This document discusses how disruptive technology trends in 2013 such as cloud computing, social media, big data, and mobile device adoption will impact information security programs and strategies. It identifies gaps that security teams need to address to keep pace with these innovations, including boosting business and risk management skills, building relationships with middle management, tackling IT supply chain issues, and developing technical action plans around cloud computing, social media, big data, and mobile device competencies. The report provides perspectives from C-level security executives on how to navigate the changing landscape and ensure information security teams have the right skills and strategies to enable innovation over the next year.
Information Security Shake-Up: Disruptive Innovations to Test Security’s Mettle
1. A Special Report by the
Information
Security Shake-Up:
Disruptive Innovations to Test Security’s Mettle in 2013
FEATURING THE PERSPECTIVES OF C-LEVEL SECURITY EXECUTIVES FROM:
ABN Amro Coca-Cola Fidelity Investments Johnson & Johnson TELUS
ADP, Inc. eBay Intel JPMorgan Chase T-Mobile USA
Airtel EMC HDFC Bank Nokia Walmart
AstraZeneca FedEx HSBC Holdings plc. SAP AG
An industry initiative sponsored by RSA
2. * Contents
REPORT HIGHLIGHTS
2013 PROMISES A FAST AND BUMPY RIDE 2
TECHNOLOGY TRENDS AND THE IMPACT
ON INFORMATION SECURITY 3
1. Cloud Computing Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3
2. Social Media Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3
3. Big Data Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4
4. Mobile Devices Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4
ADDRESSING THE GAPS 5
Boost Business and Risk Skills>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5
Court Middle Management>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5
Tackle IT Supply Chain Issues>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5
Build Tech-Savvy Action Plans>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 6
1. Cloud Computing Competencies>>>>>>>>>>>>>>>>>>>>>>>> 6
2. Social Media Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>> 7
3. Big Data Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 9
4. Mobile Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 9
CONCLUSION/ ABOUT THE SBIC 10
REPORT CONTRIBUTORS: SECURITY
FOR BUSINESS INNOVATION COUNCIL 11
Disclaimer – This Security for Business Innovation Council Report (“Report”) includes information and materials (collectively, the “Content”) that are subject to change without notice.
RSA Security LLC, EMC Corporation, and the individual authors of the Security for Business Innovation Council (collectively, the “Authors”) expressly disclaim any obligation to keep
Content up to date. The Content is provided “AS IS.” The Authors disclaim any express or implied warranties related to the use of the Content, including, without limitation, merchant-
ability, suitability, non-infringement, accuracy, or fitness for any particular purpose. The Content is intended to provide information to the public and is not legal advice of RSA Security
LLC, its parent company, EMC Corporation, their attorneys or any of the authors of this SBIC report. You should not act or refrain from acting on the basis of any Content without
consulting an attorney licensed to practice in your jurisdiction. The Authors shall not be liable for any errors contained herein or for any damages whatsoever arising out of or related
to the use of this Report (including all Content), including, without limitation, direct, indirect, incidental, special, consequential, or punitive damages, whether under a contract, tort, or
any other theory of liability, even if the Authors are aware of the possibility of such errors or damages. The Authors assume no responsibility for errors or omissions in any Content.
2| SBIC special Report | RSA, The Security Division of EMC
3. Report Highlights
in 2013, a cluster of the gaps must be addressed Build Tech-savvy Action
disruptive innovations will in order for information-security Plans: Security teams must
continue transforming teams to keep pace with their build specific competencies and
enterprise IT and hammering organizations’ technology action plans for enabling these
at the very foundations of aspirations. innovations:
information-security strategies
For cloud computing focus on:
Boost Risk & Business
• optimizing cloud vendor
this year promises several Skills: Information-security management
major developments teams have long lobbied to be • solving controls assurance
in enterprise adoption of: perceived as business enablers • realigning the IT budget to
• Cloud computing: Many organiza- not inhibitors. Now that many cover the costs of cloud security
tions are preparing to move more are, they don’t have the right • sharpening technical proficiency
business processes – even mission- skills. To meet the swelling in virtualized environments
critical apps and regulated data – demands to enable innovation,
to the cloud. For social media focus on:
security teams must rapidly
• working with a multidisci-
attain risk management and plinary executive team to
• Social media: Based on social me-
dia’s new-found powers to influence business skills. develop policy and codes of
consumer purchasing behavior, conduct
many organizations are elevating Court Middle Management: • developing proactive incident
it to a strategic endeavor. At most organizations, the response plans
C-suite “gets it” but security • training end users
• Big data: Evidence of competitive
teams now face resistance from • monitoring social media
advantage is compelling more channels
organizations to begin big data middle managers who don’t
projects to gain market and want to expend their resources For big data focus on:
business intelligence. on security. Security teams must • understanding the complex
build these relationships, helping security issues created by
• Mobile devices: Organizations are middle managers to understand amalgamating and processing
experiencing a surge of consumer huge volumes of customer,
security’s value.
