Cloud Security Alliance Opens Call for Presentations for EMEA Congress 2016

The Cloud Security Alliance has opened the call for papers for the 2016 CSA EMEA Congress, to be held November 15 at the Circulo de Bellas Artes in Madrid, Spain. CSA EMEA Congress is Europe’s premier cloud security event and is designed around the CSA’s core mission of promoting the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing to help secure all other forms of computing.

The one-day conference will include two parallel tracks. Papers can be submitted online at: https://easychair.org/conferences/?conf=csaemea2016

The call for papers closes on August 1, and speakers will be notified by September 1.

The following topics are of key interest:
Current and emerging trends

  • Containerization and microservice security
  • Software Defined Perimeter (SDP)
  • Blockchain
  • Cloud-enabled vs. cloud-centric applications
  • Multi-actor authentication
  • Cloud-based solutions for Small and Medium Enterprises (SMEs)
  • Threat landscape for cloud computing
  • IoT and cloud, e.g., cloud and smart cities, smart transport
  • Big Data security

Privacy in the Cloud

  • The impact of the European General Data Protection Regulation (GDPR)
  • How to manage legal and security compliance in a multinational environment
  • Cyber Security Laws and Regulation in Europe
  • The impact of the right to be forgotten in the cloud
  • Privacy and Security by design
  • Encryption solutions and trends

Risk Management, Certification and standards for the cloud

  • The role of standards within organisations
  • Case studies on the adoption of cloud certification
  • How to manage Governance, Risk and Compliance in the Cloud
  • Risk Profiling
  • Security and Privacy Service Level Agreements
  • Cloud Security Automation: how to develop and implement a framework for automated risk calculation and response
  • SaaS Governance

Incident Management in the Cloud

  • Incident Information Sharing
  • Leveraging Big Data for Threat intelligence in the Cloud
  • Cloud Forensics
  • SIEM in the Cloud
  • Cloud Security Gateways vs SIEM
  • Privacy Breaches Reporting
  • Reporting Security Breaches: the state of art in Europe
  • Cloud Disaster Recovery

Cloud Computing in critical sectors

  • Finance sector
  • eHealth
  • eGovernment
  • Energy
  • Transport

General guidelines

  • Proposals cutting across the above topics are also encouraged.
  • Proposals, presentations, panels, or sessions must be in English and should provide a learning opportunity for the conference attendees.
  • In case a proposal is accepted, the author (or one of the authors) must attend.
  • Proposals that focus on marketing or promoting a product or service will not be considered.
  • Proposals from marketing or PR professionals (external or internal) will not be considered.

For general inquiries and speaking opportunities, please contact pr@cloudsecurityalliance.org.
For sponsorship enquiries, please contact marketing@cloudsecurityalliance.org.
For media credentials, please contact kari@zagcommunications.com.

[Cloud Security Alliance Blog]

Bridging the Divide Between CISOs and IT Decision Makers

In a large organization, leaders create a vision and strategy for the business and employees work to achieve the vision. At the business unit level in information technology, CIOs, CSOs and CISOs define their strategies while other IT decision makers work to implement them. The key to success is a team working in unison with effective strategies and KPIs. But this might be a case of “theory vs practice.”

When we surveyed 400 IT decision makers (ITDMs) for our 2016 Datastrophe Study, we discovered that CISOs, CIOs and other IT decision makers often diverge in the real world in terms of everyday data security implementation and addressing real-world issues such as BYOD policy administration, reputation management and insider threats. That’s the scary reality of the unseen divide: when the people who are meant to protect the enterprise do not agree, then the CXOs need to step up and lead.

The Datastrophe Study reveals several specific drivers contributing to the disconnect between C-level and other IT decision makers and ways in which businesses can bridge the gap.

Image issues
Data breaches are hitting organizations left, right and center, and there is little doubt that brands’ reputations are at stake. CISOs, with their executive hats on, spend their time on risk mitigation: more than half of CISOs/CIOs (53%) say their ability to protect corporate and customer data is vital to their company’s brand and reputation. However, only just over two fifths (43%) of ITDMs share that focus.

While the Datastrophe Study reveals only a 10-percentage-point difference between leaders and decision makers, when it comes to sensitive data, even a little complacency can lead to security failures. This may be an issue of operational efficiencies being developed without using a secure framework. Data security needs to be part of the design, starting with strategy at the CXO (horizontal) level and carried vertically through tactical execution.

In order to ensure that risk and the potential of reputational damage is reasonably mitigated, C-level and ITDMs need to work in concert. ITDMs have the clearest view of incumbent systems and employee behaviors—and should not be afraid to speak up. Equally, C-level executives need to take this information on board, if not back to the Board, in order to help ITDMs fulfill the vision of building a secure enterprise.

