, support skills, organizational readiness.


A RAPID INCREASE IN HIGH PROFILE INCIDENTS

Publicly Reported Incidents Attributed to APT Attacks: Partial Selection

In the two years from GhostNet to the IMF attack, there has been a rapid increase in reports of sophisticated and damaging attacks attributed to so-called “advanced persistent threats.”

[Timeline chart, 2004–2012: Titan Rain, EU govt. leaders, Oak Ridge National Laboratory, Lockheed Martin, multiple oil and gas companies, GhostNet, Operation Aurora, RSA, Rio Tinto, L3, IMF, Stuxnet, Shady RAT]


Awareness efforts work by directly or indirectly influencing user psychology and attitudes to encourage secure behavior.

■■ Arrows in the model show how various elements influence other elements.

OPENING THE BLACK BOX

Model of Awareness Campaign Effects (Schematic)

[Schematic elements: Awareness Efforts; CISO Actions; User Psychology and Attitudes (Knowledge of Policy, Perception of Risk to Organization, Self-Interest for Security, Emotional Commitment to Security); Decision to Comply; Secure Behavior. Numbered arrows 1–4 show the influence of one element on another.]


INFRASTRUCTURE EXECUTIVE COUNCIL®IT PRACTICEwww.iec.executiveboard.com

© 2011 The Corporate Executive Board Company. All Rights Reserved. IEC0429611SYN

Understand “Consumerized” Demand

MAKING THEMSELVES AT HOME

Consumer Technologies Used on a Regular Basis for Work: Percentage of Respondents, “Which Personal/Consumer Technologies Do You Use on a Regular Basis for Getting Work Done?”

Across attitudinal segments, significant percentages of employees are using a broad spectrum of consumer technologies for work.

Segment                                        Personally Owned Devices   Social Networking Technologies   Collaboration/Productivity Tools   Communication Tools
Early Adopters                                 78%                        59%                              39%                                51%
Open to New Technology                         65%                        45%                              26%                                44%
Skeptics/Wary/Uninterested in New Technology   51%                        32%                              15%                                40%

Personally Owned Devices:
■ Personally owned iPhone, Android/Droid, or BlackBerry smartphone
■ Personally owned laptop or home computer
■ Personally owned tablet

Social Networking Technologies:
■ LinkedIn
■ Facebook/other social networking sites
■ Twitter

Collaboration/Productivity Tools:
■ Google Docs/Zoho
■ SlideShare, Flickr, Dropbox, or other storage/sharing resources
■ Blogger, WordPress, or other blogging software
■ Other productivity tools (e.g., Evernote, audio recording) available on the Internet

Communication Tools:
■ Skype
■ Other communication tools available on the Internet

n = 9,990 global employees, multiple responses allowed.

Source: IEC Employee Technology Value Survey 2011.

See Appendix for findings by individual technologies.


RISKS FROM EMPLOYEE BEHAVIOR

Risk Ratings: Social Engineering/Phishing (Percentage of Respondents)

Although CISOs have long been concerned with phishing, the concern has risen recently due to the use of this method by APTs.

■■ CISOs consistently agreed on the reason given for high risk ratings: the lack of available approaches.

■■ Other types of employee behavior have CISOs much less concerned than in recent years, especially use of social media, which was a top five risk for members in 2010.

■■ Although some phishing e-mails have become much more difficult to detect, many are still not perfect, and other types of social engineering such as pretexting are still amenable to employee awareness.

■■ Members should visit the council’s awareness topic center: https://www.irec.executiveboard.com/members/topics/abstract.aspx?cid=100246633.

