B6 | Wednesday, September 22, 2010 | THE WALL STREET JOURNAL.

Special Advertising Section

Perspectives on Risk IT

The Virtual Unknown

Emerging technologies, some in their infancy, make risk harder to gauge

By Joe Mullich
Illustration by Alex Williamson

In some ways, emerging technologies — like social networks, mobile devices and cloud computing — are reshaping how IT views risk. In the past, from an IT standpoint, managing risk was about digging technology moats and putting up cyber drawbridges. Firewalls, anti-virus programs and the like created a strong perimeter defense to protect data from infiltrators.

However, moats and drawbridges are only of value if what you want to protect is behind the castle walls. Emerging technology provides much of its payback because it loosens control on data and, in some cases, places it in someone else’s castle.

“In general, there is a move to more mobility and a less rigidly defined security perimeter, connecting to devices, like employees’ personal communications devices, that you don’t trust,” says James Slaby, managing director for the Security & Networking Practice at TheInfoPro, an independent research firm. “People understand the business benefits of the new environment, but they can’t quite get their arms around the new threat environment.”

Ironically, he sees this as a positive development for IT security. “Before, the tendency in an organization was to look at threats to the infrastructure and harden the perimeter security,” Slaby says. “People would lock down the operating systems, but they wouldn’t think if a contractor was walking out of the company with data on a thumb drive. Now the focus is on the security of the data.”

This is a welcomed perspective — if only there weren’t so many security concerns to focus on. “There is a new universe of threats and attack vectors that people couldn’t imagine a few years ago that have arrived at a speed that’s shocking,” says Khalid Kark, an analyst with Forrester Research.

Consider workers using social media and personal mobile devices, giving cybercriminals new operating systems to attack that IT has not provided safeguards for. Many companies are finding they must embrace these technologies because workers and customers demand them, yet they also offer more “attack points” for increasingly sophisticated data thieves.

The speed of threats is shown in the “Bring Your Own Equipment” (BYOE) trend — workers using personal devices for business reasons. It wasn’t even mentioned as a concern in TheInfoPro’s last survey of organizations just six months ago, but is emerging as a top security pain point in the year ahead.

Then there’s “cloud computing,” the tech buzzword du jour, referring to the housing of corporate information in a data center controlled by a vendor, which your employees access over the Internet. The approach is a no-brainer in terms of cost savings and efficiencies. The problem is that cloud computing can put the company’s crown jewels — its data — at a greater but hard-to-gauge risk, since it inherently requires companies to give up some control of their information.

As Kark notes, the threat landscape is becoming increasingly complex, populated less by individual hackers who brag about their latest exploits than by organized, well-funded crime syndicates and even state-sponsored agents. Instead of “big bang,” headline-making attacks, criminals now spend months probing a corporate network for weaknesses and then modify that network to provide them with an ongoing stream of information. “The sophistication of the attacks is significantly more mature than it was even a year ago, and so the business impact over time can be huge,” Kark says.

Clouded Discussions

Cloud computing offers enticing economies of scale, promising to let companies dramatically reduce spending on technology infrastructure. It has also forced IT people to ponder the unknown risks. In a recent survey of 259 large and mid-size organizations by TheInfoPro, 72 percent said they were “very” concerned or “extremely” concerned about security in a cloud environment.

They are proceeding, albeit cautiously, because “Businesspeople don’t see this as simply moving money out of IT infrastructure — they view this as money that can be invested in areas outside IT, such as improving manufacturing processes to boost margins,” says Slaby. “Security departments are challenged in coming up with a compelling argument against cloud computing because this stuff is developing so fast and they don’t have data that defines the risk yet.”

They may lack firm data, but they have at least a vague sense of the potential pitfalls. The Cloud Security Alliance, an industry organization, recently produced a report that identified the top threats of cloud computing.

Cybercriminals are now targeting cloud computing because increasingly that’s where the most valuable data is — or will be. One surprising finding of the TheInfoPro survey is, while companies are worried about cloud security, the first business function they plan to transition to the cloud is Human Resources data — which is extremely sensitive to identity theft.

The Cloud Security Alliance pointed out other reasons for concern. The software interfaces that customers use to manage and interact with the cloud may be weak and easier for criminals to break. Services or accounts housed in the clouds can be hijacked, letting miscreants redirect customers to their illegitimate web sites. Malicious insiders at the cloud providers represent a new source of potential data leakage.

