Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Information Security Shake-Up

4.850 Aufrufe

Veröffentlicht am

This Special Report from the Security for Business Innovation Council identifies four technology trends -- cloud computing, social media, big data, and mobile devices -- as game-changers for 2013 and offers concrete guidance on how security teams can meet these requirements.

Veröffentlicht in: Technologie

Information Security Shake-Up

  1. 1. A Special Report by the Information Security Shake-Up:Disruptive Innovations to Test Security’s Mettle in 2013 FEATURING THE PERSPECTIVES OF C-LEVEL SECURITY EXECUTIVES FROM: ABN Amro Coca-Cola Fidelity Investments Johnson & Johnson TELUS ADP, Inc. eBay Intel JPMorgan Chase T-Mobile USA Airtel EMC HDFC Bank Nokia Walmart AstraZeneca FedEx HSBC Holdings plc. SAP AG An industry initiative sponsored by RSA
  2. 2. * Contents REPORT HIGHLIGHTS 2013 PROMISES A FAST AND BUMPY RIDE 2 TECHNOLOGY TRENDS AND THE IMPACT ON INFORMATION SECURITY 3 1. Cloud Computing Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3 2. Social Media Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 3 3. Big Data Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4 4. Mobile Devices Adoption>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 4 ADDRESSING THE GAPS 5 Boost Business and Risk Skills>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5 Court Middle Management>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5 Tackle IT Supply Chain Issues>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 5 Build Tech-Savvy Action Plans>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 6 1. Cloud Computing Competencies>>>>>>>>>>>>>>>>>>>>>>>> 6 2. Social Media Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>> 7 3. Big Data Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 9 4. Mobile Competencies>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 9 CONCLUSION/ ABOUT THE SBIC 10 REPORT CONTRIBUTORS: SECURITY FOR BUSINESS INNOVATION COUNCIL 11 Disclaimer – This Security for Business Innovation Council Report (“Report”) includes information and materials (collectively, the “Content”) that are subject to change without notice. RSA Security LLC, EMC Corporation, and the individual authors of the Security for Business Innovation Council (collectively, the “Authors”) expressly disclaim any obligation to keep Content up to date. The Content is provided “AS IS.” The Authors disclaim any express or implied warranties related to the use of the Content, including, without limitation, merchant- ability, suitability, non-infringement, accuracy, or fitness for any particular purpose. The Content is intended to provide information to the public and is not legal advice of RSA Security LLC, its parent company, EMC Corporation, their attorneys or any of the authors of this SBIC report. You should not act or refrain from acting on the basis of any Content without consulting an attorney licensed to practice in your jurisdiction. The Authors shall not be liable for any errors contained herein or for any damages whatsoever arising out of or related to the use of this Report (including all Content), including, without limitation, direct, indirect, incidental, special, consequential, or punitive damages, whether under a contract, tort, or any other theory of liability, even if the Authors are aware of the possibility of such errors or damages. The Authors assume no responsibility for errors or omissions in any Content.2| SBIC special Report | RSA, The Security Division of EMC
  3. 3. Report Highlightsin 2013, a cluster of the gaps must be addressed Build Tech-savvy Actiondisruptive innovations will in order for information-security Plans: Security teams mustcontinue transforming teams to keep pace with their build specific competencies andenterprise IT and hammering organizations’ technology action plans for enabling theseat the very foundations of aspirations. innovations:information-security strategies For cloud computing focus on: Boost Risk & Business • optimizing cloud vendorthis year promises several Skills: Information-security managementmajor developments teams have long lobbied to be • solving controls assurancein enterprise adoption of: perceived as business enablers • realigning the IT budget to• Cloud computing: Many organiza- not inhibitors. Now that many cover the costs of cloud security tions are preparing to move more are, they don’t have the right • sharpening technical proficiency business processes – even mission- skills. To meet the swelling in virtualized environments critical apps and regulated data – demands to enable innovation, to the cloud. For social media focus on: security teams must rapidly • working with a multidisci- attain risk management and plinary executive team to• Social media: Based on social me- dia’s new-found powers to influence business skills. develop policy and codes of consumer purchasing behavior, conduct many organizations are elevating Court Middle Management: • developing proactive incident it to a strategic endeavor. At most organizations, the response plans C-suite “gets it” but security • training end users• Big data: Evidence of competitive teams now face resistance from • monitoring social media advantage is compelling more channels organizations to begin big data