mobile devices accessing corporate market or business data
networks and storing corporate • getting in on the ground floor
data. Tackle IT Supply Chain
of big data projects
Issues: Organizations are
• ensuring access control
these trends will have a accelerating the implementation governance
big impact on information- of new technologies just as there • developing a plan to leverage
security programs, revealing is growing concern about the big data technologies for better
significant and growing gaps integrity of globally sourced IT threat detection
including a lack of business components. Comprehensive
For mobile devices:
skills, relationships, supply chain programs are required to
• Download the recent compre-
management, and tech-savvy evaluate as well as demonstrate hensive report from the SBIC,
action plans. trustworthiness of hardware and Realizing the Mobile Enterprise:
software. Balancing the Risks and Rewards
of Consumer Devices.
RSA, The Security Division of EMC | SBIC special Report |1
4. 1 2013 Promises a Fast and Bumpy Ride
I n 2013, a cluster of
disruptive innovations –
cloud computing, social
media, big data, and
outpace information
security, several major
developments in
enterprise technology
delivers specific guidance
to fill the gaps and ensure
that information-security
teams have the “right
mobile devices – will adoption are exposing stuff” in order to enable
continue transforming significant and growing innovation over the next
information systems. gaps in information- 12 months.
Conventional approaches security programs.
to information security Based on the
– such as perimeter perspectives of 19
protections, managed security leaders from Information security isn’t just about IT
end-points, signature- global enterprises, the anymore. Trends like cloud computing and
based threat detection, Security for Business consumerization are quickly extending the
and checklist risk Innovation Council information-security role. It’s about business.
evaluations – are (SBIC) has developed It’s about people. It’s about risk management.”
breaking down. As the this Special Report to DR. MARTIJN DEKKER
speed of technological help navigate the shifting Senior Vice President, Chief Information Security Officer,
advances continues to landscape. The report ABN Amro
2| SBIC special Report | RSA, The Security Division of EMC
5. 2 Technology Trends and the Impact on Information Security
E nterprises are looking to up the ante in technology
adoption this year. Information-security teams should
know what to expect and how they will be impacted.
1. Cloud Computing Adoption
2. Social Media Adoption
Trend: Many organizations are preparing to move more Trend: Social media has become a major influencer of
business processes – even mission-critical apps and consumer purchasing decisions, setting it on course to
regulated data – to the cloud. become a strategic endeavor.
Familiarity Breeds Trust Serious Business
By now, most companies have deployed some form Organizations will be looking at social media
of cloud computing, including Software-as-a-Service with a more strategic eye in 2013. A recent survey
(82% of companies), Infrastructure-as-a-Service (51% indicates brand following has doubled in the past
of companies), and Platform-as-a-Service (40% of two years by Americans who use social media. And
companies),1 to capture benefits such as cost savings, of those who use social networking sites at least
agility, and scalability. Over the next few years, once a month, 47% say that Facebook has the most
spending on public cloud services is predicted to influence on purchasing.6
increase at 19% per year.2 The opportunities to reach customers and create
Although supplier lock-in and system availability are positive brand awareness with social media are
some of the big concerns with the cloud, security remains huge. The problem is that social networking sites
the number one obstacle to adoption. But trust in the also present enormous opportunities for misuse
cloud is growing. In a recent survey, 50% of respondents and misinformation as well as malware distribution
were confident that the cloud is now viable for mission- and fraud. In fact, 66% of organizations name
critical business applications.3 Even regulators are social media as a significant or critical risk to their
getting more comfortable with the cloud. The Dutch brand.7 Yet only 38% of organizations have a security
banking authority has given Dutch banks the green strategy in place for social networking.8
light to use cloud services.4 Given this confidence, many As organizations increase their use of social
organizations are ready to move more business processes media to capture the business benefits, they must
to the cloud. But surprisingly, only 30% of organizations also put in place strategies to manage the risks.
