NetSPI Blog

Where the CISO Reports

Deke George | Thursday, October 22nd, 2009

Since the role of the Chief Information Security Officer (CISO) and how he or she reports has a major impact on security and risk, I think it’s interesting to look at how different organizations have structured the position. With that said, there is very little consistency other than a correlation with the industry vertical’s understanding of IT risk.

Within financial services organizations, the CISO (occasionally the top position is given to a Chief Security Officer (CSO) who owns both physical and IT security) often reports to the Chief Information Officer (CIO). However, at many large financial services organizations, the CISO or CSO reports outside of IT, often to the Chief Risk Officer or another C-level executive.

The CISO position within healthcare has been treated quite differently. Because of HIPAA, many organizations didn’t want to promote the security manager to the CISO position, so they gave their CIO the CISO title as well. There is often a Director or Manager of Information Security a few rungs down reporting to a lower-level manager.

Information security within retail is also quite different. With the focus on PCI, the CISO or director of information security is often tied to the PCI or compliance group. Within large retailers that have loss prevention or risk departments, the CISO sometimes reports through them.

Because of their historic focus on physical security, energy companies often have a CSO or CISO that owns both the organization’s IT and physical security. In some cases I’ve seen this position report to facilities, but usually it reports into operations, and occasionally it reports to the CIO.

The military often leads industry in its adoption of information security practices. One interesting change is that security teams have taken significant ownership of IT leadership. In the case of US Cyber Command, a separate group is being set up outside of IT reporting directly to the highest levels of government. I’m not sure how this change will find its way to the private sector, but it is a very interesting precedent that will likely have an impact on information security and the CISO.

In general, the more risk-sensitive the industry, the higher up CISOs will report, until they report entirely outside of IT. In many cases, regardless of where they fit in the reporting structure, the CISO will report regularly to the board about the state of initiatives, compliance, audits or assessments. With this type of visibility, I think it’s clear that the CISO will continue to rise in prominence, and the information security reporting structure will continue to evolve. However, it may take a compliance-related mandate within the lagging industry verticals for this to happen quickly.

Mergers & Acquisitions in the Information Security Field

Deke George | Thursday, October 1st, 2009

The news about the sale of the VeriSign consulting team to AT&T suggests that there will be many similar transactions in the near term within the information security market. The investment being made in this market is great, but based on previous experience, a positive outcome is less than certain. From my point of view there have been three stages of roll-up/investment in the market, and each has had limited success.

The first stage included some winners like the VeriSign IPO, and some less successful acquisitions, like The Wheel Group with NetRanger and NetSonar. The acquisitions continued through the end of the Internet boom, with Symantec leading the charge with acquisitions ranging from Raptor/Axent to Riptech. Overall, the outcome was marginal. Many of the purchases were product-oriented, and most of the products are now gone. However, the managed services organizations like Riptech and the independent spin-off of Secure Computing’s consulting team (Guardent) lived on to do fairly well.

The second stage started with the acquisition of Guardent and was followed by similar transactions with Foundstone and @Stake. The NetSPI team had looked at these firms as the industry leaders to be emulated; however, the rumor was that these sales were driven by the investment bankers’ fears of a market downturn (which turned out to be correct). There were other purchases around this time that also fit into a similar category, like BT’s purchase of Counterpane.

With improved market conditions, the IBM purchase of ISS and the MCI purchase of NetSec, with its subsequent combination with Cybertrust, fall into a third stage. The outcome of these appears to have been OK, but, as with all mergers, there appears to have been some misalignment. As we’re now seeing, Guardent and the related MSS group are being spun off from VeriSign. This stage now includes the roll-up of security assessment product companies like Sanctum, SPI Dynamics, and Ounce by major technology integrators. Other real and rumored roll-ups include mid-sized VARs like Fishnet and Accuvant purchasing similar companies.

With the VeriSign consulting announcement, we are seeing the continued consolidation of the market. There will likely be more acquisitions, and it will affect the security market and its consumers in good and bad ways. On the positive side, consolidation could produce what the industry still lacks: a focused leader with a consolidated offering. Symantec and McAfee tried to play this role, but they appear to have given up on it. IBM may have the offering, but since they offer so much else, I wouldn’t call them the security industry leader.

The current trend of carriers and major technology players getting into the space means larger and more consolidated security offerings. The lack of focus may limit the ability of these large firms to continue to offer boutique-oriented services. Additionally, roll-ups that combine security with other offerings introduce a lack of independence. This is a huge issue that doesn’t get discussed much, but it’s one that no firm has truly overcome. It will be interesting to see how the remainder of the product companies fit into this stage. nCircle and Fortify are organizations to watch in this regard. It will also be interesting to see how successful the carriers like AT&T and the major tech players like IBM and HP are at integrating security consulting into their organizations.

Maturity and Convergence at the PCI-SSC Community Meeting

Deke George | Monday, September 28th, 2009

I attended the PCI-SSC community meeting this past week (September 22-24). There were three key issues discussed that showed that the PCI program is maturing and that a number of standards and regulations are converging (both in and outside the PCI world).

The first issue signaled that the council’s view of IT risk is maturing. Bob Russo made it very clear in a couple of his presentations that organizations need to focus on security as opposed to just compliance, although there wasn’t a lot of detail offered on how to do this. The presentations mainly focused on ensuring that complying with the PCI standard is a year-round activity/program and not something just done for the audit. I’d argue that moving from compliance to security is a philosophical shift that occurs when organizations mature in how they deal with IT and business risk. Generally, the financial services organizations within the PCI community get this. It’s interesting to note that the driver for the council’s new views appears to be the very public breaches that have occurred within PCI-covered organizations over the past 18 months. So, the council has felt the impact. The key question is how the council will help the greater PCI community understand and mature their approach to IT and business risk.