middle managers who don’t projects to gain market and want to expend their resources For big data focus on: business intelligence. on security. Security teams must • understanding the complex build these relationships, helping security issues created by• Mobile devices: Organizations are middle managers to understand amalgamating and processing experiencing a surge of consumer huge volumes of customer, security’s value. mobile devices accessing corporate market or business data networks and storing corporate • getting in on the ground floor data. Tackle IT Supply Chain of big data projects Issues: Organizations are • ensuring access controlthese trends will have a accelerating the implementation governancebig impact on information- of new technologies just as there • developing a plan to leveragesecurity programs, revealing is growing concern about the big data technologies for bettersignificant and growing gaps integrity of globally sourced IT threat detectionincluding a lack of business components. Comprehensive For mobile devices:skills, relationships, supply chain programs are required to • Download the recent compre-management, and tech-savvy evaluate as well as demonstrate hensive report from the SBIC,action plans. trustworthiness of hardware and Realizing the Mobile Enterprise: software. Balancing the Risks and Rewards of Consumer Devices. RSA, The Security Division of EMC | SBIC special Report |1
  4. 4. 1 2013 Promises a Fast and Bumpy RideI n 2013, a cluster of disruptive innovations – cloud computing, social media, big data, and outpace information security, several major developments in enterprise technology delivers specific guidance to fill the gaps and ensure that information-security teams have the “right mobile devices – will adoption are exposing stuff” in order to enable continue transforming significant and growing innovation over the next information systems. gaps in information- 12 months. Conventional approaches security programs. to information security Based on the – such as perimeter perspectives of 19 protections, managed security leaders from Information security isn’t just about IT end-points, signature- global enterprises, the anymore. Trends like cloud computing and based threat detection, Security for Business consumerization are quickly extending the and checklist risk Innovation Council information-security role. It’s about business. evaluations – are (SBIC) has developed It’s about people. It’s about risk management.” breaking down. As the this Special Report to DR. MARTIJN DEKKER speed of technological help navigate the shifting Senior Vice President, Chief Information Security Officer, advances continues to landscape. The report ABN Amro2| SBIC special Report | RSA, The Security Division of EMC
  5. 5. 2 Technology Trends and the Impact on Information SecurityE nterprises are looking to up the ante in technology adoption this year. Information-security teams should know what to expect and how they will be impacted. 1. Cloud Computing Adoption 2. Social Media Adoption Trend: Many organizations are preparing to move more Trend: Social media has become a major influencer of business processes – even mission-critical apps and consumer purchasing decisions, setting it on course to regulated data – to the cloud. become a strategic endeavor. Familiarity Breeds Trust Serious Business By now, most companies have deployed some form Organizations will be looking at social media of cloud computing, including Software-as-a-Service with a more strategic eye in 2013. A recent survey (82% of companies), Infrastructure-as-a-Service (51% indicates brand following has doubled in the past of companies), and Platform-as-a-Service (40% of two years by Americans who use social media. And companies),1 to capture benefits such as cost savings, of those who use social networking sites at least agility, and scalability. Over the next few years, once a month, 47% say that Facebook has the most spending on public cloud services is predicted to influence on purchasing.6 increase at 19% per year.2 The opportunities to reach customers and create Although supplier lock-in and system availability are positive brand awareness with social media are some of the big concerns with the cloud, security remains huge. The problem is that social networking sites the number one obstacle to adoption. But trust in the also present enormous opportunities for misuse cloud is growing. In a recent survey, 50% of respondents and misinformation as well as malware distribution were confident that the cloud is now viable for mission- and fraud. In fact, 66% of organizations name critical business applications.3 Even regulators are social media as a significant or critical risk to their getting more comfortable with the cloud. The Dutch brand.7 Yet only 38% of organizations have a security banking authority has given Dutch banks the green strategy in place for social networking.8 light to use cloud services.4 Given this confidence, many As organizations increase their use of social organizations are ready to move more business processes media to capture the business benefits, they must to the cloud. But surprisingly, only 30% of organizations also put in place strategies to manage the risks. have implemented a cloud security strategy5 even though Expectations should be