Palo Alto Networks and Mirantis Collaborate To Make OpenStack Enterprise Class

NFV. VNF. These two terms generate quite the buzz. They have become table stakes in the active trek to the cloud that is well underway in most enterprises and service providers. With the advent of network function virtualization, legacy security technologies that depend on expensive proprietary hardware, legacy network classification and security policy options, and complex and inflexible management are being replaced (or ignored) as the very foundations of the network are being redefined.

As we’ve said many times, virtualization has created a rift in security. There are those who believe that deploying a virtualized version of a legacy security appliance product is ‘good enough’ for now. And then there are those who don’t. We are solidly in that latter camp. We believe that security is both an enabler and an inhibitor of virtualization, in general, and of NFV, in particular. Unless the virtualization technology, networking technology, and security technology are all equally next-generation, we believe that the ensuing system is insecure and, hence, inoperable.

This is why our work with Mirantis is so meaningful. It is clear to us and our customers that OpenStack has found its way into their cloud architectures because of its open approach to innovation and novel ways of driving features, quality and adoption throughout enterprises and service providers. For example, secure OpenStack clouds provide high levels of visibility and control at a user, application, and content level with full carrier-grade network address translation (CGNAT) capability for service providers. It allows enterprises to implement a “Zero Trust” (never trust, always verify) security model that prevents and contains new attacks across the entire attack lifecycle.

Read more about our work with Mirantis.

Our relationship with Mirantis adds to our recognition of the importance of driving next-generation security into next-generation architectures. We already do that with VMware NSX, Amazon Web Services (AWS), Kernel-based Virtual Machine (KVM), Citrix NetScaler SDX, and now with Mirantis OpenStack. Soon, we’ll add Microsoft to this select group of partners.

[Palo Alto Networks Blog]

ISO/IEC 27001 Process Mapping to COBIT 4.1 to Derive a Balanced Scorecard for IT Governance

The balanced scorecard (BSC) initially developed by Kaplan and Norton [1, 2, 3, 4] is a performance management system that should allow enterprises to drive their strategies on measurement and follow-up.
In recent years, the BSC has been applied to IT and, currently, the first real-life IT security governance application has been developed based on mapping International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 control objectives to COBIT 4.1 process areas and IT governance focus areas. As a further exercise, the relationships and similarities of COBIT 4.1 and COBIT 5 can be explored to create a mapping for COBIT 5 in future publications.
This article explains how an exercise in instituting controls can be used to establish the IT BSC, which can be linked to the business BSC and, in so doing, can support the IT/business governance and alignment processes as derived from mapping ISO/IEC 27001 and COBIT 4.1 controls.

Balanced Scorecard Introduction

Kaplan and Norton introduced the BSC at the enterprise level. Their basic idea is that the evaluation of an organization should not be restricted to a traditional financial evaluation, but should be supplemented with measures concerning customer satisfaction, internal processes and the ability to innovate. These additional measures should assure future financial results and drive the organization toward its strategic goals while keeping all 4 perspectives in balance. Kaplan and Norton proposed a triple-layered structure for the 4 perspectives: mission (e.g., to become the customers’ most preferred supplier), objectives (e.g., to provide the customers with new products) and measures (e.g., percentage of turnover generated by new products).
The BSC can be applied to the IT function and its processes [5, 6, 7, 8]. This article transforms those earlier visions into actions that can be used to correct any lapses that reduce the value of the BSC results. The BSC can also be applied to IT risk management [9].

IT Governance Through Controls

This article illustrates how a cascade of scorecards can be instrumental in the development of IT/business governance processes and how this hierarchy of scorecards can support the alignment of business and IT strategy. The IT development BSC and the IT controls/operational BSC are introduced as enablers for the strategic BSC, which, in turn, is the enabler of the business BSC (figure 1).
Governance is established through compliance to standards and control objectives.

Figure 1—IT Balanced Scorecard as a Business Enabler

Source: Christopher Oparaugo. Reprinted with permission.

Controls Through Compliance to Standards

IT governance is part of corporate governance and has to provide the organizational structures to enable the creation of business value through IT, the assurance that there are no IT investments in bad projects and that there are adequate IT control mechanisms established through compliance to the control objectives of COBIT and ISO/IEC 27001.
The methodology of the BSC is a measurement and management system that is suitable for supporting the IT governance process and the IT-business alignment process. Figure 2 shows sample cumulative average scores for the ISO/IEC 27001 control objectives and questions showing inputs for the security policy domain used in the exercise for mapping ISO/IEC 27001 to COBIT 4.1.