have implemented a cloud security strategy5 even though Expectations should be set regarding allowable
cloud computing has been a growing phenomenon for activity on social sites and policy viewed broadly,
years. And even many cloud vendors don’t have sufficient balancing corporate interests with freedom of
security programs. expression. Tools and techniques will also be
required to mitigate the risks of incidents and
Ücome to a The security concernsdemand forcloud adoption
will
Impact:
head. The increasing
hindering
cloud
guard against social-media-based attacks.
computing will force organizations to find effective ways to
evaluate their providers’ security controls to ensure they meet
Ü Impact: Information-security teams must work
to actively manage the risks of social media, including
requirements, including implementing continuous monitoring. comprehensive policies and effective security controls.
1 uture of cloud computing survey, North Bridge Venture Partners, June 2012
F 5 he Global State of Information Security® Survey 2013, a worldwide survey by
T
2 artner: Public cloud spending to increase 19 percent annually to 2016,
G CIO, CSO and PwC, October 2012
FierceEnterprise Communications, October 23, 2012 6 The Social Habit, Edison Research, July 2012
3 uture of cloud computing survey, North Bridge Venture Partners, June 2012
F 7 uarding the Social Gates: The Imperative for Social Media Risk Management,
G
4 NB neemt hobbel weg voor ‘outsourcen in the cloud’, Nieuwsbericht,
D Altimeter, August 2012
De Nederlandsche Bank NV, (DNB), November 6, 2012 8 he Global State of Information Security® Survey 2013, a worldwide survey by
T
CIO, CSO and PwC, October 2012
RSA, The Security Division of EMC | SBIC special Report |3
6. TECHNOLOGY TRENDS AND THE IMPACT ON INFORMATION SECURITY
3. Big Data Adoption 4. Mobile Devices Adoption
Trend: Evidence of competitive advantage is compelling Trend: More employees are using their smartphones and
more organizations to begin big data projects to gain tablets for work, creating a surge of consumer mobile
market and business intelligence. devices accessing corporate networks and storing
corporate data. Organizations have to prepare for a world
where the dominant endpoint is not a desktop PC, but a
Better Threat Detection mobile device.
In the information-security community, “big data”
is generating considerable hype. The power of analytics Risks Mounting
can greatly improve the ability to detect cyber attacks.
Big data can be used to spot malicious activity by Heading into 2013, consumer mobile devices continue
amalgamating and analyzing system and user to create worrisome risks for organizations – ranging
behavior data. It will play a major role in changing the from loss of confidential information to high-profile
information-security model to be more effective. security breaches. Research shows that 70% of all
smartphone-owning professionals are now using their
personal devices to access corporate data, yet almost 80%
Good for Business of that activity remains inadequately managed by IT
departments.10 The potential benefits of mobile devices
It’s not only security that is excited about big data. can include improved productivity and reduced costs.
So are marketing departments and many other areas Capitalizing on these opportunities is only possible if
of business. Big data can be used to gain deep market enterprises know how to manage the risks.
insight, provide tailored customer service, and create
operational intelligence. A survey of executives
worldwide found that the use of big data has improved
Ü Impact: Mobile risksinformation-security teams must
To avert major incidents,
are reaching a critical mass.
their businesses’ performance, on average by 26%. implement strategies that manage the risks while enabling
The majority of these companies (58%) claim they will the rewards. Security strategies should assume the end-
make a bigger investment in big data over the next point is untrusted.
three years.9 This evidence of competitive advantage
will spur more organizations to invest in big data. But
the relative newness of the space means most do not
fully understand the privacy and security risks when
customer and business information is being collected,
combined, processed, and stored at unprecedented
scales and speeds.
Üvalue of big data for security and develop a multi-year
the
Impact: Information-security teams must recognize
plan to evolve their security management model to utilize
big data to detect and remediate security threats. They also
must get in on the ground floor of any new big data projects
that the business takes on, in order to understand the risks
and develop strategies to manage them.
When thinking about big data, information-security teams should not only consider how
they can use powerful analytics to detect security events but also realize that business
overall is shifting towards the use of big data. Securing big data will require an evolution
in data protection controls.”