“Cloud computing is getting a lot of play, but from our perspective it’s a little immature in its life cycle,” says Tom Peach, CIO of Zurich in North America. “Our customers and business brokers demand a rock-solid environment, and we are looking at it and testing it out.”

At the same time, Peach, like many IT professionals, feels the rising pressure to implement emerging technology. “I know there are areas within our company that want to run with this technology,”
he says. “There is a lot of heat to move on things like the iPhone and the iPad. Our business partners want to be on the cutting edge and there’s increasing demand to use these technologies.”

Drawing the Line

Morgan O’Rourke, director of publications for the Risk and Insurance Management Society (RIMS), notes, “there is so much risk out there that you have to know where to draw the line.” He points out an emerging risk in the social network arena called niche social bookmarking, where people can “tag” or associate companies to specific content — say, Exxon to environmental articles.

“The question is…is that a risk you want to manage?” he says. “You have to have a thorough understanding of your risk appetite, especially as the definition of risk gets stretched to include nebulous things that are hard to quantify, like reputation.” He goes on to say, “Some companies have their heads in the sand, but that’s not an option anymore.”

This new world of security is bringing fundamental changes to “the professional paranoids” who are charged with safeguarding data. Security departments, which have traditionally been organized in silos to look at discrete network elements like desktops, are now reorganizing to reflect a more overarching approach.

Over the past year, Zurich in North America’s spending on IT security has risen 20 percent while the rest of the IT budget remained flat. “Security has to be a portion of the capital budget,” Peach says. “It can’t be an afterthought.”

Playing It Safe

Without question, the rush is on to try to secure the cloud. The Cloud Security Alliance is advancing best security practices and recently implemented the industry’s first certification program to ensure IT professionals demonstrate awareness of cloud security threats and best practices.

In Slaby’s view, many organizations are seeking to build their “cloud security calluses” in lower-risk scenarios, first by gaining experience with “private clouds” within the safety of their own networks before venturing out to true cloud services. As companies migrate to the cloud, they are looking to protect themselves with carefully negotiated service level agreements (SLAs) and tools to actively monitor and verify the performance of cloud providers.

Exploring safeguards now is important, Slaby notes, because “it will be hard for business managers to resist for long. The compelling cost-arbitrage benefits of the cloud — its ability to deliver big savings in hardware, power and IT support costs — will likely force IT security professionals to figure out these challenges sooner rather than later.”

Emerging technology is prompting companies to seek other safeguards, demonstrated by the growing interest in business interruption insurance in case data is compromised or becomes unavailable and prevents them from conducting business as usual. “Businesses should also be looking at errors and omissions coverage, which can offer protection if, say, a data breach exposes information that a stakeholder might consider private and, therefore, worth taking legal action over,” O’Rourke says. “This would also apply to content on social networks,” he adds, “which makes the need for a solid social media policy even more important.”

In the current technology arena, “The problem with risk is that it’s not easy to quantify the business impact,” says Kark. “Traditionally, businesses have accepted risks with a low probability of happening, but now the impact is so large from data loss, including government sanctions, embarrassing headlines and furious shareholders, that they cannot ignore even the smallest possibilities anymore.”

Joe Mullich writes about business technology and other topics.

Weitere ähnliche Inhalte

Was ist angesagt?

Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Booz Allen Hamilton
 
CLUSIR DU 12 JUIN
CLUSIR DU 12  JUIN CLUSIR DU 12  JUIN
CLUSIR DU 12 JUIN ndelannoy
 
Issa Charlotte 2009 Patching Your Users
Issa Charlotte 2009   Patching Your UsersIssa Charlotte 2009   Patching Your Users
Issa Charlotte 2009 Patching Your UsersMike Murray
 
The Economic Impact of File Virtualization
The Economic Impact of File VirtualizationThe Economic Impact of File Virtualization
The Economic Impact of File VirtualizationFindWhitePapers
 
Information Security Shake-Up
Information Security Shake-Up  Information Security Shake-Up
Information Security Shake-Up EMC
 
Strategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationStrategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationBooz Allen Hamilton
 
Smart, Data-Centric Security for the Post-PC Era
Smart, Data-Centric Security for the Post-PC EraSmart, Data-Centric Security for the Post-PC Era
Smart, Data-Centric Security for the Post-PC EraTrend Micro (EMEA) Limited
 
Closing the gaps in enterprise data security: A model for 360 degrees protection
Closing the gaps in enterprise data security: A model for 360 degrees protectionClosing the gaps in enterprise data security: A model for 360 degrees protection
Closing the gaps in enterprise data security: A model for 360 degrees protectionFindWhitePapers
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...HyTrust
 
The Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's EnterpriseThe Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's EnterpriseReadWrite
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTGerry Skipwith
 
Info360 Keynote by AIIM President John Mancini
Info360 Keynote by AIIM President John ManciniInfo360 Keynote by AIIM President John Mancini
Info360 Keynote by AIIM President John ManciniJohn Mancini
 
Nexus2010 keynote -- ImageSource
Nexus2010 keynote -- ImageSourceNexus2010 keynote -- ImageSource
Nexus2010 keynote -- ImageSourceJohn Mancini
 
2013 global security report
2013 global security report2013 global security report
2013 global security reportYury Chemerkin
 
Is your data at risk? Why physical security is insufficient for laptop computers
Is your data at risk? Why physical security is insufficient for laptop computersIs your data at risk? Why physical security is insufficient for laptop computers
Is your data at risk? Why physical security is insufficient for laptop computersFindWhitePapers
 

Was ist angesagt? (20)

Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
 
The Vigilant Enterprise
The Vigilant EnterpriseThe Vigilant Enterprise
The Vigilant Enterprise
 
CLUSIR DU 12 JUIN
CLUSIR DU 12  JUIN CLUSIR DU 12  JUIN
CLUSIR DU 12 JUIN
 
Issa Charlotte 2009 Patching Your Users
Issa Charlotte 2009   Patching Your UsersIssa Charlotte 2009   Patching Your Users
Issa Charlotte 2009 Patching Your Users
 
Posterv2
Posterv2Posterv2
Posterv2
 
The Economic Impact of File Virtualization
The Economic Impact of File VirtualizationThe Economic Impact of File Virtualization
The Economic Impact of File Virtualization
 
Information Security Shake-Up
Information Security Shake-Up  Information Security Shake-Up
Information Security Shake-Up
 
Strategic Information Management Through Data Classification
Strategic Information Management Through Data ClassificationStrategic Information Management Through Data Classification
Strategic Information Management Through Data Classification
 
Smart, Data-Centric Security for the Post-PC Era
Smart, Data-Centric Security for the Post-PC EraSmart, Data-Centric Security for the Post-PC Era
Smart, Data-Centric Security for the Post-PC Era
 
Closing the gaps in enterprise data security: A model for 360 degrees protection
Closing the gaps in enterprise data security: A model for 360 degrees protectionClosing the gaps in enterprise data security: A model for 360 degrees protection
Closing the gaps in enterprise data security: A model for 360 degrees protection
 
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
Virtualize More in 2012 with HyTrust-Boost Data Center Efficiency and Consoli...
 
The Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's EnterpriseThe Essential Ingredient for Today's Enterprise
The Essential Ingredient for Today's Enterprise
 
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFTPrint - Overlooked piece of the security puzzle whitepaper - DRAFT
Print - Overlooked piece of the security puzzle whitepaper - DRAFT
 
2010 grail research_cloud_computing
2010 grail research_cloud_computing2010 grail research_cloud_computing
2010 grail research_cloud_computing
 
Info360 Keynote by AIIM President John Mancini
Info360 Keynote by AIIM President John ManciniInfo360 Keynote by AIIM President John Mancini
Info360 Keynote by AIIM President John Mancini
 
Nexus2010 keynote -- ImageSource
Nexus2010 keynote -- ImageSourceNexus2010 keynote -- ImageSource
Nexus2010 keynote -- ImageSource
 
2013 global security report
2013 global security report2013 global security report
2013 global security report
 
White Paper: Mobile Security
White Paper: Mobile SecurityWhite Paper: Mobile Security
White Paper: Mobile Security
 
Digital Trust In The Cloud
Digital Trust In The CloudDigital Trust In The Cloud
Digital Trust In The Cloud
 
Is your data at risk? Why physical security is insufficient for laptop computers
Is your data at risk? Why physical security is insufficient for laptop computersIs your data at risk? Why physical security is insufficient for laptop computers
Is your data at risk? Why physical security is insufficient for laptop computers
 

Ähnlich wie Wall street journal 22 sept 10 - perspectives on risk it

Latest Cybersecurity Trends
Latest Cybersecurity TrendsLatest Cybersecurity Trends
Latest Cybersecurity TrendsIRJET Journal
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemBernard Marr
 
Information Security
Information SecurityInformation Security
Information Securitytrunko
 
What Possible Computer Disasters Can Be Associated With "Cloud Computing"?
What Possible Computer Disasters Can Be Associated With "Cloud Computing"?
What Possible Computer Disasters Can Be Associated With "Cloud Computing"?
What Possible Computer Disasters Can Be Associated With "Cloud Computing"? white paper
 
