CIO August 15 2009 Issue by Sreekanth Sastry

VOL/04 | ISSUE/19

TeChnOlOgy

leAderShIP

IndIa’s Most ExhaustIvE InforMatIon sEcurIty survEy Page 16

Secure in a virtual world

BuSIneSS

61%

of IT leaders say virtualization has improved security.

1,307 organizations tell us that India Inc. is more serious than ever about security, but the slump has derailed many plans. Where do we go from here?

51%

But So iS coSt cutting Of companies say cost reduction efforts make adequate security more difficult to achieve.

Of companies now have CISOs. That’s an 8 percent increase from last year.

84%

Security’S a HigHer Priority

How to : Get your boss to spend more on security

Page 34

Push your CSO further

Page 26

Guard against insider threat

Page 48

AUGUST 15, 2009 | Rs100.00 www.CIO. I N

Tackle new social networking scams

Page 41

Armor-plate your code

Page 44

Prepare for IPv6

Page 38

From The Editor-in-Chief

Three weeks ago, a senior infosecurity executive and I debated what might be in store

Swine on Your Mind? Organizations will have to go well beyond looking to the government.

for Indian organizations if the influenza A (H1N1) virus struck roots here. For a casual conversation, it was remarkably prescient: at the time of writing this column, a tad close to 1,000 people are down with ‘swine flu’ and over 10 people succumbing to it. Since my friend, the security expert, is associated with a software services company, he was also concerned about detailing to clients in the West the various scenarios his business continuity plan would cover and their net impact on project schedules. From the tsunami of December 2004 to the July 2006 flood in Mumbai to the November 2008 terror attack in Mumbai to the various communal situations that seem to flare up time and again, organizations and their ability to manage crisis have been severely tested over the past many years. Talking to my friend and other IT leaders, has given me distinct learning about business continuity, risk avoidance A business continuity plan and applying them to a flu outbreak. will come through only if While any decent business continuity the number one asset of the plan begins with assessing risk and organization, its people, is identifying critical operations, it will the focus. come through only if the number one asset of the organization, its people, is the focus. That’s how it definitely will work if you’re taking on H1N1. What happens if the government decides to quarantine the campus or worse still the city that hosts your backup facility? What will be the impact of schools or colleges being shut down, thus leading to your employees staying at home to take care of their children? How do you deal with a co-worker falling sick with the flu? The best of plans can go awry for the want of a few details. For starters, you need an updated list of employee addresses (just refer to the Mumbai floods — I know quite a few BPOs who weren’t able to locate even staffers living close to office). Next, assess the skill levels of the employees. This will be critical for your next move — identifying a core team that’ll respond to an incident and will be needed to maintain basic business continuity. Finally, gear up to feed and house them while the epidemic burns out. Organizations and their CIOs will have to go well beyond looking to the government to tackle situations like a ‘swine flu’ outbreak and its impact on business. Be prepared. Be very prepared.

Vijay Ramachandran Editor-in-Chief vijay_r@cio.in

Content,Editorial,Colophone.indd 2

8/14/2009 1:00:33 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

AUGUST 15 2009‑ | ‑Vol/4‑ | ‑iSSUe/19

F E AT U R E S 26 I The Changing CSO Career i From incident reaction to proactive risk assessment, the CSO role has evolved dramatically. Next stop: new services and business operations intelligence. Feature by Joan Goodchild

34 I Making BelieverS Leadership i In belt-tightening times, making the case for security investment is more difficult than ever. Here is a five-step process risk professionals can use to communicate value effectively. Feature by Joan Goodchild

38 I COrdOn Off iPv6 NetworkiNg i The next-generation Internet protocol — IPv6 — isn’t keeping too many CIOs and network managers up worrying at night. But the security threats it poses are potent enough to create havoc in your network. Feature by Carolyn Duffy Marsan

41 I dOdging faCeBOOk and TwiTTer SCaMS soCiaL CoLLaboratioN i From phishing scams that play on your curiosity, to criminals posing as friends to steal your money, here are the latest ways scam artists are using social networks to con you. Feature by Joan Goodchild

COver: design by ani l t

44 I arMOr PlaTing YOur COde software i With about 90 percent of attacks targeted at the application layer, creating secure code becomes paramount. Static analysis software helps keeps buggy code from seeing the light of day. But how do you choose the right one? Here’s what you need to ask. Feature by Mary Brandel

48 I fighTing fraud SECURIT

A l l T h E dATA

a u g u S t 1 5 , 2 0 0 9 | REAL CIO WORLD

19%

Officer e ief Privacy that they ar Employ Ch fy in writing yees to certilicies plo em r ou po Require with our privacy ivacy ining on pr complying complete tra ployees to em r ou ire Requ practices privacy policy and training on with ongoing r employees Provide ou practices policy and

the numbers convey a story of conflict. enterprises determined to make security a priority but are hampered by the effects of the slowdown. Which way did your organization swing? By Team CIO

u urds do yo vacy safega ri p a at d What ce for: have in pla PEOPLE

ation sses inform Who addre ty issues? securi

16 I indian infOrMaTiOn SeCuriTY SurveY 2009

Y SPECIA

data breaCh i Slowdowns take away employment opportunities and give way to angry ex-employees. More pink slips mean more company data out of the safe corporate gates. If companies don’t harden their defenses, they could land in deep trouble. Feature by Stacy Collett

49%

26%

58%

30%

ly 2008 makers on decision Business ly Both on s Neither er n mak IT decisio

GY TECHNOLO r laptops

cryption fo Full-disc en cked devices blo to external ing py co lk Bu d te yp cr en of data Transmission rols access cont Up-to-date d re cu se ns tio Web transac

n s decisio d busines . volve IT an us 49% last year es now in rs ni ve pa s, m ue 58% co dress security iss ad makers to

PROCESS

vOl/4 | issUe/19

ports to: uivalent re eq r o O IS C Your 47% 32% 22%

Collective inspiration

International Conference 15 - 16 September 2009. Taj West End, Bangalore The IET is proud to announce its inaugural international two-day event on cloud computing looking at the future and revolution of automated business applications. You will have the opportunity to benchmark your progress in this most dynamic time of IT business applications advancement.

Key Benefits n deliver solutions for best practice management of cloud computing use n share innovation, breakthroughs and developments in cloud computing implementation into the organisation n report on the latest case-study findings for cloud computing for end-user strategy and business application n ensure the most up-to-date and cost effective legal, business and global fiscal strategy to demonstrate its advantage

Presenting companies include DELL India

Google India

Intel India

Jamcracker Inc

IBM India Software Lab (ISL)

Microsoft India

F5 Networks

WOLF Frameworks

Sponsor partnerships with the IET

Principal sponsor

Contact Priya Joshi for details of sponsorship opportunities: T: +91 (80) 4149 8080

E: pjoshi@theiet.org

content

essential technology | 56 Physical Security | Zeroing In on

Surveillance Video Feature by Mary Brandel Pundit | The Risk of Following the Herd

Column by Thomas Wailgum

From the editor-in-Chief | 2 Swine on Your mind

By Vijay Ramachandran

NOW ONlINE

1 4

For more opinions, features, analyses and updates, log on to our companion website and discover content designed to help you and your organization deploy it strategically. go to www.cio.in

c o.in

data management TAkIng A HAmmER TO YOuR DATA | 14 A tech-lawyer tells you the importance of creating data destruction policies and how to do it. Column by mark grossman and Tate Stickles

a u g u S t 1 5 , 2 0 0 9 | REAL CIO WORLD

Content,Editorial,Colophone.indd 6

1 6

vOl/4 | issUe/19

governing BoArd

AdverTiser index

aLok kumar pubLisher louis d’Mello assoCiate pubLisher alok anand editor ia L editor-iN-Chief vijay ramachandran

global Head - internal it, it tCs aNiL khopkar

seNior CorrespoNdeNt Kailas shastry

aNJaN ChoudhurY CtO, bse

CorrespoNdeNt sneha Jha Chief CopY editor sunil shah CopY editor shardha subramanian traiNee JourNaLists

Priyanka varsha Chidambaram

produCt maNager oNLiNe sreekant sastry d es igN & produCtioN Lead desigNers vikas Kapoor, anil v K suresh nair

Emerson

gM (Mis) & CiO, bajaj auto

assistaNt editors gunjan trivedi, t Kanika goswami

Checkpoint

HID

IFC

IBM

ashish ChauhaN President & CiO, it applications, reliance industries a L JaY atu JaYawa YawaNt President Corporate it & group CiO, aditya birla group

IEt

Krone

IBC

Siemens

Sigma Byte

doNaLd patra p CiO, HsbC india

girish a v (Multimedia) seNior desigNers Jinan K vijayan Unnikrishnan a v sani Mani (Multimedia)

dr. Jai meNoN

t toshiba

director t technology & Customer service, bharti airtel & group CiO, bharti enterprises

desigNers M M shanith, anil t photographY srivatsa shandilya produCtioN maNager t K Karunakaran dY. produCtioN maNager t K Jayadeep mark etiNg a Nd saL es Vp saLes sudhir Kamath seNior maNaNger siddharth singh, assistaNt maNager sukanya saikia baNgaLore Kumarjeet bhattacharjee, arun Kumar, Manoj d., ajay s. Chakravarthy deLhi aveek bhose, Punit Mishra, rajesh Kumar sharma mumbai Parul singh, Hafeez shaikh, suresh balaji, Pooja nayak dipti Mahendra Modi Custom pu b LishiNg sr. maNager marketiNg rohan Chandhok CopY editors Kavita Madhusudanh deepti balani Lead desigNer vinoj Kn seNior desigNer Jithesh CC eVeNts Vp rupesh sreedharan seNior maNager Chetan acharya maNagers ajay adhikari, Pooja Chhabra

gopaL shukLa vP - business systems, Hindustan Coca Cola

This index is provided as an additional service. The publisher does not assume any liabilities for errors or omissions.

maNish Choksi Chief Corporate strategy & CiO, asian Paints maNish gupta director-it, it, Pepsi Foods it muraLikrishNa k. Head - CCd, infosys technologies t

mArkeTing & sAles baNgaLore geetha building, 49, 3rd Cross, Mission road, bangalore 560 027 Ph: 3053 0300 Fax: 3058 6065

Na iN Chadha NaV CiO, vodafone v praV ra ir Vohra raV group CtO, iCiCi bank raJesh uppaL Chief general Manager it & distribution, Maruti Udyog saNJaY aY JaiN aY

deLhi 410, Hemkunt towers, t 98, nehru Place, new delhi 110 019, india Ph:011- 4167 4230 Fax: 4167 4233

mumbai 201, Madhava, bandra Kurla Complex, bandra (e), Mumbai 400 051 Ph: 3068 5000 Fax: 2659 2708

CiO, Wns global services shreekaNt mokashi Chief-it, it tata it, t steel suNiL mehta

All rights reserved. No part of this publication may be reproduced by any means without prior written permission from the publisher. Address requests for customized reprints to IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027, India. IDG Media Private Limited is an IDG (International Data Group) company.

Printed and Published by Louis D’Mello on behalf of IDG Media Private Limited, Geetha Building, 49, 3rd Cross, Mission Road, Bangalore - 560 027. Editor: Louis D’Mello Printed at Manipal Press Ltd., Press Corner, Tile Factory Road, Manipal, Udupi, Karnataka - 576 104.

sr. vP & area systems director (Central asia), JWt t k. subramaNiaN t. div. vP-is, Ub group V. k magapu director, larsen & toubro t V.V.r babu group CiO, itC

Corrigendum in our July 15, 2009 issue, sanjay Jain’s designation on Pg. 48 should have read group CiO, Wns. in our cover story, going it alone (august 1, 2009), ranbaxy’s revenue ran as rs 4,400 crore instead of rs 7,300 crore. the errors are regretted.

new

hot

Standing guard

unexpected

places, but, surprisingly, in one area reversed. When asked whether security considerations are a routine part of their organization's business processes, 63 percent big companies say they agree or strongly agree, as opposed to 72 percent of mid-market players. Employees outside of the security department get more security training than they did in 2004, but respondents still aren't wildly optimistic that those employees build security into their day-to-day decisions. Fifty nine percent of respondents agree or strongly agree that all employees receive training in all security policy topics. While 54 percent say that all employees are trained in the consequences of a public security breach. Thirty eight respondents say that they apply ROI and TCO (34 percent) as important methods to calculate the security budgeting process. While, 50 percent respondents say that they don’t even have a formal financial methodology. Security jeopardizes its standing by failing to present a rigorous examination of its spending. —By Derek Slater

IllustratI on by anIl t

S u r v e y All things considered, the state of the CSO is quite good these days. While the economy is in the tank, CSOs report that security's stock is still rising. And perhaps that's not a coincidence. The CEOs and CFOs of the world are more attuned to risk than ever, say respondents to CSO's exclusive annual State of the CSO survey. The CSO role itself is viewed as an evermore strategic and permanent part of corporate leadership. As a result, CSOs report higher overall job satisfaction than last year. Here is a look at key findings from the survey: Job satisfaction among security leaders is up with 82 percent (74 percent in 2008) saying that they are very satisfied or somewhat satisfied with their overall job role, and 65 percent felt that organizational leadership is more attuned to security issues. Seventy percent of respondents agree or strongly agree that senior management views the security leader's role as strategic and permanent. Last year, this figure stood at 64 percent. The often-cited gap between security practices at bigger companies and smaller ones is wide in

Quick take

Sandeep P. on Outsourcer’s Security I t M a n a g e M e n t Outsourcers hold information critical to a company and the security standards sustained by them directly impact an organization’s business operations and reputation. Priyanka spoke to Sandeep Phanasgaonkar, President & CTO, Reliance Capital, and here’s what he said:

How do you choose your outsourcing partners? There has to be a business need and an enterprise-wide requirement, which then makes it critical. Once we have identified our needs, we start looking for a solution. We examine the top vendors in the market, and we also do some research on the solution. How do you monitor the security of your outsourcing partners? When we send data to outsourcers, we ensure that it is encrypted. We follow a secure FTP protocol to transfer our files. If the vendor is managing processes at a fairly large scale

Vol/4 | Issu E/19

then a security audit of the vendor’s operations and premises, in terms of his external gateways, is carried out. Do you also demand direct visibility and control over your outsourcing partners? No, we don’t monitor the networks. We begin our monitoring operations only when the data enters our network. However, we audit our vendor's operations and his security setups on a regular basis. We also screen the inputs we receive from the vendor.

