STE WILLIAMS

CPS fined £200k over theft of laptops holding ‘sensitive interviews’

The Crown Prosecution Service has been slapped with a £200,000 fine by the Information Commissioner’s Office for negligence that led to the theft of laptops containing police interviews regarding violent and sexual cases.

The interviews were with 43 victims and witnesses and involved 31 investigations. Some of those related to historical allegations against a high-profile individual.

Many of the victims were vulnerable and had already endured distressing interviews with police and had referred to the names of the offenders in the videos, said the CPS.

The videos were being edited by a Manchester-based film company so that they could be used in criminal proceedings, but an ICO investigation found the videos were not being kept secure.

The residential flat the studio used was burgled on 11 September 2014 and two laptops containing the videos were stolen.

“The laptops, which were left on a desk, were password protected but not encrypted and the studio had no alarm and insufficient security,” said the ICO in a statement.

The police recovered the laptops eight days later and apprehended the burglar. As far as the Commissioner is aware, the laptops had not been accessed by anyone else.

The ICO ruled that the CPS was negligent when it failed to ensure the videos were kept safe and did not take into account the substantial distress that would be caused if the videos were lost.

Head of enforcement at the ICO Stephen Eckersley said: “The CPS was aware of the graphic and distressing nature of the personal data contained in the videos, but was complacent in protecting that information. The consequences of failing to keep that data safe should have been obvious to them.”

He added: “If this information had been misused or disclosed to others then the consequences could have resulted in acts of reprisal.”

The CPS reported the incident to the ICO and informed the victims and witnesses involved. The ICO received complaints from three affected people.

The CPS delivered unencrypted DVDs to the studios using a national courier firm. If the case was urgent, the sole proprietor would collect the unencrypted DVD from the CPS personally and take it to the studio using public transport.

The ICO found that this constituted an ongoing contravention of the Data Protection Act until the CPS took remedial action following the security breach. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/ico_fines_cps_200000_for_stolen_laptops/

The Evolving Security Budget: 3 New Ways CISOs Prioritize Spending

New report shows increased spending and shifting priorities

A new study based on a comprehensive interview survey of dozens of top CISOs by academics with the Darwin Deason Institute for Cyber Security at Southern Methodist University shows that as security spending continues to spike, security executives are evolving in the way they justify spending and prioritize their budgetary allocations.

Funded by IBM, the study took a close look at CISOs across a range of industries and geographies. Here’s some of the insight researchers gleaned from their efforts.

Frameworks Driving Decisions

Security frameworks are growing in importance as CISOs start to recognize that using compliance as the main way to sell security spend to executives across the enterprise will leave the organization open to greater risk. By utilizing security frameworks as a way to justify increased budgets and prioritize spending, CISOs on the whole are able to better move the needle on security.

One CISO told the researchers, “Security has to be able to have a basis to argue its point of view in a compelling story with some thought behind it, rather than ‘I want to get these things because it’s the next cool security thing that’s out there’.”

As he put it, a framework facilitates the articulation of what a security strategy is from a project and monetary standpoint.

Still Lagging On Quantitative

Nevertheless, even though at least one CISO told researchers he’d been recruited to bring more planning and science into where his company spent its security dollars, CISOs still lag on quantitatively explaining the impact of budget allocations.

Among the top prioritization approaches for security spending, “quantitative measures” such as ROI came in fourth behind industry best practices, frameworks and information from past attacks on the company.

“The use of true quantitative metrics to guide investment decisions has been very rare,” the report said. “Only a few subjects have mentioned using a numeric ROI-type metric as a way of prioritizing investments.”

Cold Calls Don’t Drive Vendor Decisions

About 85 percent of CISOs told researchers they had all the information they needed to select appropriate security controls. In most instances, that information didn’t come from cold calls from vendor sales reps. Nevertheless, CISOs still have to field requests by senior management asking for a look at technology included in some puff piece or another featured in mainstream business press.

“What I always want to say, but don’t, is if we have to change a strategy because of an article you read in the Wall Street Journal, you should probably fire me,” one CISO told researchers.

In many instances, beyond the typical work of scanning through analyst reports and comparing products based on actual strategic needs, CISOs lean heavily on peer groups for advice. Groups like ISACs not only offer threat information sharing opportunities, but also a community for trading experience about tool efficacy.

“Peer feedback on products has been reported to be valuable in both winnowing down the field of contenders and for helping to select among finalists,” the report said.

[IBM’s Security VP Bob Kalka shares his insights about the survey in Bad News is Good News For Security Budgets But Not Skills.]

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/vulnerabilities---threats/the-evolving-security-budget-3-new-ways-cisos-prioritize-spending/d/d-id/1322987?_mc=RSS_DR_EDT

What Is Your Customer Data Worth?

How to make sense of the market for stolen information.

Personal data about you, me, and, most importantly, your customers is being openly sold via online marketplaces. Stolen data has become a mature commodity market, not unlike oil or metals, with supply-driven price fluctuations, different qualities of product, and a range of values and scarcities. This market has expanded far beyond credit card numbers, mirroring the growth of big data in legitimate organizations.

We recently published a report titled The Hidden Data Economy, detailing key types of information that are available and how much they cost. Since you cannot trust criminals, some of these marketplaces may be scams or may be using reputable brand names to perpetrate a different type of fraud, but that does not reduce the overall impression of a vibrant cybercrime economy.

Credit card numbers and other payment information are the most common stolen data, with the lowest price point and widest range of values. Large scale thefts, the increasing use of chip-and-PIN cards, and rapid response from credit card companies have driven down the value of basic card information. After a big data breach floods the market with new numbers, they may go for only a few dollars each.

However, add in some additional data and the price goes up quickly. Combine payment card information with date of birth, which is a common fraud prevention question, and the value jumps to $15 in the US and about $30 in other major countries. Add in the billing address and the username and password for the account, and the price goes up to between $30 and $45. Many options are available for the discerning criminal, including issuing bank, country, available balance, maximum withdrawal limit, and usability at an ATM, store, or online.

The Stolen Data Value Chain

Credit card numbers are the base metal of stolen data markets — widely available but not worth that much without additional info. Moving up the value chain are account login credentials for payment accounts or banking services, which appear to be priced based on the balance in the account. For less than 5% of the account balance, you can purchase login information for an online payment account. More valuable are full banking services, especially those with the ability to transfer funds to US banks, which sell for about 8% of the balance. Some sellers offer replacements if the purchased account no longer has the advertised balance, while others rely on reputation rankings, purchase feedback, and other common tools of online shopping to reassure customers.

High demand and automated theft operations have made the market for premium content account information attractive and apparently profitable. Whether you want to read some comic books ($0.55), watch online video (up to $1), get access to premium cable channels ($7.50), or watch live professional sports ($15), stolen login credentials are readily available. In an ironic twist, you can even buy stolen credentials to Dark Web markets.

Rare and more specific are logins for individual companies, open vulnerabilities to valuable systems at banks and airlines, access to industrial machines or critical infrastructure, and even stolen enterprise datasets. Just like rare art or jewels, this type of stolen data does not typically carry a direct price tag; instead, value is negotiated between the buyer and seller. Also like stolen art, the prospect of commissioned thefts is probably not very far away, if it is not here already.

With such a significant number of data breaches making headlines over the last two years, it’s not surprising to see so much consumer data for sale. But the wide variety of data and related profit-making schemes never cease to surprise those of us monitoring the Dark Web on an ongoing basis. Beyond the aforementioned stolen data types, you can also find personal identities, social media access, email accounts, medical information, and much more.

I know from direct conversations with organizations that there is quite a bit of apathy on the subject of cybercrime. Even today, after all the headlines, cybercrime still seems intangible. Too many of us still fail to realize cybercrime is simply the digital evolution of crime, and given the widespread apathy, the emergence of an increasingly established hidden data economy is the destination at which we are bound to arrive. It’s a constant and important reminder for those of us committed to making our connected world safe for our connected lives. 

Raj has previously worked as the Chief Information Security Officer for a large public sector organization in the UK. He volunteers as the Cloud Security Alliance EMEA Strategy Advisor, is on the advisory councils for Infosecurity Europe, and Infosecurity Magazine. In …

Article source: http://www.darkreading.com/partner-perspectives/intel/what-is-your-customer-data-worth/a/d-id/1322990?_mc=RSS_DR_EDT

BYOD 2015: Data Loss, Data Leaks & Data Breaches

The growth of employee-owned devices in the workplace is placing new demands on enterprises struggling to protect both personal and professional data.

Historically, corporate-owned desktops and laptops were obligatory. They not only saved employees time and money, but also enabled IT to carefully control their use and minimize the risks associated with using them for work. Anti-malware, data loss prevention (DLP), web access control and VPN were some of the security capabilities commonly enabled on company-issued devices.

Bring Your Own Device programs and the rise of employee-owned devices in the workplace have dramatically transformed how companies can (or can’t!) control the risks of these devices. Over the years, employees have come to expect their devices to be under little or no scrutiny from their employer. At the same time, many major mobile operating systems are designed in a way that restricts the visibility and enforceability of an enterprise’s security capabilities.

But device ownership is only a small part of the current problem. An even greater concern is the content – work files, emails, enterprise resource planning records – that are increasingly stored on the devices themselves. Historically, the objective of enterprise security controls has always been to limit the risk of data exposure on laptops and desktops. Today – with the growing use of smartphones and tablets – data exposure has now become a top priority.

To capitalize on the benefits of BYOD without sacrificing security, it’s essential for security teams to fully understand potential threats, and preemptively develop plans to mitigate the risks to enterprises’ data. Here are three examples of these types of threats, and how companies can proactively defend against them.

Risk #1: Data Loss: Data loss is relatively straightforward to handle; enterprises should be able to remotely wipe lost or stolen devices. However, when the personal is intertwined with the professional, enterprises should only be empowered to remove work-related content. So – in case the device is recovered – the employee’s personal data can also be recovered.

Encrypting enterprise content and improving device security through access passcodes and ensuring the OS is up to date can help prevent criminals from extracting sensitive data from the device. But new research from IBM Security into one million BYOD and corporate-issued devices found that nearly 80 percent of companies enforce only the most basic option to protect their data on employees’ phones: a 4-5 digit PIN. As hackers increasingly recognize mobile as an emerging attack vector, it’s essential that organizations update their mobile security policies accordingly, and require their employees to use lengthier passcodes to protect their data.

Risk #2: Data Leak: When an employee shares company data from a mobile device with an unauthorized app or third party, he or she is a mere click away from placing corporate data at significant risk. In order to prevent data leakage, companies need to develop centralized policies offering granular control of how data is accessed, used and shared with specific applications and users. Data leak prevention can be enforced within individual corporate mobile apps or within content containers on the device.

Data leaks can also be caused by application vulnerabilities exploited by malware. According to a March IBM-sponsored Ponemon Institute study (registration required), nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers. That’s why IT directors must ensure enterprise apps are free of vulnerabilities in order to improve resilience to data leakage.

Risk #3: Data Breach: If an employee-owned device connected to the company’s network becomes compromised by malware, whether from downloading a malicious app or from faulty device security, the whole network is susceptible to a data breach. This requires a different level of data breach prevention at the point of network entry, one that involves a deeper understanding of the risk profile of the device and the user. High risk factors include compromised and vulnerable devices, the context of the access (time, location) and historical access patterns (what is being accessed, how often). Context- and risk-aware access control can enable enterprises to minimize the risk mobile devices pose to their networks.
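The three factor groups the Risk #3 paragraph names (device posture, access context, historical access patterns) can be folded into a single scoring policy at the point of network entry. The block below is an added example, not IBM product logic or code from the article; its weights, thresholds, the OS-version floor, the passcode floor and the sample requests are constructed assumptions.

```python
"""Context- and risk-aware access decision for a BYOD device (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Policy knobs: these weights and thresholds are assumptions for the example,
# not values taken from the article or from any vendor product.
MIN_OS_VERSION = "9.1"       # hypothetical patch-level floor
MIN_PASSCODE_LENGTH = 6      # the article flags a 4-5 digit PIN as too weak
STEP_UP_AT = 30              # require MFA or restrict to the work container
DENY_AT = 60                 # refuse network entry


@dataclass
class DevicePosture:
    os_version: str
    jailbroken: bool
    passcode_length: int
    work_data_encrypted: bool


@dataclass
class AccessContext:
    when: datetime          # UTC timestamp of the request
    country: str
    resource: str
    accesses_today: int     # hits on this resource in the last 24 hours


@dataclass
class UserHistory:
    usual_countries: frozenset
    usual_hours: range      # UTC hours this user normally works
    typical_daily: dict     # resource -> normal daily access count


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def score_device(d: DevicePosture) -> list:
    """Risk from the device itself: compromised or vulnerable posture."""
    r = []
    if d.jailbroken:
        r.append(("device compromised (jailbroken/rooted)", 60))
    if _version(d.os_version) < _version(MIN_OS_VERSION):
        r.append((f"OS {d.os_version} below policy floor {MIN_OS_VERSION}", 25))
    if not d.work_data_encrypted:
        r.append(("work container not encrypted", 20))
    if d.passcode_length < MIN_PASSCODE_LENGTH:
        r.append((f"passcode length {d.passcode_length} < {MIN_PASSCODE_LENGTH}", 15))
    return r


def score_context(c: AccessContext, h: UserHistory) -> list:
    """Risk from when and where the request comes from."""
    r = []
    if c.country not in h.usual_countries:
        r.append((f"access from unusual country {c.country}", 25))
    if c.when.hour not in h.usual_hours:
        r.append((f"access outside usual hours ({c.when.hour:02d}:00 UTC)", 10))
    return r


def score_history(c: AccessContext, h: UserHistory) -> list:
    """Risk from what is being accessed and how often, against the baseline."""
    r = []
    baseline = h.typical_daily.get(c.resource)
    if baseline is None:
        r.append((f"resource {c.resource} never accessed by this user before", 10))
    elif c.accesses_today > 3 * baseline:
        r.append((f"{c.accesses_today} hits on {c.resource} today vs baseline {baseline}", 15))
    return r


def decide(d: DevicePosture, c: AccessContext, h: UserHistory) -> tuple:
    """Return (verdict, score, reasons); verdict is allow, step-up or deny."""
    reasons = score_device(d) + score_context(c, h) + score_history(c, h)
    score = sum(w for _, w in reasons)
    verdict = "deny" if score >= DENY_AT else "step-up" if score >= STEP_UP_AT else "allow"
    return verdict, score, [msg for msg, _ in reasons]


# Constructed sample data: one user's baseline and three requests.
HISTORY = UserHistory(usual_countries=frozenset({"GB"}), usual_hours=range(7, 20),
                      typical_daily={"erp": 4, "mail": 30})


def sample_requests() -> dict:
    t = datetime(2015, 11, 4, 10, 0, tzinfo=timezone.utc)
    healthy = DevicePosture("9.1", False, 8, True)
    weak_pin = DevicePosture("9.1", False, 4, True)
    rooted = DevicePosture("8.4", True, 8, True)
    return {
        "normal": decide(healthy, AccessContext(t, "GB", "mail", 12), HISTORY),
        "weak_pin_abroad": decide(weak_pin, AccessContext(t, "US", "erp", 2), HISTORY),
        "rooted": decide(rooted, AccessContext(t, "GB", "erp", 2), HISTORY),
    }


if __name__ == "__main__":
    for name, (verdict, score, why) in sample_requests().items():
        print(f"{name}: {verdict} (score {score})")
        for line in why:
            print("  -", line)
```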

Looking ahead, understanding and building a plan to lessen the risks to company data is an essential part of realizing the benefits mobility brings to employees and businesses alike.

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and …

Article source: http://www.darkreading.com/mobile/byod-2015--data-loss-data-leaks-and-data-breaches/a/d-id/1322994?_mc=RSS_DR_EDT

Met makes fourth TalkTalk arrest, this time a London teen

A 16-year-old boy from London has become the fourth person to be arrested in connection with the hacking of British telco TalkTalk.

Information is thin on the ground. Detectives from the Metropolitan Police Cyber Crime Unit arrested the boy at his Norwich home on suspicion of Computer Misuse Act offences and he remains in custody.

A search of his home is ongoing.

The teenager is the latest hacker domino to fall since the flaying of the budget telco, in which thieves stole 1.2 million customer email addresses, names, and phone numbers, along with 15,000 dates of birth and 28,000 partial credit and debit card numbers.

Detectives arrested a 20-year-old Staffordshire man on Sunday while two teenagers were picked up in connection with the case last month.

A 15-year-old from Northern Ireland was pinched on 26 October by Police Service of Northern Ireland and Met detectives, while another 16-year-old from London was arrested on 30 October.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/talktalk_fourth_arrest/

Cisco takes Security Everywhere™ to throw blanket over shadow IT

Cisco wants you to know it has Security Everywhere™, but that it doesn’t mean it is Gossamer Thin.

Rather, the messaging from the Borg is that its newly-boosted security suites cover just about everything that needs to be securable.

That, it says, includes the things you don’t even know you own, or, to use advertising lingo, shadow IT.

To that end, Cisco has tucked in its Cisco Cloud Access Security thing under the warm Security Everywhere™ blanket; this partnership allows customers to use Elastica and SkyHigh Networks to find and control staff devices tapping into the corporate network.

It is well suited to prevent bumbling employees hurting the business with their slippery and pwnable personal devices, but perhaps less so to stopping those dedicated evil insider thieves who simply want to steal.

The Borg’s Identity Services Engine has had a kick under Security Everywhere™ with a mobility engine that means admins can enforce access controls based on where a user is physically located.

There are many aspects to the announcement (read the press release here) but Cisco’s Aussie security man Anthony Stitt is most stimulated by the OpenDNS buy and shadow IT offensive.

“OpenDNS is a fantastic zero-footprint, zero-touch service that can be deployed in minutes,” Stitt says.

“Elastica is there to help organisations with discovery of service that users are subscribing to that IT doesn’t know about.”

The newish pxGrid partnership inked around July and formalised more recently between the likes of Check Point, Invincea, and Infoblox is getting the big end of town excited, says Stitt.

He says Aussie financial sector firms have bought in, among others.

IBRS security adviser James Turner reviewed the announcement but does not see new capabilities.

“I can’t see any new capabilities here,” Turner says. “And, as usual, the pitch sounds like it’s up to IT to ‘regain control’ and I humbly assert that it would be better for the business for IT to focus on being able to measure, report, support and enable.”

Pressing questions for customers here include the resources required for IT to set up and maintain the product capabilities – which is one of the “huge let downs” around security-pitched products – and the specific outcomes a business can achieve, along with the services that can be enhanced.

“We see it far too often; that technical security people can run out and buy a new tool with the aspirations of securing everything, everywhere; but end up frustrating the business and failing to apply resources to where they will make the most difference.”

Businesses should focus first on ticking off the Australian Signals Directorate’s Top Four security controls which will make a “huge difference” for real risks. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/cisco_security_everywhere/

Samsung S6 Edge has 11 nasties, says Google Project Zero team

Security probe-wielders from Google’s Project Zero team in Europe and the United States have flayed the Samsung Galaxy S6 Edge, finding 11 nasty vulnerabilities in the flagship handset.

The informal hack-off focused on Samsung’s latest OEM offering rather than the pure Android Nexus because of its popularity and therefore the necessity to make sure it is secure.

The teams consisted of James Forshaw, Natalie Silvanovich, Mark Brand and others.

Tamagotchi defiler Silvanovich organised the affair, which produced means for attackers to forward Samsung emails to whatever address they please, own devices with media à la Stagefright, and pop phones with five memory corruption holes.

“A week of investigation showed that there are a number of weak points in the Samsung Galaxy S6 Edge,” Silvanovich says.

“Over the course of a week, we found a total of 11 issues with a serious security impact.

“Several issues were found in device drivers and image processing, and there were also some logic issues in the device that were high impact and easy-to-exploit.”

Silvanovich tagged as most interesting a directory traversal hole (CVE-2015-7888) Brand found that allows files to be written as system.

“There is a process running as system on the device that scans for a zip file in /sdcard/Download/cred.zip and unzips the file. Unfortunately, the API used to unzip the file does not verify the file path, so it can be written in unexpected locations,” Silvanovich says.

“On the version of the device we tested, this was trivially exploitable using the Dalvik cache using a technique that has been used to exploit other directory traversal bugs, though an SELinux policy that prevents this specific exploitation technique has been pushed to the device since.”
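As an added illustration (not code from Project Zero or Samsung), this is the check the quoted unzip routine lacked: every archive entry's resolved destination must stay inside the extraction directory, or the archive is rejected. The helper names and the in-memory archive are constructed for the example.

```python
import io
import os
import tempfile
import zipfile


def _is_within(base_dir: str, target: str) -> bool:
    """True if the fully resolved target path lies inside base_dir."""
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(target)
    return os.path.commonpath([base, dest]) == base


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract zip_bytes into dest_dir, refusing any entry whose name would
    escape it (absolute names or '..' components). Returns names written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or os.path.isabs(name):
                raise ValueError(f"absolute path in archive: {name!r}")
            target = os.path.join(dest_dir, name)
            if not _is_within(dest_dir, target):
                raise ValueError(f"path traversal in archive: {name!r}")
            if name.endswith("/"):  # directory entry
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written


def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Extract a benign archive, then show a traversal archive is refused."""
    dest = tempfile.mkdtemp()
    ok = safe_extract(build_zip({"cred/token.txt": b"ok"}), dest)
    try:
        safe_extract(build_zip({"../escaped.txt": b"x"}), dest)
        rejected = False
    except ValueError:
        rejected = True
    outside = os.path.join(os.path.dirname(dest), "escaped.txt")
    return {"written": ok, "rejected": rejected,
            "escaped": os.path.exists(outside)}
```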

Samsung made good on its promise to patch quickly by throwing an over-the-air update 90 days after the disclosures were made. Three less-severe issues are, however, zero-day affairs for now.

The messes found in the phone are listed below.

Teams battled to attack three main attack surfaces of the Samsung S6 Edge that are reasonably considered the components of an exploit chain that can escalate to kernel privileges from a “remote or local starting point”.

Specifically they had to:

  1. Gain remote access to contacts, photos and messages. More points were given for attacks that don’t require user interaction, and required fewer device identifiers.
  2. Gain access to contacts, photos, geolocation, etc. from an application installed from Play with no permissions
  3. Persist code execution across a device wipe, using the access gained in parts 1 or 2

The team found two flaws in Samsung email, including a JavaScript hole, and a means for malware to hide effectively. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/04/google_project_zero_samsung_galaxy/