The importance of information security
The importance of information securityThe importance of information security
The importance of information securityethanBrownusa
 
New Security Challenges Juan Miguel Velasco
New	Security Challenges Juan Miguel VelascoNew	Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel VelascoJuanMiguelVelascoWeb
 
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computingJuan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computingJuan Miguel Velasco López Urda
 
New Security Challenges Juan Miguel Velasco
New	Security Challenges Juan Miguel VelascoNew	Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel VelascoJuanMiguelVelascoWeb
 
Ten Security Essentials for CIOs
Ten Security Essentials for CIOsTen Security Essentials for CIOs
Ten Security Essentials for CIOsIBM Security
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaIBM Danmark
 
IBM Tivoli - Security Solutions for the Cloud
IBM Tivoli - Security Solutions for the CloudIBM Tivoli - Security Solutions for the Cloud
IBM Tivoli - Security Solutions for the CloudVincent Kwon
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...cVidya Networks
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk  Management In The  Web 2.0  EnvironmentSivasubramanian Risk  Management In The  Web 2.0  Environment
Sivasubramanian Risk Management In The Web 2.0 EnvironmentVinoth Sivasubramanan
 
The 5 most trusted cyber security companies to watch.
The 5 most trusted cyber security companies to watch.The 5 most trusted cyber security companies to watch.
The 5 most trusted cyber security companies to watch.Merry D'souza
 
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...DivvyCloud
 

Ähnlich wie Wall street journal 22 sept 10 - perspectives on risk it (20)

Latest Cybersecurity Trends
Latest Cybersecurity TrendsLatest Cybersecurity Trends
Latest Cybersecurity Trends
 
Why Cybersecurity is a Data Problem
Why Cybersecurity is a Data ProblemWhy Cybersecurity is a Data Problem
Why Cybersecurity is a Data Problem
 
Information Security
Information SecurityInformation Security
Information Security
 
Big Data Dectives
Big Data DectivesBig Data Dectives
Big Data Dectives
 
What Possible Computer Disasters Can Be Associated With "Cloud Computing"?
What Possible Computer Disasters Can Be Associated With "Cloud Computing"?
What Possible Computer Disasters Can Be Associated With "Cloud Computing"?
What Possible Computer Disasters Can Be Associated With "Cloud Computing"?
 
The importance of information security
The importance of information securityThe importance of information security
The importance of information security
 
New Security Challenges Juan Miguel Velasco
New	Security Challenges Juan Miguel VelascoNew	Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel Velasco
 
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computingJuan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
Juan miguel-velasco-lopez-urda-seguridad-informatica-cloud-computing
 
New Security Challenges Juan Miguel Velasco
New	Security Challenges Juan Miguel VelascoNew	Security Challenges Juan Miguel Velasco
New Security Challenges Juan Miguel Velasco
 
Ten Security Essentials for CIOs
Ten Security Essentials for CIOsTen Security Essentials for CIOs
Ten Security Essentials for CIOs
 
Internet
InternetInternet
Internet
 
expert tips
expert tipsexpert tips
expert tips
 
Ten Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things SecurityTen Expert Tips on Internet of Things Security
Ten Expert Tips on Internet of Things Security
 
PCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio PanadaPCTY 2012, IBM Security and Strategy v. Fabio Panada
PCTY 2012, IBM Security and Strategy v. Fabio Panada
 
IBM Tivoli - Security Solutions for the Cloud
IBM Tivoli - Security Solutions for the CloudIBM Tivoli - Security Solutions for the Cloud
IBM Tivoli - Security Solutions for the Cloud
 
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...Becoming the safe choice for the cloud by addressing cloud fraud & security t...
Becoming the safe choice for the cloud by addressing cloud fraud & security t...
 
Ccsw
CcswCcsw
Ccsw
 
Sivasubramanian Risk Management In The Web 2.0 Environment
Sivasubramanian Risk  Management In The  Web 2.0  EnvironmentSivasubramanian Risk  Management In The  Web 2.0  Environment
Sivasubramanian Risk Management In The Web 2.0 Environment
 
The 5 most trusted cyber security companies to watch.
The 5 most trusted cyber security companies to watch.The 5 most trusted cyber security companies to watch.
The 5 most trusted cyber security companies to watch.
 
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
Bringing Cloud Computing Out of the Shadows: Shine the light on Shadow IT wit...
 