The insider threat is very real
All security professionals will agree that the insider threat is a reality in any business. But it seems that CISOs, CIOs and other ITDMs have not aligned on the scope and magnitude of the threat or the threat vectors. Sixty-four percent of CISOs and CIOs believe that insider data security threats will increase in the next twelve months. Only 50% of other ITDMs agree with them.

Is the view from the top—with a focus on protecting the organization and brand—skewing reality? Or, with the day-to-day liaison between ITDMs and employees, could it simply be that ITDMs lack the proactive (instead of traditional detective) tools required to provide real-time situational awareness? Either way, if they haven’t aligned on the threat vectors, the probability is very high that ITDMs aren’t aligned on what to measure or monitor. There is, today, a potential tendency for both parties to underestimate threats. A study by Forrester reported that 70% of data breaches could be traced to employee negligence.

In order to overcome the insider threat, the C-level and all other ITDMs have to agree on the best strategic course forward. More importantly, both parties need to engage employees and help to educate them on behaviors that could lead to a data breach. For example, C-level execs could use a workshop format to explain to employees the costs and damages caused by employee negligence, while ITDMs can provide practical tips and examples of how to actively avoid behaviors that put data at risk.

Anomaly at the endpoint
In an increasingly mobile workplace, BYOD is a key driver for adoption of policies to manage employee-owned devices connected to organizational networks. But things are never as simple as they seem. Among the normally skeptical CISO/CIOs, 87% believe their companies have clearly defined BYOD policies in place. Meanwhile, only 65% of ITDMs say their organizations have defined BYOD policies. To add more contention to the mix, 67% of knowledge workers (employees who think for a living and engage with mobile devices daily), believe their companies have no apparent BYOD policies.

This disconnect is a major cause for concern: CISOs/CIOs believe that 47% of corporate data is held on endpoint devices, as opposed to the more moderate estimation of 43% by other ITDMs. It’s clear that C-level and ITDMs need to work collaboratively to clarify, communicate and implement well-defined BYOD policies.

Ultimately
The simple solution to bridging the gap? Better communication. CISO/CIOs need to talk to their teams and their teams need to talk back. Better alignment and integration between the vision and the reality will go a long way to building more secure enterprises.

Rick Orloff, Chief Security Officer, Code42

[Cloud Security Alliance Blog]

The Role of CIOs and CISOs

Businesses of various sizes are extremely worried about information security. On a daily basis, we hear news of banks and financial institutions losing customer records, confidential information and money due to cyberattacks. Cyberattacks have increased exponentially over the last 5 years, and attack methods are becoming more sophisticated each day. On average, enterprises take about 100 days to identify an attack. It takes even more time to investigate, plug the gaps and prevent similar incidents. The goal of my recent Journal article is to help enterprises and security leaders realign the strategy of their information security teams by empowering the chief information officer (CIO) and the chief information security officer (CISO).

Effective strategies by information security drivers, such as the CIO and CISO, can fine-tune information security and the compliance needs of an organization. Many industries have invested heavily in order to meet regulatory requirements, but being compliant and being secure are 2 different things. Many compliant enterprises have been breached.

Information security needs to be a priority at the board level. CEOs should take active roles in promoting information security, as most valuable information is stored electronically, all systems and databases are online, and mobile transactions occur every minute.

CIOs’ and CISOs’ priority is to identify where sensitive information resides and how it can be protected effectively at the lowest possible cost. The security team, guided by the CISO, should approach problems in a consulting mode to solve security-related challenges in the best way for the business. Outsourcing security operations is still one of the easiest options to reduce cost and reduce risk. These decisions should always be undertaken consciously, evaluating the risk and fallback options.

Information security teams are the walls of every enterprise. An empowered CIO and CISO can create a cost effective, consistent security culture across the enterprise with the right strategies.

Read Devassy Jose Tharakan’s recent Journal article:
“Protecting Information—Practical Strategies for CIOs and CISOs,” ISACA Journal, volume 3, 2016.