DAVE MARTIN
Vice President and Chief Security Officer, EMC Corporation
9 The Deciding Factor: Big Data Decision Making, Capgemini, June 2012
10 Multi-market BYOD Survey, Ovum, September 2012
4| SBIC special Report | RSA, The Security Division of EMC
7. 3 Addressing the Gaps
I
n 2013, as enterprise adoption migrates from being an IT-focused Tackle IT Supply
of technology intensifies, to a business-focused problem, Chain Issues
information-security teams face many teams lack the required
significant gaps, including a lack skillset. Security professionals Organizations are accelerating
of business skills, relationships, must become risk managers and the implementation of new
supply chain management, business consultants – translating technologies within their IT
and tech-savvy action plans. business requirements into environments just as there is
Addressing these gaps will take a security requirements. More growing concern about the
commitment to rapid-fire change. and more, the performance of integrity of hardware and
security teams will be measured software components. Many of
on their ability to enable business, these components are globally
Boost Risk and which requires knowing how to sourced, creating complex supply
Business Skills tie security programs to business chain issues. Going into 2013,
outcomes. organizations must increasingly
As the need to protect question whether their IT supply
information has become chain can be trusted. However
increasingly vital, at most global Court Middle the approach should evolve from
organizations the information- Management banning gear to a more holistic
security role has become more risk management approach to
strategic and is transitioning to an As we begin 2013, most C-suites adopt technology with appropriate
“information risk management” and Boards “get it.” The growth of security safeguards. Organizations
role. Enabling a set of disruptive information protection regulations should seek assurances regarding
innovations is accelerating that and the escalation of cyber all of their suppliers’ technology-
trend, forcing a risk management threats mean that most of them development and -delivery
perspective versus a security understand the importance of practices.
“lock-down” mentality. To capture information security and consider As well, most organizations not
the business benefits of new it a priority. Today, it is common only implement IT products
technologies, each organization for CISOs to meet regularly with developed by others but also
must accurately evaluate how executive leadership and the develop IT, such as custom
much risk it is willing to take on Board. In many cases, information applications for use by business
to capture those benefits. The security has attained the sought- partners and customers. Whether
information-security team must after attention from the top. they develop commercial or
work with the business in order to The current resistance to custom hardware or software,
understand the risks and develop information-security efforts is two organizations must be able
protection strategies to mitigate levels down from the executive to demonstrate that they are
them to an acceptable level. level. Middle managers don’t want a trustworthy supplier of IT.
This includes identifying the key to use their resources on security. Comprehensive programs will
information assets and assessing They are incentivized by timeline be required to evaluate and
their value to the organization. and budget; adding security doesn’t demonstrate the integrity of
For years, security professionals fit into their objectives. Security the entire IT supply chain,
have been lobbying to be perceived teams need to build relationships downstream and upstream.
as business enablers rather than with middle managers, helping
inhibitors. Now many information- them understand the value of
security teams are bombarded information security. It may be
with requests to enable innovation. a harder nut to crack than the
But as information security C-suite.
RSA, The Security Division of EMC | SBIC special Report |5
8. ADDRESSING THE GAPS
Build Tech-Savvy Action Plans
Solving all of the security issues that disruptive
innovations are creating isn’t going to happen in
2013, but security teams have to make large strides
or fall even further behind their organizations’ plans
for technology adoption. Security teams must build
competencies and specific actions plans in each area.
1. Cloud Computing Competencies
Cloud Vendor Management
Organizations are ultimately accountable for
safeguarding the information handled by their
cloud service providers. Cloud computing is forcing
information-security teams to switch their focus from
implementing controls to assuring that the controls Budget Realignment
implemented by others meet requirements. Security The assurance process adds cost on both sides (for
teams need to determine “How can we ensure that the cloud provider and the enterprise). Organizations
cloud providers can meet our trust level? How do we should recognize that the increasing costs of
know they are attuned to our particular threats? Can assurance can reduce any cost savings from moving
they meet our regulatory compliance and e-Discovery to the cloud in the first place. As with outsourcing, if
requirements?” the process is mismanaged the cost savings may be
neutralized. Organizations also need to understand
Controls Assurance that in a highly virtualized environment more of IT’s
The conventional controls-assurance model is not budget will be needed to address cloud security. One
sustainable in the cloud. Client organizations can’t solution is budget realignment – reinvesting a portion
go on site to examine the security controls of every of the IT savings the organization achieves by moving
cloud service provider, so they expect the providers to to the cloud into managing the risks.