Sandeep Phanasgaonkar

How does this benefit the company? A couple of security threats can happen when vendors don’t conform to the security standards. Critical or sensitive data present at the vendor’s infrastructure could get destroyed or damaged if he does not have adequate anti-virus or other data protection measures. Overall, it impacts the operations and reputation of the company. It then becomes paramount that the vendors conform to strict security standards. REAL CIO WORLD | a u g u S t 1 5 , 2 0 0 9

How Do You Build a Culture of Preparedness? Ris k M i t i g a t i o n Despite well laid out security policies IT executives are always constantly trying to create a more effective security culture. Sneha Jha spoke to your peers to find out how. Here's what they said:

“Organizations should begin with risk analysis and then identify the risk parameters and their impact on business. Creating awareness and ownership is also essential.” trendlines

Dhiren Savla CIO, Kuoni Travels

“Ensuring enterprise security is a continuous improvement initiative. Regular communication with the user base and a complete classification of information assets. is a must.” Gopal Rangaraj VP-IT, Reliance Life Sciences

“Security is everyone's responsibility. Security awareness training helps users develop secure habits, which leads to a secure environment. Great security measures are those that control mishaps before they occur.” Virender Pal

Voice

Write to editor@cio.in

Trendlines.indd 10

Ris k M a n a g e m e n t The global economic crisis will lead to more cases of large-scale business fraud and corruption as the situation continues to unfold, according to a new report from Control Risks, an international business risk consultancy. Control Risks released Corruption, Compliance and Change: Responding to Greater Scrutiny in Challenging Times, a report examining the trends of corruption as a result of the global financial meltdown. The report predicts as a consequence of increased fraud, businesses will be subject to even tighter regulation complicated by inconsistent enforcement that will vary from region to region. The inconsistency of enforcement will be the greatest challenge for mainstream international companies, the report states. "Countries that have never done so before, such as China and Japan, have begun enforcing corruption laws while those who have been enforcing regulations are now seeking steeper fines and, in some cases, lengthy prison sentences," said John Bray, director, analysis for Control Risks. The report also points to an increased number of Foreign Corrupt Practices Act (FCPA) cases initiated by the Department of Justice and the Securities Exchange Commission. They initiated 38 FCPA matters in 2007 followed by 25 in 2008, said Control Risks' report. In late May 2009, Mark Mendelsohn, the deputy chief of the DoJ Fraud Section, reported that as many as 120 companies were currently under investigation on suspicion of FCPA violations, compared with 100 at the end of the previous year, the report noted. To mitigate risk of fraud, the consultancy advises businesses to: Develop and communicate an effective compliance and regualtions program Secure the CEO and management teams commitment to high standards of integrity Rely on good business intelligence: choose the best people and partners Cultivate diplomatic skills and cultural sensitivity Be prepared for setbacks "Fraud will continue to be a serious issue," states Elaine Carey, national director of investigations. "There is no doubt that the organizations maintain the strictest regulations and enforcement for violations, which is precisely why companies need to take a serious look at safeguarding their operations.

Lend Your

CTO, Spicejet

Bad Times Good for Fraud

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

—By Joan Goodchild

Vol/4 | ISSUE/19

8/14/2009 11:45:11 AM

Web of Security

Web 2.0 Security Trends in Hong Kong and China Hong Kong

China

Users bypass security policies

54 %

53 %

IT leaders under pressure to allow access to more sites

88%

93 %

Confident about Web 2.0 security

72%

77 %

gap exists, according to the survey. A majority of IT leaders were confident of their organization's Web security, though they admit to not having the necessary security solutions to protect themselves from all threat vectors. Additionally, many IT leaders appear to be confused on what exactly constitutes Web 2.0, and what they do not know could put their organizations at risk. However, despite these security issues, a majority of IT leaders think that their organization's Web security is up to the mark. The survey said that 72 percent of technology leaders in Hong Kong and 77 percent in China expressed confidence in their security protocols, despite the fact that the findings reveal that many of the enterprises are dangerously ill-equipped to protect from Web 2.0 threats. Websense has commissioned research firm Dynamic Markets to conduct the survey, which involved some 1,300 respondents across the world. â&#x20AC;&#x201D;By Computerworld Hong Kong staff

Vol/4 | Issu E/19

to the average It security practitioner, the idea t of disabling anti-virus (aV) on new machines might seem blasphemous. It's an obstacle to a more perfect defense. and so many security experts have chosen to disable it. among those who feel that way is David litchfield, a leading database security expert who has authored such books as the oracle racle Hacker's Handbook. "as an experienced security guy, I have no faith in most of the aV packages out there because they're completely reactive, offer little advance protection, massively increase the attack surface and have a long history of vulnerable activeX controls," litchfield says. "I've never used aV software and I've never once been infected with a virus." For rich Mogull, former Gartner analyst and founder of security consultancy securosis, it's not simply a matter of distrusting aV. V. It's just that security practitioners who have been in the game as long as he has have found better controls that make aV obsolete. "I don't use aV on most of my systems, and most highlevel security types use only limited aV," he says. Mogull believes aV is quite useful at the e-mail gateway or provider level, and he does have aV on a Windows XP virtual machine (VM) left over from his last job. but there's no aV to be found on his Mac, or on his Vista VM. He points out that he uses "a lot" of other controls that provide him with adequate security, including limited Web browsing, maximum security in the browser, e-mail filtering and other lock-downs on the system. all that says, litchfield and Mogull agree this isn't something the security novice should be doing. "Knowing what is and what isn't safe to do on a computer is 90 percent of the battle," litchfield says. Ken Pfeil, executive director and head of information security for the americas region at financial services company Westlb aG, says he can see both sides of the argument. "litchfield is right in a lot of respects. aV and personal firewalls are pretty much useless unless you are the average end user," he says. However, he also feels that "It still doesn't matter when it comes down to policy in the corporate world because you can't effectively enforce two different sets of standards." In other words, in the enterprise setting, it's aV for everyone. and Pfeil thinks that's okay, noting that even experienced race car drivers wear their seatbelt even though the odds are slim that an accident will happen on their way to the store. M a lwa r e

trendlIneS

Companies around Hong Kong and China are facing security pressures coming from their own employees trying to bypass company security policies for new Web applications, a survey commissioned by IT solutions providers Websense said. According to the Websense survey, about 54 percent of IT leaders in Hong Kong and 53 percent in China admit that their users try to bypass security policies to access Web 2.0 applications. The global figure is slightly lower, only 47 percent of technology leaders say they face the same problem, the survey said. Employees are clamoring for even more use of Web 2.0 in the workplace, leaving IT departments to find the right balance between preventing security risks and allowing safe and flexible access. Apart from the security pressure, some 88 percent of IT leaders in Hong Kong and 93 percent of leaders in China are feeling the heat to allow more access to more types of Web 2.0 sites and technologies. Across the world, some 86 percent of IT leaders are also feeling the same pressure. Though many organizations already allow access to some types of Web 2.0 sites and applications, a dangerous security

Internet

time m to dit me i ch it the anti-vir nti-viru us?

â&#x20AC;&#x201D;by bill brenner REAL CIO WORLD | a u g u S t 1 5 , 2 0 0 9

alternative views B Y K a n i k a G o s wa mi

What takes precedence? Compliance Vs Efficiency

"Compliance is non-negotiable.

The core values and ethics of a company cannot be compromised for efficiency.” Veneeth Purushottaman Head-Technology, HyperCITY Retail India

P hotos by S rivatsa Shandi lya

trendlines

Of-course compliance. I will go with compliance because the core values and ethics of a company cannot be compromised for efficiency. Compliance is non-negotiable because I believe that compliant processes will increase the efficiency and effectiveness of other processes, and meet the efficiency standard when combined with disciplined execution. As a technology person, I know that there is always a dilemma about improving controls while simultaneously reducing unnecessary costs — all of this without jeopardizing compliance. In fact, this is the vital link between standard operating procedures (SOP) and efficiency. SOPs are perceived to be the nemesis of efficiency, however, I feel that if everyone went off on their own to define the processes that are required to achieve the same objective, there would be chaos. That’s why compliance takes more precedence because it forces organizations to adhere to SOPs and reduce chaos. Though the intent of SOX and other regulatory tools is to improve internal controls, it also carries a broader context of improving processes and making them more efficient. That said, it is important to ensure that the SOPs and work flows are aligned so that the impact is positive and the process is optimized.

Trendlines.indd 12

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

“Since all our storage is internal, compliance is not an issue, so we focus only on efficiency.”

M. Suresh GM-IT, Hyundai Motors

Organizations whose data is not exposed to the external world — like ours — give more importance to efficiency. In most cases, it is felt that compliance and convenience are inversely proportional. When you aim for convenience, compliance will suffer for sure, so you may have to compromise on compliance. Particularly for storage, we ensure that external content is stored in an encrypted form. And when we send content for external usage, we send it in 'read-only' mode. Since all our storage is internal, we focus only on efficiency because compliance is not an issue. The reason why we have not chosen centralized storage for desktop applications is that when you centralize storage there is a big possibility of network outage or that users may not be able to access their data if we store it that way. However, with the latest technologies I don’t think that in order to implement compliance we have to sacrifice or compromise on efficiency. Now there are a lot of new devices available so we are not facing any performance issues even if we go for encryption. Both compliance and efficiency can be achieved simultaneously now, though that calls for a much higher investment. But this may not be the case for all verticals.

Vol/4 | ISSUE/19

8/14/2009 11:45:17 AM

Mark Grossman and Tate Stickles

data Management

Taking a Hammer to Your Data Two tech-lawyers tell you the importance of creating data destruction policies and how to do it.

e are collecting data at ever-increasing rates as the costs of data storage go down. Why get rid of our beloved data when we can always buy more storage space? Some companies like Google love collecting and working with information, and these companies will rarely or never get rid of their data. But odds are your company is not like Google and does not need all of that old data. What you need is an effective data destruction policy. Over time, a company's storage of data often starts to resemble the crazy old hermit's house with newspapers dating back fifty years stacked floor to ceiling. But instead of newspapers, your company is drowning in old digital data. While you may have a method to your madness and know where everything is, you probably do not need all of your old data. To fix this mess, your company needs to figure out what data it has and create effective policies for disposing of it. Since I am a technology attorney, Iâ&#x20AC;&#x2122;m going to focus on digital data â&#x20AC;&#x201D; all those ones and zeros that are littering your storage media. I will address the important questions of who, what, where, when, why, and how you should destroy your data. Your process should guide your company in deliberately and irreversibly removing and destroying old data stored on your systems. This destruction is intended to be permanent.

Consistency Is Key Having a consistent data destruction policy followed by everyone within your company at all times is vital, especially when you are faced with litigation. Legally and properly destroying data prevents extensive fishing expeditions by your opponents in litigation (which is a legalized and ritualized 14

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

Coloumn_1_Taking a Hammer to Your Data.indd 14

Vol/4 | ISSUE/19

8/14/2009 11:44:18 AM

Mark Grossman and Tate Stickles form of warfare). A regular business process addressing data destruction should also get you some ‘safe harbor’ protections under the Federal Rules of Evidence relating to electronic evidence should litigation arise. (The Indian Information Technology Act 2008 also has safe harbor provisions) I hate to use the word ‘should’, but every situation is different. Be aware that the safe harbor protections exist. A data destruction policy is the second part of your data retention policy. Completing and implementing your data retention policy will help you determine where you store your data, which makes it somewhat easier to delete old data. Once you have mapped out where you store your stuff and have developed a policy on how long you need to keep it, you must formalize the destruction process. Your data destruction policy must handle media leaving the control of your company differently than media simply being re-used internally. However, even then, different procedures may apply for media used by different departments. The general rule for the disposal of any data is that simple deletion and overwriting of data is not enough. When reusing media, you must create processes whereby your company wipes the old data, validates the data is gone and media can be re-used, and then documents the completion

data Management

with your tech attorney. If you are not heavily regulated, you can look at some of the other destruction standards out there. The US Department of Defense standards and methods might be good places to start, but do not forget other sources. Look to international, national, state, and local laws, rules, and regulations for guidance. Look also to international standards such as the National Institute of Standards and Technology's Guidelines for Media Sanitization. After your review of the applicable laws, rules, and regulations, you need to add steps to your data destruction policy. Your data destruction policy needs to address how to classify and handle each type of data residing on your media. Your policy needs a process for the review and categorization of the types of data your company has and what kinds can be removed. Data and media containing confidential information, trade secrets, and the private information of your customers requires the strictest controls and destruction methods. Data and media containing little to no risk to your company may have relaxed levels of control and destruction.

Educate, Verify and Follow Up Do not forget to look at your contracts with other companies to ensure you are handling data destruction within the terms

Document your entire data destruction policy so you will know what media is sanitized and destroyed. Your documentation should allow you to quickly answer those who, what, where, when, why, and how questions. of the process. Only upon completion of these steps should you release the storage media for reuse. Things get more complex with media that leaves the control of your company. Your policy has to cover the purging and destruction of data and sometimes the physical destruction of media. But how much destruction is enough?

Gone, Baby Gone Simple deletion and overwriting of data on media your company is retaining and reusing may be appropriate in some instances. In other situations, you may require the total physical destruction of your media that may include disintegration, shredding, incineration, pulverization, or melting your media. Whether your company is obligated to take certain steps in destroying your data really depends on the laws, rules, or regulations of your company. Regulated industries have requirements in place through a variety of sources. For example, depending on your industry you may have to look to Sarbanes-Oxley, Graham-Leach-Bliley, the Fair and Accurate Credit Transactions Act, or HIPAA for guidance. These laws may say you need to keep your data for a certain period. Check

Vol/4 | ISSUE/19

Coloumn_1_Taking a Hammer to Your Data.indd 15

of those contacts. For example, non-disclosure agreements sometimes contain data destruction terms and you must comply with those terms. Educate your people and verify they are complying with your policy. This is particularly important with media that you are not destroying, but instead are reselling or recycling. If you're doing the data destruction in-house, you need to verify your data sanitation and destruction tools and equipment are functioning properly and maintained appropriately. Document the entire data destruction policy so you will know what media is sanitized and destroyed. Your documentation should allow you to quickly answer those who, what, where, when, why, and how questions. Finally, the last step of an effective data destruction policy is to have a process in place so you can follow up with regularly scheduled testing of your process and media to ensure the effectiveness of your policy. CIO

Mark Grossman is the founder of the Grossman Law Group with offices in Manhattan and South Florida. Tate Stickles is a partner in the Grossman Law Group. Send feedback on this column to editor@cio.in

REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

8/14/2009 11:44:18 AM

seCurIty sPeCIal Information Security Survey

IndIan CIOs take the task Of seCurIng theIr OrganIzatIOn's dIgItal data serIOusly. the slOWdOWn makes the task tOugher, but stIll WOrth It. Methodology

The Indian State of Information Security 2009 is a nationwide security survey by PricewaterhouseCoopers and CIO Magazine. It was conducted online during the months of May and June this year. Readers of CIO magazine and clients of PricewaterhouseCoopers were invited via e-mail to take the survey. The results are based on the responses of more than 1,300 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from India. The study represents a broad range of industries including technology (23%), services (12%), banking & financial services (11%), manufacturing (8%), heavy engineering (8%), telecommunications (7%), education & non-profit (6%), government (4%), healthcare (5%), retail (4%), entertainment & media (3%) and transportation & logistics (3%). Thirty-five percent of the executives surveyed reported total annual sales of less than Rs 500 crore, while 20 percent reported sales between Rs 500 crore and Rs 5,000 crore. Eighteen percent of the respondents said that their organizationâ&#x20AC;&#x2122;s annual sales exceeded Rs 5,000 crore, while 10 percent were non-profit, education or government organizations (16 percent didnâ&#x20AC;&#x2122;t answer the question.) Percentages described within may not add up to 100 due to rounding. The margin of error is 1%.

a u g u S T 1 5 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/19

IndIa's sIngle largest survey of its kind, the Information Security Survey spoke to 1,307 IT decision-makers and asked them a 100 questions, no less. The results are very telling. Across industry verticals and companies in various revenue ranges, the threat to information security looms large â&#x20AC;&#x201D; and corporate India has responded. Be it the increased hiring of CISOs, or the increased involvement of IT leaders in addressing data security issues, there are clear pointers that security is more important than ever before. Thatâ&#x20AC;&#x2122;s the good news. Now for the bad. The slowdown has thrown a spanner in the works. IT departments are also being forced to operate in more complex compliance and regulatory environments. Security has to be addressed in the increasingly virtual world as well. And all this needs to be done on thin budgets. Here is what IT leaders say about the present and the future. We trust it shines a light on the road ahead.

security landScape yOuR mOnIEs 35%

Your Spending Justifications

30% More companies have security budgets under Rs 5 lakh

25% 20% 15% 10% 5%

security spends 2008-2009

2007

2008

2009

Rs 50 lakh to 2.5 crore

Less than Rs 5 lakh Rs 5 lakh to 50 lakh

Do not justify

Partner / vendor requirement

26%

Potential liability / exposure

34%

Economic return on investment

31%

Potential revenue impact

30%

Professional judgment

47%

Legal / regulatory requirement

46%

Risk reduction score

47%

Common industry practice

42%

Client requirement

52%

above Rs 2.5 crore

How often do you conduct an enterprise risk assessment?