Figure 2—Sample Cumulative Average Scores for the ISO/IEC 27001 Control Objectives and Questions Showing Inputs for Security Policy Domain

Source: Christopher Oparaugo. Reprinted with permission.

Figure 3 shows sample cumulative domain scores for the ISO/IEC 27001 control objectives. These results are computed by domain as used in the exercise for mapping ISO/IEC 27001 to COBIT 4.1. The future state results are arbitrary figures that are being aspired to as targets for the exercise.

Figure 3—Resulting ISO/IEC 27001 Compliance Data by Domain

Source: Christopher Oparaugo. Reprinted with permission.

Figure 4 is the bar chart representation of the ISO/IEC 27001 results.

Figure 4—ISO/IEC 27001 Compliance Data by Domain Result in Bar Chart Format

Source: Christopher Oparaugo. Reprinted with permission.

The generic maturity model score was derived from the assessment data, based on the values that are mapped to the COBIT 4.1 domains (figure 5). These scores are used to create the charts in figures 6 and 7 for maturity benchmark results by domain.

Figure 5—Compliance Output Data to Generic Future Desired State With Generic Maturity Model

Source: Christopher Oparaugo. Reprinted with permission.

Figure 6—ISO/IEC 27001 Compliance Data Results to Generic Future Desired State

Source: Christopher Oparaugo. Reprinted with permission.

Figure 7—COBIT Compliance to Generic Future Desired State

Source: Christopher Oparaugo. Reprinted with permission.

The value inputs of 0% to 100% from the ISO control objectives, sections and control questions are mapped to COBIT 4.1 domains and processes. These are linked to the IT focus areas as shown in figure 8.

Figure 8—Sample Results Showing Mapping of ISO/IEC 27001 Data to COBIT Processes

Source: ISACA, Mapping COBIT 4.1 to ISO /IEC 27001, USA, 2005

These resultant data from the exercise are further employed as COBIT information criteria for primary and secondary grouping. The resultant values of the ISO/IEC 27001 mapping into COBIT processes are linked with the defined IT goals. Exercise results showing the values from the data mapping outputs are shown in figure 9.

Figure 9—Linking COBIT Processes Data Results to IT Goals Showing the Information Criteria for Governance Activities

Source: Christopher Oparaugo. Reprinted with permission.

Based on the data values from the COBIT process linking to IT goals, the IT goals to business goals are derived and the elements of the BSC are developed. Figure 10 shows the results of these links.

Figure 10—Data Linking IT Goals to Business Goals

Source: ISACA, COBIT 4.1: Framework for IT Governance and Control and IT Governance Institute

Information Security Governance Balanced Scorecard

The BSC is a management system (not only a measurement system) that enables organizations to clarify their vision and strategy and translate those into action. It provides feedback around both the internal business processes and external outcomes in order to continuously improve strategic performance and results. When fully deployed, the BSC transforms strategic planning from an academic exercise into the nerve center of an enterprise.
The BSC uses 4 perspectives, develops metrics, collects data and analyzes the data relative to each of these perspectives:

  1. Financial—To succeed financially, how should we appear to our shareholders? 52.38%
  2. Customer—To achieve our vision, how should we appear to our customers? 59.40%
  3. Internal business—To satisfy our shareholders and customers, at what business process must we excel? 61.31%
  4. Learning and growth—To achieve our vision, how will we sustain our ability to change and improve? 55.54%

Conclusion

The vision and strategy driver scores are obtained from the mapping exercise of ISO/IEC 27001 to COBIT 4.1, and these can be used in determining key performance indicator (KPI) scores for a department and drilled down to an individual’s contribution to the overall department’s success. The results from linking IT goals to business goals, reviewed against the COBIT information criteria, help form a better perspective of the BSC. The assessment results can be drilled into, and a backward review of the mapping values can be used to determine the root cause of low values in a set of mapped ISO/IEC 27001 control objectives and questions; this forms the basis for developing an action plan as the business requires.
Successful enterprises understand the risk and exploit the benefits of IT, and find ways to deal with aligning IT strategy with the business strategy, cascading IT strategy and goals down into the enterprise and insisting that an IT control framework be adopted and implemented. IT governance is not an isolated discipline. It is an integral part of overall enterprise governance that drives the business in these days of the Internet of Things. The need to integrate IT governance with overall business governance is similar to the need for IT to be an integral part of the enterprise business.