set regarding allowable cloud computing has been a growing phenomenon for activity on social sites and policy viewed broadly, years. And even many cloud vendors don’t have sufficient balancing corporate interests with freedom of security programs. expression. Tools and techniques will also be required to mitigate the risks of incidents and Ücome to a The security concernsdemand forcloud adoption will Impact: head. The increasing hindering cloud guard against social-media-based attacks. computing will force organizations to find effective ways to evaluate their providers’ security controls to ensure they meet Ü Impact: Information-security teams must work to actively manage the risks of social media, including requirements, including implementing continuous monitoring. comprehensive policies and effective security controls. 1  uture of cloud computing survey, North Bridge Venture Partners, June 2012 F 5  he Global State of Information Security® Survey 2013, a worldwide survey by T 2  artner: Public cloud spending to increase 19 percent annually to 2016, G CIO, CSO and PwC, October 2012 FierceEnterprise Communications, October 23, 2012 6  The Social Habit, Edison Research, July 2012 3  uture of cloud computing survey, North Bridge Venture Partners, June 2012 F 7  uarding the Social Gates: The Imperative for Social Media Risk Management, G 4  NB neemt hobbel weg voor ‘outsourcen in the cloud’, Nieuwsbericht, D Altimeter, August 2012 De Nederlandsche Bank NV, (DNB), November 6, 2012 8  he Global State of Information Security® Survey 2013, a worldwide survey by T CIO, CSO and PwC, October 2012 RSA, The Security Division of EMC | SBIC special Report |3
  6. 6. TECHNOLOGY TRENDS AND THE IMPACT ON INFORMATION SECURITY 3. Big Data Adoption 4. Mobile Devices Adoption Trend: Evidence of competitive advantage is compelling Trend: More employees are using their smartphones and more organizations to begin big data projects to gain tablets for work, creating a surge of consumer mobile market and business intelligence. devices accessing corporate networks and storing corporate data. Organizations have to prepare for a world where the dominant endpoint is not a desktop PC, but a Better Threat Detection mobile device. In the information-security community, “big data” is generating considerable hype. The power of analytics Risks Mounting can greatly improve the ability to detect cyber attacks. Big data can be used to spot malicious activity by Heading into 2013, consumer mobile devices continue amalgamating and analyzing system and user to create worrisome risks for organizations – ranging behavior data. It will play a major role in changing the from loss of confidential information to high-profile information-security model to be more effective. security breaches. Research shows that 70% of all smartphone-owning professionals are now using their personal devices to access corporate data, yet almost 80% Good for Business of that activity remains inadequately managed by IT departments.10 The potential benefits of mobile devices It’s not only security that is excited about big data. can include improved productivity and reduced costs. So are marketing departments and many other areas Capitalizing on these opportunities is only possible if of business. Big data can be used to gain deep market enterprises know how to manage the risks. insight, provide tailored customer service, and create operational intelligence. A survey of executives worldwide found that the use of big data has improved Ü Impact: Mobile risksinformation-security teams must To avert major incidents, are reaching a critical mass. their businesses’ performance, on average by 26%. implement strategies that manage the risks while enabling The majority of these companies (58%) claim they will the rewards. Security strategies should assume the end- make a bigger investment in big data over the next point is untrusted. three years.9 This evidence of competitive advantage will spur more organizations to invest in big data. But the relative newness of the space means most do not fully understand the privacy and security risks when customer and business information is being collected, combined, processed, and stored at unprecedented scales and speeds. Üvalue of big data for security and develop a multi-year the Impact: Information-security teams must recognize plan to evolve their security management model to utilize big data to detect and remediate security threats. They also must get in on the ground floor of any new big data projects that the business takes on, in order to understand the risks and develop strategies to manage them. When thinking about big data, information-security teams should not only consider how they can use powerful analytics to detect security events but also realize that business overall is shifting towards the use of big data. Securing big data will require an evolution in data protection controls.” DAVE MARTIN Vice President and Chief Security Officer, EMC Corporation 9 The Deciding Factor: Big Data Decision Making, Capgemini, June 2012 10 Multi-market BYOD Survey, Ovum, September 20124| SBIC special Report | RSA, The Security Division of EMC