Your Spending Drivers 2009 2008

14% 6% Terrorism

17% 19% Merger / acquisition activity

33%

2009

2008

Donâ&#x20AC;&#x2122;t conduct an enterprise risk assessment

10%

11%

Less than once a year

12%

38%

Twice a year (or more)

36%

42%

Once a year

42%

46% Change

36% 34%

Are you confident that your information security activities are effective?

Outsourcing

39%

49%

2009 2008

51% Regulatory Compliance

45% 42%

48%

41%

57% Internal policy compliance

51%

74% Business continuity / disaster recovery

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

Don't know

Not at all confident

Somewhat confident

Very confident

Vol/4 | ISSUE/19

SecURITY SpecIal I survey

Who addresses information security issues?

What data privacy safeguards do you have in place for: PEOPLE

6% 6%

Employ Chief Privacy Officer or equivalent

36%

19%

Require our employees to certify in writing that they are complying with our privacy policies

59%

Require our employees to complete training on privacy policy and practices

50%

Provide our employees with ongoing training on privacy policy and practices

58%

49% 58% 26% 30%

TECHNOLOGY 2008 2009 Neither Business decision makers only It decision makers only Both

58% companies now involve both IT and business decision makers to solve security issues (2008: 49%).

Full-disc encryption for laptops

51%

Bulk copying to external devices blocked

59%

Transmission of data encrypted

57%

Up-to-date access controls

64%

Web transactions secured

59%

PROCESS Your CISO or equivalent reports to: 47%

CEO

32%

Board of Directors

22%

CIO with security department directly reporting

21%

Security Committee

19%

CSO

19%

18%

Chief Privacy Officer

18%

Internal Audit

18%

Risk / Compliance management

17%

COO

16%

CTO

16%

CFO

13% 9%

Legal Counsel CIO without security department directly reporting

Vol/4 | ISSUE/19

61%

28%

59%

Conduct privacy assessment internally

55%

Audit privacy standards through third party assessment

43%

Accurate inventory of where personal data for employees and customers is collected, transmitted and stored

42%

Accurate inventory of locations or jurisdictions where data is stored

47%

Due diligence of third parties that handle personal data of customers and employees

32%

Incident response process to report and handle breaches to third parties handling data

38%

Inventory of all third parties that handle personal data of employees and customers

35%

Require third parties (including outsource vendors) to comply with our privacy policies

38%

REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

What Went wRong WE DROppED thE bALL & hOW Number of security incidents in the past 12 months

The Breach Cost You

50 to 499

31%

10 to 49

1 to 2

13%

27%

31%

33%

Don't Know 3 to 9 0 or none

18%

2009 2008

16%

Total Downtime 17% 14%

28%

None

Less than $10,000

16%

Less than 1 hour

31%

Of companies could not estimate the actual financial loss resulting from intrusions.

18% 19%

33%

$10,000 to $49,999

$50,000 to $99,999

$100,000 to $499,999

Unknown

Percentages don't add up to 100. Respondents chose more than one option.

23%

35%

1 to 8 hours

10% 8%

2009 2008

9 to 24 hours

11% 9%

86 pErcENT Of It LeadeRs feLt theIR IT SEcUrITY SpENDINg wAS AlIgNED WIth theIR BusINess.

More than one day

How was your organization impacted by the breach? BUSINESS

2008

2009

DATA

Financial losses

42%

50%

Employee records compromised

40%

Legal exposure / lawsuit

15%

Customer records compromised or unavailable

33%

Brand / reputation compromised

31%

32%

Loss or damage of internal records

40%

Company home page altered / defaced

22%

24%

Identity theft (client or employee information stolen)

27%

Fraud

15%

24%

Confidential records compromised

41%

Intellectual property theft

35%

32%

Loss of shareholder value

13%

18%

Extortion

12%

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

Percentages don't add up to 100. Respondents chose more than one option.

Vol/4 | ISSUE/19

SecURITY SpecIal I survey

hOW yOu WERE hIt How do you intend to tackle insider threat?

A Device Was Stolen

“We have a digital rights management system for all shared documents. We have also implemented DLP tools and awareness campaigns to educate employees about security policies.” — shashi Kumar Ravulapaty VP & CtO, Reliance Consumer finance

tokens and credentials t

21%

Portable devices

37%

Removable media

60% 63%

Laptops

Source of the Breach An Application Was Exploited

Insider threat is still a security professional's greatest nightmare.

14%

32%

87%

Customer

Hacker

Unknown

Employee / Former employee / contractor

Percentages don't add up to 100. Respondents chose more than one option.

abused valid user account / permissions

35%

exploited unknown application vulnerability

41%

exploited website / browser vulnerability

49%

exploited known application vulnerability

53%

Data Was Exploited From: 25% Backup tapes t 30%

What types of security incidents occured? human exploit (social engineering)

17%

device exploit

20%

system exploit

22%

application exploit

23%

Network exploit

29%

data exploit

34%

unknown

29%

Vol/4 | ISSUE/19

Removable Media 38% Laptops 60% databases 61% file shares

REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

the sLuMP & BeYond Did slowdown induced cost cutting make security more difficult? Do not know

Strongly agree

17%

gEttIng yOuR hOusE In ORDER

93%

Do not agree

13% Somewhat agree

28%

Agree

39%

75% of respondents say

the slowdown has increased threats to information security. a similar number attributed this to employee layoffs.

of respondents say strengthening their companyâ&#x20AC;&#x2122;s governance, risk and compliance programs is an important way to counter the effect of the slowdown on IT security.

The regulatory environment became more complex and burdensome Do not know

4% Strongly agree

Do not agree

18%

How key is cancelling, deferring or downsizing projects that need Capex and Opex?

12%

Somewhat Agree

Agree

38%

28%

3% 4%

Top priority right now

11% Very important

14% 32% 32%

Important

Not Now: Have you deferred security projects that need capital expenditure?

27%

32% 30%

Somewhat important

17% 15%

59%

10% 4%

Not important

5% 4% Don't know

Capital Expense Operating Expense

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

Deferred by 1 year or more

Deferred by 6 to 12 months

Deferred by less than 6 months

Not deferred

Vol/4 | ISSUE/19

SecURITY SpecIal I survey

nOt my hEADAChE

Are managed security services more important because of the downturn? Do not know

Not important

Top priority right now

Is security harder because your suppliers have been weakened by the downturn? Do not agree

23%

Somewhat agree

28%

Agree

29%

Strongly agree

14%

Somewhat important

Very important

20%

25% Important

35%

In light of reduced spending, rate the strategy of prioritizing security investments based on risk.

Do managed security services help CIOs?

12% Top priority right now

Managed security services will help CIOs if they are aligned with other components of the security ecosystem like strategy, structure, people and processes to achieve the organizationâ&#x20AC;&#x2122;s IS goal. â&#x20AC;&#x201D; Arvind tawde sr. VP & CIO, Mahindra & Mahindra

30% Very important

35% Important

17% Somewhat important

4% Not important

Are security-related automation technologies more important today?

50%

of respondents said

ongoing security activities did not see any budget reduction, while 39% said they saw a reduction upto 20%. only

1% said on-

going activities saw a

cost reduction of over Vol/4 | ISSUE/19

50%

Don't know

Somewhat important

16%

Important

36%

Not important

Top priority right now

13%

Very important

26%

REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

Security & New Tech Virtualization is Secure

What is the greatest security risk to your cloud computing strategy?

How has virtualization affected information security?

Has increased security vulnerabilities

Has improved overall information security

Uncertain continued existence of provider

Uncertain provider regulatory compliance

Uncertain ability to audit provider

7% 9%

Uncertain ability to recover data

61%

31%

Not affected

10%

Proximity of your data to someone else's

14%

Uncertain ability to enforce security policies at a provider

23%

Inadequate training and IT auditing

32%

In a collaborative, multi-tenant environment, what is most critical?

Are your virtualized IT assets adequately protected?

Questionable privileged access control at provider site

YES

30% 70% What's the source of potential vulnerability in your virtualized environment?

Specialists who can anticipate and thwart new kinds of attacks Consistent strategy and policy among organizations

Private, limited access hosts

10% 26%

11% 15%

21%

18%

Systematic, federated identity management Comprehensive anomaly detection Background profiles on those with privileged forms of access

39% Outdated approach to firewalls, identity management or access control 40% Misconfiguration or poor implementation

49% Policy application unclear in a virtualized environment 56% Lack of additional safeguards

57% Lack of adequately trained IT staff

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

SURVEY_Merged_One.indd 24

InadequatelyTrained IT Staff isthe Single largest Securitythreatinvirtual (57%) and Cloud (32%) Environments. Vol/4 | ISSUE/19

8/14/2009 11:57:43 AM

SecURITY SpecIal I survey

What's comIng

Process safeguards in the next 12 months

GOOD NEWS: security budgets are looking up Increase up to 10% 29% Increase 11 - 30% 23%

Don't know 14% Decrease more than 30% 1%

Increase more than 30% 12% Stay the same 16%

11%

Active monitoring / analysis of information security intelligence Business continuity / disaster recovery plans

22%

Cellular / PCS / wireless security standards / procedures

29%

Compliance testing

13%

Delegated administration of password reset

11%

Employee security awareness training program

22%

Decrease 11-30% 2%

Establish security baselines for external partners/customers/ suppliers/vendors

21%

Handheld / portable device security standards/procedures

26%

Decrease up to 10% 3%

Outsourced security (some or all)

23%

Penetration tests

24%

Risk assessments (internal)

14%

Risk assessments (third-party)

30% 17%

Secure disposal of technology hardware

YoU wIll Be Taken moRe SeRIoUSlY: 87% of cIOs agree that the slowdown has elevated the importance of the security function.

Security audits

18%

Threat and vulnerability assessments

20%

Tiered authentication levels based on user risk classification

30%

Tech safeguards in the next 12 months

People safeguards in the next 12 months

Automated account provisioning / de-provisioning

44%

Automated password reset

19%

Biometrics

38%

Centralized user data store

17%

Data leakage prevention tools (DLP)

27%

Employ a CSO

39%

Disposable passwords / smart cards / tokens for authentication

30%

Employ information security consultants

40%

Encryption (database, backups, laptops, etc)

37%

Employ CISOs

41%

Firewalls (network and end-user firewalls)

26%

Employ security guards or other physical security measures

24%

Intrusion detection tools

20%

Conduct personnel background checks

24%

Dedicated people monitoring use of Internet/information assets

25%

Dedicated people for employee awareness programs for internal policies, procedures, technical standards Link security, either through organizational structure or policy, to privacy and/or regulatory compliance Task and train some IT security personnel as 'account reps' for internal business customers

29% 29% 39%

Integrate physical security and information security personnel

30%

Vol/4 | ISSUE/19

Malicious code detection tools (Spyware & adware) Reduced / single sign-on software

29%

Secure browsers

12%

Subscription to vulnerability alerting service(s)

22%

Tools to discover unauthorized devices

19%

User activity monitoring tools

21% 9%

Web content filters Website certification / accreditation

REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

13%

SECURITY SPECIAL Career

From incident reaction to proactive risk assessment, the cso role has evolved dramatically. next stop: new services and business operations intelligence. By Joan Goodchild

SECURITY SPECIAL I Career

IllUStratIon by MM Shan It h

It's been

Vol/4 | ISSUE/19

standards around the corporation, slowly picking away at information almost 15 years since systems security challenges as well. It was a forge-ahead and forward-thinking David Kent first came to Genzyme, a philosophy for security that had not been seen before in the firm. biotech firm headquartered in Cambridge, "Left to its own devices, we wouldn't have the program we have today. We Massachusetts, that develops medical would have separate silos. There had to be someone in the organization to treatments for ailments such as certain drive this stuff." genetic diseases and some forms of cancer. As the company grew, more emphasis was placed on security. But it was the In 1994, the company had less than $200 Bio International Exposition held in Boston in 2000 that gave Kent the perfect million (about Rs 1,000 crore) in sales, opportunity to show how his department could go beyond reactive protection and only about 1,000 employees — a stark to proactive security. contrast to its worldwide workforce of 11,000 "It was the first major East-coast meeting following the World Trade today and the $4.6 billion (about Rs 23,000 Organization meeting in Seattle. The members of the Genzyme senior crore) in revenue it reported in 2008. management team were the chairs for the meeting in Boston. We were asked Kent's first experience with Genzyme to coordinate security around the meeting. There were about 14,000 people was as a consultant. The company had lost expected, and demonstrators could shut down the show." Kent says for several some of its intellectual property through a months he talked with area law enforcement agencies and other companies that theft, and Kent — then working elsewhere might be targeted for demonstration and urged them to prepare. By the time the as a security manager — was called in to help event arrived, Genzyme security officials had coordinated the work of 80-plus evaluate the situation. His work with the agencies and was holding regular meetings with multiple organizations. firm grew into a job offer to be Genzyme's On the opening day of the expo, 3,200 demonstrators turned out in front director of security. The goal was to have of the hall. Their presence, according to Kent, was uneventful; exactly what someone aboard with an intense focus on he hoped for. the security position of the organization to "Nothing happened," he says." So we got tremendous visibility for that. prevent other thefts from occurring. When bad things happen, you've got to have the ability to have a good response. "At that time, I think there were about Those are the things they remember." nine different card access systems. One Soon after the event, Kent was elevated to vice president of security. The person handled their voice and data and promotion, he says, marked the official beginning of the security group their office services," says Kent. "It was an operating under a CSO model. organization reflective of a rapidly growing business. There was no thought put into security, it was a lower priority. It was sort A Skill Set Beyond Security of a barren landscape from my viewing." Kent's experience at Genzyme is familiar at organizations world over that have His first project was to look at the situation decided to place a top security officer, a CSO or a CISO, to be the key point of around laboratory and notebooks in order responsibility for a company's security. (To see the increase in CSOs among to ensure there would not be Indian firms turn to page 18). We've seen this position increase Reader ROI: a repeat theft incident. After in numbers for more than a decade now. But as it has grown, so How the advent of that, he moved on to assessing has organizational expectations. As security programs become CsOs and CIsOs have the physical security of the changed expectations more robust and sophisticated, so, too, do the expectations of building and addressing the companies who have a top security officer in place. CSOs are What businesses multiple card reader situation now expected to expand their skill set: those with technical are looking for from by implementing a single card security professionals backgrounds must understand facets of regulation, compliance, solution. Kent and his team security and risk beyond the datacenter. CSOs from a physical the meaning of being a CsO going forward began pushing for security security career, such as law enforcement or the military, must also REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

SECURITY SPECIAL I Career have an understanding of information systems and the threats posed to their organization's data assets beyond just the facilities they are housed in. It is an evolution that was expected among industry analysts when the first CSO roles began appearing. Much like how the role of the CIO has changed, it was inevitable that CSOs would have the same experience. "They, of course, share the same problem that CIOs have traditionally faced," says Paul Saffo, a Stanford University professor, forecaster and essayist with a focus on long-term technological change and its impact on business. "CIOs have been the Rodney Dangerfields of management. 'I don't get any respect,' because their work is so arcane. The other XOs never understood it, or even tried, until recently. CIOs

Portrait of a CSO

With the constantly changing description of the top security job, we answer the question: who really is the CsO?

his is the top security executive in the company. he or she will report directly to a senior functional executive (CEo, Coo, CFo, chief administration officer, head of legal counsel). the CSo will oversee and coordinate security efforts across the company, including information technology, human resources, communications, legal, facilities management and other groups, and will identify security initiatives and standards. the candidate's direct reports will include the chief information security officer and the director of corporate security and safety. RespOnsIbIlItIes: oversee a network of security directors and vendors who safeguard the company's assets, intellectual property and computer systems, as well as the physical safety of employees and visitors. Identify protection goals, objectives and metrics consistent with corporate strategic plan. Manage the development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security. Physical protection responsibilities will include asset protection, workplace violence prevention, access control systems, video surveillance, and more. Information protection responsibilities will include network security architecture, network access and monitoring policies, employee education and awareness, and more. Work with other executives to prioritize security initiatives and spending based on appropriate risk management and/or financial methodology. Maintain relationships with local, state and federal law enforcement and other related government agencies. oversee incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary. Work with outside consultants as appropriate for independent security audits. â&#x20AC;&#x201D;J.G.