Christopher Oparaugo, CISM, CGEIT, CRISC

Is the chief technology officer of KATEC Consulting Ltd. He has worked for IBM Global Business Services as an information security consultant. He has also worked in the telecommunication and banking industries in West Africa. Oparaugo has contributed to the ISACA CISM, CGEIT and CRISC Certification Project and Test Enhancement Committee since 2005, setting exam questions and reviewing the manuals.

Endnotes

1 Kaplan, R.; D. Norton; “The Balanced Scorecard—Measures That Drive Performance,” Harvard Business Review, January-February 1992, p. 71-79
2 Kaplan, R.; D. Norton; “Putting the Balanced Scorecard to Work,” Harvard Business Review, September-October 1993, p. 134-142
3 Kaplan, R.; D. Norton; “Using the Balanced Scorecard as a Strategic Management System,” Harvard Business Review, January-February 1996, p. 75-85
4 Kaplan, R.; D. Norton; The Balanced Scorecard: Translating Vision Into Action, Harvard Business School Press, Boston, 1996
5 Gold, C.; “Total Quality Management in Information Services—IS Measures: A Balancing Act,” research note, Ernst & Young Center for Information Technology and Strategy, USA, 1992
6 Gold, C.; “US Measures—A Balancing Act,” Ernst & Young Center for Business Innovation, USA, 1994
7 Willcocks, L.; Information Management, The Evaluation of Information Systems Investments, Chapman & Hall, UK, 1995
8 Van Grembergen, W.; D. Timmerman; “Monitoring the IT Process Through the Balanced Scorecard,” Proceedings of the 9th Information Resources Management (IRMA) International Conference, USA, May 1998, p. 105-116
9 Van Grembergen, W.; “The Balanced Scorecard and IT Governance,” Information Systems Control Journal, vol. 2, 2000

[ISACA]

CIO, CISO and CTO: The Next-Generation of IT Leadership

I am very excited that Naveen Zutshi joined us today as our CIO. A few weeks ago we hired Lucas Moody as our first-ever CISO. The three of us will work closely together on pushing the IT envelope at Palo Alto Networks and expanding our security architecture in a way that will not only benefit us, but also very much benefit our customers.

Today, the relationship between the CTO, the CIO, and the CISO is evolving to one that is highly complementary. As organizations are moving to a prevention-first security architecture, it is imperative that technology, people, processes, operations, and policy are streamlined such that the outcomes become highly predictable and automated. Having Naveen and Lucas join the company is a natural step in our evolution. As more of our own infrastructure is moving into the cloud, and more of the services we provide to our customers are moving there too, we need to demonstrate leadership in how we address that challenge.

I’m also very excited to go on the road with Naveen and Lucas to share our experiences as best practices with our customers.

Welcome Naveen!

[Palo Alto Networks Blog]

2016 Prediction #9: Threat Landscape Affects the Presidential Election, Multifactor Authentication, and Data Destruction

This is the ninth in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.

As 2015 comes to a close, it’s time to look ahead to next year and consider the sorts of changes we can expect in the threat landscape. Predictions of this nature are almost always based on two main factors:

  1. Continuation of a trend we’ve seen in the current year leading to small incremental changes.
  2. A significant shift away from the status quo based on a technological, cultural or political change that is underway.

Predictions based on continuing trends are highly likely to come true, while those based on significant shifts are more uncertain. Reluctant prognosticators, like myself, prefer to rely on data rather than speculate broadly about the future, but that doesn’t lead to very interesting predictions. So, this year, I’m going to split the predictions into two sections: “sure things” and “long shots” – and spend more time on the latter.

