Column
It’s all about the data

Rob Newby

Money is oxygen to a business: it is required in order to grow, and without it the business dies. Businesses are run to maximise profit and so improve their chances of survival and growth. Information security is a difficult sell to such profit-focused businesses. Putting safeguards in the way of business operations slows communication, and operational latency creates cost. Safeguards do not boost revenue; in fact they cost money. For a security product to succeed, the cost of deploying it has to be shown to be a worthwhile investment. Adding security does not eliminate a threat; it merely reduces the probability of that threat harming the business.

The security officer’s role is one of risk analysis: to collect information about the network, seek out vulnerabilities, and weigh the cost of securing each weak point against the cost of a breach. In the absence of fines or other threats to the business, the cost of a breach is passed on to customers as higher prices, without their knowledge. The breach therefore registers as zero on the company balance sheet, and no security investment can be justified against it. Compliance is now used to hold board-level management directly responsible for customer information and has forced the disclosure of breaches of private information; it has also helped put a more consistent figure on security across the board. It has not increased the inherent value of security, however, so its usefulness as a driver is still limited, and businesses are not yet queuing at security vendors’ doors.

Security sales still tend to be driven by events. High-profile viruses and Trojans made antivirus popular, and the hacking of networks made firewalls a necessity. More recently, high-profile data breaches such as those at TJX, ChoicePoint and HMRC have started a slew of panic sales.
Products bought in the aftermath of such events often give a false sense of security, whether intended or merely perceived. It is assumed that paying for the answer will solve the problem, and it might; but the security of any system is only ever as strong as its weakest link. Security marketing has become largely a matter of conjuring possible events and relying on fear, uncertainty and doubt (FUD) to push sales. Sadly, compliance is also used as ‘proof’ that this FUD has a reason to exist. Security officers and marketing executives can make a volatile mix as a result, and agreement is rarely simple.

To bullet-proof a business would be to cripple it. The ability to access data quickly and efficiently, on demand, is the normal concern of any business. Understandably, then, the focus in the enterprise so far has been on network security, the conduit to the data. Recently that focus has shifted to where the real security issues lie: the data itself. A friend of mine on the security circuit coined the phrase “information is data with a value”. Widespread availability of data can reduce its value quickly, especially when it appears outside your network. In simple terms, if everyone else knows what I know, I can’t charge them for it.

So what needs to be added to the data to keep the value ‘locked in’? Integrity adds value when we are certain of origin, and that certainty comes from a digital signature, not from encryption. A signature is bound to the signer’s key: if a piece of signed clear text is intercepted and changed, the signature no longer verifies, and the interceptor cannot re-sign it without that key. What clear text does leave open is reading, so confidential data also needs encryption. Encryption alone is not an integrity control, though: ciphertext can be altered blind, and if nothing ties it to its origin the recipient decrypts the altered version none the wiser. Signing the message and then encrypting it gives both: it cannot be read in transit, and any altered copy is rejected at the end point, so the original message must be re-sent. To access information, strong user controls and policies are required. Add endpoint controls to prevent information leaving the organisation and it becomes more secure still, without losing the ability to reach those who can add yet more value.
In this way, adding security helps retain value for longer, or even increases it. Security is not the complete solution that many vendors market it as. The market is maturing to accept data security as being of great importance, and the marketing that stands out now is that which does not speak in compliance buzzwords. A data-centric approach, in which businesses benefit directly from added security, might just be the answer. Indeed, it may even detract from ‘security theatre’ and FUD, and information security will instead be able to add real value to a business.
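The signing-and-encryption point made above, as an added example that is not part of the original column: a Python script (standard library only) showing why encryption on its own does not protect integrity or origin, and why a key-bound tag does. HMAC-SHA256 stands in for a digital signature here, since both bind the tag to a key the interceptor lacks; the stream cipher is a deliberately toy construction, assumed purely to illustrate the malleability of an unauthenticated CTR-style cipher, not a real cipher. The keys, nonce, message and forged amount are all constructed for the example.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || counter).

    Assumed here purely to illustrate an unauthenticated stream/CTR-style
    cipher; it is NOT a real cipher and must not be used as one.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (confidentiality only)."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def tamper(ciphertext: bytes, known_plaintext: bytes, wanted_plaintext: bytes) -> bytes:
    """Interceptor's bit-flip: with no key at all, rewrite the leading bytes of
    the ciphertext so they decrypt to wanted_plaintext instead of known_plaintext
    (the interceptor knows or guesses the original, e.g. from a fixed format)."""
    n = len(known_plaintext)
    if len(wanted_plaintext) != n or n > len(ciphertext):
        raise ValueError("wanted_plaintext must match known_plaintext length")
    head = bytes(c ^ p ^ w for c, p, w in zip(ciphertext[:n], known_plaintext, wanted_plaintext))
    return head + ciphertext[n:]


def sign(mac_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag standing in for a digital signature: only a key holder
    can produce a tag that verifies, which is what binds the message to its origin."""
    return hmac.new(mac_key, message, hashlib.sha256).digest()


def verify(mac_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign(mac_key, message), tag)


def sign_then_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Sign first, then encrypt message and tag together."""
    return encrypt(enc_key, nonce, plaintext + sign(mac_key, plaintext))


def decrypt_then_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes):
    """Decrypt, then accept the message only if its tag verifies; otherwise None."""
    if len(ciphertext) < TAG_LEN:
        return None
    data = decrypt(enc_key, nonce, ciphertext)
    message, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    return message if verify(mac_key, message, tag) else None


def demo() -> dict:
    """Run the three cases and report what the end point sees."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    original = b"PAY 0100 GBP TO ALICE"   # constructed sample message
    forged = b"PAY 9900 GBP TO ALICE"     # same length, amount changed

    # 1. Encryption alone: the interceptor cannot read the message, yet can
    #    still change it, and the recipient decrypts the forged amount.
    ct = encrypt(enc_key, nonce, original)
    seen_unauth = decrypt(enc_key, nonce, tamper(ct, original, forged))

    # 2. Sign then encrypt: the same bit-flip changes the message but not the
    #    tag, so verification fails and the end point rejects it.
    ct_auth = sign_then_encrypt(enc_key, mac_key, nonce, original)
    seen_auth = decrypt_then_verify(enc_key, mac_key, nonce, tamper(ct_auth, original, forged))

    # 3. An untouched signed-and-encrypted message is accepted as sent.
    seen_clean = decrypt_then_verify(enc_key, mac_key, nonce, ct_auth)

    return {
        "unauthenticated_tamper_succeeds": seen_unauth == forged,
        "authenticated_tamper_rejected": seen_auth is None,
        "untouched_accepted": seen_clean == original,
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running it shows the first case succeeding for the interceptor and the second being rejected: the difference is not that the ciphertext is unreadable but that the tag is bound to a key the interceptor does not hold. In practice the same property comes from an authenticated cipher mode (such as AES-GCM) or a public-key signature rather than this toy construction.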
Rob Newby, SecurEMEA
MAY/JUNE 2008