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

are moving past this stage slowly, but I think the CSOs are still hitting this."

Techie to Business Exec In the early days, information security professionals were viewed as two things, according to Steve Katz. "Highly technical, and the people who consistently said 'no'," he says. Katz, considered by many to be the first person to hold a chief information security officer position, began to debunk the notions around information security when he was recruited in 1995 by Citicorp (now Citigroup). The company hired Katz after a hacker broke into Citibank' cash management system and siphoned $10 million (about 50 crore) into his own accounts. Much of the money was not recovered. The theft brought information security to the forefront for Citibank, and the company wanted someone to minimize the risk that such a breach would occur again. Katz's CISO title was created by a board headed by former Citicorp CEO John Reed. "His view was: Let's bring a business perspective to information security," says Katz. "[Reed] said, 'Citicorp sells two things: money and trust.' As security, we were there to help them deliver trust." Katz says he spent much of his first year traveling to meet with Citi executives around the world. His mission was to put a face on security and figure out what needed to be done to protect the company. He asked executives, "Do you care about who you transact with? Who are your customers?" "Technology wasn't part if it," says Katz. "It was simply, 'Do you care about keeping information confidential and private." In turn, Katz began to introduce concepts such as identity, and company officials began "shaking their heads and saying 'Yeah, that makes sense,'" says Katz. Katz, who now runs his own consultancy, continues to meet with CSOs and CISOs and does some mentoring as well. When he is giving career advice, he urges up-andcoming security professionals to hone their understanding of business and risk if they want to be successful. "The role is becoming a technical- and business-risk effort much more than it is viewed as a security role. The requirement to work with business professionals is

Vol/4 | ISSUE/19

SECURITY SPECIAL I Career probably the greatest hurdle security professionals have to face. If you aren't at home working with people at the executive level, you will be relegated to a much smaller role."

The CSO of the Future To project future developments in the CSO role, it's again useful to look a bit deeper at the CIO position, arguably the most recent to make a transformation from corporate support player to a more elevated executive spot. (Though not the first; recall that CFOs, before they became strategists focused on shareholder value, were simply accountants.) The challenge for CSOs, says Saffo, is to find ways to demonstrate their effectiveness beyond their core protective mission. He believes going to the next step will require CSOs to do what CIOs have managed to do over the last decade. That is, move from a support/infrastructure role, to a central role in enhancing productivity and effectiveness around a company's core mission. That is the hope of Beth Cannon, CSO with Thomas Weisel Partners, an investment bank and broker-dealer. Cannon has been with the company from its beginning in 1999, taking on the CSO role in 2004. Prior to her promotion, she was responsible for engineering and infrastructure that included the operations of the server and the network side of things. "I had always had some level of security under me related to compliance and the network," she says. "When regulations started increasing, the CIO said, 'I think we need someone to focus on these things.' That's how my role was born in company." In five years, the role has clearly changed, says Cannon. The company began doing international business, and Cannon then had to learn about compliance rules in several other nations in addition to the United States. The company also went public in 2006. "Initially the job was very operational and infosec-focused in the respect that we had to get our patching stuff up to date, our network activity logged," she says. "We had to get several things in place in order to have a better handle on what was going on outside of the network." Now, Cannon feels that many of the protective measures she put in place at the start of her tenure have become operational. Things that had to be taken care of in the beginning are just business as usual now. That has given her a chance to put more time into finding ways for security not only to protect, but also to add value to the organization. A primary focus now is business continuity, she says. The recent swirl of concern around the swine flu pandemic helped bring the issue to the top of mind for executives. "Now I'm trying to get out there and say, 'This is more than just technology'. Let's talk about what you are going to do with your personnel." Another new focus is data classification. Cannon says she hopes her efforts will give security a seat at the executive table as she demonstrates the value that the department brings to future compliance and regulation efforts. Slowly, she says, she is pushing past that perception that security is merely a cost center,

demonstrating its importance to the future mission of the company. Just as social networking sites and other Web 2.0 apps have combined platforms to create a new way for users to communicate, CSOs will need to combine knowledge of several aspects of business to effectively assess risk and communicate with executive management, according to Eric Domage, an information security analyst with IDC. Personal and communication skills are crucial for CSO 2.0 (a need that's been reflected in the State of the CSO survey results for years). While many security directors may have come into their roles with a primary focus on one security concentration with little focus or communication elsewhere in the organization, they will now be required to work with many others throughout. Those who cannot, won't have a future, according to Tim Williams, director of global security at Caterpillar, the world's largest maker of construction and mining equipment, diesel and natural gas engines and industrial gas turbines. Williams likens the changing landscape to a game of musical chairs. "The music has stopped and those who will get to the chairs today and in the future are the ones who really do have the business context and outlook." Williams, a professional with decades of experience in security roles with companies such as Proctor & Gamble, Boise Cascade and Nortel, sat on the board of ASIS International, which first put together an official definition of a CSO five years ago. Today, Williams defines the role as one of enterprise security risk management. "The CSO who has put together a cohesive strategy for the industry and the culture in which they work are probably the ones surviving this economic downturn," notes Williams. "They have the ability to explain what the security process is, link it to the business and show the value."

As security programs become more robust and sophisticated, so, too, do the expectations of companies who have a top security officer in place. It is an evolution many have seen coming, much like how the role of the CIO has changed.

Vol/4 | ISSUE/19

Feature -01.indd 30

REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

8/14/2009 12:36:50 PM

SECURITY SPECIAL I Career

Why You Need a CSO

If it’s important, it’s got to be done well. With security that means it has to be holistic, and having a CsO is the first step in that direction.

nough squabbling already. Disjointed management and a lack of communication leads to a weaker security posture and wasted money due to duplicated efforts. these are some of the areas where having holistic security management, which a CSo can bring, can benefit the enterprise: Business continuity. Mike hager, who helped get oppenheimer Funds up and running four hours after their offices at the World trade Center were destroyed on 9/11, puts it best: "Some companies have people who do information security, and people who do physical security, and people who do business continuity. the three people may come up with three answers about what to protect. If you have a total protection program, you can save a lot of time, money and effort. It just simplifies the whole process and makes it more effective." Regulatory compliance. Sarbanes-oxley says the board of Directors has a fiduciary responsibility to know what risks its business faces. Who's going to give them an accurate picture if no one has visibility across all security domains? Hiring and firing. When an employee comes on board, she may need a number of assets and rights, like a building access card, a laptop, a network password, among others. Some of these are physical and some are digital. In a company with disjointed access management, that employee will have a much longer ramp-up time. that's lost money. and if an employee is abruptly terminated, the poorly managed company stands little chance of recovering all its assets and disabling access rights quickly. Intellectual property protection. IP is stored in many forms, from data on the corporate network, to CaD printouts in the trash can, to drawings on the whiteboard. losing that IP cripple a company competitively. bill boni, CISo of Motorola and a former army intelligence officer, notes that the only way to protect intellectual property from threats inside and outside the company is by interconnecting all the necessary defensive measures — logical, physical, legal and otherwise. the most obvious way to manage security holisitically is to put make one person responsible: a CSo. but even in companies where that's impractical, creating new lines of communication and knocking down formerly adversarial relationships is a must. —Derek Slater

Williams believes that CSOs and CISOs will need to be able to come armed with knowledge around the risk to the enterprise they work in from a security standpoint and be able to put that in a business context that can foresee the economic impact and the frequency or likelihood of a risk event. He also speaks passionately about the need for an effective security leader to work well as part of a team. He credits much of the success he has experienced so far at Caterpillar with the strong dynamic between members of his security department. Williams concurs that the job of the new CSO is to be an executive with a security-functional expertise. But how the CSO engages and puts risk context 32

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

into the business is an art and a science that each CSO will need to master to gain the respect Saffo referred to previously. It will take as thorough an understanding of a company's product line and economic drivers, in addition to risks. And it will likely mean knowing how to make the case for investment with limited resources. Williams believes that the number of security executives who hold MBA degrees will continue to grow in the future. "You have got to develop a cohesive, understandable, clear strategy for how you are spending the company's money and what risks you are addressing as a result of that spend," says Williams. "The pressure will now be on the ability to logically and cohesively defend and advocate for dollars. It is a critical skill set we better have, or we are in trouble." And for those who do have the necessary skills? A walk through the halls of Genzyme today might offer a glimpse. CSO toured the facility recently and had a chance to see Kent's state-of-the-art program that approaches security with an ‘all-hazards’ view of risk. It includes an impressive monitoring room where staff members assess potential realtime risks to the company, looking at data from all over the world. Such an all-encompassing view isn't confined to a basement operations center. Earlier this year, Genzyme combined security, risk management, competitive and technical intelligence under a single purview and changed Kent's title to vice president of global risk and business resources. Vastly different from his early days with the company as a security professional brought in to react to a negative event, Kent now takes a seat at the table with other executives in the company to discuss security strategy and risk assessment. He is optimistic that this group will prove not merely reactive, but will grow in its ability to provide business intelligence. "We are leveraging obvious synergies between the groups," says Kent. "The interesting work, though, will be discovering new connections and building the resulting services we don't know about today." CIO Joan goodchild is senior editor. send feedback on this feature to editor@cio.in

Vol/4 | ISSUE/19

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

SECURITY SPECIAL Leadership

In belt-tIghtenIng tImes, makIng the case for securIty Investment Is more dIffIcult than ever. here Is a fIve-step process rIsk professIonals can use to communIcate value effectIvely. By Joan Goodchild

The biggesT challenge security teams face in Reader ROI:

The importance of a shared framework in winning over non security folk How to create impact and connect fast Why the job goes beyond the presentation

a u g u s T 1 5 , 2 0 0 9 | REAL CIO WORLD

their organization is one of perception, according to Michael Santarcangelo, founder of Security Catalyst, a consultancy focused on changing the way people protect information. Santarcangelo says professionals focused on security are practiced at looking at risks and reducing them. Unfortunately, the rest of society often doesn't see risks the same way, making communication difficult. "They lack relevant context," says Santarcangelo. "So security people get wrapped up in thinking: 'The CFO wants ROI. We better work on ROI.' But what the CFO is really saying is:' I don't understand what you do. So you have to justify it.' Here is Santarcangeloâ&#x20AC;&#x2122;s five step process to getexecutives and boards to understand, and even approve, of spending decisions in tough economic times.

Vol/4 | ISSUE/19

SECURITY SPECIAL I Leadership

Create Santarcangelo believes one of the most effective ways to communicate value is to place focus back on the person to whom you are trying to make your pitch. "The reason why someone changes a behavior or takes an action is because there is an inherent benefit to the person," says Santarcangelo. "But when many people start to create, they forget that. They tend to fall into the trap of thinking: 'I'm really smart and I know a lot of stuff. So I'm just going to say it and hope they will understand the value of it.'" Instead, Santarcangelo recommends creating a presentation that keeps the motivation of the audience in mind. "Talking to an executive is different from talking to a technologist is different from talking to an end user," he says. "If we are going to communicate with someone in a way that they understand the value and support what we are asking for, we have to know what we are asking for. We have to think about what we want them to know."

Connect We connect to people through stories, according to Santarcangelo. Before you make your pitch, find something in their experience base that you can reference that your audience can connect to and understand. “What most people will do is say: "I've got a presentation in 20 minutes and they open up power point and start making slides. And when they are done they go and read the slides to whoever they are going to talk to and then they get rejected." Santarcangelo recommends asking yourself: "How can I explain this to them using their frame of reference? What is a story or example I can use?" "If you are presenting to a broad audience, I always recommend using pop culture. Music or movies are great places to start. You can always preface with 'Did you see?'" Of course, finding out what reference might work will take some prep work. "The simplest way to do that is ask questions," says Santarcangelo. "If the executive you will be presenting to is outgoing and friendly, talk to them. Find out what kind of TV shows they watch or

Vol/4 | ISSUE/19

sports team they really like. On the other hand, coming in with a sports analogy to someone who doesn't like sports, is going to be a swing and a miss. Find out ahead of time." Another strategy might involve taking a topical security reference, such as a high-profile breach, and asking: "How would we be impacted if that happened to us?"

Rehearse The first time you make your presentation will be different from the time you actually do it, according to Santarcangelo. Because your window of time to make your pitch or presentation will likely be small, rehearsing is important for maximum impact. "The reason I call it rehearsal instead of practicing or testing is because when you rehearse, you are allowed to make a mistake. We tend to trend toward too much information. Rehearsing let's us distill. Rehearsing allows you to make sure your sequence and flow make sense." Getting a multi-thousand or multi-million dollar security Of Indian CIOs expect project financed with a 15 minute their security budgets presentation that you wing it through may be possible when times are good, to increase in the next according to Santarcangelo. But now, 12 months. source: CIO-PWC IIss 2009 more than ever, tight budgets require finesse and precision when making the case for spending money.

29%

Deliver If each of the five steps were given equal weight, delivery is only 20 percent. Yet many people jump right into delivery without planning or thinking or looking for a connection and rehearsing, says Santarcangelo. But when you get to delivery, the trick is to put it out there without worrying about being perfect. “It's about being authentic," he says. "If you honestly believe in it, put it out there. Don't be afraid to make mistakes. You don't have to be perfectly polished. Don't worry about ums or ahs or reading from a script. The idea is to have a conversation." Once you have thought through what you hope to get out of it, and once you have put together a story and rehearsed or practiced, be natural in the moment once you get to it. "Make your case succinctly and then have a natural conversation," he says.

Review & Follow Through When you are done, go back and ask yourself: How did it go? And if I had that conversation again, would I do it the same way? Once you've evaluated in your own mind how you think it went, follow through is important, says Santarcangelo. "Many times our first connection and creation may not have been dead on. So when we had a conversation, things didn't get resolved," he says. "If you go back and say: 'I didn’t connect the way I wanted to connect' you can follow up with your audience and say 'I didn't explain that the way I wanted to. I know you are busy, but can I have five more minutes? I'd like to explain it to you differently.'" CIO Joan goodchild is senior editor. send feedback on this feature to editor@cio.in

REAL CIO WORLD | a u g u s T 1 5 , 2 0 0 9

SECURITY SPECIAL Networking

the next-generation internet protocol â&#x20AC;&#x201D; ipv6 â&#x20AC;&#x201D; isn't keeping too many cios and network managers up worrying at night. But the security threats it poses are potent enough to create havoc in your network. By Carolyn Duffy Marsan

IPv6 traffic running across their networks, and that few network managers are equipped to see, manage or block it. Increasingly, this rogue IPv6 traffic includes attacks such as botnet command and controls. "If you aren't monitoring your network for IPv6 traffic, the IPv6 pathway can be used as an avenue of attack," says Tim LeMaster, director of systems engineering for Juniper's federal group. "What network managers don't understand is that they can have a user running IPv6 on a host and someone could be sending malicious traffic to that host without them knowing it." Most network managers are blind to rogue IPv6 traffic because they don't have IPv6-aware firewalls, intrusion detection systems or network management tools. Also, IPv6 traffic is being tunneled over IPv4

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

IllUSt ratIon by an Il t

ExpErts say that most US organizations have hidden

Vol/4 | ISSUE/19

SECURITY SPECIAL I Networking

connections and appears to be regular IPv4 packets unless an organization has deployed security mechanisms that can inspect tunneled traffic. "At least half of US CIOs have IPv6 on their networks that they don't know about, but the hackers do," says Yanick Pouffary, technology director for the North American IPv6 Task Force and an HP Distinguished Technologist. "You can't ignore IPv6. You need to take the minimum steps to secure your perimeter. You need firewalls that understand IPv4 and IPv6. You need network management tools that understand IPv4 and IPv6."