Devassy Jose Tharakan, CISA, ISO 27001 LA, ITIL, PMP

[ISACA Journal Author Blog]

Creating Value with an Enterprise IT Governance Implementation Model Using COBIT 5

After the subprime mortgage crisis and the Lehman Brothers collapse in the US, the Financial Services Agency of Japan (FSA) strengthened financial regulations. The FSA regulations introduced an IT governance perspective, which detailed the rules for information security enhancement and IT risk minimization. In response to this, the management of financial institutions have been struggling with a kind of “defensive” IT governance, or a risk minimization and compliance approach.
On the other hand, the Japan Revitalization Strategy was approved by the Abe Cabinet of Japan in 2013 and the FSA applied the Corporate Governance Code in 2015, in which listed companies are urged to achieve sustainable growth and increase corporate value over the mid- to long term. Under these circumstances, financial institutions are seeking aggressive or proactive IT governance aiming at value creation for stakeholders rather than defensive or reactive risk minimization and compliance.
The requirements that management teams of enterprises, especially financial institutions, need to satisfy are intended to transform their IT governance from defensive risk management and compliance to proactive IT governance. Figure 1 shows the relationship between defensive risk management and proactive IT governance as well as the related frameworks. Enterprise management teams are seeking a transformation that focuses on moving from the left to the right in the figure.

Figure 1—Relationship Between Defensive Risk Management and Proactive IT Governance

Source: Y. Inaba. Reprinted with permission.

This article presents an enterprise IT governance (EITG) implementation model derived from the following practical experiences using COBIT:

  • Implementation of a group IT governance system [1] using the COBIT 4.1 process reference model and its Maturity Model at a global insurance group based in Japan
  • Implementation of a governance, risk management and compliance (GRC) system [2] at an IT service subsidiary of the insurance group using COBIT 5
  • Practical experience as an employee of a major auditing firm in Japan, Deloitte Touche Tohmatsu LLC

The Proactive IT Governance Model

The core of the proactive IT governance model is value creation for stakeholders and fulfillment of the organization’s fiduciary duty and accountability. Figure 2 shows the concept of the proactive IT governance model developed and presented in this article.

Figure 2—IT Governance Implementation Model for Enterprise Seeking IT-enabled Value Creation

Source: Y. Inaba. Reprinted with permission.

Goals Cascade From Stakeholder Needs to Enabler Goals

The left-hand side downstream flow of figure 2 or the enlarged chart in figure 3 shows the goals cascade from stakeholder needs to enabler goals. This follows the COBIT 5 principle, Meeting Stakeholder Needs.

Figure 3—Goals Cascade From Stakeholder Needs to Enabler Goals

Source: Y. Inaba. Reprinted with permission.

First, the governance team, consisting of the directors, evaluates the value creation needs for the stakeholders, comprising shareholders, customers, employees, regulatory agencies and social communities such as economic societies, and reports to the management team on what kind of value it should create. The report can be made by creating mission, vision and values (MVV) statements. This corresponds to the action of aligning the governance objective with value creation.
Then, the management team sets the enterprise goals from the results of the evaluation of the stakeholder needs, which consist of the 4 components of the balanced scorecard (BSC), i.e., financial, customer, internal, and learning and growth. The result of this step is the creation of the management strategy document. The next step is that the management team sets the IT-related goals from the enterprise goals, formatting according to the same 4 components of the IT BSC. The output of this step is an IT strategy document. Finally, the goals are cascaded down to the enabler goals, as described in COBIT 5. The result of the enabler goals setting is represented in the enabler strategies, i.e., the strategies for principles/policies, processes, organizational structures, culture, information, service/systems and human resources (HR). Usually, those enabler strategies are included in the IT strategy documentation.
This series of goals cascades can be supported by the mapping from stakeholder needs to enterprise goals described in the COBIT 5 framework [3] and the mapping from enterprise goals to IT-related goals and then to process enabler goals described in COBIT 5: Enabling Processes. [4]

Implementation of the 7 Enablers with Plan-Build-Run-Monitor Cycle

The next step is management execution, which includes a series of practices on the Plan-Build-Run-Monitor (PBRM) Cycle. The management team executes by focusing on 7 enablers. The bottom part of figure 2 shows this cycle and it is further described in figure 4.

Figure 4—Implementation of the 7 Enablers

Source: Y. Inaba. Reprinted with permission.