Wall street journal 22 sept 10 - perspectives on risk it

  • 1. B6 Wednesday, September 22, 2010 THE WALL STREET JOURNAL. Special Advertising Section

Perspectives on Risk IT

The Virtual Unknown

Emerging technologies, some in their infancy, make risk harder to gauge

By Joe Mullich

In some ways, emerging technologies — like social networks, mobile devices and cloud computing — are reshaping how IT views risk. In the past, from an IT standpoint, managing risk was about digging technology moats and putting up cyber drawbridges. Firewalls, anti-virus programs and the like created a strong perimeter defense to protect data from infiltrators.

However, moats and drawbridges are only of value if what you want to protect is behind the castle walls. Emerging technology provides much of its payback because it loosens control on data and, in some cases, places it in someone else’s castle.

“In general, there is a move to more mobility and a less rigidly defined security perimeter, connecting to devices, like employees’ personal communications devices, that you don’t trust,” says James Slaby, managing director for the Security & Networking Practice at TheInfoPro, an independent research firm. “People understand the business benefits of the new environment, but they can’t quite get their arms around the new threat environment.”

Ironically, he sees this as a positive development for IT security. “Before, the tendency in an organization was to look at threats to the infrastructure and harden the perimeter security,” Slaby says. “People would lock down the operating systems, but they wouldn’t think if a contractor was walking out of the company with data on a thumb drive. Now the focus is on the security of the data.”

This is a welcomed perspective — if only there weren’t so many security concerns to focus on. “There is a new universe of threats and attack vectors that people couldn’t imagine a few years ago — that have arrived at a speed that’s shocking,” says Khalid Kark, an analyst with Forrester Research.

Consider workers using social media and personal mobile devices, giving cybercriminals new operating systems to attack that IT has not provided safeguards for. Many companies are finding they must embrace these technologies because workers and customers demand them, yet they also offer more “attack points” for increasingly sophisticated data thieves.

The speed of threats is shown in the “Bring Your Own Equipment” (BYOE) trend — workers using personal devices for business reasons. It wasn’t even mentioned as a concern in TheInfoPro’s last survey of organizations just six months ago, but is emerging as a top security pain point in the year ahead.

Then there’s “cloud computing,” the tech buzzword du jour, referring to the housing of corporate information in a data center controlled by a vendor, which your employees access over the Internet. The approach is a no-brainer in terms of cost savings and efficiencies. The problem is that cloud computing can put the company’s crown jewels — its data — at a greater but hard-to-gauge risk, since it inherently requires companies to give up some control of their information.

As Kark notes, the threat landscape is becoming increasingly complex, populated less by individual hackers who brag about their latest exploits than by organized, well-funded crime syndicates and even state-sponsored agents. Instead of “big bang,” headline-making attacks, criminals now spend months probing a corporate network for weaknesses and then modify that network to provide them with an ongoing stream of information. “The sophistication of the attacks is significantly more mature than it was even a year ago, and so the business impact over time can be huge,” Kark says.

Clouded Discussions

Cloud computing offers enticing economies of scale, promising to let companies dramatically reduce spending on technology infrastructure. It has also forced IT people to ponder the unknown risks. In a recent survey of 259 large and mid-size organizations by TheInfoPro, 72 percent said they were “very” concerned or “extremely” concerned about security in a cloud environment.

They are proceeding, albeit cautiously, because “Businesspeople don’t see this as simply moving money out of IT infrastructure — they view this as money that can be invested in areas outside IT, such as improving manufacturing processes to boost margins,” says Slaby. “Security departments are challenged in coming up with a compelling argument against cloud computing because this stuff is developing so fast and they don’t have data that defines the risk yet.”

They may lack firm data, but they have at least a vague sense of the potential pitfalls. The Cloud Security Alliance, an industry organization, recently produced a report that identified the top threats of cloud computing.

Cybercriminals are now targeting cloud computing because increasingly that’s where the most valuable data is — or will be. One surprising finding of the TheInfoPro survey is, while companies are worried about cloud security, the first business function they plan to transition to the cloud is Human Resources data — which is extremely sensitive to identity theft.

The Cloud Security Alliance pointed out other reasons for concern. The software interfaces that customers use to manage and interact with the cloud may be weak and easier for criminals to break. Services or accounts housed in the clouds can be hijacked, letting miscreants redirect customers to their illegitimate web sites. Malicious insiders at the cloud providers represent a new source of potential data leakage.