Itâ&#x20AC;&#x2122;s On Your Network

Business. "Hackers are trying to leverage IPv6 to fly under the radar. We're seeing a lot of bot networks where the command and control is under IPv6. We're also seeing illegal file sharing that leverages IPv6 for peer-to-peer communications." Rogue IPv6 traffic is an emerging threat for network managers. The biggest risk is for organizations that have decided to delay IPv6 deployment because they don't see a business driver for the upgrade a category that includes most US corporations. US federal agencies are in a better position to protect themselves against IPv6-based threats because they have enabled IPv6 across their backbone networks. Federal agencies are moving ahead with plans to integrate IPv6 into their enterprise architectures and capital investments. Rogue IPv6 traffic "is a very real threat," says Sheila Frankel, a computer scientist in the Computer Security Division of the National Institutes of Standards and Technology (NIST). "People can have IPv6 running on their networks and not know it. Computers and other devices can ship with IPv6 turned on. Ideally, if you're not prepared to protect against IPv6, it should be turned off for all the devices on your network. You need to be prepared to block it at your perimeter. You want to block it coming in and going out," Frankel says. Frankel recommends that organizations that don't want to run IPv6 in production mode buy firewalls and intrusion-prevention systems that can block both native and tunneled IPv6 traffic. "You should be blocking not only pure IPv6 traffic but also IPv6 traffic tunneled inside of other traffic," Frankel says. "Network operators have to be aware of the ways IPv6 would normally be tunneled in IPv4 traffic and in the different types of transition mechanisms, and they have to become aware of the rules necessary to block these various classes of traffic."

"Although they're not thinking about IPv6, for most of the Fortune 500, it's in their networks anyways," agrees Dave West, director of systems engineering for Cisco's public sector group. "You may not see IPv6 today as a business driver. But like it or not, you are running IPv6 in your network." IPv6 is the long-anticipated upgrade to the Internet's main communications protocol, known as IPv4. IPv6 features vastly more address space, built-in security and enhanced support for streaming media Rogue IPv6 and peer-to-peer applications. Available IPv6 traffic gets on your network because many operating systems including for a decade, IPv6 has been slow to catch Microsoft Vista, Windows Server 2008, Mac OS X, Linux and Solaris ship on. Now that unallocated IPv4 addresses with IPv6 enabled by default. Network managers have to disable IPv6 on are expected to run out in 2011, the every device that they install on their networks or these devices are able to pressure is on carriers and corporations receive and send IPv6 traffic. to deploy IPv6 in the next few years. "We're probably talking about 300 million systems that have IPv6 IPv6-based threats are not well enabled by default," estimates Joe Klein, director of IPv6 Security at understood, but they are becoming more Command Information, an IPv6 consultancy. "We see this as a big risk." prominent. For example, the issue of IPv6Experts say it's likely that network managers will forget to change the based attacks was raised at a meeting of the IPv6 default settings on some desktop, server or mobile devices on their National Security Telecommunications networks. At the same time, most organizations have IPv4-based firewalls Advisory Committee, a high-level and network management tools that don't automatically block IPv6 traffic industry group that advises the White coming into their networks. House about cybersecurity. "The most common IPv6-based attacks that we're seeing "We are seeing quite a right now are when you have devices on the edge of your Reader ROI: bit of command and control network that are dual stack, which means they're running Why enterprises are traffic that is IPv6," says IPv4 and IPv6. If you only have an IPv4 firewall, you can not moving to IPv6 Jason Schiller, senior Internet have IPv6 running between you and the attacker," Klein says. security threats of network engineer, global IP "The attacker is going through your firewall via IPv6, which new protocol network engineering for the at that point is wide open." Another common problem is IPv6 How to guard against public IP network at Verizon traffic tunneled over IPv4 using such techniques as Teredo, IPv6 traffic Vol/4 | ISSUE/19

REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

SECURITY SPECIAL I Networking

15%

which is supported by Microsoft, or the alternative 6to4 all IPv6 traffic for the and intra-site automatic tunnel addressing protocol next five years. You (ISATAP) approaches. should only block it until "The typical IPv4 security devices are not tuned to you have a policy and look for IPv6 tunnels," Klein says. "They offer very weak understand the threats." Of IT professionals say defense, which is kind of scary." Long term, the better Klein says the only way network managers can discover solution is to start that they will begin IPv6 devices on their network is to run IPv6. Even then, running IPv6 so you migrating to IPv6 within it's extremely difficult to discover IPv6 tunnels. can gain visibility into the next two years. "You might be able to find the top three tunnels but your IPv6 traffic and source: Bt INs survey not all the other sub-tunnels," Klein says. "You can experience with the new tunnel IPv6 over HTTP over IPv4. How are you going protocol, experts say. to find that?" "We don't recommend that you block To battle these threats, Command Information is offering software IPv6 traffic. We are recommending that called Assure6, which operates in conjunction with deep packet inspection you do an audit and find out how many systems to identify IPv6 traffic tunneled over IPv4. Similarly, the McAfee IPv6 devices and applications are on your Network Security Platform offers full IPv6 and tunnel inspection. Cisco network. If you have IPv6 traffic on your and Juniper offer IPv6-enabled routers, firewalls and other systems that network, then you've got to plan, train allow network managers to set IPv6-related security policies. and implement IPv6," says Lisa Donnan, Klein says he gets one or two calls a month from organizations that have vice president of advanced technology been attacked through rogue IPv6 traffic. solutions at Command Information. "One of our honeypots that we have set up saw a botnet using an IPv6Cisco recommends that its customers only attack," Klein says. "It was hiding itself as IPv4 through our router, adopt the same security policies for and it was attacking and issuing command and controls to a botnet in the IPv4 and IPv6, and that these policies be Far East." implemented using a layered approach. The number of IPv6 attacks is small but growing, LeMaster says. " C o n f i g u r at i o n m a n age m e nt , "There are fewer people that have IPv6 enabled, so it's not as rich a configuration control and policy are going target as IPv4," LeMaster adds. "The majority of the vulnerabilities are to be pretty critical now as all of these IPv6 over HTTP. They're application related, where IPv6 is just the transport devices just show up on the network," West for those security concerns." says. "Configuration management may be Frankel says IPv6-based threats are common enough that every network the largest threat we have around IPv6." manager needs a plan for mitigating them. Frankel says now is the time for "Nobody today will deny that they have to do something about viruses or corporations to start training staff in about spam," Frankel adds. "It's fair to say that rogue IPv6 traffic is in this IPv6 and getting experience with IPv6 so category of threats that's going to hit you if you ignore it." they can protect themselves against IPv6based attacks. "Companies need to acquire a minimal To Block or Not To Block level of expertise in IPv6, which will help Experts disagree about whether it's best for network managers to block protect them against threats," Frankel says. IPv6 traffic or to enable IPv6 traffic for monitoring purposes. "The other thing they should do is to take Most say that if an organization isn't prepared to support IPv6, it their outward-facing servers, those that are should block IPv6 traffic coming into and leaving its network using IPv6external to the corporation's firewalls, and enabled routers, firewalls, intrusion-prevention systems and intrusionenable IPv6 on them. That way customers detection systems. from Asia with IPv6 addresses will be Network managers "should be creating policies that look for IPv6 able to reach these servers and their own traffic and if they see it to drop that packet," LeMaster says. "Within their people will acquire expertise in IPv6. This security incident manager solution they need to look at the profiles of will be a first step in the process." traffic coming into their network. They need that visibility. If they see IPv6 is "coming," Frankel says. "The IPv6 traffic, they need to find out what host it's coming from or going to, best way is to face it head on and to decide and turn that traffic off." you're going to do it in the most secure But these experts admit that blocking IPv6 traffic is a temporary solution manner possible." CIO because a growing number of your customers and business partners will be supporting IPv6. "If you're not prepared for IPv6, then the prudent thing to do is not to allow it into your network," LeMaster says. "But you shouldn't be blocking send feedback on this feature to editor@cio.in 40

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/19

SECURITY SPECIAL Social Collaboration

From phishing scams that play to your curiosity, to criminals posing as Friends to steal your money, here are the latest ways scam artists are using social networks to con you. By Joan Goodchild

According to reseArch recently conducted by

security firm Webroot, about three in ten social network users have experienced some form of a security attack, such as a virus infection or a phishing scam, on a social network in the last year. As the popularity of these social networks explodes, and more organizations ease restrictions among employees, they become more attractive for criminals seeking private information that can be used for profit. Here, two social network security experts tell you how to recognize and avoid the latest scams on Facebook and Twitter.

Reader ROI:

The most current popular phishes User buttons that scamsters push How to defend yourself

Vol/4 | ISSUE/19

Secret details about Michael Jackson's death! Celebrity news will always be used in criminal ploys because scammers know that many people love gossip. The recent death of Michael Jackson is already spawning bad e-mails that contain malware in their attachments, according to several security firms, including Sophos. Graham Cluley, senior technology consultant with Sophos, predicted immediately following Jackson's death REAL CIO WORLD | a U g U s T 1 5 , 2 0 0 9

SECURITY SPECIAL I social Collaboration

Five Deadly Social Networking Sins Are you or your colleagues guilty of these oversights? Over-sHaring COmpany aCTiviTies This is a sin of pride, when someone is excited about something their company is working on and simply must tell everyone about it. Maybe you work for a drug company that is on the verge of developing the cure for cancer. This sin has sparked a debate over whether companies need to revise their employee computer use policies with more specific language on what is/isn't allowed in the social networking arena. To reign in the urge to share, it might be useful to repeat this saying: "loose Tweets Sink Fleets." mixing persOnal WiTH prOfessiOnal The problem starts when someone uses a social network for both business and pleasure forgetting that the language and images one shares with friends and family may be entirely inappropriate professionally. In sharing such things, you also stand a good chance of making the company you represent look bad. Believing iT’s aBOUT THe nUmBers For some social networkers, it's all about accumulating as many connections as possible. This may seem harmless enough but when the name of the game is quantity over quality, it's easy to friend a scam artist or identity thief. "Always verify the person who wants to get in contact with you," says Ruud van den Bercken, a security specialist at XS4All Internet. "Check if the profile of the other person is secured. If you can't retrieve a list of that person's connections, you have to ask yourself" if you really want to go down that road. Trigger finger Facebook is notorious as a place where inboxes are stuffed with everything from drink requests to cause requests. For some, clicking on such requests is as natural as breathing. Unfortunately, the bad guys know this and will send you links that appear legitimate. open the link and you're inviting a piece of malware to infect your machine. endangering yOUrself and OTHers All of the above tie into the seventh and perhaps most serious sin, which is that reckless social networking can literally put someone's life in danger. It could be a relative or co-worker. or it could be yourself. Security experts advise extreme caution when posting birthday information, too much detail on your spouse and children, etcetera. otherwise, they could become the target of an identity thief or even a kidnapper. Motorola CSo Bill Boni expressed his reservations about using Twitter, calling it a great way to get one's self kidnapped. His advice? "Don't be a twit," —Bill Brenner 42

a U g U s T 1 5 , 2 0 0 9 | REAL CIO WORLD

that cyber criminals would soon start to take advantage of the news to pull off scams. Typically, malicious Facebook and Twitter messages relating to celebrity news contain links that claim to have ‘secret’ information. With Jackson, Cluley says he's heard of lures promising songs by the King of Pop that have never been heard before. The link to the music then typically prompts users to download an update of Adobe Flash. Of course, instead of an update, users end up with a piece of malware. "One of the most famous of these is Koobface," says Cluley. "There have been many iterations designed to steal data from your computer. Once they have compromised your computer, they can use it to send spam, install spyware, steal your identity, or launch a denial of service attack."

I'm trapped in Paris! Please send money. The details of this scam, often called a 419 scheme, were reported several months ago but it continues to make the rounds on Facebook, according to Cluley. It goes like this: You are on Facebook, when a ‘friend’ uses the Facebook chat feature to send you an instant message. Sometimes it might be a message in your inbox. Either way, the ‘friend’ informs you that they are trapped in some foreign country and have been robbed or have lost their wallet through some other unfortunate incident. They need you to wire money quickly to help them get home. However, on the other end is a person posing as your friend that has hacked into your actual friend's account. This scam is really just a new version of the old e-mail trick that informs a recipient they have ‘inherited millions’, according to Cluley. "The e-mails often say something like 'Just give us your bank account details and we will deposit the money," he says. But in this particular Facebook ruse, the idea is to get you to assume it is someone you know and trust on the other end of the IM so you will wire money to help them out. "People tend to be more relaxed about communications with friends on social networks," notes Cluley. "Also, the scammer can use other information from your profile, such as your wife's name or your children's names, to make it seem more legitimate."

Vol/4 | ISSUE/19

SECURITY SPECIAL I Social Collaboration Sean Sullivan, a security advisor in the F-Secure Corp. security labs, says most of these attacks are the result of a compromised username and password. Sullivan recently criticized Facebook for their security questions protocol, which he thinks use outdated questions such as mother's maiden name. "Perhaps when the college kids that created Facebook designed it, they never thought any one would be able to guess their father's name," said Sullivan. "But I actually have my father in my network."

OMG! Did you see this picture of you? Both Facebook and Twitter have been plagued by several phishing scams that involve a question that piques the user's interest and then directs them to a fake login screen. Typically, the user receives a message, such as ‘Did you see this picture?’ with a link also included. The user clicks the link, and it prompts them to enter log-in credentials on a fake log in screen. On Facebook, for example, members might receive a message in their inbox, or their wall, that directs them to another site which looks identical to the Facebook log-in page. Recently, Twitter users began receiving tweets that asked "OMG! Is it true what they said about you in this blog?" The link directed the user to a screen that looked just like the Twitter log-in page, but was instead a phishing site. Of course, once you've entered your user name and password into one of these fake sites, the criminals engineering the con have easy access to your account. Sullivan says another recent version of this scheme included messages requesting users update account information, which then took them to fake log-in screens. This is a classic phishing ploy, according to Cluley. Hackers may be looking for your account information in order to send spam, or pose as you in order to pull off a 419 scam. In order to avoid having this happen, make sure you check the url before entering your log-in information. If your browser bar says anything other than Facebook.com or Twitter.com, leave the site immediately. The other potential in this scam is spyware infection, says Cluley. The tiny url function makes this even easier for scammers because you can't see the link you are clicking.

Vol/4 | ISSUE/19

Feature -04.indd 43

"You click on a link that is infected with spyware, and it can steal credentials, bank information, all kinds of useful information about the different accounts you may have," he said. Bottom line: If a link or a message seems suspicious; click at your own risk.

Test your IQ Facebook members who recently decided to use an application that offered an IQ test were shocked to learn they had unwittingly also subscribed to a text messaging service that cost approximately $30 (about Rs 1,500) a month. The IQ test looked like most other Facebook applications. But once the test had been completed, users were asked for their cell phone number in order to receive results. However, by handing over their number, they were also enrolled in the text messaging service. The terms of the service were in fine print that many claimed was nearly impossible to notice. This is just one of many examples of scams that take advantage of the ‘applications’ feature on Facebook, says Sullivan, who advises users to be wary of all of the applications on Facebook and says he rarely uses them himself.

Both Facebook and Twitter have been plagued by several phishing scams that involve a question that piques the user's interest and then directs them to a fake login screen. In order to use a Facebook application, which often include fun quizzes such as ‘Test your 1980's trivia’ you must allow the application to have access to information in your profile. The privacy issue is just one risk, says Sullivan. In some cases, the applications download malware onto your computer. "There was an application that was going around that was spamming people internally," says Sullivan. "In other instances, malware authors are looking for banking passwords, any kind of password."

