Information Security News: No Such Thing as Security "Best Practices"

[InfoSec News <alerts () infosecnews org>]

http://www.baselinemag.com/article2/0,1540,2209216,00.asp

By Bob Violino
Baseline
October 29, 2007

Linda Stutsman is managing director of the International Information 
Integrity Institute. I-4, as it's known, was founded in 1986 by SRI 
International (formerly Stanford Research Institute) to promote the 
sharing of security-related information and help companies address 
critical security issues. Operated by IT services company Getronics, I-4 
works with its global members to explore security issues and identify 
cost-effective solutions to security threats.

Before joining I-4 in June, Stutsman was senior vice president of 
corporate information security at Bank of America, and previously served 
as chief information security officer at Xerox. She spoke recently with 
contributing editor Bob Violino about her experience in corporate IT 
security, her role with the I-4 consortium and why she doesn't believe 
in best practices.


Baseline: What do you see as the biggest threat to corporate information 
and computing centers today?

The biggest threat is the same threat we've always had: It's not 
unauthorized access to information—it's abuses of authorized access to 
information. It's not a new threat, but there are new ways of abusing 
that same access. I've been in this business for a very long time, and 
25 years ago we didn't have to worry about employees taking pictures of 
customer information with their cell phones. We didn't have to worry 
about employees with USB drives on their key chains. There are new ways 
of thinking about old threats. It's not just employees. This can be by 
employees, customers, business partners or outsourcing partners who have 
authorized access.


What can be done about abuses of authorized access? What are the best 
technology and policy solutions?

Some companies are dealing with data leakage by more carefully limiting 
the scope of authorized users on the policy implementation side, and on 
the technology and process side by restricting methods of access, via 
thin client, and by piloting digital rights management for controlling 
usage—scaling continues to be an issue. There's more extensive access 
monitoring, where legal or forensics have helped define patterns of 
access to information, for example. It's a combination of people, 
process and technology solutions.


What about information security threats from the outside? What are 
organizations concerned about most right now?

There's a growing awareness of application-level vulnerabilities of 
Internet-facing applications. Companies are investing in technologies 
and processes to help applications people understand and correct the 
problems in a timely manner.


On a broader scale, what are some of the key riskmanagement issues 
facing organizations today?

I-4 is involved in risk-management issues across the board. Because of 
the nature of the wide breadth of industries in I-4, it's the regulatory 
environment that is one of the biggest issues. The landscape of 
regulatory requirements is an immense challenge. It's just very tough 
for businesses to keep up with the changing requirements. You have the 
federal level—Sarbanes- Oxley is an example—and then multiple 
state-level privacy laws and regulations. Then add in the industry 
regulations such as HIPAA [Health Insurance Portability and 
Accountability Act], and the global regulations such as the European 
Union Data Directive and Basel [recommendations on banking laws and 
regulations issued by the Basel Committee on Banking Supervision, an 
institution created by the central bank governors of the G-10 
countries].


Exactly what kind of security information sharing and problem solving 
does I-4 handle?

We share case studies about experiences; I'm not going to say best 
practices because I believe there are no best practices. We share 
information about real life, practical security solutions. We share war 
stories. We have select vendors come in and talk about their strategies. 
We don't talk so much about products, but about thought leadership and 
strategic visions. We also have [representatives from] universities come 
in and talk about research, where they think security is going. We talk 
about things that are happening today rather than focusing on older 
threats and technologies. For example, we saw phishing as it was 
happening because we had a member comment that his company was dealing 
with it, almost in real time. We discussed solutions to phishing way 
before the public first saw it.


How detailed are the discussions about specific security incidents?

Because we're a confidential group we can get down to a detailed 
level—we're truly sharing useful information. Typically when it's a 
public group you don't get down to a detailed level of discussion 
because you don't know who you're sharing with. [In I-4] you're getting 
data you can take back to your office and adjust to your own needs. 
You're networking with other colleagues, and when you run across 
problems you can call someone to help solve the problem.


Are there other examples, besides phishing, of security threats that I-4 
members discussed before they were generally known?

I-4's history has many examples of topics introduced early in their 
maturity cycle. I've spoken with some of the I-4 founders and they 
actually talked about data protection in 1988, how to safely connect a 
company to the Internet, how the Web would change the world, about the 
disappearing perimeter in 1997, quantum computing and crypto in 2002 and 
managing offshoring in 2003.


You mentioned a moment ago that there are no best practices in security. 
Can you explain what you mean?

I don't believe in best practices.

"Best" is contextual. What is a best practice for one organization may 
not be a best practice for another. In one industry it might be a best 
practice but for another type of company it might not work or it might 
be overkill. Members consider what their colleague organizations have 
done that's new or different compared to what their own approach to 
related situations has been and apply the thinking within their business 
risk tolerances. I believe each company has to take the best of each 
solution and customize it. There may a best practice within an industry 
but it's tough to go across industries.


How do you plan to change I-4's focus, and what are your ultimate goals 
for the organization?

It's really way too early for me to say right now. I'm in discovery 
mode; I'm talking with members and working with the member advisory 
committee. I'm listening, I'm asking questions. Any changes we make will 
be thoughtful, and they will be member-influenced changes. I-4 has not 
only survived for 21 years, but has thrived for 21 years. There's a lot 
that's right with I-4, so any change will be very slow, purposeful, 
strategic change. But again, it's way too early right now to tell what 
that change will be.


Do you think your previous experience at Bank of America and Xerox will 
help or hurt you manage a corporate security consortium?

It will absolutely help. My experience with information security in 
general will help. I think the fact that I've been a member of I-4 will 
also help. I'm aware of what I-4 is all about, and I think the fact that 
I've been participating in I-4 for almost eight years will have an 
impact. I've seen it evolve over those eight years and l've seen the 
information security field evolve over the last 25 years. Also, coming 
from two different industries, manufacturing and financial services, 
gives me some good perspective.


How has the information security field evolved over the years? What have 
been the biggest changes since you began working in the field?

The most important changes have been, on the technical side, the immense 
growth of "connectedness" in all aspects of business processes and work 
life, and on the management side, the recognition that information 
security organizations and people work best when serving the business. 
The security people are helping businesspeople understand the risks and 
security implications of their plans and activities, and are helping to 
secure those business processes within the risk environment.


During your tenure at Bank of America and/or Xerox, did either 
organization experience a security breach? What happened, and how did 
you or the organization respond?

Every organization at some time experiences some type of security 
breach. But I can't really comment in detail on that. I wasn't part of 
the investigative teams at either of those companies.

I can say that at Xerox it was more around early response to viruses and 
being able to contain them and shut things down while we did cleaning 
and prevented damage to our systems— the emergency response team had to 
deal with things like the Melissa virus.


Any advice about security for CIOs and CSOs?

I'd say treat information security as a business problem, not a 
technology problem. It's a business problem because information is a 
business enabler. My entire career has been spent [looking at 
information security] that way. We are in the business of business, not 
in the business of information security. If information security is 
implemented correctly, you should be there to help support the business 
goals. Information security should never be an end unto itself.

Copyright (c) 2007 Ziff Davis Media Inc.

__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com