It's Halloween, which not only means costumes, parties, candy, and trick-or-treaters, but also the close of the annual Cybersecurity Awareness Month (among other things to be aware of). So... are you more aware today than you were on October 1st? :)
October 2012 Archives
In preparation for an upcoming talk, I ended up going down the path of reading up on the recent history of technological advances, highlights of malware and attack evolution, the highlights of infosec innovation, and landmark laws and regulations that have impacted infosec and privacy. Yes, that's a mouthful, but it turned out to be very interesting. And, since I bugged people online and on lists to help with input, I figured the least I could do was to summarize my findings as best as possible here.
An article popped up on HelpNetSecurity earlier today highlighting an interesting, if not contradictory, survey report released by NCSA and Symantec. In the SMB-oriented survey, about three-quarters of respondents indicated that they felt cybersecurity is "critical to their success," but at the same time about two-thirds indicated that they "aren't concerned about cyber threats" (either internal or external). Even more perplexing, the vast majority indicated not having formal written policies, yet at the same time the vast majority were satisfied with their cybersecurity posture.
This, my friends, is an interesting paradox. How is it that businesses can, on the one hand, claim to be aware of the importance of cybersecurity practices, and yet, on the other hand, so completely fail to comprehend what practices are necessary and important? To me, there are three likely components to the answer.
You may have heard that Gartner's latest Magic Quadrant for Enterprise GRC (EGRC) was released this month (see a summary here, or go buy a full copy over here). There's been a ton of press releases and media coverage since Gartner's announcement, as well as some interesting responses. However, if you look at the MQ graphic itself, what you'll find is a melange of random tech companies providing solutions in a wide range of areas that may or may not qualify as "EGRC."
According to their summary report, Gartner says that they define EGRC around four key functions: risk management, audit management, compliance and policy management, and regulatory change management. However, as much as this might sound like a coherent set of criteria, their application of this definition is odd and inconsistent. For example, SAP and SAS both show up in the "Leaders" quadrant, yet SAS appears to barely meet these four functions, and certainly not in the comprehensive way you might expect, and SAP is even weaker at meeting these criteria (their "EGRC" solution is just one plugin module in their overall ERP framework). In both cases you would be far more likely to look to these technologies for financial risk management, and not for enterprise risk management. It's rare to encounter either of these products in the GRC RFPs and bake-offs we're seeing every month, and yet they're supposedly "Leaders" in the space? The same can in fact be said for 7 of the 9 products listed in that quadrant; they're simply not seen in routine GRC competitive situations much, if at all.
Michael Rasmussen, who by most accounts invented the "GRC" moniker to describe the market space, has posted a vitriolic rant about this latest Gartner report, highlighting many of the discrepancies that the report and associated research process contain. Of his complaints, I think the most important one is that the report is "a mile wide and an inch deep." In his retort, French Caldwell (co-author of the MQ report) even agrees that this is a shortcoming of the process and market space. This is curious to me... if you, as the authoring analyst, realize that you've defined the space too broadly, why would you then move forward with publishing a report at all? It seems to me that EGRC is ripe for re-segmenting, such as around Financial GRC, Legal GRC, etc.
A quick jab... allow me to once again highlight the absurdity that is the US Government when it comes to "cybersecurity." They simply don't get it. I'm not surprised, incidentally, since they are not technologists or security professionals, though this underscores why I'm continually annoyed by their insolent attempts at ramming solutions down the throat of private industry.
As of late last week, DHS Secretary Napolitano has said that the pending Executive Order on cybersecurity is nearing finalization, implying that this is essentially a "done deal" that will be executed. Ironically, while the politicians and bureaucrats tout their progress, we learned this morning that the White House itself may not even be able to protect some of its most important assets (the "football"). So... this is the example we're supposed to follow? Do as they say, not as they do?
I'm obviously not going to go back and re-hash my "3 Simple Ideas to Unbalance the InfoSec Status Quo" post, but suffice to say, I'm in favor of simple rule changes that will cause the market to readjust accordingly. This is America, home of an alleged free market economy. We do not need ignorant, over-confident, non-technical politicians and bureaucrats telling us how to run our businesses or how to secure our assets.
If it were as simple as writing down a bunch of detailed standards, then the US Government itself would surely not be having the myriad problems that make it one of the most compromised organizations in the country (if not the world). This is the same entity that has lost tons of classified information around nuclear weapons and advanced fighting platforms. Are we really supposed to believe that any form of detailed technical legislation or Executive Orders will somehow magically "solve" a problem that they so clearly haven't defined or understood? Methinks not...