Reason for High Risk Ratings: Social Engineering/Phishing (Percentage of Respondents)

■■ 54% The lack of available approaches
■■ 21% Enormous impact (despite low likelihood)
■■ 8% Lack of security function maturity
■■ 13% Lack of enterprise support to mitigate
■■ 4% Our lack of understanding the risk

Risk Ratings (Percentage of Respondents)

Rating          Social Engineering/Phishing   Employee Carelessness   Use of Social Media
Low             2%                            7%                      11%
Moderate        13%                           27%                     14%
Somewhat High   42%                           37%                     51%
High            34%                           27%                     24%
Existential     9%                            2%                      0%

Source: Information Risk Executive Council 2012 Threat Landscape Survey. n = 55.


USERS SEE A DIFFERENCE

Correlations of End-User Perceptions of Risks (Schematic; Distance Between Risks is Inversely Related to Risk Perception Correlation)

End-users view the risks of social media as a class by themselves—there is little correlation between risk perception of social media and risk perception of traditional IT behaviors.

■■ Risk correlations within each behavior type (social media or “traditional” IT behaviors) are high—ranging from about 0.6–0.9.

■■ The correlations between the risks seen in social media and “traditional” behaviors are below 0.5, indicating that users see the risks from these two behavior types differently.

Social Media Risks:
■■ Posting Company or Client Information on Collaboration Sites
■■ Using Facebook for Job-Related Networking or Collaboration
■■ Tweeting on Work-Related Topics
■■ Blogging on Work-Related Topics

“Traditional” IT Risks:
■■ Leaving Sensitive Information on Desk
■■ Leaving Laptops Unsecured
■■ Sharing Passwords
■■ Copying or E-Mailing Sensitive Data


NEW AWARENESS FOR NEW MEDIA

Key Differences Between Effective Traditional and Social Media Awareness Programs

Social media awareness programs must focus on teaching prudent use at all times rather than on just proscribing certain activities at work.

■■ Ninety percent of organizations in the IREC survey already include some social media awareness activities for their end-user population.

Goal: Traditional Awareness = Strict Compliance; Social Media Awareness = General Prudence.
Implication for awareness program: Awareness programs must teach highly nuanced and complex skills that users need to apply in an evolving and non-standard environment.

Curriculum: Traditional Awareness = Relatively Stable; Social Media Awareness = Rapidly Evolving.
Implication for awareness program: The rate of change in social media creates the potential for risks to emerge suddenly, requiring constant updating of curriculum.

Scope: Traditional Awareness = Only Work-Related; Social Media Awareness = Includes Personal Use.
Implication for awareness program: The blending of employees’ professional and personal lives requires awareness programs to cover personal-use terrain traditionally excluded from curriculum.

Audience: Traditional Awareness = Broad; Social Media Awareness = Narrow (for now).
Implication for awareness program: Social media awareness activities must take into account the variety of social media adoption and be targeted at a specific, but growing group of users.


FINDING CULTURES OF “SECURITY UNAWARENESS”

Identify the Individual Cultures of “Security Unawareness.” (Illustrative)

By analyzing data from its internal security awareness survey, Symantec discovers a correlation between the security habits of direct reports and their superior.

■■ The internal security awareness survey tests for general understanding of policies, adherence to policies, and behaviors.

■■ Symantec finds and targets communications towards the cultures of “security unawareness” it finds within poor performing parts of the organization.

1. Invite all employees to participate in a yearly security awareness survey.
2. Collect survey results.
3. Examine results across business units and by director to find trends.
4. Look for patterns of poor score relationships between managers and their direct reports.
5. Target individual teams with communication and training to remediate findings.

[Illustrative chart: Business Unit Level Scores, Director Level Scores and Staff Scores for BU 1 (Jo, Mia, Sam), BU 2 (Bob, Lyn, Pam) and BU 3 (Ann, Ted, Sal), each rated High, Moderate or Low Security Awareness]

Cultures of “Security Unawareness,” where both managers and their direct reports have unacceptable security awareness.


BUILDING TRUST THROUGH SOCIAL MEDIA

Illustrative

Intel uses the disinhibition effect of social media to its advantage, hosting online sessions where users can anonymously have conversations with information security.