Join the Class of 2013 Facebook group A college guide book publisher called College Prowler was recently criticized for creating Facebook communities for students in the class of 2013 that appeared to be organized by their college or university. A recruiter with the admissions department at Butler University uncovered the ruse when he found a Class of 2013 page for Butler University on the site, but no one at Butler knew who had created it. The recruiter, Brad Ward, blogged about the find and said pages had been created for many major universities around the country, including the University of Michigan, Cornell University, Duke University and Northwestern University. According to Ward, none appeared to have been created by any one with legitimate ties to the class of 2013 at any of the schools. Invites to Facebook groups run the gamut from alumni groups to groups with common interests in sports or hobbies. But if you don't know the person inviting you, it may be best to ignore it. Other instances of fake groups have included invitations that prompt users to install certain applications in order to ‘chat’ with other members, but instead install malware. In some instances, unwanted products, such as toolbars, have been installed onto the user's computer after the person joined a group. CIO Joan Goodchild is senior editor. Send feedback on this feature to editor@cio.in

REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

8/14/2009 12:44:33 PM

SECURITY SPECIAL Software

With about 90 percent of attacks targeted at the application layer, creating secure code becomes paramount. static analysis softWare helps keeps buggy code from seeing the light of day. but hoW do you choose the right one? hereâ&#x20AC;&#x2122;s What you need to ask. By Mary Brandel

Reader ROI:

What you need for static analysis tools The difference between static and dynamic tools What to watch out for with these tools. 44

a u g u s T 1 5 , 2 0 0 9 | REAL CIO WORLD

IllUSt ratIon by MM Shan Ith

The high cosT

of finding and patching application flaws is well known. Wouldn't it be cheaper to write secure code in the first place? One of the fastest growing areas in the software security industry is source code analysis tools, also known as static analysis tools. These tools review source code (or in Veracode's case, binary code) line by line to detect security vulnerabilities and provide advice on how to remediate problems they find â&#x20AC;&#x201D; ideally before the code goes into production. The entire software security market was worth about $300 million (about Rs 1,500 crore) in 2007, according to Gary McGraw, CTO at Cigital,

Vol/4 | ISSUE/19

SECURITY SPECIAL I software

a software security and quality consulting firm. McGraw estimates that the tools portion of that market doubled from 2006 to 2007 to about $180 million (about Rs 900). About half of that is attributable to static analysis tools, which amounted to about $91.9 million (about Rs 460 crore), he says. And no wonder; according to Gartner, close to 90 percent of software attacks are aimed at the application layer. If security were integrated earlier in the software development lifecycle, flaws would be uncovered earlier, reducing costs and increasing efficiency compared with removing defects later through patches or never finding them at all, says Diane Kelley, founder of Security Curve, a security consultancy in Amherst, N.H. "Although there is no replacement for security-aware design and a methodical approach to creating more secure applications, codescanning tools are a very useful addition to the process," she says. Despite the high degree of awareness, many companies are behind the curve in their use of static analysis tools, Kelley says, possibly due to the big process changes that these tools entail. Here are key decisions in source code analysis:

Should you start with static tools or dynamic tools or use both? In addition to static analysis, which reviews code before it goes live, there are also dynamic analysis tools, which conduct automated scans of production Web applications to unearth vulnerabilities. In other words, dynamic tools test from the outside in, while static tools test from the inside out, says Neil McDonald, an analyst at Gartner. Many organizations start with dynamic testing, just to get a quick assessment of where their applications stand, McDonald

Vol/4 | ISSUE/19

says. In some cases, the groups that start this initiative are in security or audit compliance departments and don't have access to source code. The natural second step is to follow up with static analyzers, enabling developers to fix the problems found by dynamic analysis tools. Some companies continue using both, because each type yields different findings. An important differentiator between the two types is that static analyzers give you the exact line of code causing the problem, while dynamic analyzers just identify the Web page or URL causing the issue. That's why some vendors offer integration between the two types of tools. According to the chief scientist at a large software vendor, dynamic assessment tools "tend to be brute force," he says. "You have to hit every parameter to find the vulnerabilities, whereas static tools investigate the whole landscape of the application." He recently chose a code scanner from Ounce Labs, after outsourcing the work to Cigital since 2006. He became interested in application security when customers began requiring PCI DSS certification. He plans to add in dynamic testing in the future, but the static analysis tool is the cornerstone of his application security program.

Do you have the source code? Most static analyzers scan source code, but what happens if you want to analyze third-party software or code written so long ago that you only have the executable? In that case, Veracode offers binary code scanning through a software as a service platform. "A vendor may not be willing to give you source code, but they will give you executables or binary," Kelley says. At the Federal Aviation Administration, Michael Brown, director of the Office of Information Systems Security, says he chose to use Veracode's services this year because of the amount of vendor-written code the FAA anticipated to use as a result of its modernization of the national airspace system. Brown says he wanted to ensure the code was not only functionally correct and of high quality but also secure. He wanted a service rather than a tool to reduce the need for training. So far, the results have been eyeopening, he says. "A lot of the code didn't really take security into account," he says. "There were cases of memory leaks, cross-site scripting and buffer overflows that could have been a cause for concern."

What do you use for software quality? Some tool vendors, such as Coverity, Klocwork, Parasoft and Compuware, originated in the quality-testing arena and have added security capabilities vs. vendors like Ounce and Fortify Software, which were solely designed for security. It's worthwhile to check into the quality tools you already use to see if you can leverage the existing

90% of software attacks are aimed at the application layer. source: gartner

REAL CIO WORLD | a u g u s T 1 5 , 2 0 0 9

SECURITY SPECIAL I Software relationship and tool familiarity. You should also consider whether it's important to your organization to have the two functions merged into one tool in the long term, McDonald says.

Do's and Don'ts of source code analysis DON'T underestimate adoption time required. Most static analysis projects are initiated by security or compliance, not developers, who may not immediately embrace these tools. Before developers get involved, McDonald suggests doing the legwork on new processes; planning integration with other workflows like bug-tracking systems and development environments; and tuning the tool to your unique coding needs. "Don't deploy to every developer at once," he adds. "Ideally, you'll get someone who wants to take on a competency role for security testing." The chief scientist at the large software vendor has developed an application security awareness program that includes training on common vulnerabilities, through podcasts and videocasts. Once he builds up awareness, he'll educate developers on secure coding standards. To complete the circle, he'll introduce Ounce's static code analysis tool to enforce the standards and catch vulnerabilities "so it's a feedback loop," he says. DO consider using more than one tool. Collin Park, senior engineer at NetApp, says the company uses two code analysis tools: developers run Lint on their desktops, and the company uses Coverity each night to scan all completed code. "They catch different things," he explains. NetApp began using these tools when its customer base shifted to enterprise customers who had more stringent requirements. While Coverity is better at spotting vulnerabilities such as memory leaks, Lint catches careless coding errors that developers make and seems to run faster on developer desktops, Park says. According to Kelley, organizations typically implement static analyzers at two stages of the development process: within the development environment, so developers can check their own code as they're writing, and within the code repository, so it can be analyzed at check-in time. The chief scientist uses this method. "In the first scan, if the engineer takes every finding and suppresses them, a milestone scan will catch those and generate a report," he says. DO analyze pricing. Vendors have different pricing strategies, McDonald says. For instance, while all continuously add information to their libraries about the latest vulnerabilities, some charge extra for this, while others include it in the maintenance fee, he says. In addition, some vendors charge per seat, which can get expensive for large shops and may even seem wasteful for companies that don't intend to run the scanner every day,

while others charge per enterprise license. Additionally, some vendors charge for additional languages, while others charge one price for any language they support, McDonald says. DO plan to amend your processes. Tools are no replacement for strong processes that ensure application security from the beginning, starting with defining requirements, which should focus on security as much as functionality, according to Kelley. For instance, a tool won't tell you whether a piece of data should be encrypted to meet PCI compliance. "If a company just goes out and buys one of these tools and continues to do everything else the same, they won't get to the next level," she says. The chief scientist says it's also important to determine what will happen when vulnerabilities are found, especially because the tools can generate thousands of findings. "Does the workflow allow them to effectively analyze, triage, prioritize or dispose of the findings?" he says. He is working with Ounce to integrate the system better with his current bugtracking system, which is Quality Center. "It would be great to right-click on the finding to automatically inject it into the bug-tracking system," he says. At NetApp, Park has reworked existing processes to ensure developers fix flagged vulnerabilities. As part of doing a code submit, developers do a test build, which must succeed or it can't be checked in. Then, when they check in code, an automated process starts an incremental build. If that build fails, a bug report is filed, complete with the names of developers who checked in code before the last build. "Developers are trained to treat

Do not underestimate the time it takes for your solution to be adopted. Most static analysis projects are initiated by security or compliance, not developers, who may not immediately embrace these tools. Before developers get involved do the legwork required for new processes.

Feature -05.indd 46

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

Vol/4 | ISSUE/19

8/14/2009 12:30:47 PM

SECURITY SPECIAL I software a build failure as something they have to look at now,'" Park says. NetApp also created a Web-based chart that's automatically updated each night, to track which managers have teams that were issued Lint or Coverity warnings and whether they were cleared. DO retain the human element. While the tools will provide long lists of vulnerabilities, it takes a skilled professional to interpret and prioritize the results. "Companies don't have time to fix every problem, and they may not need to," Kelley says. "You have to have someone who understands what is and is not acceptable, especially in terms of a time vs. perfection tradeoff.'" The chief scientist calls this “truly an art form" that requires a competent security engineer. "When the tool gives you 10,000 findings, you don't want someone trying to fix all those," he says. "In fact, 10,000 may turn out to just be 500 or 100 vulnerabilities in actual fact." Park points out an instance where the Coverity tool once found what it called "a likely infinite loop." On first glance, the developer could see there was no loop, but after a few more minutes of review, he detected something else wrong with the code. "The fact that you get the tool to stop complaining is not an indication you've fixed anything," Park says. DON'T anticipate a short scan. NetApp runs scans each night, and because it needs to cover thousands of files and millions of lines of code, it takes roughly 10 hours to complete a code review. The rule of thumb, according to Coverity, is for each hour of build time, allow for two hours for the analysis to be complete. Coverity also enables companies to do incremental runs so that you're not scanning the entire code base but just what you've changed in the nightly build. DO consider reporting flexibility. At the FAA, Brown gets two reports: an executive summary that provides a high-level view of vulnerabilities detected and even provides a security ‘score’, and a more detailed report that pinpoints which line of code looks troublesome and the vulnerability that was detected. In the future, Brown would like to build into vendor contracts

Vol/4 | ISSUE/19

Evaluate Source Code Analysis Tools you know you have a good tool if you get: y Support for the programming languages you use. Some companies support mobile devices, while others concentrate on enterprise languages like Java, .net, C, C++ and even Cobol. Good bug-finding performance, using a proof of concept assessment. hint: Use an older build of code you had issues with and see how well the product catches bugs you had to find manually. look for both thoroughness and accuracy. Fewer false positives means less manual work. Internal knowledge bases that provide descriptions of vulnerabilities and remediation information. test for easy access and crossreferencing to discovered findings. tight integration with your development platforms. long-term, you'll likely want developers to incorporate security analysis into their daily routines. a robust finding-suppression mechanism to prevent false positives from re-occurring once you've verified them as a non-issue. ability to easily define additional rules so the tool can enforce internal coding policies. a centralized reporting component if you have a large team of developers and managers who want access to findings, trending and overview reporting. —M.b.

the requirement that they meet a certain security score for all code they develop for the FAA. DONT forget the business case. When Brown first wanted to start reviewing code, he met with some pushback from managers who wanted a defined business need. "You've got program managers with schedules to meet, and they can view this as just another bump in the road that's going to keep them from making their milestones," he says. Brown created the business case by looking to independent sources like Gartner and Burton Group for facts and figures about code vulnerability, and he also ran some reports on how much time the FAA was dedicating to patch management. The chief scientist justified the cost of the Ounce tool by taking the total cost of the product and comparing that to the effort involved in a manual review. "With millions of lines of code, imagine how many engineers it would take to do that, and by the way, we want to do it every week," he says. "The engineers would fall down dead of boredom." CIO

Mary Brandel is a freelance writer. send feedback on this feature to editor@cio.in

REAL CIO WORLD | a u g u s T 1 5 , 2 0 0 9

SECURITY SPECIAL Data Breach

SlowdownS take away employment opportunitieS and give way to angry ex-employeeS. more pink SlipS mean more company data out of the Safe corporate gateS. if companieS don’t harden their defenSeS, they could land in deep trouble. By Stacy collett

Bernard Madoff, Allen Stanford and California money

Reader ROI:

The different ypes of internal fraud The cost of fraud and why it's increasing How to detect and stop it

a u g u s T 1 5 , 2 0 0 9 | REAL CIO WORLD

manager Danny Pang may be the latest examples of outrageous fraud. But what about the little guys? The administrator, middle manager or callcenter rep? It doesn't take a high-profile, multibillion-dollar scandal to rock an enterprise. These days, when employers are cutting salaries, staff and bonuses — and staff is uncertain about the next round of layoffs — more employees are committing fraud, according to a study by the Association of Certified Fraud Examiners. More than half of fraud examiners surveyed said that the level of fraud has slightly or significantly increased in the previous 12 months compared to the level of fraud they investigated or observed in years prior. US organizations lost 7 percent of their annual revenues to fraud between 2006 and 2008 for an estimated total cost of $994 billion (about Rs 49,70,000 crore) in losses, according to the ACFE. That's a slight uptick from the 5 percent loss reported for the two-year period ending in 2006.

Vol/4 | ISSUE/19

SECURITY SPECIAL I Data Breach What's more, about half cited increased financial pressure as the biggest factor contributing to the increase in fraud, compared to increased opportunity (27 percent). Fraud can include minor things like expensing personal items or major, fraudulent billing schemes carried out over months or years. "They're using corporate credit cards for expenses that are really tying back to people in the accounting department to fill their own needs," says Adam Safir, COO of security consulting firm Safir Rosetti in New York. "We've had clients where individuals have racked up $500,000 (about Rs 250 lakh) worth of transfer payments to various parties that were done piecemeal through small [charges]" over several months. Making matters worse, layoffs are affecting organizations' internal control systems, according to the ACFE study. Nearly 60 percent of companies say they had experienced layoffs during the past year. Among those who had experienced layoffs, more than a third said their company had eliminated some controls for preventing fraud.

Warning Signs

"I don't think this is anything new, but with the economy down and people getting desperate, this is a methodology that they use that takes advantage of a typical weakness," such as poor oversight or holes in security procedures, Safir says. Fraud examiners expect that number to rise during the next 12 months, especially embezzlement cases and an increase in Ponzi schemes investigated by the SEC, says Bruce Dorris, ACFE program director.

Fraud Frenzy Embezzlement accounts for 70 percent of fraud cases. "That's employee theft across the board" from C-level execs to administrative staff, Dorris explains. That's anything from fabricating vendors to charge payments to corporate credit card misuse, taking petty cash "down to stealing pencils, pens and notepaper." Vendor fraud is also on the rise. Examiners are detecting fraud schemes in contract and procurement areas, where, for example, a vendor suddenly shows a marked increase in contracts over the previous year â&#x20AC;&#x201D; especially low dollar amount, no-bid contracts, which may indicate kickbacks to employees. Data fraud cases continue to concern employers, but now many employees who fear losing their jobs are using stolen client lists, marketing data or company secrets to leverage new jobs. Some 59 percent of employees who leave or are asked to leave a company are stealing company data, according to a report by the Ponemon Institute, and two-thirds of them admit to using their former company's confidential, sensitive or proprietary information for new employment. But even without economic pressures and downsizing, data theft "certainly is an issue that has existed and continues to exist" on a daily basis, says Lisa Sotto, a partner and head of the privacy and information management practice at Hunton & Williams, which represents companies who have suffered a security breach, often by rogue employees. Call center agents, for instance, are highly susceptible to breaches because they have easy access to customer data, and callers are willing to give up sensitive information, such as credit card numbers, Sotto says. What's more, healthcare and insurance providers often use Social Security numbers to authenticate a patient's identity on call center inquiries.