For the process enabler, the enabler goal setting corresponds to the selection of the priority processes from the 37 processes defined by the COBIT 5 process reference model, each with its targeted capability level defined in the COBIT 5 Process Assessment Model (PAM): Using COBIT 5. The selection of processes is driven by the goals cascade from stakeholder needs. The next step is to build enablers. The process capability assessment is made regarding the selected processes and following that, the improvement action plan is formulated to fill the gaps between the current capability level and the targeted level, and the improvement is implemented. Then, the improved processes are operated to achieve the process enabler goals. Finally, the process performance or the process enabler goals are monitored.
Regarding the other enablers, the enterprise IT governance implementation model described in this article does not include detailed and concrete processes to follow because the focus is on the process enablers. The intent is to explore the other enablers after the completion of the process enabler implementation descriptions. This is supported by the fact that the detailed enabler guide [5] for the process enabler already exists, as do the process assessment model and the assessor guides. [6, 7]
Developing the information enabler can happen next because COBIT 5: Enabling Information gives the guidance needed to build that enabler. In addition, how to assess the current information enabler status and how to reach the targeted status for the information enabler needs to be described.
Experience would tend to indicate that implementation guidance for the service/system enabler and the HR enabler is in great demand because they seem to be the essential enablers for the era of disruptive innovations and digital transformations, where proactive IT governance is required. ISACA’s plans include issuing such guidance in the form of another 5 enabler guides to assist its members in implementing COBIT 5.

Monitoring Enabler Goals Up to Value Creation for the Stakeholders

The right-hand side upstream flow of figure 2 or the enlarged chart in figure 5 shows the goals monitoring from enabler goals up to value creation for the stakeholders.

Figure 5—Goals Monitoring

Source: Y. Inaba. Reprinted with permission.

First, the implementation and the operation of each enabler are monitored and the result of the monitoring is reported in an enabler monitoring report. The report is then summarized into an IT monitoring report, which describes the results of the monitoring of IT-related goals. Continuing the flow upstream, the IT monitoring report is integrated into a management monitoring report, which describes the monitoring results of not only IT, but also other governance areas.
Finally, the value created through the governance and management cycles is described in a value creation report, or the integrated monitoring report, and it is reported to the stakeholders as the fulfillment of accountability.

Enterprise IT Governance Perspective in the Enterprise Governance Environment

To enhance the governance and management cycle described above, it would be valuable to view it from the standpoint of enterprise governance—in other words, a corporate governance model which is shown in figure 6. The top circle describes enterprise governance and the bottom circle indicates governance of enterprise IT (GEIT), which is referred to here as EITG.

Figure 6—Enterprise IT Governance

Source: Y. Inaba. Reprinted with permission.

Enterprise governance is performed by C-suite executives under the direction and oversight of the board of directors (BoD). According to the EITG implementation model, it consists of the 2 major governance areas: business governance, referred to here as business value creation governance (BVCG), and corporate governance, referred to here as valued service governance (VSG).
On the top side, BVCG includes the enterprise’s business (e.g., property and casualty insurance or life insurance, in the case of an insurance company) and/or functional unit (underwriting, claims handling) governance. It can be an IT service delivery business and/or a system development function as well as a system operation function for an IT service company.
On the bottom side, VSG is broken down to the so-called corporate governance areas, i.e., corporate planning, financial reporting, HR, risk, information security, compliance and audit/assurance. These area definitions are generally similar for all industries.
Once the governance team sets up the management goals and strategies from the stakeholder needs, they are allocated into the individual areas of enterprise governance. IT governance is one of them.
Focusing on IT governance, the chief information officer (CIO), the chief executive officer (CEO) and the chief operating officer (COO) execute the goals cascade into enabler goals setting in order to align with the enterprise business and create IT value for the stakeholders. This is depicted in the circle at the bottom of figure 6, where IT governance is put at the center of the chart and BVCG and VSG are located around IT governance with the overlapped areas labeled “Align.”
It is important to note that there are several similar circles behind the scenes. For each governance area, each C-suite executive in charge of it is executing a PBRM cycle under another circle where each governance area is put at the center, and the other governance areas, including IT governance, are located around it with the overlapped “Align” label (figure 7).

Figure 7—Enterprise IT Governance From Each Governance Area Perspective

Source: Y. Inaba. Reprinted with permission.

In addition to cascading down to IT-related goals, the goals of each governance area are cascaded down in parallel. Then, the enabler goals are set for each governance area and the enabler implementations with the PBRM cycle for each governance area are executed.
For example, suppose there is a financial institution whose goals include the implementation of financial technologies (FinTech). Its HR management may plan to introduce an HR development program for FinTech and its IT management may plan to identify the skills for FinTech implementation and acquire people with the defined FinTech skills. Clearly, these 2 initiatives in these 2 departments should be aligned with each other.
Then the monitoring of the goals of each governance area is performed. And finally, working up to the enterprise governance chart (the top circle in figure 7), the governance team monitors the enterprise goals and integrates all the monitoring results from each governance area into a single management report.

Creating Value With the Enterprise IT Governance Implementation Model

COBIT 5 is a useful tool and guidance framework for EITG. Practitioners can create value for clients by combining the interpretation of service delivery from COBIT 5 guidance with the implementation practices outlined in the EITG implementation model described in this article.
By assuming this kind of advocacy role, practitioners can create value for clients as well as fulfill social responsibilities in Japan.