■■ Intel’s online platform unites employees from across the organization to have discussions about balancing the need for both a collaborative workplace and information security.

INTEL | ANONYMOUS SECURITY DISCUSSION

The new password rules are terrible!!!! I never remember what I changed it to, unless I write it down.
RE: We understand sometimes the policy is too strict. Visit this Intel site to see some tips on how to make memorable passwords.

How can I safely use Intel’s name and logo on my Facebook and LinkedIn Profiles?
RE: Here is our Social Media policy and Tips page. If you have any questions, let us know.

I don’t think this error should have happened: I recently logged into the HR portal and another Intel employee’s account displayed instead of my own.
RE: That definitely should not have happened. Can you send more specific details to us?

I’ve been using GoogleDocs to share information with my team, because the tools we currently have don’t let us collaborate like we want to.

We don’t have enough software licenses for StatsAreFun, so I have to let my coworkers log onto my machine sometimes.

I saw someone in the Engineering Department making a lot of copies and leaving work with them. I’m not sure where I should go to report this violation.

■■ Ensure employees understand that the anonymous space is a place to provide constructive feedback to security.

■■ Use the space to provide help to employees when they ask for it.

■■ Listen carefully to employees’ concerns, since they may point out information security issues that go beyond IT.

■■ Look out for usage patterns that may point to pockets of insecure behavior in the organization.


The Consumerization Shift


MAPPING CAPABILITY NEEDS

Mingus Corporation’s Technology Value Segmentation Analysis

Mingus Corporation¹ supplements its application consumption analysis with survey data to ensure optimal device provisioning.

■ Survey questions address current technology use and preference patterns, level of access to confidential information, and mobility requirements.

■ Survey results show strong correlation between mobility and “early adopter”–level interest in new technology options.

■ Survey results also identify specific security risks for each user segment.

¹ Pseudonym.

Mingus’s analysis suggests a need for disproportionate focus among employees with the most intensive technology use.

■ Works from multiple locations
■ Deals with confidential information but limited to own customers
■ Uses most applications
■ Clearest vision for how to use technology
■ Greatest interest in BYO and smartphone support
■ Less mobile, does not deal with confidential information
■ Values location flexibility and prefers smartphone use
■ Satisfied with current technology capability but values ability to work from home
■ Not mobile but requires access to broad sets of confidential information

[Mingus Corporation segmentation chart: Mobility Need (Low / High) against Access to Sensitive Data (Low / High), with segments Enable Smartphone Capability, Enable “Early Adopter” Capability, Enable “Work from Home” and Enable Security; segment sizes as percentage of workforce: 7%, 28%, 25%, 40%]


APPLICATIoNSExECuTIvECouNCIL®ITPRACTICEwww.aec.executiveboard.com

© 2011 The Corporate Executive Board Company. All Rights Reserved. AEC1115111SYN


BUSINESS EXECUTIVE TEMPERAMENTS

Business-facing applications staff must tailor engagement to business leaders’ preferences for risk, benefit, and effort in applications projects.

■■ The four business executive temperaments are defined by two dimensions: Openness to Persuasion and desire for Control of Applications Projects.

■■ At the top, the Abdicators and the Opportunists desire less control of Applications projects overall, whereas at the bottom, the Cowboys and the Entrepreneurs seek control.

■■ On the left, the Abdicators and the Cowboys are closed-minded about how they want to work with Applications on solutions delivery.

■■ On the right, the Opportunists and the Entrepreneurs are more open to persuasion about how and why they engage with Applications for solutions delivery.