Sure Things

Based on the patterns I’ve seen in the last year, the following are “sure things” in 2016:

  • There will be more mobile malware, and most of it is going to both originate in and have the most impact in China. If you look at some of my team’s discoveries in 2015, you’ll see that China is a hotbed of mobile security research and attacks.
  • Attackers will continue to deploy ransomware for financial gain, and they will become increasingly specialized. In 2015 we saw widespread infections from ransomware, which encrypts files and demands a ransom for their safe return. Next year I expect attackers to use this technique in more specialized attacks, targeting high-value files and demanding ransoms much larger than the typical $500-700 we see today.
  • Human beings and their passwords will continue to be the weakest link. Malware and exploit code are common attacker tools, but they aren’t always necessary to successfully accomplish a task. At some point in almost any major network breach, a human makes a mistake (clicks a link, opens a file, etc.) and that person’s password is captured and used for malicious purposes. This trend is not going away unless something significant changes in the world of passwords (See: Long Shot 2).

Long Shots

Now that the easy bets are out of the way, let’s move on to predictions that probably aren’t better than a coin flip but will be more interesting for you to discuss with your colleagues at the water cooler.

Long Shot #1: A cyberattack will impact the 2016 presidential election

While U.S. citizens don’t vote online (like Estonians), there are many ways that a cyberattack could impact the outcome of the election either directly or indirectly. For example:

  • An attacker might release embarrassing information about a candidate at a critical junction, swaying public opinion or forcing that person to exit the race. Releasing private email messages, photos or documents could be very damaging and could be accomplished using a simple phishing email.
  • A candidate’s social media account could be hijacked to spread false information about a candidate.
  • A major news source could be hijacked to display false information about a candidate’s view.
  • Voting machines are far from immune to attack, but I suspect this is the least-likely way the election will be impacted.

The impact on the election may not tip the scales in the favor of one candidate or another; but, between now and November 4, the political process could experience a significant cyber “nudge.”

Long Shot #2: Multifactor authentication will become common and expected

Passwords are the keys to nearly every lock on the Internet, yet attackers steal them every single day. Authentication systems that require only a username and password for access are known as “single factor.” “Multifactor” authentication systems require an additional factor, typically something you “have” (a token) or something you “are” (biometrics). These additional factors are most often used by systems that require higher levels of security; but, in 2016, they may finally make it to the mainstream.

The most common form of two-factor authentication (2FA) in place today involves tokens that generate a fresh one-time code every 30 to 60 seconds. These are either physical tokens, which you might attach to your keychain, or software tokens installed on your smartphone. They are offered by a multitude of companies, sometimes for free, and offer an excellent mechanism to prevent a simple password theft from resulting in an account compromise. In other cases token 2FA systems are replicated using SMS messages that contain the token code and offer a similar level of protection. Companies across nearly every industry offer 2FA options, but some still lag behind.

How often do you use a fingerprint reader? If I’d posed this question at the end of 2014, a small number of people may have said occasionally, but very few, daily. With the addition of fingerprint readers to the iPhone 5S (announced 3 years ago) and many more smartphones since, this technology has begun proliferating widely, and I suspect many readers have a fingerprint reader in their pocket right now.

At the moment fingerprint readers are mostly used as a convenient way to avoid typing a PIN code. Fingerprints generally should not be used as a primary form of authentication (you leave fingerprints everywhere); but, as these devices become ubiquitous, they will offer a two-factor opportunity that was not previously feasible at scale.

While biometric authentication is unlikely to become ubiquitous in 2016, demand for 2FA options will force more and more companies to support token-based systems and some will require 2FA to keep their users safe. Widespread adoption of 2FA would be one of the greatest blows the security community could deal to cyberattackers around the world.

Long Shot #3: Data destruction and modification take center stage

Data theft is always in the headlines. Organizations are breached, and attackers steal private information for their own benefit. Of course, “theft” isn’t the only action an attacker can take once they enter a network. Some attackers destroy log files or modify records to cover their tracks, but what about those who have no intention of stealing information in the first place?

Director of National Intelligence, James Clapper, recently stated that he expects the next wave of attacks to manipulate or delete data, rather than just steal it.

A data destruction attack, like the Shamoon malware attack against Saudi Aramco in 2012, could temporarily or permanently shut down an entire organization. Viewers of Mr. Robot (I highly recommend it.) will note that the fictional attack that plays out in the first season is all about destroying the financial records of a major corporation to erase debt and throw the financial system into chaos.