provide assurance by answering questionnaires. This
is an inefficient process, since the cloud providers’ Technical Proficiency
customers all ask the same questions. In order to evaluate the controls, security teams
Standardized assessments would help. Industry will need a high level of technical proficiency
initiatives, to achieve large-scale sharing of within virtualized environments. When servers
assessments, have not had a lot of success so far. It’s and applications are decoupled from hardware, the
hard for a large number of organizations to agree on security controls framework is completely different
a standard set of controls that will satisfy everyone’s than in conventional IT environments. For example,
requirements. Some organizations are beginning software controls (such as hypervisor security
to turn to small-scale sharing of assessments. This modules) replace hardware controls.
might follow the same model as intelligence sharing Many security teams are still not convinced
whereby exchanging information among a small set of regarding the efficacy of cloud security controls. They
trusted individuals grows over time. Another possible need to validate the security model for themselves,
approach is third-party assessments or certification of understanding the advantages and limitations, in order
service providers, such as the AICPA’s SOC 2 Report to oversee cloud providers. Especially in public clouds,
on Controls at a Service Organization or the upcoming data co-mingling and data remanence remain big
ISO 27017 Standard for Security in Cloud Computing. concerns. Security teams don’t yet have an acceptable
In moving to the cloud, security teams need to find level of assurance that cloud service providers can
effective ways to measure the health of controls and protect data integrity and confidentiality in a multi-
detect failures. The building blocks for attestations tenant environment. Proficiency in cloud security
through governance, risk, and compliance (GRC) controls is critical not only for public/hybrid clouds but
technology are there, but the process needs to mature. also private clouds. Security teams must have the know-
Automated and transparent controls assurance and how to secure virtualized environments within their
continuous monitoring will be an important part of the own data centers.
solution.
6| SBIC special Report | RSA, The Security Division of EMC
9. ADDRESSING THE GAPS
Cloud Computing Suggested Actions:
• lan for increasing
P • ake it a general rule to
M • everage technologies such
L
resources for cloud segregate the role of as GRC solutions that
vendor management. controls implementation can perform automated
from controls assurance to assurance and continuous
ensure impartial controls monitoring and provide
oversight. visibility into cloud
environments.
• ake the case to
M • ork with auditors in the
W • nsure your team has the
E
earmark a portion early stages of public or technical proficiency to
of IT savings that private cloud computing evaluate software controls
result from moving to initiatives, to educate them and secure the virtualized
cloud computing for about the new security environment.
information-security controls in virtualized
oversight. environments.
• actor in IT savings/
F • nvestigate the possibility
I • nvestigate next-generation
I
security oversight offset of sharing cloud vendor encryption solutions that
when making decisions assessments with a small can be used to protect your
regarding moving to the number of trusted partners sensitive data in the cloud.
cloud. to reduce redundancy and
costs.
2. Social Media Competencies It will require an organizational strategy,
including a defined code of conduct and an incident
Executive Treatment response plan. Defining social media policy takes a
The potential scenarios are nightmarish: insiders cross-functional team of executives from security,
tweeting pre-released earnings data, developers IT, legal, HR, and communications. It can be a long
inadvertently disclosing confidential intellectual process, taking months to set up the initial policy and
property in peer forums, employees making requiring ongoing iterations based on learnings and
inappropriate comments to customers or re-tweeting the evolution of the social space. For example, users
rumor as fact, hacktivists hijacking corporate officers’ will be testing the limits/parsing definitions.
social networking accounts, cyber-threat agents using Determining areas of responsibility can be an area
social sites for reconnaissance or spreading malware. of tension. It’s not always straightforward whether
The security team must carefully articulate the risks certain aspects of social media risks are security, PR,
of social media to the business – including data loss, or legal matters. The policy should cover who owns
damage to reputation, regulatory issues, malware what. For example, legal/compliance owns the liability
infections, and targeted spear-phishing campaigns – issues, marketing owns sentiment management, and
and design and implement controls to manage security owns technical monitoring solutions.
the risks.