The second, closely related topic was the focus on moving to more of a risk-based approach to implementing the PCI DSS. The council was only lukewarm to this idea, and I agree with their hesitation. Managing a risk-based approach may be something that is incorporated over time, but it adds too much subjectivity to the current PCI program. I think that until more organizations fully and truly implement PCI, such an approach will only muddy the waters. That said, incorporating risk as a consideration is important to an organization’s compliance efforts. As I mentioned above, I think the most pertinent issue is to get PCI-covered organizations to understand IT risk and how it translates into risk to their business. While assessors and many of the banks understand this, some merchants are still a ways off in getting to this level of maturity.

The final and much broader issue related to general standards. The council has always relied on NIST as a guideline, but this year there was much more discussion surrounding NIST, FISMA, and future regulations that will impact PCI. In the keynote, former Congressman Tom Davis discussed the process of passing FISMA. His prediction was that any new information security legislation was not going to happen in the near term. Nonetheless, there appears to be a converging consensus on the value of the existing FISMA and NIST standards. The nuclear power industry, NERC, and a number of the ISACs are strongly considering moves and potentially longer-term mandates that use these federal standards as their direct basis. Ultimately, I think it is very likely that many organizations will use significant portions of these federal standards as their basis. This could be both good and bad and is much easier said than done, but simplification and consistency should help all industries and information security in general.

Overall, the conference was a good barometer on the maturity of the PCI community and I think that, although there have been issues, the program is moving in the right direction.

Cyber Security and Nuclear Energy

Deke George | Thursday, September 17th, 2009

I attended the Nuclear Information Technology Strategic Leadership (NITSL) conference last week, which featured some very interesting discussions on cyber security. One of the keynote speakers described the state of the industry’s physical security, which, when compared with information security, is in very good shape. She discussed the quite substantial investment that her organization had made over the past eight years.

In general, since 9/11 the nuclear power industry has spent billions on physical security upgrades and programs at US plants. This spending is in addition to the significant budgets for physical security allocated since the industry’s inception. Physical security has always been well addressed systematically within plants. This means significant security input from design (Design Basis Threat analysis) through post-implementation testing (Force on Force Drills). Annual spending per plant on physical security is estimated at $10M to $15M.

The impact of a physical security event has the potential to be catastrophic. At the upper end of impact, these events range up to compromise of the core reactor itself. While the impact of an event of this nature would be catastrophic, this risk scenario was planned for in initial plant design and with subsequent physical security programs. So, while the potential impact may be great and the threat high, because of significant risk mitigation through design and ongoing physical security programs, the overall risk is low.

While the impact of a cyber security incident may not be quite as dramatic, it still has the potential to be very damaging. As plant IT environments become more networked and control systems are integrated with IT, the potential for a catastrophic event based on a cyber security incident greatly increases. The threat level at a nuclear power plant is orders of magnitude higher than at a typical enterprise; plants are attacked on an ongoing basis.

At the conference last week, the discussion revolved around what the final cyber security standard will be for the industry. There have been steps to develop a common risk and compliance framework through the NRC and NEI, but there has not been agreement on how to secure the US nuclear power industry. This needs to be addressed immediately (and one hopes it will be), but more importantly, power companies and plants need to begin to allocate appropriate budget to implement and maintain their cyber security programs. The investment will be substantial, and the organizations will need to plan accordingly. One way to look at the budgeting for cyber security is that, while it may not be quite as costly as physical security, it will be on that order of magnitude.

Healthcare Organizations and Tighter Security Requirements

Deke George | Tuesday, August 11th, 2009

Because of increasing threats, high-profile data breaches, and increased awareness of the damage they cause, we anticipate a substantial tightening of regulations and contractual requirements that will significantly impact information security in healthcare.

Today, HIPAA, CCHIT, and state breach notification laws are the main standards that govern security within healthcare systems that deal with protected health information (PHI). But these are generally high-level requirements with low levels of enforcement. The American Recovery and Reinvestment Act (ARRA) of 2009 contains legislation mandating broader and deeper security for healthcare, and the consensus view is that more legislated regulations will follow.

The Health Information Trust Alliance (HITRUST) is an industry group that has developed a set of standards, the Common Security Framework (CSF). This set of standards generally follows industry best practices and is very comprehensive. Important members of this group (Humana, United Health Group, Blue Cross Blue Shield, and Columbia HCA, to name a few) are pushing to mandate these standards across the industry. It is possible that many of these standards will be adopted by the group members through a contractual stipulation that the software they purchase meet the HITRUST CSF standards.

In addition to HIPAA and CSF, Payment Card Industry (PCI) standards also affect healthcare payers and providers when credit card information is involved in any way (processing, storing, or transmitting). For healthcare payers and providers, the PCI Data Security Standard (PCI DSS) applies. For healthcare software providers whose applications touch credit card data, the PCI Payment Application Data Security Standard (PA-DSS) applies.

It is likely that the Obama administration will implement much stricter security standards in healthcare, in conjunction with its emphasis on greater use of electronic health records (EHR). It is also likely that these standards will follow industry best practices and be based on the most successful existing standards, such as PCI and HITRUST. Based on this likely increase in regulations and the increasing number of threats, healthcare organizations should develop a risk-based security strategy that includes industry best practices using HIPAA, CCHIT, PCI and HITRUST as a guide.