  7. 7. 3 Addressing the GapsI n 2013, as enterprise adoption migrates from being an IT-focused Tackle IT Supply of technology intensifies, to a business-focused problem, Chain Issues information-security teams face many teams lack the required significant gaps, including a lack skillset. Security professionals Organizations are accelerating of business skills, relationships, must become risk managers and the implementation of new supply chain management, business consultants – translating technologies within their IT and tech-savvy action plans. business requirements into environments just as there is Addressing these gaps will take a security requirements. More growing concern about the commitment to rapid-fire change. and more, the performance of integrity of hardware and security teams will be measured software components. Many of on their ability to enable business, these components are globally Boost Risk and which requires knowing how to sourced, creating complex supply Business Skills tie security programs to business chain issues. Going into 2013, outcomes. organizations must increasingly As the need to protect question whether their IT supply information has become chain can be trusted. However increasingly vital, at most global Court Middle the approach should evolve from organizations the information- Management banning gear to a more holistic security role has become more risk management approach to strategic and is transitioning to an As we begin 2013, most C-suites adopt technology with appropriate “information risk management” and Boards “get it.” The growth of security safeguards. Organizations role. Enabling a set of disruptive information protection regulations should seek assurances regarding innovations is accelerating that and the escalation of cyber all of their suppliers’ technology- trend, forcing a risk management threats mean that most of them development and -delivery perspective versus a security understand the importance of practices. “lock-down” mentality. To capture information security and consider As well, most organizations not the business benefits of new it a priority. Today, it is common only implement IT products technologies, each organization for CISOs to meet regularly with developed by others but also must accurately evaluate how executive leadership and the develop IT, such as custom much risk it is willing to take on Board. In many cases, information applications for use by business to capture those benefits. The security has attained the sought- partners and customers. Whether information-security team must after attention from the top. they develop commercial or work with the business in order to The current resistance to custom hardware or software, understand the risks and develop information-security efforts is two organizations must be able protection strategies to mitigate levels down from the executive to demonstrate that they are them to an acceptable level. level. Middle managers don’t want a trustworthy supplier of IT. This includes identifying the key to use their resources on security. Comprehensive programs will information assets and assessing They are incentivized by timeline be required to evaluate and their value to the organization. and budget; adding security doesn’t demonstrate the integrity of For years, security professionals fit into their objectives. Security the entire IT supply chain, have been lobbying to be perceived teams need to build relationships downstream and upstream. as business enablers rather than with middle managers, helping inhibitors. Now many information- them understand the value of security teams are bombarded information security. It may be with requests to enable innovation. a harder nut to crack than the But as information security C-suite. RSA, The Security Division of EMC | SBIC special Report |5
  8. 8. ADDRESSING THE GAPS Build Tech-Savvy Action Plans Solving all of the security issues that disruptive innovations are creating isn’t going to happen in 2013, but security teams have to make large strides or fall even further behind their organizations’ plans for technology adoption. Security teams must build competencies and specific actions plans in each area. 1. Cloud Computing Competencies Cloud Vendor Management Organizations are ultimately accountable for safeguarding the information handled by their cloud service providers. Cloud computing is forcing information-security teams to switch their focus from implementing controls to assuring that the controls Budget Realignment implemented by others meet requirements. Security The assurance process adds cost on both sides (for teams need to determine “How can we ensure that the cloud provider and the enterprise). Organizations cloud providers can meet our trust level? How do we should recognize that the increasing costs of know they are attuned to our particular threats? Can assurance can reduce any cost savings from moving they meet our regulatory compliance and e-Discovery to the cloud in the first place. As with outsourcing, if requirements?” the process is mismanaged the cost savings may be neutralized. Organizations also need to understand Controls Assurance that in a highly virtualized environment more of IT’s The conventional controls-assurance model is not budget will be needed to address cloud security. One sustainable in the cloud. Client organizations can’t solution is budget realignment – reinvesting a portion go on site to examine the