Spending Analysis Reflects Information Security’s Rising Profile

Analyst firm Gartner projects that worldwide spending on IT security products and services will grow 7 percent, year over year, to reach a total of US $86.4 billion in 2017.

Historically, organizations have had a tough time allocating security expense budgets because:

  • The concept of security was vague and unclear
  • There was no methodology to assess the exact requirement and the resulting benefits, which made it difficult to establish a sound business case
  • There was no regulatory compulsion
  • The evolution of technology, and of its associated threats and digital perils, was slower.

In addition, in the absence of established norms for security spending metrics, many organizations adopted a magic figure of 4% of the total IT budget as the acceptable amount to spend on information security.

Later, in line with the changing times, ISACA rightly clarified that security is a business enabler, and any spend on it needs to be monitored as an investment in line with the tenets of IT governance.

Now, with the current technological tsunami, accelerated business initiatives struggling to keep pace, and regulatory pressure on top of that, information security – unsurprisingly – has become the number one priority. Gartner’s analysis substantiates this with facts and figures. The firm’s significant points include:

  • More opportunity for security startups for offering specialist B2B services
  • Growing demand for application security testing
  • Growth in interactive application security testing projected through 2021
  • The fastest-growing segment will be security services, especially IT outsourcing, consulting and implementation services
  • The European Union’s General Data Protection Regulation, which is due to come into force in May 2018, is projected to drive 65 percent of data loss prevention buying decisions through 2018
  • A big rise in the bundling of managed security services (MSS) into broader IT outsourcing (ITO) projects, from 20 percent of such projects currently to 40 percent by 2020
  • Organizations should be doubling down on “basic security and risk-related hygiene elements,” such as threat-centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening.

All in all, this is great news for the security profession. However, why should any organization spend millions of dollars on anything without a solid cost justification? Security costs, like any other costs, should be justified, for after all, more funding does not necessarily mean better security.

Investments in security controls do not directly contribute to revenue, but they prevent losses and safeguard reputation. Hence, security professionals should be able to help their organizations by using suitable security ROI metrics to choose the most economical and technically acceptable solution.

This will surely set in motion a strong, win-win relationship between the security profession and business leaders for the coming years, and establish security practitioners as a trustworthy partner to clients worldwide.

Ravikumar Ramachandran, CISA, CISM, CGEIT, CRISC, CISSP-ISSAP, SSCP, CAP, PMP, CIA, CRMA, CFE, FCMA, CFA, CEH, ECSA, CHFI, COBIT-5 Implementer, Certified COBIT Assessor,  ITIL-Expert, Account Security Officer, DXC Technology, India

[ISACA Now Blog]

What Do Best-of-Breed Security Products and Top NFL Draft Picks Have in Common?

Analyzed individually, they can’t predict success.

“Poor build, skinny. Lacks great physical stature and strength, lacks mobility and ability to avoid the rush, lacks a really strong arm, can’t drive the ball downfield … gets knocked down easily.”1

Whether you’re a football fan or not, if asked from whose NFL scouting report this quote was taken, chances are your answer would not be one of the most decorated quarterbacks in NFL history. Yet while the NFL didn’t initially have high hopes for Tom Brady, he went on to lead five Super Bowl wins and seven Super Bowl appearances with the New England Patriots – and he’s still playing.

In contrast, the NFL thought very differently about 2007 No. 1 draft pick JaMarcus Russell. As one analyst described, “Three years from now you could be looking at a guy that’s certainly one of the elite top five quarterbacks in this league … look out because the skill level that he has is certainly John Elway-like.”2 However, after three years, Russell was unceremoniously released from the Oakland Raiders.

On and off the field, we’ve seen this happen before: apparent underdogs surprising the world and the seemingly best players never realizing their full potential. That’s because individual components can’t predict the success of an entire team. It’s the team as a whole – specifically, how players integrate and communicate – that makes it great and successful.

Best-of-Breed Is Not a Strategy

Having good players is important, but it is not strategic. Strategy is found in integration, not individuals. As the JaMarcus Russell example demonstrates, a top pick often doesn’t translate into wins. Who you put on your team is one part of building winners, but bringing them all together into a singular whole is where the art of strategy lies. The New England Patriots understand this. The team has been organized under the same framework with coach Bill Belichick for the past 17 years. While players with varying skill levels come and go, the consistent structure gives the team a common platform upon which to perform. Whether a player was a first- or sixth-round draft pick is irrelevant to how they perform as part of that team. The most recognized players on the roster were not originally considered best-of-breed.

Recently retired Rob Ninkovich, a fifth-round draft pick, joined the Patriots after six mediocre years in the NFL, playing for the New Orleans Saints and the Miami Dolphins before being released after his second stint with the Saints. Once New England brought him on board, he became an integral part of the team’s defense for five years, helping the team win two Super Bowls and further proving that a proper strategy for success is about integration and communication, not individual best-of-breed players. “I didn’t play in Miami – their wonderful 1-15 team (in 2007). Couldn’t play on that team,” Ninkovich said sarcastically during his recent retirement speech.3

Winning Integration + Winning Communication = A Winning Team

Just like you can’t judge how good a football team is by looking at the number of top draft picks on the roster, you can’t judge how secure an organization is by looking at the number of so-called “best-of-breed” products in its security lineup. A better indicator is how everything integrates and communicates in a platform approach. “Best of breed” is not a strategy; it is a tactic. With disparate, unrelated and unintegrated point products, network defenders have the difficult task of maintaining multiple products. This additional complexity actually increases risk, because it creates a greater opportunity for human error and misconfiguration to be injected into the system. We’ve talked often about how a “conga line” of security products that don’t seamlessly integrate is doing more harm than good – and vacuuming up budget that could be spent on more strategic investments.

Preventing cyber events and data breaches requires simplification. It requires having integrated, automated and effective controls in place to detect and prevent threats, both known and unknown, at every stage of the attack lifecycle. This is where the platform approach comes in. The power of the Next-Generation Security Platform comes from the sum of all components, fueled by a global threat intelligence engine that leverages the network effects of thousands of customers, technology partners and researchers sharing threat information. Just like a winning football team bringing on new players, with a natively integrated security platform in place, organizations can securely adopt new applications and technologies while maintaining a comprehensive and consistent prevention-oriented security posture.

Learn more about our Next-Generation Security Platform.

1 https://www.si.com/extra-mustard/2017/03/03/tom-brady-nfl-combine-scouting-report

2 https://www.si.com/nfl/photos/2010/05/10jamarcus-russell-pre-draft-hype

3 http://nesn.com/2017/07/rob-ninkovich-explains-decision-to-reitre-i-was-honest-with-myself/

[Palo Alto Networks Research Center]

Privacy Has Had Its Chernobyl Moment

Privacy has had its Chernobyl moment.

Maybe it was when a foreign power stole everything every American had submitted for a clearance form from the Office of Personnel Management. Maybe it was when an insurer lost control of the health records of millions of Americans. Maybe it was when the United Kingdom spilled its child benefit data. Maybe it was when India created a biometric ID system and sort of forgot about controls.

However you want to define a privacy Chernobyl, it, or something like it, has happened.

We exist in a world where our expectation of privacy has been shattered, diminished and demeaned, and yet privacy invasions still outrage us. What we haven’t done is built a cap, and certainly not a sarcophagus that’s designed to protect the radioactive slag for an appropriately long time.

Privacy failures still make the news. Failures on the part of firms who have promised to take it seriously still result in 20-year consent decrees. (Recall that 20 years ago, in 1997, Alta Vista was still the dominant search engine, the Motorola flip phone was dominant amongst those weirdos who bothered with a cellphone, and 56k was pretty good internet connectivity through your phone line. Will word choices that seem agreeable today be sensible after 20 more years of technological acceleration?)

I want to encourage you to use Implementing a Privacy Protection Program: Using COBIT 5 Enablers With the ISACA Privacy Principles as a way for you to realize that personal data is radioactive, and you want to start treating it as such. If you accumulate too much, you risk a meltdown, but even when you have it in small doses, you want to be intentional about it. You want to know why it’s here, how you’re protecting it, and how to get rid of it when the risk exceeds the reward.

You should be thinking of ISACA’s new privacy protection guidance as an important move forward in your privacy journey. It’s a necessary step, and going through the steps will help you understand if there’s more that you need to do.

Editor’s note: Additional privacy-related guidance can be found in ISACA’s new white paper, Adopting GDPR Using COBIT 5.

About Adam Shostack: Adam is a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board, and helped found the CVE and many other things. He’s currently helping a variety of organizations improve their security, and advising and mentoring startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game. Adam is the author of “Threat Modeling: Designing for Security,” and the co-author of “The New School of Information Security.”

Adam Shostack, Consultant and Author

[ISACA Now Blog]

NIST Password Guidance Should Be Well-Received

Many of us are creatures of habit, and changing our ways can be difficult. It is much easier to do so, however, when the new way is more convenient – not to mention more secure – than the old method.

That’s just the case with the new password guidance from NIST, released in June. The guidance calls for longer phrases that are easier to remember, as opposed to use of special characters, blends of uppercase and lowercase letters, and frequent password resets – all hallmarks of NIST’s previous, well-entrenched password guidance.

This move toward improved usability was not done at the cost of sound security. In fact, the creator of NIST’s previous direction on passwords, Bill Burr, acknowledged to The Wall Street Journal that the older guidance was “barking up the wrong tree,” and not based on the caliber of data that he would have preferred. The new password guidance will make for passwords that are actually more difficult to hack.
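As an added example (not code from the post, from ISACA or from NIST), the following Python contrasts a legacy composition-rule policy with a policy in the style of the 2017 guidance: length and a blocklist instead of character-class rules and expiry. The screening against known-compromised passwords is taken from NIST SP 800-63B rather than from the post, and the blocklist here is a constructed stand-in for a real breached-password list.

```python
import math
import re

# Constructed stand-in for a compromised-password list; a real deployment
# would screen against a large breach corpus (a NIST SP 800-63B requirement).
BLOCKLIST = {"password", "p@ssw0rd1", "summer2017!", "letmein"}

CLASS_PATTERNS = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",   # punctuation and space (passphrases may contain spaces)
}
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}  # printable ASCII


def classes_used(pw: str) -> set:
    """Character classes actually present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if re.search(pat, pw)}


def legacy_policy(pw: str) -> list:
    """Pre-2017 style rules: at least 8 characters and three of four classes.
    (Periodic expiry, the other legacy hallmark, is a lifecycle rule and is
    deliberately not modelled here.)"""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(classes_used(pw)) < 3:
        problems.append("needs three of: lower, upper, digit, symbol")
    return problems


def nist_2017_policy(pw: str) -> list:
    """SP 800-63B style: a length floor, a generous ceiling, a blocklist check,
    and no composition rules, so long lowercase passphrases are accepted."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:                       # verifiers must accept at least 64 chars
        problems.append("longer than 64 characters")
    if pw.lower() in BLOCKLIST:
        problems.append("appears in the compromised-password blocklist")
    return problems


def keyspace_bits(pw: str) -> float:
    """Upper bound on brute-force search space, in bits, from length and the
    classes used. Shows why a long plain passphrase beats a short complex one."""
    size = sum(CLASS_SIZES[c] for c in classes_used(pw))
    return len(pw) * math.log2(size) if size else 0.0
```

The constructed password "Summer2017!" satisfies every legacy rule yet is rejected by the blocklist, while "correct horse battery staple" fails the legacy class count but passes the 2017-style policy with a far larger keyspace.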

While NIST’s new guidance figures to be well-received, raising awareness is the short-term challenge.

An ISACA micro-poll, conducted just after NIST’s announcement, showed that the majority of the respondents – audit and security professionals at organizations with more than 5,000 employees – were unaware of the new guidance, and consequently unsure how quickly it could be implemented. While those results are no surprise given how fresh the guidance is, it reinforces that there is much awareness-spreading to be done – including at ISACA. We have a range of opportunities to support NIST’s guidance by updating the training and education materials we offer our professional community, as well as reinforcing the change at ISACA conferences and through our exam procedures.

At the enterprise level, changing password policies is a necessary first step before implementation. Otherwise, enterprises will be implementing password procedures that may contradict existing policies, which could cause headaches when external auditors flag the disconnect.

Emphasizing multifactor authentication is another important piece of the puzzle. The majority of respondents to ISACA’s poll indicated that less than half of their applications require two or multifactor authentication – a practice that should be adopted more widely and is strongly advocated by NIST. Multifactor authentication should be more accessible than ever given the advancement of fingerprint and facial recognition technology. Even when multifactor authentication is in use, NIST’s new password guidance remains relevant, since passwords often are among the factors being used.

We are in the early stages of what will be a major course correction on passwords. NIST’s previous guidance is heavily entrenched, with 95% of respondents to ISACA’s poll indicating their enterprise adheres to practices such as frequently causing passwords to expire and requiring passwords to contain lower and uppercase letters, numbers or special symbols. Users on the other hand, have frequently complained about the difficulty of remembering complex passwords and having to cope with expired passwords. Chances are they will welcome this more user-friendly NIST guidance.

The level of buy-in for the previous NIST password guidance did not happen overnight, and it will not be the case this time, either. But given the opportunity to simultaneously improve security and alleviate password frustrations of the status quo, it only is a matter of time before NIST’s new guidance gains widespread momentum.

Editor’s note: For additional ISACA resources related to NIST’s new password guidance, see our analysis brief and a related PowerPoint deck.

Robert Clyde, CISM, Vice-Chair of ISACA’s Board of Directors, Managing Director of Clyde Consulting LLC

[ISACA Now Blog]

The Cybersecurity Canon: Cybersecurity: Geopolitics, Law, and Policy

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Executive Summary

Guiora’s book Cybersecurity: Geopolitics, Law, and Policy takes a broad, strategic view of cybersecurity. It may serve as a general education for newcomers to the world of cybersecurity, but it is likely of little educational value to those already familiar with operating in the cyber realm. Its consistent identification of cybersecurity as a “risk” may both distract and confuse readers, detracting from the overall value of the book.

Review

Cybersecurity: Geopolitics, Law, and Policy begins with a “shock and awe” chapter, apparently intended to jolt the reader into wanting to know more about the broad nature of the cyberthreat. It then enters into a summary of the chapters to follow, which is a good idea in that it prepares the reader for the ideas to come in the later, substantive chapters. The substantive chapters cover topics such as the definition of cybersecurity, geopolitics, policy, and corporate, individual, and law enforcement responses to the cyberthreat.

In his substantive chapters, Guiora brings up a number of important concepts that drive cybersecurity at a very high strategic level. These include the tension or balance between privacy, individual rights and liberties, and cybersecurity; the need for cooperation in the federal, state, local and international arenas; and the impossibility of 100 percent prevention of cyberattacks. Unfortunately, the chapters themselves tend to be very broad and bleed into each other, rather than addressing the discrete topic of the chapter headings. There is a strong reliance on single interactions with professionals and other experts in the field as a basis for broad conclusions about the current state of cybersecurity efforts. While the book does a good job of identifying things that should be done to improve cybersecurity at the corporate, policy, law enforcement and individual levels, it has little specific guidance about how to implement those suggestions through current organizations and processes.

Throughout his book, Guiora addresses cybersecurity as a risk or danger to be mitigated. This is confusing, as cybersecurity isn’t a risk or danger to anyone except maybe malicious cyber actors, such as hackers. The consistent treatment of cybersecurity as something that needs to be stopped or mitigated, including a final chapter about how law enforcement “mitigate[s] cybersecurity,” detracts from the valid ideas in the book. From the start of his book, Guiora tells the reader that his background is most heavily focused on the threat of conventional terrorism. While he accurately notes that there are solid parallels between terrorism, cyberterrorism, and cybercrime, the three ideas and terms tend to be used interchangeably throughout the book, which can be confusing. In the end, Cybersecurity: Geopolitics, Law, and Policy looks like a book written about terrorism, adapted to cyberterrorism, and then adapted to cybercrime.

Conclusion

Cybersecurity: Geopolitics, Law, and Policy offers broad coverage of strategic aspects of cybersecurity in the modern age. It identifies the key topics that dominate cybersecurity today. However, the continued treatment of cybersecurity as a risk, problem or threat is a confusing message for newcomers to the cybersecurity arena.

[Palo Alto Networks Research Center]