Excessive or inappropriate contact with a particular vendor, or a familial relationship between an employee and vendor, can lead to fraud. Sloppy record-keeping can also mask illicit activity. An employee who is living beyond his or her means or is known to be having financial difficulty may become desperate enough to Combating Fraud commit fraud. "People who commit fraud Some fraud schemes have taken up to two years to detect. Illegal activity can be become withdrawn or very hostile," says detected faster by having policies and procedures in place that include audits Adam Safir, COO of Safir Rosetti. There and monitoring, data access control, physical security, employee education and are also cases where employees maintain a discreet ways to report fraud. low profile and "fly under the radar" while In the accounting department, look at relationships between vendors and keeping a fraud scheme employees, such as familial relationships between vendors going for months. and purchasers or a sudden increase in contract awards "Keep your ear to the to a particular vendor, which may lead to fraud, and set ground," Lisa Sotto, policies regarding those relationships. a partner at Hunton A fraud monitoring program must include spot audits. & Williams adds. Accounts should be reconciled daily with no variances, The number of employees Safir says. That way, "you know immediately that you Sometimes rogue employees can't keep have a problem that requires further investigation. At that steal company data their mouth shut, she some companies, their accounting department becomes too when they leave or are says, so listen to what complex and they'll carry over imbalances" he says. asked to leave. employees are chatting Surprise audits continue to prove effective in catching source: Ponemon Institute about at the water cooler. fraud. "If they know that corporate security is doing audits

59%

Vol/4 | ISSUE/19

REAL CIO WORLD | a u g u s T 1 5 , 2 0 0 9

SECURITY SPECIAL I Data Breach

Employees should have access to confidential data on a need-to-know basis. Review access rights weekly or quarterly, and terminate access immediately for any employee leaving the company. on the first Tuesday of the month, they take care of everything on Monday. But if they don't know they're coming, they're more likely to catch a fraud in place," Dorris says. Also, when employees know that a surprise audit looms, "they're less likely to [commit fraud] because the opportunity has been removed." Simply checking financial statements can uncover fraud. "Why is there a tremendous increase this month in accounts receivable? Are they inflating numbers to make the bottom line look better, to increase earnings per share? Those don't require a tremendous amount of resources â&#x20AC;&#x201D; that gives you some predication to look and see an anomaly â&#x20AC;&#x201D; and investigate it a bit further," Dorris says. Around the office, physical protections in the building and its perimeter can also curb fraud. Do you have someone at the front door? Are you locking cabinets with sensitive data in them? Do you have a policy on transporting removable media like laptops and BlackBerrys? Where is the company trash going? Sotto recalls one multibillion-dollar, family-owned company that 20 years earlier donated reams of used paper to a pre-school for a recycling drive. Recently, one of the pre-school's parents called to report that one of her son's pre-school art projects included names and social security numbers on the backside. Any sensitive documents should be shredded or designated for burning. Employees should have access to confidential data on a need-to-know basis. Review access rights weekly or quarterly, and terminate access immediately for any employee leaving the company. Make sure everyone has the right levels of access, and mask some of the data for some levels of access. Audit log software can also document who logged into what documents and systems, when and whether they made changes or exported files. Don't forget the call center. Fraud prevention in the call center begins with background checks for all employees before hiring them. Once they're on the job, monitor their computer activity. "See what they're looking at and why," Sotto says. Deactivate CD drives or USB ports so information can't be copied. Adopt a paperless work environment so information can't be written down and documents can't be removed. Keep purses and backpacks outside of the call-center room. Employees who work from home can be difficult to monitor. Sotto suggests occasional surprise visits from a supervisor. "Have policies in place where the PC is in a segregated area away from family, use strong encryption and password protection" for PC access, she adds. Occupational frauds are much more likely to be detected by an anonymous tip than by audits, controls or any other means, according to the ACFE. Hotlines are one of the easiest ways of allowing those tips to come in. Sarbanes-Oxley requires public companies to establish whistle-blower hotlines, and many private companies are following suit. Other companies have set up anonymous e-mail programs "or a locked box in the coffee room for notes," Dorris says. One of the easiest and most inexpensive ways to reduce fraud is through employee awareness and training about fraud protection and security. 50

Feature -06.indd 50

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

Employees can be trained on how to handle sensitive documents left near printers, for instance. "They may be unknowingly printing important information that can be used in a fraud or theft context and leaving it near the printer," Safir says. "Most importantly, let employees know from their first day of employment of the company's rules and expectations regarding fraudulent activity â&#x20AC;&#x201D; not after fraud surfaces."

Connecting Fraud and Security Programs Anti-fraud policies and procedures should be part of an overall security program, with input from the general counsel. "Some CSOs work very closely with their general counsels, and some who are very skilled become relied upon as the 'finders of fact' for these very sensitive issues," Safir says. "A good CSO doing the job proactively and doing it well ends up speaking the language of and servicing the general counsel whose basic duty it is to ensure on behalf of the board that upper management isn't doing anything [fraudulent]." In rare cases, CSOs can find themselves at odds with executives who might be engaging in rogue behavior themselves, over certain control environments or his or her responsibilities to the general counsel reporting to the board. A series of checks and balances can clear that impasse. "You have a board of directors, an audit committee and control procedures that public companies need to comply with, and a lot of private companies have adopted this as a best practice," Safir says. CIO

Send feedback on this feature to editor@cio.in

Vol/4 | ISSUE/19

8/14/2009 12:33:51 PM

Trendline_Nov11.indd 19

11/16/2011 11:56:19 AM

EvEnT REPORT

Presenting Partner

Business DynAmics simplifieD IBM, in association with CIO, held a forum to address the operational challenges that today’s IT leaders face while striving to keep their businesses up and running.

“We consolidate the requirements and buy the highest possible configuration of servers. This is a virtualizationfriendly purchase policy." V. BalakriShnan, CIO, Polaris Software Lab

“A new technology might help us to come out of legacy systems, so at some point you have to take a call to move on and transform." Sunil Sirohi, VP, NIIT

To succeed in today's fast-paced world, where almost everything is connected and automated, an organization's underlying business and IT infrastructure need to be highly flexible and responsive. Unfortunately, many of today's infrastructure are rigid, siloed, and outdated, thereby driving cost and complexity to unsustainable levels, and at the same time, hampering organizational maneuverability. CIOs now realize that as the pace of business continues to accelerate, the physical and digital foundations, on which business growth depends, are under continuous traction. The IBM-CIO forum served as the right platform to inform the audience about the transformations in IT infrastructure that would enable CIOs to formulate flexible, adaptable, and dynamic approaches to improve service, reduce costs, and manage risks.

EvEnT REPORT

The nexT-GenerATion infrAsTrucTure Talking about the state of IT infrastructure in the current economic scenario, Suchitra Joshi, Manager, Competitive Project Office Software, IBM, said, “Economies are emerging and dynamics are changing, thus driving business models to change. Given that resources are limited, we can do only so much with whatever we have and we will have to learn to do it in an intelligent fashion. Yet, all of us want to make sure that IT is growing.” She aptly pointed out that, although, during the last decade the cost of a server has been relatively constant, the operational and maintenance costs have grown manifold. She prompted the audience to devise intelligent ways to tackle the ever-growing infrastructure demands. Joshi added, “The traditional scale-out model that involves the addition of resources with every demand doesn’t fit in anymore, as it doesn’t address the pain points of a business.” Promoting the case of a dynamic infrastructure, she said that such an infrastructure doesn’t involve removal and replacement of applications, as it also takes care of legacy components. Instead, a dynamic infrastructure adds growth and new applications, alongside existing infrastructure. Talking of the traits of cloud computing she said, “Cloud computing could be a solution to the problems related to IT infrastructure, but if it is a public cloud, it also has a threat angle to it. The solution would be to implement a public cloud and utilize it as a private cloud. In this manner, the cloud is very much within one’s control. A cloud is perceived to be a lowcost solution that helps manage the TCO.” She elaborated on cloud infrastructure by saying that it works on a ‘payas-you-go’ pricing model and helps users deploy elastic scaling. In this manner, organizations could engage more servers and provision more information and storage as their need grew; and could even scale back when need decreased. Transitioning of traditional IT to dynamic infrastructure Suchitra JoShi has, thus, become Manager - Competitive Project Office Software, IBM imperative for most companies worldwide.

“The traditional scale-out model that involves addition of resources with every demand doesn’t fit in anymore.”

“We allocate common computing resources which are scheduled in a manner that the requirements don’t clash." V. SriniVa V S, Chief Information and Technology Va Officer, Nagarjuna Fertilizers & Chemicals

“This is the right time for iT transformation as our resources are getting squeezed and we have to achieve maximum utility from them." B.l.V. rao, VP - Networks & Systems, and Chief Information Security Officer, Infotech Enterprises

“Any organization will have some amount of inertia, apart from adaptability." Da iD BriSkman, VP and CIO, DaV Ranbaxy Laboratories

“create an infrastructure that is scalable and there's no need to rip and replace when the demand surges." ViJay Sethi, VP - Information Systems, Hero Honda Motors

EvEnT REPORT

Achieving greATer AdApTAbiliTy in an unstable economy, all organizations are taking steps to make their businesses agile, flexible and dynamic. What is an effective approach to achieve this flexibility? sathyanarayanan Venkatraman, Managing Consultant, IT Strategy and Architecture Consulting Services, IBM provides some tips on how CIOs can shed their company's rigidity and attain better operational flexibilty. What should be the approach to move current infrastructure to dynamic infrastructure?

One can do it in a phased manner. The first step should be to establish a baseline for the present IT infrastructure and assess it thoroughly. One needs to view the system holistically and plan the utilization of different resources. All this should be done keeping the business requirements in mind.

is not to look at investments from a technology perspective alone. One needs to justify investments on the basis of business needs. In the current scenario, companies are not looking at great returns, but quick returns. When expanding the datacenter, organizations need to look for virtual consolidation. There is also a people and process angle to transformation. how do cios deal with this?

There are four elements of dynamic infrastructure, namely, people, process,

how does one make a business case for this transformation?

A CIO should be able to convert the transformation project into monetary terms. He should be able to quantify the spending and returns. The important factor to keep in mind

Sathyanarayanan Venkatraman Managing Consultant, IT Strategy and Architecture Consulting Services, IBM

creATinG A Difference Taking the discussion forward, John J Thomas, Consulting Engineer, IBM, USA, talked about the reducing costs, improving sales delivery, managing risks and various other aspects of using private dynamic infrastructure. He also talked about server consolidation, virtualization platforms and server provisioning in different workload conditions. He pointed out that during peak workloads, most infrastructure experience wasted computing resources. Hence, it would be wise to make computing and resources available on demand to handle spikes, by shifting the pool of resources to an appropriate workload. In this way, there would be a 50 percent reduction in the number of servers required in such a setup. Thomas also suggested, “For this you need virtualization technology appropriate for the workload. You need to decouple the workload from the underlying hardware, and

technology, and information. It is important to assign roles and responsibility for the effective delivery of business. CIOs also need to have a clear understanding and count of the resources in their IT infrastructure and at the same time be environment- conscious. If companies are able to virtualize, optimize, consolidate, and cut down on their IT footprint, then they would add value to society. What challenges can a cios face during the transition phase and how can they counter them?

Possible pitfalls in transitioning could be the absence of a roadmap or a strong business case. Another snag could be that a CIO may only be focusing on the tactical goal instead of the strategic goal. To ensure project success and to avoid getting the transformation shelved halfway, CIOs need to have a strong management approval and to map the impact of investments on different elements in the system.

make your hardware resources available as virtual resources and utilize them in an intelligent fashion, thus reducing the TCO and maintenance cost. This is what intelligent workload management is all about.” Elaborating on SLAs, Thomas said that CIOs need to understand the variability of workload and SLAs and then assess their datacenters to create sustainable models that will, in turn help save costs. Talking about cloud computing he said, “If the benefits of the cloud could be made available in-house, it would be very beneficial. This way, end users get immediate provisioning, lower cost per workload, and resources on demand. This would help operate datacenters at a significant margin.” Talking about service management for dynamic infrastructure, he explained how self service provisioning of systems helps in automatic provisioning of resources through private cloud. He

EvEnT REPORT

also informed that IBM is using rapid, and self-service enabled request-driven provisioning models to provision systems. Talking about systematic disaster recovery, he said that in such a system synchronous data recovery is possible and failure is addressed through scripted mechanism.

iT infrAsTrucTure unDer scruTiny The forum also organized a discussion that brought up issues such as the practical perspectives IT leaders are looking at to make companies more dynamic. The discussion highlighted how simple changes in the usage of IT resources could make organizations more agile and flexible, even during the time of an economic slump. Talking about his take on the transformation of traditional IT infrastructure to dynamic infrastructure, B.L.v. Rao, vP networks and Systems, and Chief Information Security Officer, Infotech Enterprises, said, “The slowdown has taught us that opportunities like these must be encashed. This is the right time for IT transformation because we all know that our resources are getting squeezed and we have to achieve maximum utility from them. If some technology is able to help us achieve more with less, then it should be pursued. We should do it on a small scale and then take it to larger level.” Talking about the risk factor involved in making businesses agile, v. Srinivas, Chief Information and Technology Officer, nagarjuna Fertilizers and Chemicals, said, “We categorize resources based on the level of risk they are currently at. Then we try to think of a suitable strategy to bring the resources under an acceptable risk range through various technology options. Once this is implemented, we review the strategy continuously.” n. nataraj, CIO, Hexaware Technologies, seconded Srinivas’ opinion and said, “We look for the vulnerability in applications and then come out with risk mitigation strategies. This is how we ensure security.” Talking about integrating legacy in IT transformation, v. Balakrishnan, CIO, Polaris Software Lab, said that his company

From leFt: h.r. mohan, Associate VP - Systems, The Hindu, SireeSh chanDra Vungal, Manager IT, Vimta Labs, n. nataraJ, CIO, Hexaware Technologies.

constantly rejuvenates its systems. He informed as part of its latest replacement policy, his company buys resources that have a five-year guarantee. At the end of that period the resources go into the cannibalization phase. On how his company is adopting virtualization he said, “When we get new servers, we get virtualization ready ones. We consolidate the requirements of the company and buy the highest possible John J. thomaS configuration. This is a Consulting Engineer, IBM, USA virtualization-friendly purchase policy.” Adding his views on the same topic, Sunil Sirohi, vP, nIIT, said, “Legacy is a reality and we all have to live with it. We can have refresh policies, and exercise them at appropriate intervals. Sometimes a new technology helps us to come out of that legacy.” Talking about the workloads in his organization, Sireesh Chandra vungal, Manager IT, vimta Labs, said, “The workloads are irregular and depend on various projects. Our company work on contracts, hence, the resources we dedicate to one customer cannot be used for another. The problem for us is lateral traffic and there is no other way to allocate resources.” Adding to this Srinvas of nagarjuna Fertilizers and Chemicals said, “We have allocated common computing resources which we schedule in a manner that they do not clash with each other. We also try to manage the cycle such that all the peak loads also do not clash.” When asked how adaptable an organization could be made, David Briskman, vP and CIO, Ranbaxy Laboratories, said, “Any organization will have some inertia, whether we like it or not. It is about where we want to have that inertia and where we want adaptability. Change in business requirements and the way infrastructure keeps up with it, dictates these terms.” Talking about adaptability in infrastructure, vijay Sethi, vP Information Systems, Hero Honda Motors, said that even during a slowdown, transactions and infrastructure need not be scaled down. Instead, he suggested that organizations need to create an infrastructure that is scalable and does not need to be broken down and replaced in case of a sudden surge in demand.