security controls of every of the IT savings the organization achieves by moving cloud service provider, so they expect the providers to to the cloud into managing the risks. provide assurance by answering questionnaires. This is an inefficient process, since the cloud providers’ Technical Proficiency customers all ask the same questions. In order to evaluate the controls, security teams Standardized assessments would help. Industry will need a high level of technical proficiency initiatives, to achieve large-scale sharing of within virtualized environments. When servers assessments, have not had a lot of success so far. It’s and applications are decoupled from hardware, the hard for a large number of organizations to agree on security controls framework is completely different a standard set of controls that will satisfy everyone’s than in conventional IT environments. For example, requirements. Some organizations are beginning software controls (such as hypervisor security to turn to small-scale sharing of assessments. This modules) replace hardware controls. might follow the same model as intelligence sharing Many security teams are still not convinced whereby exchanging information among a small set of regarding the efficacy of cloud security controls. They trusted individuals grows over time. Another possible need to validate the security model for themselves, approach is third-party assessments or certification of understanding the advantages and limitations, in order service providers, such as the AICPA’s SOC 2 Report to oversee cloud providers. Especially in public clouds, on Controls at a Service Organization or the upcoming data co-mingling and data remanence remain big ISO 27017 Standard for Security in Cloud Computing. concerns. Security teams don’t yet have an acceptable In moving to the cloud, security teams need to find level of assurance that cloud service providers can effective ways to measure the health of controls and protect data integrity and confidentiality in a multi- detect failures. The building blocks for attestations tenant environment. Proficiency in cloud security through governance, risk, and compliance (GRC) controls is critical not only for public/hybrid clouds but technology are there, but the process needs to mature. also private clouds. Security teams must have the know- Automated and transparent controls assurance and how to secure virtualized environments within their continuous monitoring will be an important part of the own data centers. solution. 6| SBIC special Report | RSA, The Security Division of EMC
  9. 9. ADDRESSING THE GAPS Cloud Computing Suggested Actions: • lan for increasing P • ake it a general rule to M • everage technologies such L resources for cloud segregate the role of as GRC solutions that vendor management. controls implementation can perform automated from controls assurance to assurance and continuous ensure impartial controls monitoring and provide oversight. visibility into cloud environments. • ake the case to M • ork with auditors in the W • nsure your team has the E earmark a portion early stages of public or technical proficiency to of IT savings that private cloud computing evaluate software controls result from moving to initiatives, to educate them and secure the virtualized cloud computing for about the new security environment. information-security controls in virtualized oversight. environments. • actor in IT savings/ F • nvestigate the possibility I • nvestigate next-generation I security oversight offset of sharing cloud vendor encryption solutions that when making decisions assessments with a small can be used to protect your regarding moving to the number of trusted partners sensitive data in the cloud. cloud. to reduce redundancy and costs. 2. Social Media Competencies It will require an organizational strategy, including a defined code of conduct and an incident Executive Treatment response plan. Defining social media policy takes a The potential scenarios are nightmarish: insiders cross-functional team of executives from security, tweeting pre-released earnings data, developers IT, legal, HR, and communications. It can be a long inadvertently disclosing confidential intellectual process, taking months to set up the initial policy and property in peer forums, employees making requiring ongoing iterations based on learnings and inappropriate comments to customers or re-tweeting the evolution of the social space. For example, users rumor as fact, hacktivists hijacking corporate officers’ will be testing the limits/parsing definitions. social networking accounts, cyber-threat agents using Determining areas of responsibility can be an area social sites for reconnaissance or spreading malware. of tension. It’s not always straightforward whether The security team must carefully articulate the risks certain aspects of social media risks are security, PR, of social media to the business – including data loss, or legal matters. The policy should cover who owns damage to reputation, regulatory issues, malware what. For example, legal/compliance owns the liability infections, and targeted spear-phishing campaigns – issues, marketing owns sentiment management, and and design and implement controls to manage security owns technical monitoring solutions. the risks. Response Plan Traditional incident-response methods that may have worked with conventional media don’t work with social media because of the extreme audience reach and speed of communications. Often, organizations are forced to think through a social-media response only when they experience a watershed event like a major outage or flash event. To avert a social media crisis, an organization needs to plan responses to various scenarios ahead of time. RSA, The Security Division of EMC | SBIC special Report |7