Subtle data manipulation attacks are much less common (or less publicized). Students break into school district systems to change their grades, but this likely isn’t the type of attack that worries General Clapper. The OPM breach disclosed earlier this year is a more likely concern. Modification of OPM records could be used to help someone gain, or to be denied, a top-secret security clearance.

While I don’t expect these types of attack to surpass data theft in volume, we may find that the top cyberattack headline of 2016 isn’t about how many records were stolen, but how many were silently modified or deleted.

Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.

[Palo Alto Networks Blog]

NIS Directive: One Small Step for Man, One Giant Leap for Digital-Society-Kind

The Internet is often referred to as the Wild West, a relatively ungoverned space, yet this week the European Union (EU) took a huge step forward in coming to agreement on what should be included in the forthcoming Network and Information Security (NIS) Directive. This landmark directive – the first time the EU has legislated on cybersecurity – aims to raise cybersecurity and resilience capabilities across the EU’s 28 member nations. First proposed in 2013, it may have seemed the directive was a long time in discussion, which is really validation of how important it was to society. Carefully defining what is required and who is included was critical to encourage confidence in the ever-growing digital world, bolstering potential GDP growth with a more secure and resilient cyberspace.

What does this mean for businesses?

First and foremost, the December 7 agreement now moves the directive into the more formal steps – it will progress from concept into application via the development of national implementing regulations. Until now it’s been easy to view this as a distant goal; timelines now become more predictable. Furthermore, with a defined scope of what types of organisations are covered and how, each should be looking to define their own plan now to ensure relevant compliance. Although the final text is yet to be released, much of the content has been long decided.

Who does it apply to?

The NIS directive has requirements at both a member state level and for businesses. Member states must have a defined national cyber strategy and capabilities to manage incidents that could impact digital society, by establishing (if they don’t already have one) a national CSIRT or computer security incident response team.

The directive specifically calls out obligations for “operators of essential services”, or those entities that are generally part of a country’s Critical National Infrastructure. The directive lists those essential services, which include as examples finance, healthcare, and energy, and requires them to have state-of-the-art cybersecurity and to notify, without undue delay, significant incidents that could impact the continuity of the services they provide. Moving forward, member states will determine exactly which entities fall into these categories.

Also included are digital service providers (an area of much debate), such as e-commerce platforms, search engines, and cloud service providers. While the plan is that the requirements will be lighter on this group, their inclusion is a clear reflection of just how core these services are becoming to our increasingly digital society.

It’s worth noting that there are strong rumours that the Data Protection Regulation reforms under negotiation are to be finalised before the end of the year, which would move the reform into its closing stages.

What should you do next?

  • Now that the scope has been settled, you should be able to clearly validate if you, your business partners, and/or your supply chain will be covered, so you can validate what the implications will be for your business.
  • Closely monitor implementation, especially by member states. Once the directive is published in the Official Journal of the European Union (which should occur shortly), member states will have 21 months to enact implementation regulations or laws. Timelines will become much clearer, which will allow you to define your plan for compliance.
  • At the same time, monitor for the General Data Protection Regulation to similarly reach agreement in the coming months. Although a separate piece of legislation, it is on a parallel track, and its conclusion will likely add to your requirements – pay attention to its scope and timelines.

The right mindset is key when thinking about compliance.

In my experience, as businesses review the implications of the legislation, they can easily over-focus on the new requirement to notify. This is because response is the largest gap in many organisations’ current capabilities; to date, many had no mandate to do so. However, before focusing your energies on response, you should first determine whether you are effectively doing all you can to prevent cyber incidents from occurring in the first place. The more you prevent, the less you will require responsive capabilities.

Cybersecurity continues to evolve at a rapid pace, yet it’s very easy to slip into the habit of taking the same security measures that worked in the past. Ask yourself when you last changed a security process, or reviewed your capabilities, and whether they remain state of the art. More fundamental still: how do you measure success? Just what is the yardstick that allows you to validate the need for change? In the dynamic cybersecurity arena, continuing to do the same old things because they worked in the past typically means you are slowly slipping away from state-of-the-art capabilities.

In summary, it may seem obvious to tackle the new requirement of notification, but the greatest business benefit comes from stopping the incident in the first place. Finding the right balance between prevention and response is critical.

[Palo Alto Networks Blog]