Yuichi (Rich) Inaba, CISA

Is a senior manager at Deloitte Touche Tohmatsu LLC where he developed an enterprise IT governance implementation model based on his COBIT experience. Previously, he was a manager at the holding company of a global insurance group based in Japan, where he engaged in the implementation of a group IT governance system for the group by using COBIT 4.1. Subsequently, he was a senior consultant specialist in the areas of GRC, IT governance, risk management and information security at the IT service company of the group, where he implemented a GRC system for the IT service company of the group by using COBIT 5. He is a member of the Standards Committee of the ISACA Tokyo Chapter and is currently working on the translation of COBIT 5 materials into Japanese as well as advocacy of COBIT 5 in Japan.

Author’s Note

The content of this article is based on the author’s personal opinion and does not reflect an official position by Deloitte Touche Tohmatsu LLC.

Endnotes

1 Inaba, Y., H. Shibuya; “Executive Management Must Establish IT Governance,” COBIT Focus, vol. 1, 2013
2 Inaba, Y., “Creating Value With COBIT 5 at a Tokio Marine Group Company,” COBIT Focus, 24 November 2014
3 ISACA, COBIT 5, USA, 2012
4 ISACA, COBIT 5: Enabling Processes, USA, 2012
5 Ibid.
6 ISACA, COBIT Self-assessment Guide: Using COBIT 5, USA, 2013
7 ISACA, COBIT Assessor Guide: Using COBIT 5, USA, 2013

By Yuichi (Rich) Inaba, CISA

[ISACA – Cobit Focus]

Rick Howard Enters a Lion’s Den of Journalists

Amy Zegart is the Co-Director of the Stanford Center for International Security and Cooperation. This year, she invited me to join the advisory council for the Stanford Cyber Policy Advisory Program; a multi-year working group think tank designed to develop cyber strategy, doctrine, and fundamental ideas for the U.S. government. She also helps run the Stanford Cyber Boot Camp series, a program that aims to educate various communities around the country about cybersecurity issues.

This week, she targeted journalists and invited me, and some other prominent network defenders, to have an off-the-record conversation regarding what we thought about how journalists approach the cybersecurity topic.

The room was filled with journalists from ABC, The Washington Post, Foreign Policy, NPR, The Wall Street Journal, CNN, and The New York Times. I have dealt with reporters before, usually in a friendly situation explaining some technical aspect of the latest security event, but I have never been outnumbered before by a factor of 20 to 1 in a situation where we might be exchanging some “off-the-record” criticism on both sides.

Amy had us in a circular, two-tiered conference room, where the network defenders sat on the bottom tier, surrounded by journalists both on the same tier and on the upper tier. Going in, it felt like we were gladiators walking into the arena with hungry lions and tigers roaming around looking to eat us on our tier, and the spectators on the higher tier, who definitely were rooting for the animals.

In truth, it was nothing like that at all. It turned out to be a free exchange of information from both sides that helped to dismantle some pre-conceived and incorrect assumptions that both the network defenders and journalists had about the other side. Here is my big takeaway from the boot camp.

Journalists are professionals who know a lot of things about a gazillion different topics, cybersecurity being one of them. Network defenders are specialists with a deep knowledge about cybersecurity but probably only a cursory knowledge of other things. Most journalists are generalists without a lot of depth in any particular topic but who know how to pull a compelling story out of a specific topic by sifting through myriad known facts, assumptions and rumors. They rely on network defenders to get the facts straight and to help them find the right angle to make the story good without it turning into marketing.

Network defenders should assist in this regard as much as possible. The relationship does not have to be adversarial. We are on the same side in most cases. The reporters want to publish a good story – hopefully one that’s balanced and accurate. The network defenders want to make sure that journalists educate the general public correctly. Without our help, we lose the opportunity to help educate the masses. And that opportunity is greater than ever, with so many publications – even publications that traditionally do not cover technology topics in depth – running stories on cybersecurity.

I thought the Stanford Cyber Boot Camp series was a huge success. Even though I initially felt like I was walking into the lion’s den, with reporters lying in wait to eat me at the first opportunity, the experience turned out to be the complete opposite. Both sides walked away a bit smarter about how to deal with the other. I learned that journalists have a tough job to do even if they are really good at their craft. They mostly just want to publish a good story. I also learned that my relationship with journalists does not have to be adversarial. Network defenders can help reporters publish good stories, and at the same time, ensure that the public receives accurate stories to read about cybersecurity.

[Palo Alto Networks Research Center]