  10. 10. ADDRESSING THE GAPS End-User Behavior Threat Management End-user training specific to social media is Brand monitoring on social sites is commonly used essential. It’s not just about what employees do at by corporations to help manage reputational issues. work but also on their personal time. Training should Customer care teams also monitor social sites help them understand the policy and internalize the to address specific customer issues before they consequences of non-compliance, making them safer escalate. The information-security team needs Internet citizens overall. to work with the corporate marketing teams. Organizations need to set constructive boundaries Monitoring social media sites can also be a valuable through training and technical controls – although source of threat intelligence. Social media threats technical controls available today lack the granularity (YourCompanySucks.com) are not necessarily cyber- needed. Some organizations may have a very open security issues, but security should be informed of culture where blocking of social media channels is not anything that points to possible cyber threats, such as a viable option. Programs can also include moderating hacktivist postings or discussions regarding possible an organization’s Facebook page and monitoring targeted attacks directed at the company. Some employees’ postings on social sites. organizations have a team that specifically monitors social media channels for security threats. Social Media Suggested Actions: • evelop a social media risk D • ature the incident- M • ain threat intelligence G management strategy response process and from reputation/brand- involving a multidisciplinary include crisis management monitoring services. team. and surprise drills that test performance of the response team. • ave a clear policy which H • evelop a plan to monitor D • reate Facebook and C delineates responsibilities the corporate social media Twitter accounts for and covers code of conduct presence for hijacking, leadership to pre-empt and incident response. malware, misrepresentation, others from creating and other public-facing falsified accounts. threats. • eliver ongoing end-user D • reate policy regarding when C • ork with vendors to W awareness training and how to respond to rumors/ develop more advanced, programs including misleading statements flexible technologies educating employees regarding your organization, for fine-grained social on what information such as its security posture. media access control and is appropriate to post monitoring. on social channels and monitor employees’ social media activities. For social media response planning, one of the most useful things is a table-top exercise. Create scenarios and go through simulated events in real time with all of the stakeholders – such as IT, Communications, HR, Legal – in order to train and test the response of the team. You’ll quickly learn how different social media events are compared to other events.” VISHAL SALVI Chief Information Security Officer and Senior Vice President, HDFC Bank Limited 8| SBIC special Report | RSA, The Security Division of EMC
  11. 11. ADDRESSING THE GAPS Formulating Security Strategies As organizations begin big data projects, security teams must get involved early on, in order to understand the risks and devise strategies to manage them. To protect information in a big data context, a major focus area must be access control governance. Unfortunately not many specialized tools are available yet. Limited data masking and coarse data access control are some of the currently available techniques, but they’re not sufficient. Better methods 3. Big Data Competencies for sanitizing aggregations and fine-grained access controls for large data sets are needed. Increased Complexity For big data, security teams will also need to get a Big data technologies such as Hadoop go well beyond handle on information life cycle. It’s important to conventional database engines. They allow organizations understand what data is being collected and stored, to amalgamate data sets and run powerful analytics at including the queries: “What returns large amounts? unprecedented volumes and speeds. Rapidly amassing Small amounts?” As well, the individuals performing and processing customer and business information the analytics will need to be monitored. A possible increases the complexity of security issues such solution may be a peer review of query results to as access governance, confidential data exposure, check, for example, for access to PII. regulatory compliance, and data integrity. For example, as data sets grow, without robust 4. Mobile Competencies access controls, individuals could easily be over- A recent comprehensive provisioned access. If not carefully tracked, report from the SBIC, Realizing confidential