[Matrix: Openness to Persuasion (Low / High) on the horizontal axis; Desire for Control (Low / High) on the vertical axis]

The Abdicators (11% of sample): They want to do what they do and think IT should do IT.
Psychographics: ■■ Avoid managing IT projects at all costs ■■ Unswayed by the lure of high project returns
Top concern: ■■ Want to protect their time above all else
Demographics: ■■ Typically have 5–15 years of work experience

The Opportunists (51% of sample): Reformed Abdicators looking for opportunities to do it themselves.
Psychographics: ■■ Can be lured by high returns to self-manage projects ■■ Avoid risky IT projects at all costs
Top concern: ■■ Most concerned about getting the full scope of what they want
Demographics: ■■ Typically have 5–15 years of work experience

The Cowboys (15% of sample): See applications solutions as critical and need to control them; impatient.
Psychographics: ■■ Want to self-manage IT projects at all costs ■■ Insensitive to risk
Top concern: ■■ Speed to market is most important motivator
Demographics: ■■ Typically have 16–25 years of experience

The Entrepreneurs (23% of sample): Can look like Cowboys but have more rational desire to control projects; want to hit home runs and are willing to take risks to do it.
Psychographics: ■■ Will do it themselves for higher returns, even if taking on risk ■■ Will do what it takes to attain business outcomes
Top concern: ■■ Most concerned about achieving business case/outcomes
Demographics: ■■ Typically have 16–25 years of experience


SELF-SERVICE PROJECT RISK ASSESSMENTS

The Challenge of Efficiently Assessing Project Risks (Root Cause Analysis)

Challenge: Too Many Projects to Fully Assess for Information Risks

1. Root cause: Security resources are insufficient to review all projects.
   BP’s insight: Security needs an approach that transfers risk management activities to project managers while still maintaining process oversight and guidance.
   Component: Handing off responsibility, responsibly.

2. Root cause: Project managers are overburdened by security requirements.
   BP’s insight: With simplified requirements and the right support tools, project managers can own assessment and control implementation for lower-risk projects.
   Component: A supportive role for Security.

3. Root cause: Too many complex controls hinder timely project completion.
   BP’s insight: Baseline controls are too static; the needs of projects should drive optimization of the baseline controls portfolio to minimize required project controls.
   Component: Baseline control evolution.


WIN-WIN

Improvement from Security’s Point-Of-View

BP’s project risk management redesign is improving project assessment coverage and reallocating resources to where they are needed most.

■■ “Security-Involved” project assessments include all projects with any degree of direct security involvement.

■■ For the two percent of projects that are insignificant changes to existing systems, true waivers for assessment are granted.

■■ “Self-Service” project assessments include all projects that can meet security requirements without any direct security involvement.

■■ “Security-Led” project assessments include projects in which Security is embedded early in the SDLC.

Previous (Projects/Year):
■■ 450 Waivered Projects: invisible to Security
■■ 1050 “Security-Involved” Project Assessments: four FTEs performing testing; twelve FTEs performing risk assessments (~90 projects per FTE annually)

Redesigned (Projects/Year):
■■ 50 No Assessment Required: low risk
■■ 850 “Self-Service” Project Assessments: four FTEs (who previously performed testing) now providing self-service support
■■ 600 “Security-Led” Project Assessments: twelve FTEs (who assess ~50 projects annually)

Elimination of significant number of projects not receiving a risk assessment.

Approximately 45% decrease in project workload per FTE enables deeper involvement in critical projects.

Improvement from the Project Manager’s Point-of-View

■■ Lightweight: Projects eligible for self-service comply with 36 minimum requirements rather than the 107 items on the full security assessment.

■■ Faster: For projects using self-service, the work needed will take 3–4 hours, fewer for small projects.


Key Findings

1. Despite increased interest in, and spend on, security technologies, focussing on end-user awareness and behaviour has the biggest outcome. End-users approach new technologies differently than they approach traditional IT.

2. As well as training, investment in security technologies needs to be focussed on user groups who most often access the most critical data.

3. Business partners want to take on more responsibility for IT delivery, but their ability to do this effectively depends on temperament.

4. IT should focus on creating clear and accountable processes to hand off project decisions, enabling a focus on fewer projects that carry ‘real’ risk.