“Cloud computing is getting a lot of play, but from our perspective it’s a little immature in its life cycle,” says Tom Peach, CIO of Zurich in North America. “Our customers and business brokers demand a rock-solid environment, and we are looking at it and testing it out.”

At the same time, Peach, like many IT professionals, feels the rising pressure to implement emerging technology. “I know there are areas within our company that want to run with this technology,”

Continued on next page

“Security has to be a portion of the capital budget. It can’t be an afterthought.” — Tom Peach

Illustration by Alex Williamson
  • 2. THE WALL STREET JOURNAL. Wednesday, September 22, 2010 B7

he says. “There is a lot of heat to move on things like the iPhone and the iPad. Our business partners want to be on the cutting edge and there’s increasing demand to use these technologies.”

Drawing the Line

Morgan O’Rourke, director of publications for the Risk and Insurance Management Society (RIMS), notes, “there is so much risk out there that you have to know where to draw the line.” He points out an emerging risk in the social network arena called niche social bookmarking, where people can “tag” or associate companies to specific content — say, Exxon to environmental articles.

“The question is…is that a risk you want to manage?” he says. “You have to have a thorough understanding of your risk appetite, especially as the definition of risk gets stretched to include nebulous things that are hard to quantify, like reputation.” He goes on to say, “Some companies have their heads in the sand, but that’s not an option anymore.”

This new world of security is bringing fundamental changes to “the professional paranoids” who are charged with safeguarding data. Security departments, which have traditionally been organized in silos to look at discrete network elements like desktops, are now reorganizing to reflect a more overarching approach.

Over the past year, Zurich in North America’s spending on IT security has risen 20 percent while the rest of the IT budget remained flat. “Security has to be a portion of the capital budget,” Peach says. “It can’t be an afterthought.”

Playing It Safe

Without question, the rush is on to try to secure the cloud. The Cloud Security Alliance is advancing best security practices and recently implemented the industry’s first certification program to ensure IT professionals demonstrate awareness of cloud security threats and best practices.

In Slaby’s view, many organizations are seeking to build their “cloud security calluses” in lower-risk scenarios, first by gaining experience with “private clouds” within the safety of their own networks before venturing out to true cloud services.

As companies migrate to the cloud, they are looking to protect themselves with carefully negotiated service level agreements (SLAs) and tools to actively monitor and verify the performance of cloud providers.

Exploring safeguards now is important, Slaby notes, because “it will be hard for business managers to resist for long. The compelling cost-arbitrage benefits of the cloud — its ability to deliver big savings in hardware, power and IT support costs — will likely force IT security professionals to figure out these challenges sooner rather than later.”

Emerging technology is prompting companies to seek other safeguards, demonstrated by the growing interest in business interruption insurance in case data is compromised or becomes unavailable and prevents them from conducting business as usual.

“Businesses should also be looking at errors and omissions coverage, which can offer protection if, say, a data breach exposes information that a stakeholder might consider private and, therefore, worth taking legal action over,” O’Rourke says. “This would also apply to content on social networks,” he adds, “which makes the need for a solid social media policy even more important.”

In the current technology arena, “The problem with risk is that it’s not easy to quantify the business impact,” says Kark. “Traditionally, businesses have accepted risks with a low probability of happening, but now the impact is so large from data loss, including government sanctions, embarrassing headlines and furious shareholders, that they cannot ignore even the smallest possibilities anymore.”

Joe Mullich writes about business technology and other topics.

“There is a new universe of threats and attack vectors that people couldn’t imagine a few years ago.” — Khalid Kark

“We had to move this 700 ton component more than 400 miles. Scores of risks, but Zurich made us feel confident we were well covered.” Herbert Peters, Managing Director, Sasol-Huntsman, Moers, Germany

Integrated insurance solutions for even the most specialized projects. We provided Sasol-Huntsman, one of the largest producers of Maleic Anhydride in Europe, with an integrated insurance and risk engineering solution to address the risks associated with moving a 700 ton factory component across Germany. By helping our customer ensure the necessary precautions were taken, and providing coverage for the entire trip, everyone was breathing easy. It’s an example of how Zurich HelpPoint delivers the help businesses need when it matters most. To learn more about this case, visit www.zurichna.com/risks

In the United States, coverages are underwritten by member companies of Zurich in North America, including Zurich American Insurance Company. Certain coverages not available in all states. Some coverages may be written on a non-admitted basis through licensed surplus lines brokers. Risk engineering services are provided by Zurich Services Corporation. Zurich Services Corporation does not guarantee any particular outcome and there may be conditions on your premises or within your organization, which may not be apparent to us.