information could be combined with the Mobile Enterprise: Balancing other data sets and inadvertently exposed. As the Risks and Rewards of personally identifiable information (PII) is processed Consumer Devices, identifies in new ways, organizations run the risk of breaching today’s major sources of risk privacy laws which require that data remain in for the mobile enterprise particular geographical locations. Analyzing blended and the outlook for the near data sets to produce business insights may lead to new future and presents concrete intellectual property (IP) that will need protecting. recommendations for managing As well, data integrity issues arise when data from mobile risks. different sources gets combined; organizations must consider whether all of the data is from trusted sources and if the resulting analysis can be trusted. Big Data Suggested Actions: • amp up technical R • onitor what’s being M • ducate analysts regarding risks E knowledge in big data. requested and what’s going to various types of data and out including anomalous make clear what can be shared access or queries. and with whom. • nsure proper E • atch carefully for over- W • ove toward data-centric M information classification provisioning of access and security, protection that travels which covers legal and segregate roles for different with the information. regulatory compliance types of access, such as those and considers country- who ask for queries and those specific requirements. who run them. • evelop data-flow D • volve access control E • ork with vendors to develop W mapping as a core governance by tracking technologies required for competency of the types and levels of managing the risks of big data, the security team. data requests and queries. such as better data masking, meta-tagging, data classification, and fine-grained access control. RSA, The Security Division of EMC | SBIC special Report |9
  12. 12. 6 ConclusionE xpect cloud computing, social media, big data, and mobile devices to be on the radar as disruptive forces for all of 2013 and beyond. As enterprises accelerate implementation, the information-security team needs to ensure it has what it takes to enable innovation – including people, processes and technologies. It is critical for the security team – as risk management partners – to develop a keen understanding of business goals and engage multiple departments and levels of management. It will require developing or honing skills, especially the ability to engage and influence stakeholders from across the organization, in order to ensure that information security has a seat at the table as the business moves forward. About the Security for Business Innovation Council Initiative The Security for Business Innovation Council (SBIC) is a group of top security leaders from Global 1000 enterprises committed to advancing information security worldwide by sharing their diverse professional experiences and insights. The Council produces periodic reports exploring information security’s central role in enabling business innovation.10 | SBIC special Report | RSA, The Security Division of EMC
  13. 13. Report Contributors Security for Business Innovation CouncilMARENE N. ALLISON, ANISH BHIMANI, CISSP, WILLIAM BONI, CISM, CPP, CISA, ROLAND CLOUTIER,Worldwide Vice President of Chief Information Risk Corporate Information Security Vice President, Chief SecurityInformation Security, Officer, JPMorgan Chase Officer (CISO), VP, Enterprise Officer, Automatic DataJohnson Johnson Information Security, Processing, Inc. T-Mobile USADR. MARTIJN DEKKER, Senior JERRY R. GEISLER III, GCFA, RENEE GUTTMANN, Chief MALCOLM HARKINS,Vice President, Chief GCFE, GCIH, Office of the Chief Information Security Officer, Vice President and ChiefInformation Security Officer, Information Security Officer, The Coca-Cola Company Information Security Officer,ABN Amro Walmart Stores, Inc. General Manager, Information Risk and Security, IntelKENNETH HAERTLING, PETRI KUIVALA, DAVE MARTIN, CISSP, Vice TIM MCKNIGHT, CISSP, Execu-Vice President and Chief Chief Information Security President and Chief Security tive Vice President, EnterpriseSecurity Officer, TELUS Officer, Nokia Officer, EMC Corporation Information Security and Risk, Fidelity InvestmentsFELIX MOHAN, ROBERT RODGER, Group Head RALPH SALOMON, CRISC, VISHAL SALVI, CISM, ChiefSenior Vice President and of Infrastructure Security, Vice President IT Security Information Security OfficerGlobal Chief Information HSBC Holdings plc. Risk Office, SAP ag and Senior Vice President,Security Officer, Airtel HDFC Bank Limited To see SBIC members’ full bios,SIMON STRICKLAND, LEANNE TOLIVER, CISA, CISSP, DENISE D. WOOD, Corporate please visit emc.com.Global Head of Security, Interim Chief Information Vice President, InformationAstraZeneca Security Officer, Global Security, Chief Information Information Security, eBay Security Officer, Chief IT Risk Officer, FedEx Corporation RSA, The Security Division of EMC | SBIC special Report | 11
  14. 14. EMC, EMC2, the EMC logo, RSA, and the RSA logo areeither registered trademarks or trademarks of EMCCorporation in the United States and/or other countries. Allother products and/or services referenced are trademarksof their respective companies.©2012 EMC Corporation. All rights reserved. h11391 RPT 1212