“Cloud helps the users get immediate provisioning of resources on demand and lower cost per workload.”

EssEntial

technology Video management software helps with efficient monitoring, transmission and storage of IP surveillance video. Here's how to evaluate, purchase and implementVMS.

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

From InceptIon to ImplementatIon — I.t. that matters

Zeroing In on Surveillance Video By Mary BrandEl

| Video management software (VMS) allows you to record and view live video from multiple surveillance cameras — either IP-based or analog cameras with an encoder — monitor alarms, control cameras and retrieve recordings from an archive. Because they are IP-based, VMS systems are more expandable and flexible than DVR-based systems, and employees can control the software from anywhere on the network. Surveillance and security teams can use the software for live monitoring, as well as investigative and forensic purposes, using archived footage. Users have three form factors from which to choose for managing IP video: softwareonly, hardware/software appliances (sometimes referred to as network video recorders, or NVRs) or a hybrid DVR (digital video recorder), which is a DVR with additional software to manage IP equipment. Because of the economic downturn, the VMS market will see slower growth in 2009 than in previous years, with a forecast of 29 percent versus more than 40 percent, according

Physical security

Vol/4 | ISSUE/19

essential technology

to IMS Research. But with technology changing shape everyday, users can choose between software that they load, configure and manage on a server of their choice or a hardware appliance that's already loaded with software.

Software-Only Versus Appliance The benefits of appliances are reduced setup and installation complexity, while disadvantages are less flexibility, fewer customization options and more difficult integration with third-party systems. According to Simon Harris, senior research director at IMS Research, more advanced users will typically opt for software-only solutions, while those that aren't comfortable doing setup and configuration will choose an appliance, or what IMS calls a proprietary system. "If you have only a small number of cameras

with increasing criminal mischief. The surveillance system was designed to work with a large-scale, 4.9 GHz wireless mesh network designed by Norris and deployed throughout both cities. The network was intended for emergency access to municipal security systems as well as the deployment of remote cameras. Early in the endeavor, some of the Auburn schools were equipped with analog cameras and DVRs from Pelco, as well as some IP cameras managed by a Pelco video management appliance. But as the surveillance system was expanded, it became increasingly desirable to use high-resolution megapixel cameras in some areas and to use a more unified, single-application approach to accessing both video and other securitybased services. Using encoders, Norris tied the analog cameras into the schools' fiber-based

More advanced users typically opt for software-only solutions,while those that aren't comfortable doing setup and configuration will choose an appliance, or a proprietary system. and don't intend to integrate with your access control or building management system, that lends itself to proprietary systems," Harris says. "As they get bigger and more complex, that's when they go for open platform." This is what Jeff Hinckley, a systems integrator at Norris, ran into when he designed and implemented a video surveillance network for the cities of Lewiston and Auburn in Maine. The schools were working in conjunction with Lewiston-Auburn 911, an organization created by Auburn and Lewiston to provide dispatch and radio communications to first responders. The school system had obtained federal funding for a surveillance system to help

Vol/4 | ISSUE/19

Essentisl Tec.indd 57

network, added megapixel cameras and replaced the Pelco VMS with software from Exacq Technologies. Exacq's system, which runs on a Windows or Linux server, is able to support all the cameras and can integrate with access control systems.

VMS Versus Hybrid DVR Some DVR vendors have begun selling software that enables their DVRs to support both IP cameras and directly connected analog cameras. VMS-based systems can also support analog cameras, but they require the use of an encoder to translate the signal to digital. With hybrid DVRs, both types of cameras are supported directly. The hybrid option is particularly attractive to companies now, during the

29%

The amount that the VMS market is expected to grow by in 2009. Source: IMS Research.

economic downturn, when many end users will be motivated to make modest, incremental upgrades to IP, while staying with their existing DVR providers, says John Honovich, founder of IP Video Market Info, a video surveillance information portal. "In the past, if you wanted to add megapixel or other IP cameras to your surveillance system, you were forced to go to an IP-based VMS solution," he says. "That has become much more complicated now that DVR vendors are rolling out increased IP support." DVR vendors still don't support the breadth of cameras that VMS-based systems do, Honovich says. They might support two to five manufacturers versus leading VMS vendors, which support up to 50. "The DVR folks have a long way to go to catch up," he says. At the same time, over the next 18 months, the distinction between these manufacturers will largely disappear, Honovich says. He sees DVR companies broadening their IP camera support and selling software-only systems, either independently or through acquisitions, while VMS vendors will offer DVR/NVR appliances to appeal to organizations with smaller camera deployments. Already, he says, hybrid DVR vendors offer enterprise-level functionality, such REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

8/14/2009 12:39:05 PM

essential technology

as centralized management and thirdparty system support that, in some cases, is superior to VMS vendors, especially in the area of access control. "IP players will say they're more open, but I'd ask them to prove that," he says.

VMS Dos and Don'ts Do investigate the level of support for third-party systems. VMS systems can integrate with a wide range of third-

only supported by five software vendors in the market." Don’t forget user authentication and authorization. A big benefit of VMS systems is that you can centrally manage an unlimited number of devices. But you also need to consider how you're going to centrally manage the users accessing the system, especially if they are geographically dispersed. One way is to ensure the system integrates with the directory services

Abig benefit ofVMS systems is that you can centrally manage an unlimited number of devices.But you also need to consider how you're going to centrally manage the users accessing the system. party systems, including access control, video analytics, building automation and alarm management systems. Companies should investigate not just whether the VMS integrates with the systems it needs, but also the level of integration, which varies widely, says Brian Carle, product manager at Salient Systems. At a basic level, the VMS can receive and act on alarm events from the thirdparty system, he says. For example, when a person enters a building, an access control system could trigger the video management system to verify that the image of the person captured from video matches the ID card/system. At a more sophisticated level, he says, you'd be able to configure the third-party system through the VMS interface. Don’t get stuck on a particular vendor until you know which cameras they support. Whereas DVRs support almost any analog camera, such is not the case with IP video software, which needs specific drivers for each camera type. "Some support only one brand, while others support 500," Honovich says. "You can decide you really want to use a particular IP camera but then realize it's 58

Essentisl Tec.indd 58

a u g u s t 1 5 , 2 0 0 9 | REAL CIO WORLD

you're already using, such as Microsoft Active Directory Support. "If you're already using that for PCs, you can integrate your video surveillance system with that so they're both using the same user name and password," Honovich says. Plus, you can keep logs of video-watching behavior in a database. In the bad old days, says Honovich, you would have to set up a unique user name and password for every DVR or video management system, which created a nightmare scenario of people using weak default passwords like "admin." "Anyone could get in at any given point of time," Honovich says. "That's why centralized management is an important element, given the history of poor user access management."

User Comes First Do look for an intuitive user interface. Security personnel can turn over quickly, so it's important to have a system on which you can train people quickly and easily. Not to mention, many are moving from the world of analog systems, so the transition to a computer interface needs to be considered. "Security can be a fluid

How to Decide on Video Management VMS systems range from the basic to the sophisticated, with major differences including reliability features and number of cameras and locations supported. Here is a sampling of features to consider: Specific options for different verticals, including retail, banking, transportation, and more Video analytics, such as license-plate or facial recognition Integration with third-party systems, such as access control, building automation, alarm management, video analytics and more Motion detection Customizable, resizable viewing panes User interface features that include hot-spot windows, color-indicated activity, instant replay, and quick switching between cameras ‘Privacy zones’ to protect sensitive areas from being monitored Creation of customized rules. For instance, if a particular door opens, the camera begins recording and even activates an alarm or sends an alert Camera control (pan, tilt, zoom) View multiple video channels at once Multi-channel playback, which allows users to play recorded video from several cameras simultaneously — useful if tracking a suspect through hallways Multiple search devices, including fastforward, reverse, thumb-nail view, time line bars, bookmarking, and more Secure export of material evidence Fail-over capability that enables continued recording if the primary server goes down

—M.B

Vol/4 | ISSUE/19

8/14/2009 12:39:05 PM

essential technology

profession, so you don't want to invest a lot of training, which makes an intuitive interface paramount," Honovich says. Often, Carle warns, applications are designed with functions buried under menus, and it takes many mouse clicks to perform a function. "Ease of use and training are a primary concern for organizations that have guards monitoring the video," he says. The best thing to do is try the product in an existing environment to see what users do and don't like, says Kani Neves, executive director of the Sherwood Valley Gaming Commission. That's what his group did before choosing a system from Genetec for the Black Bart Casino. "We visited other facilities and environments to see what we thought would apply to us and not," he says. Do consider resource-saving features. Some features can help minimize time and

view, as well as a specific time frame, and capture only recordings where motion is detected in that area in that time period. Systems differ, he says, in terms of the speed of these searches, depending on whether it records metadata along with the video. Meanwhile, a mapping feature allows administrators to import an image file and overlay icons representing cameras on the map, Carle explains. "This will show an operator exactly where a camera is in the facility, making it much easier to learn the system and track activity across cameras."

Talking Money and Storage Do understand cost structures. Many vendors calculate cost by charging a certain amount for each video device used with the system, plus an upgrade subscription fee, which entitles the user to download new

Do look for an intuitive user interface. Security personnel can turn over quickly,so it's important to have a system on which you can train people easily.The transition to a computer interface needs to be considered. staffing levels, including alarm clients, mapping clients and smart searching. Alarm clients display a blank video screen until activity occurs on associated cameras. Only video triggered by motion or alarm will display, "which prevents the operator from being bombarded with potentially irrelevant video information," Carle says. This can cut down on the number of personnel you need. Some alarm clients include a history list of events, so an operator can click on an item in the list and quickly play back video of the event, he says. Smart search, Carle explains, speeds investigations because you can specify particular areas in the camera's field of

Vol/4 | ISSUE/19

Essentisl Tec.indd 59

versions of the software, Carle explains. Some also charge a server fee, either as a site license or for each server on which the software is installed. Per-device costs vary widely, mainly depending on the system's level of sophistication. Very highend systems can be over $1,000 (about Rs 50,000) per camera, while an enterpriselevel, scalable system can be $200 (about Rs 10,000) to $500 (about Rs 25,000) per camera, Carle says. Donâ&#x20AC;&#x2122;t forget to consider storage. Especially with higher resolution cameras, video surveillance can start to take a big bite out of storage. Many vendors offer various techniques to keep that to a minimum.

For instance, the Genetec system that Neves selected can change video resolution from 4 CIF to 2 CIF or less. "The software can manipulate what the camera sees and records, how much it records and with how much clarity," he says. Another way that Neves minimizes storage requirements is through Genetec's motion detection capability, which can be applied to any camera even if the camera itself does not have the ability to sense light. The feature enables the casino to record only when tables are in use, to meet the federal requirement of 24/7 recording for active tables. In all, there are 100 tables, and if just 50 are being used at a time, only the cameras focused on those tables need to record video. "Anytime a customer or dealer enters the frame, the system automatically starts recording five minutes prior to that," Neves says. "And you can tell it to stop recording once motion has left the frame. It allows us the freedom to utilize cameras when we need them." Plus, if certain areas of a casino are only accessible at certain times, he can use motion detection on cameras monitoring the hallways and doors in those areas to check for abnormal access. "With 500 to 600 cameras, we don't have the manpower to hire the people it would take to see everything going on," he says. "This enables us to minimize our staffing while increasing our security level." CIO

Send feedback on this feature to editor@cio.in

REAL CIO WORLD | a u g u s t 1 5 , 2 0 0 9

8/14/2009 12:39:05 PM

Pundit

essential technology

The Risk of Following the Herd

Thereâ&#x20AC;&#x2122;s a new threat to business: supply chain risk. By tying in to a small set of suppliers executives are putting themselves in a corner. By Thomas Wailgum supply chain| Without question, today's supply chain applications can provide unmatched visibility into a company's supplier base, help spot inefficiencies and allow for better, smarter decision-making on logistics and inventory. But if several manufacturers in your Chinese or European network suddenly shut down, there's not much software can do. You're on your own. That is, in fact, a problem that's been staring at companies big and small since the

of the Fortune 500 companies spend," states the report. "If these common suppliers become 'high risk' suppliers, then that risk will likely impact a high percentage of Fortune 500 companies." New global trade data from Panjiva, a vendor that tracks the health of the world's suppliers, shows that "after four months of free fall in the number of manufacturers shipping to American customers," there have been small increases from February 2009 to March, and from March to April,

strategist in a May report, titled Supply Chain Risk, 2008-2009: As Bad as it Gets. Top risks include: intellectual property infringement, supplier quality failures and internal product quality failures. That inherent Chinese risk becomes almost exponential, simply because so many companies have flocked to China for sourcing partners and when the dominos fall, it's difficult to make them stop. O'Marah offhandedly wonders whether the world has put "too many eggs" in China's basket.

AMR Research's risk survey data says that the recession has given global supply chain professionals the ultimate real-world crash course in risk assessment and mitigation. recession began, and has been amplified each month as new manufacturing data surfaces showing even more risk and uncertainty. For the Fortune 500 set, for instance, data from CVM Solutions (a suppliermanagement software vendor) shows that the world's biggest companies rely on a relatively small pool of the same suppliers. And when businesses in this pool sink, it can ultimately mean "interruptions in business operations, financial loss and damage to brand reputation," notes a recent report from CVM. "Years of strategic sourcing and supplier consolidation has created a dangerously small group of suppliers that receive most 60

ET-Pundit.indd 60

a u g u st 1 5 , 2 0 0 9 | REAL CIO WORLD

notes Panjiva CEO Josh Green on his blog. However, he adds, "the news isn't all good." Data released by Chinese officials, for example, suggests that, on a seasonally adjusted basis, "April was worse than March for the world's largest exporting economy," Green writes. "Risk for those engaged in global trade remains high: The percentage of significant manufacturers on the Panjiva Watch List edged up from 30 percent in March to 31 percent in April." China, in particular, has lost much of its luster as the low-cost, no-frills manufacturer to the world. China "is the world capital of supply chain risk," notes Kevin O'Marah, AMR Research's chief

Of course, when the economy does rebound, companies may find that there aren't enough manufacturers to deal with their manufacturing demands. O'Marah sums up today's unenviable supply chain environment this way: "Our newest quarterly risk survey data just came in, and the story shows a quantum leap in maturity among global supply chain professionals who have enjoyed the ultimate real-world crash course in risk assessment and mitigation," O'Marah writes. "The bottom line: Disaster is real and pervasive." CIO Send feedback on this column to editor@cio.in

Vol/4 | ISSUE/19

8/14/2009 12:41:07 PM

Engineered for uptime

™

Data Center Solutions to Maximise Network Uptime One of the most critical measures for Data Centers is network availability. Sophisticated data centers seek Tier IV reliability of 99.995% network availability. Still, all of the redundancy and advanced power and cooling solutions available are worth nothing if the cable, connectivity and cable management systems are inferior and lead to network downtime.

ADC KRONE’s TrueNet structured cabling solution for Data Centers help: • Lower your total cost of ownership • Support your future growth plans • Reduce your risk of downtime • Maximize performance • Improve your ability to reconfigure

Tap into ADC KRONE’s expertise. Contact us today to get a:

Copy of Data center Solutions guide

Appointment with our Data Center cabling consultant

Brochure on Creating a Green Data Center

SPACE SAVINGS | RELIABILITY | MANAGEABILITY

LAN Cabling systems

Intelligent Physical Layer Management

Racks & Glide Cable Management

Fibre Management Systems

truenetindia@adckrone.com 1800 425 8232 or +91 80 2839 6101 www.adckrone.com/in

10G Solutions The World’s first Cat6A cable

Fibre management Systems

Green Data Center