Documente Academic
Documente Profesional
Documente Cultură
10Minutes
on Information Security
November 2010
At a glance The old approach to security… …versus the approach required to meet
today’s challenges.
• Companies focus on securing the walls
around their networks. • The goal is protecting valuable data wherever
it resides.
• Oversight of security is fragmented,
leading to duplication of effort, often • Chief information security officers (CISOs)
with inconsistent results. set companywide priorities and function
as trusted business advisers who weigh
• Security personnel focus on complying with security risks against business needs and help
company policies, even when they are outdated. companies grow.
• User data are managed manually, exposing • Benchmarking studies and other tools are
companies to human errors or allowing people used to assess the cost-effectiveness of security
who leave the company to continue to have programs. Most companies don’t need a
access to some systems or applications. Department-of-Defense level of security, but
they do need to address the risks they face.
• Security personnel are cautious to the point of
refusing to support new business initiatives. • Companies automate management of user data
and handle compliance more efficiently, freeing
up resources to focus on protecting critical data.
Menu
01
Where CEOs and Question 1: Who is accountable for protecting
our critical information?
It’s also a good idea to review your overall security
strategy. Weigh risks against business needs,
boards should Leading companies employ CISOs who focus on
set companywide priorities and use resources
to protect data that, if lost, would cause the
focus first securing critical data across the organization. most damage. That can change over time as the
They ensure that security is a consideration at business evolves. For example, allowing data to
the outset of new business initiatives by lending move beyond your company’s physical control—
security experts to business units. “If you partner by outsourcing data storage, sharing inventory
with the business to meet industry needs and information with suppliers or running software
drive growth, they will bring you to the table on a cloud computing provider’s platform—poses
to collaborate on best practices and innovative new challenges.
ways to address information security,” Equifax
Chief Security Officer (CSO) Tony Spinelli told Question 3: How do we evaluate the
an industry conference this year.4 effectiveness of our security program?
Organizations with CISOs also tend to lose less Many firms don’t track metrics such as spending
data than those without CISOs, according to on security administration or actively monitor
studies and PwC’s experience working with a their logs for signs of breaches.
broad range of clients.
Leading firms that track indicators like these are
Question 2: How do we define our key able to benchmark their programs against peers.
security objectives and ensure that they The benchmarking data along with internal
remain relevant? assessments help them determine where to
increase spending and where to cut.
Security on the radar
CEOs and boards help articulate these objectives
More and more CISOs are reporting to the CEO or the board as they pursue growth. Security can’t be an
afterthought. In the power industry, for example,
Percentage of CISOs who: 2007 2010 utilities need to incorporate security in the design
report to CEO 32% 36% of smart grids to protect all of the new points in
report to the board 21% 32% networks where intrusions can occur.5
report to the CIO 38% 23%
02
Keeping the Question 4: How do we monitor our systems
and prevent breaches?
in PwC’s 2011 Global State of Information Security
Survey said their firms either don’t have a
bad guys out Hackers were once motivated largely by ego,
contingency plan or have a plan that doesn’t
work. Independent assessments of IT operations
but they now target valuable data they can sell have helped companies identify specific
or use to steal money. Cases of state-sponsored vulnerabilities and develop a more integrated
espionage known as advanced persistent approach to maintaining information security.7
threats also target companies’ intellectual
property. Hackers’ techniques have gotten Question 6: How do we train employees to
more sophisticated, and they can hide view security as their responsibility?
evidence of attacks, going undetected for
months or even years. Employees who aren’t trained to think about
security can disclose sensitive data on social
A study of confirmed breach cases in 2009 networks or click on sites that hackers use to
found that nearly 90% of victims had evidence infiltrate corporate networks.8 Messages appearing
of the breach in their log files.6 The companies to come from friends are often used to encourage
just didn’t effectively review the logs. Proactive employees to click.
breach analysis can find signatures of attacks,
communications with external networks Vigilant companies embrace social media and
Unprepared for an increasingly connected world
known to have been compromised and other step up training. At Intel, which conducts security
Percentage of respondents suspicious activity. awareness training and has an internal portal
devoted to security, the view is that “people are
Don’t have security policies Question 5: What is our plan for responding the new perimeter.”9
addressing the use of social
media or Web 2.0 technologies to a security breach?
03
Keeping up with Question 7: How do we take advantage
of cloud computing and still protect our
Question 8: Are we spending our money on
the right things?
the pace of change information assets?
Instead of trying to lock down everything,
in the business As they do with all business partners, companies firms can redeploy their resources to focus on
need to assess the ability of cloud providers protecting data that is most at risk. A recent
to protect the confidentiality, availability and Forrester study suggests companies may spend
integrity of their data. They need to understand too much on compliance and not enough on
the risks related to how the cloud provider securing corporate secrets.11
handles data from multiple clients or how it
manages the third parties it uses. In contracts, Management of user data, which is handled
they need to spell out requirements, including manually at many companies, can be automated
how providers will mitigate the risks and handle to free up resources. Automation can help reduce
data when the contract ends. Certification or the vulnerability of companies to human errors
third-party audits can be required to ensure that inherent in manual management.
providers do what they promise.10
04
Compliance and Question 9: How can we ensure that we
comply with regulatory requirements and
Question 10: How do we meet expectations
regarding data privacy?
customer trust industry standards in the most cost-effective,
Financial services firms and health-care
efficient manner?
providers are required by law to protect personal
Companies such as highly regulated financial information about customers and patients. Some
services firms face overlapping requirements. states require all businesses to do this, and most
Costs can be reduced by mapping these and states require businesses to notify customers
conducting tests to demonstrate compliance if their personal information is compromised.
with multiple regulations and standards. Companies also need to uphold promises they
Independent evaluations can help streamline make in privacy policies; the Federal Trade
the process further. Commission holds them to their word.
But compliance with Sarbanes-Oxley or the But firms have an opportunity to go beyond
Health Insurance Portability & Accountability compliance and gain consumers’ trust amid
Act doesn’t mean their systems are secure. Major growing concern about the amount of electronic
breaches have occurred at credit-card processors data companies collect, analyze and share.
and merchants certified as compliant with Smart grid operators can use privacy protection
Payment Card Industry standards. to gain credibility among customers and
encourage them to participate. Online advertisers
who target ads to people based on products they
view could win their confidence by making it
easier for people to opt out.
At a glance Menu
Gary Loveland
US Security Leader
PwC
Phone: 949-437-5380
Email: gary.loveland@us.pwc.com
© 2010 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP, a Delaware
limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is
a separate legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with
professional advisors. 10Minutes ® is a trademark of PricewaterhouseCoopers LLP US. NY-11-0190