Response Plan
Traditional incident-response methods that may
have worked with conventional media don’t
work with social media because of the extreme
audience reach and speed of communications.
Often, organizations are forced to think through a
social-media response only when they experience a
watershed event like a major outage or flash event. To
avert a social media crisis, an organization needs to
plan responses to various scenarios ahead of time.
RSA, The Security Division of EMC | SBIC special Report |7
10. ADDRESSING THE GAPS
End-User Behavior Threat Management
End-user training specific to social media is Brand monitoring on social sites is commonly used
essential. It’s not just about what employees do at by corporations to help manage reputational issues.
work but also on their personal time. Training should Customer care teams also monitor social sites
help them understand the policy and internalize the to address specific customer issues before they
consequences of non-compliance, making them safer escalate. The information-security team needs
Internet citizens overall. to work with the corporate marketing teams.
Organizations need to set constructive boundaries Monitoring social media sites can also be a valuable
through training and technical controls – although source of threat intelligence. Social media threats
technical controls available today lack the granularity (YourCompanySucks.com) are not necessarily cyber-
needed. Some organizations may have a very open security issues, but security should be informed of
culture where blocking of social media channels is not anything that points to possible cyber threats, such as
a viable option. Programs can also include moderating hacktivist postings or discussions regarding possible
an organization’s Facebook page and monitoring targeted attacks directed at the company. Some
employees’ postings on social sites. organizations have a team that specifically monitors
social media channels for security threats.
Social Media Suggested Actions:
• evelop a social media risk
D • ature the incident-
M • ain threat intelligence
G
management strategy response process and from reputation/brand-
involving a multidisciplinary include crisis management monitoring services.
team. and surprise drills that test
performance of the response
team.
• ave a clear policy which
H • evelop a plan to monitor
D • reate Facebook and
C
delineates responsibilities the corporate social media Twitter accounts for
and covers code of conduct presence for hijacking, leadership to pre-empt
and incident response. malware, misrepresentation, others from creating
and other public-facing falsified accounts.
threats.
• eliver ongoing end-user
D • reate policy regarding when
C • ork with vendors to
W
awareness training and how to respond to rumors/ develop more advanced,
programs including misleading statements flexible technologies
educating employees regarding your organization, for fine-grained social
on what information such as its security posture. media access control and
is appropriate to post monitoring.
on social channels and
monitor employees’ social
media activities.
For social media response planning, one of the most useful things is a
table-top exercise. Create scenarios and go through simulated events in
real time with all of the stakeholders – such as IT, Communications, HR,
Legal – in order to train and test the response of the team. You’ll quickly
learn how different social media events are compared to other events.”
VISHAL SALVI
Chief Information Security Officer and Senior Vice President, HDFC Bank Limited
8| SBIC special Report | RSA, The Security Division of EMC
11. ADDRESSING THE GAPS
Formulating Security Strategies
As organizations begin big data projects, security
teams must get involved early on, in order to
understand the risks and devise strategies to manage
them. To protect information in a big data context, a
major focus area must be access control governance.
Unfortunately not many specialized tools are
available yet. Limited data masking and coarse data
access control are some of the currently available
techniques, but they’re not sufficient. Better methods
3. Big Data Competencies for sanitizing aggregations and fine-grained access
controls for large data sets are needed.
Increased Complexity For big data, security teams will also need to get a
Big data technologies such as Hadoop go well beyond handle on information life cycle. It’s important to
conventional database engines. They allow organizations understand what data is being collected and stored,
to amalgamate data sets and run powerful analytics at including the queries: “What returns large amounts?
unprecedented volumes and speeds. Rapidly amassing Small amounts?” As well, the individuals performing
and processing customer and business information the analytics will need to be monitored. A possible
increases the complexity of security issues such solution may be a peer review of query results to
as access governance, confidential data exposure, check, for example, for access to PII.
regulatory compliance, and data integrity.
For example, as data sets grow, without robust 4. Mobile Competencies
access controls, individuals could easily be over- A recent comprehensive
provisioned access. If not carefully tracked, report from the SBIC, Realizing
confidential information could be combined with the Mobile Enterprise: Balancing
other data sets and inadvertently exposed. As the Risks and Rewards of
personally identifiable information (PII) is processed Consumer Devices, identifies
in new ways, organizations run the risk of breaching today’s major sources of risk
privacy laws which require that data remain in for the mobile enterprise
particular geographical locations. Analyzing blended and the outlook for the near
data sets to produce business insights may lead to new future and presents concrete
intellectual property (IP) that will need protecting. recommendations for managing
As well, data integrity issues arise when data from mobile risks.
different sources gets combined; organizations must
consider whether all of the data is from trusted
sources and if the resulting analysis can be trusted.
