« TJX Breach Twice as Nasty | Main | Identity Management in Big Business »

Listen to or download the 8:27 minute podcast below:

Download file

What follows is a transcript of my podcast with Ed Adams, the CEO of Security Innovation. Ed Adams has extensive industry experience delivering world-class IT services to many of the most recognizable technology companies in the world. In this podcast we discuss security risks: how companies should view their security risks, how they should measure their security risks, and how they often make the mistake of overreacting to the wrong security risks.

Can you give me an overview of some of the biggest risks that IT departments are facing today?

Yes. IT departments, they're mainly facing two significant risks. The first, is that they're over-relying on network defenses. Network defenses being things like antivirus, firewalls, intrusion detection systems. The reason that this is a huge risk for IT departments is because the largest number of security vulnerabilities actually exist in the software layer and not in the network layer. So many organizations make the mistake of thinking, "Well, I've got the latest and greatest firewall. I've got my intrusion detection system, my intrusion prevention systems. I've got my antivirus up-to-date and I'm protected from security vulnerabilities. "

And that's simply not the case. In fact, depending on who you listen to, Gartner says it's over 70 percent of all security vulnerabilities exist in the application layer. NIST says it's 92 percent. But to me, the most disturbing statistic is one that Aberdeen Group just published in May 2007, from a survey, and the results of this survey said that 70 percent of companies today are not applying security application development techniques in their software development practices. 70 percent! To me, that's absolutely abysmal and is a mass risk for IT departments.

The second major risks that IT departments are facing today is believing the hype of technology and tools. Whether it's for network defenses or application security defenses. Believe it or not, vendors don't always tell the truth in their marketing literature. And a lot of organizations get a false sense of security when they might run their application through a source code scanner or use a Web vulnerability scanner and think that they've identified all the potential security vulnerabilities. It's also a larger risk for organizations because IT managers and information security officers will get a false sense of security that because they've used some tool, their information systems are protected. And it's just not the case.

Is that what you mean when you say that companies are falling into what you say is a recency trap?

Yes. When I talk about a recency trap, what I mean is overreaction to recent public mishaps or changes. And let me give you an example that is completely out of the realm of IT and you'll see what I mean. In Sweden, in 1967, the country decided they wanted to change from driving on the left side of the road to driving on the right side of the road. And in the twelve months after that change, automobile fatalities dropped by 30 percent in Sweden. Now, is that because the right side of the road is more safe than the left side of the road? No, of course not. And there is also no significant change in automobile safety. What happened is that there was a recent event and people felt more at risk, so they changed their behavior. The sad moral of that story is that in the following twelve months, automobile fatalities in Sweden went right back to their pre-1967 values.

However, this happens in the IT world all the time. There is a recent event that happens. The TJX companies, they unfortunately had a security vulnerability and 45 million credit cards were stolen. Or an Ernst and Young employee leaves a laptop on a bus. And what happens is that organizations will make emotional, usually dramatic, over-investments in those areas. They might all of a sudden decide, we're going to encrypt all hard drives on this laptop.

And what ends up happening is they end up overspending in noncritical areas and they miss threats that are probably more real and more damaging in other areas. Because they are making an emotional decision based on a recent event as opposed to an informed decision based on threat analysis.

What new rules do you think companies need so they stop reacting emotionally and start acting sensibly?

What companies need to measure security effectively is an informed threat analysis. And one tool that I've seen used very effectively in companies is something called "threat modeling." It's a process that maps business processes to information security threats and risks. And what threat modeling allows an organization to do is take a relatively nebulous concept like application security and whether they do it, an assessment internally or use an export third party, they can then map those potential risks and threats into the business processes that particular application or information system manages.

And a threat model is a persistent asset that can be used on multiple occasions. So when a new security risk becomes available or a new vulnerability is discovered, you can literally pump that into the threat model and determine whether or not you have appropriate mitigations in place. It's really the only way that you can accurately measure how secure you are and whether or not, an existing risk is something you want to accept or transfer or try to put an additional mitigating control in place for.

You keep talking about risk. Now, can you just give me a quick view of how different companies and different industries can accept different levels of risk?

Yes, absolutely. Risk is something that everyone as an individual deals with every single day. And you make risk-based decisions, 15, 20, 30 times a day -- whether you realize it or not. But different organizations, depending on their context can accept different levels of risk. For example, when an organization that builds software that controls the navigation system of a fighter jet, they have incredibly low risk tolerances. They have to make sure that that software functions very well, is very resilient and has almost zero or zero defects, etc.

On the other hand, you take an organization -- maybe a software vendor that makes a word processing application and sells it, or an email server to small to medium-sized businesses. The risks that that organization is willing to take are much greater because they don't have the liability that an organization might have who are developing control systems for aircraft.

So risk really revolves around context and liability. So if you're in a context where you don't have a tremendous amount of liability, you can accept a lot more risk. And IT risk is just like life insurance. And it's one of the other mistakes, I think, a lot of organizations make is they look at investments in IT security and they look for a return on it. If you think of a term life insurance, every year you don't die is a bad investment for term life insurance. But do you have term life insurance? Well, I do. Well, why do you do that? Because you're trying to mitigate some risk. And for me, it's not acceptable to have the risk that I might die and leave my family with no income.

And IT security is very similar to term life insurance, in my opinion. So organizations have to make that contextual decision -- are they willing to accept this risk? Or mitigate it and don't use ROI as a leading indicator.

What do you see as the future of both risk and application security?

I think the future of application security is moving more and more towards the developer's desktop. If you look just even a year or two years ago, applications security really was in the realm of the corporate security or the IT risk management organization. It's becoming more and more of just an accepted aspect of software quality and being addressed at the developer's desktop which, to me, is music to my ears. So, I've been saying for a long time that the application security dilemma will never be addressed until it's addressed at the developer's desktop. And most of the applications lifecycle tool vendors, up until this past year, have not made any investment in application security. If you look at the IBM Rational, the HP Mercury, the Compuware, the Borland. None of them really had any kind of application security solutions. But two of those large vendors made acquisitions in this past year and will be integrating that into their development desktop tools.

So, I think the future of applications security is moving more and more towards the developer desktop and I couldn't be more pleased about it.

Posted by pschooff in Podcast |Digg This|Add to del.icio.us

Trackback Pings

TrackBack URL for this entry:
http://www.ebizq.net/mt/mt-tb.cgi/2800