The link Between a Company’s Supervisory Board and its Security Strategy

Companies Need New Security Strategies

With regard to cloud computing, Bring Your Own Device (BYOD) or Social Networks companies have to think about their security strategy. Whereas the principle of prevention was effective for a long time it is not effective any more. Having a huge number of mobile devices in place, using various storage systems within the enterprise or outside and the demand for flexible and fast collaboration with clients, partners and suppliers nobody is able to predict where a certain piece of data is right now, how often it has been copied or will be tomorrow.
It is just a fact that business critical information does not reside within the perimeters of the enterprise any more.
Given this fact a company can protect its perimeters with huge efforts and be almost save, a weak system outside the enterprise like a social network or a pubic cloud system destroys all efforts of protecting the assets by preventing intrusion in the own infrastructure. The enterprises are simply not in control of prevention system any more.
Another challenge is the complexity of of attacks against enterprise infrastructures. Nowadays more often zero day exploits and strongly customized malicious code is being used, applying advanced persistent threat techniques which leads to the situation that most of the high sophisticated attacks are not recognized by any prevention system like antivirus, intrusion detection / prevention system or firewalls.
These attacks are simply below the radar screen of the traditional security systems.

What are the new Security Strategies to be applied better today than tomorrow?

The prevention of the future is detection! What does that mean? This means that enterprises have to improve their ability to register anomalies in the data flows leading to a more reliable and faster detection of security incidents. There are two main areas of improvement:

  1. Time to detect a security incident caused by APTs or other high sophisticated techniques
  2. Time to fix the issue

Especially the time to detects requires companies to have intense monitoring capabilities in place to ensure reliable detection. By building these capabilities not only the requirements of companies are in scope but also the personal rights of employees are affected. A company going this way will need to have trust within their working councils and from my perspective it is even better to integrate the employees to build trust that these facilities are not only a requirement to secure the enterprise but also the individual.

Any requirement for the supervisory board?

With respect to the supervisory boards requirements to monitor and give advise to C-Levels, a few questions have to be clarified:

  1. Does the internal control system of the enterprise reduce the risk of exposure of employees and management against threats from the outside (e.G. Use of eMail, websites, unknown documents)?
  2. Is a reporting system in place to to indicate potential threats and suspicious activities?
  3. Does the enterprise have a stable detection system in place to uncover security incidents?
  4. Did the company test the effectiveness of detection techniques and includes the results in a continuous improvement process?
  5. Are security incidents adequately reflected in the board of management’s report on the business situation of the company?

Conclusion

In the end this means that companies have numerous options in place to improve security, deal with liabilities of board members and the supervisory board and drive efficient security measures.

I would suggest to keep an eye on two work streams:

  1. Switch of non effective security measures that simply address prevention – Just talk to me and I will assist you to go this way based on a success fee.
  2. Establish a process too ensure that materiality and severity of security incidents becomes transparent to board members and their supervisory boards to ensure conformity to financial reporting standards.

Just in case that you do not believe that security is to be reflected in the financial reporting you should read the Corporate Finance Disclosure Guidance No. 2: Cybersecurity issued by the SEC. You might also want to use Google to find out who was already addressed by the Regulators of the US to have not properly addressed this issue!

Next Generation Security – See how Facebook, Cloud Computing and Tablets change our lives!

The use of IT has gone through radical change in recent years and will see increasingly radical change in the future. More and more enterprises are getting involved in the opportunities and risks of cloud computing in all its different forms. This would therefore be a good place to clarify what other hot topics would be wise to consider in the context of cloud computing and what this will all mean for information security in particular.

For instance, seeing cloud computing in connection with Bring Your Own Device (BYOD) and social networks – two of the latest IT hypes –can be particularly exciting as this raises new information security issues.

The first question is why there has been so much hype around BYOD and how it relates to cloud computing.

Given the demographic shift, the related lack of qualified experts and the resultant general employee situation among today’s enterprises – a veritable job-seeker’s market – it is now more important than ever before for enterprises to take the needs of their employees to heart so as not to lose sight of the target markets. New employees are attracted to enterprises that have their individual, personal needs in mind, while long-time employees expect their employers to offer an evolving personal working environment that keeps pace with the times.

By now, the use of consumer devices has grown to become part and parcel of an attractive working environment. An IDC study from 2010 shows that about 95% of all employees also use consumer devices. So it is only logical for them to want those devices to be more integrated into the business structure. That integration is increasingly made possible by web based services, which are provided as cloud services.

One good example is the provision of storage capacity, which can be accessed through enterprise devices, consumer devices or a range of general device types. Cloud services make it possible to use to these consumer devices all at one and the same work location. This is also evident from the number of cloud users: since the launch of Android-based consumer devices in 2008, public cloud computing services have grown. While this trend might not be directly attributable to the new generation of devices, the statistics show a define connection.

By analysing different studies on cloud computing (e.g. Cloud Monitor 2012 – http://bit.ly/CloudMonitor2012) one can conclude that public and private cloud services, in spite of the difference in popularity between the two cloud types at present, will converge in the future. The hybrid cloud will therefore be the de-facto cloud model of the future.

The proliferation of social networks can be seen as another phenomenon. While we see different social networks, whose business model is based on actual ‘networking’, the ‘main players’ in this industry see the network as a means to an end to generate large numbers of users. These are then marketed (e.g. advertising) as the actual value added. In particular, some networks have specialised in reusing the identities in their database for authentication services. Facebook, Twitter, Google Yahoo and LinkedIn can be cited as the main examples. Who the market leader is depends on the field of use (http://info.gigya.com/identity.html). Facebook and Twitter almost always range among the top three.

Banks, mobile telephone providers or government agencies would be more likely candidates for B2B authentication systems given the confidentiality issues. And yet, Facebook has grown to become the leading provider of authentication systems (Facebook: 39% market share followed by Google with 19%, source: Gigya, 14 July 2012). In the first year of Facebook Connect alone, Facebook had signed up 80,000 websites and continues to sign up about 100,000 website a year. That social networks have become the dominant public authentication providers is something we simply cannot ignore.

So what do BYOD and social networks mean for cloud computing? Assuming that the proliferation of mobile consumer devices will promote the growth of hybrid clouds, it will likewise be necessary to use authentication providers that support authentication across the widest range of different platforms, both public and private. That is exactly what the social networks are pushing for here.

If we follow this logic, we also see a change in the need for information security.

Neither social networks nor public clouds can be swayed by enterprise security measures. Security in the sense of conventional border defences is only effective to a limited extent. That makes it increasing important to protect enterprise value while being able to react effectively to security incidents in cloud environments once they are detected. In the end, the data – whether stored on mobile consumer devices, social networks or in a cloud – are owned by company management. They remain responsible!

This results in three main aspects, which are dealt with below:

  1. Prevention of security incidents through risk-oriented measures
  2. Detection of security incidents
  3. Effective incident reaction