Big Data Suggested Actions:
• amp up technical
R • onitor what’s being
M • ducate analysts regarding risks
E
knowledge in big data. requested and what’s going to various types of data and
out including anomalous make clear what can be shared
access or queries. and with whom.
• nsure proper
E • atch carefully for over-
W • ove toward data-centric
M
information classification provisioning of access and security, protection that travels
which covers legal and segregate roles for different with the information.
regulatory compliance types of access, such as those
and considers country- who ask for queries and those
specific requirements. who run them.
• evelop data-flow
D • volve access control
E • ork with vendors to develop
W
mapping as a core governance by tracking technologies required for
competency of the types and levels of managing the risks of big data,
the security team. data requests and queries. such as better data masking,
meta-tagging, data classification,
and fine-grained access control.
RSA, The Security Division of EMC | SBIC special Report |9
12. 6 Conclusion
E xpect cloud computing, social media, big data, and mobile
devices to be on the radar as disruptive forces for all of 2013
and beyond. As enterprises accelerate implementation,
the information-security team needs to ensure it has what
it takes to enable innovation – including people, processes
and technologies. It is critical for the security team – as risk
management partners – to develop a keen understanding of
business goals and engage multiple departments and levels
of management. It will require developing or honing skills,
especially the ability to engage and influence stakeholders
from across the organization, in order to ensure that
information security has a seat at the table as the business
moves forward.
About the Security for Business
Innovation Council Initiative
The Security for Business Innovation Council (SBIC) is a group of top
security leaders from Global 1000 enterprises committed to advancing
information security worldwide by sharing their diverse professional
experiences and insights. The Council produces periodic reports exploring
information security’s central role in enabling business innovation.
10 | SBIC special Report | RSA, The Security Division of EMC
13. Report Contributors Security for Business
Innovation Council
MARENE N. ALLISON, ANISH BHIMANI, CISSP, WILLIAM BONI, CISM, CPP, CISA, ROLAND CLOUTIER,
Worldwide Vice President of Chief Information Risk Corporate Information Security Vice President, Chief Security
Information Security, Officer, JPMorgan Chase Officer (CISO), VP, Enterprise Officer, Automatic Data
Johnson Johnson Information Security, Processing, Inc.
T-Mobile USA
DR. MARTIJN DEKKER, Senior JERRY R. GEISLER III, GCFA, RENEE GUTTMANN, Chief MALCOLM HARKINS,
Vice President, Chief GCFE, GCIH, Office of the Chief Information Security Officer, Vice President and Chief
Information Security Officer, Information Security Officer, The Coca-Cola Company Information Security Officer,
ABN Amro Walmart Stores, Inc. General Manager, Information
Risk and Security, Intel
KENNETH HAERTLING, PETRI KUIVALA, DAVE MARTIN, CISSP, Vice TIM MCKNIGHT, CISSP, Execu-
Vice President and Chief Chief Information Security President and Chief Security tive Vice President, Enterprise
Security Officer, TELUS Officer, Nokia Officer, EMC Corporation Information Security and Risk,
Fidelity Investments
FELIX MOHAN, ROBERT RODGER, Group Head RALPH SALOMON, CRISC, VISHAL SALVI, CISM, Chief
Senior Vice President and of Infrastructure Security, Vice President IT Security Information Security Officer
Global Chief Information HSBC Holdings plc. Risk Office, SAP ag and Senior Vice President,
Security Officer, Airtel HDFC Bank Limited
To see SBIC
members’ full bios,
SIMON STRICKLAND, LEANNE TOLIVER, CISA, CISSP, DENISE D. WOOD, Corporate please visit emc.com.
Global Head of Security, Interim Chief Information Vice President, Information
AstraZeneca Security Officer, Global Security, Chief Information
Information Security, eBay Security Officer, Chief IT Risk
Officer, FedEx Corporation
RSA, The Security Division of EMC | SBIC special Report | 11