Money Matters

By CIOinsight

Re-Engineering Security

A little past midnight on the morning of January 25, a computer worm called SQL Slammer began attacking 300,000 servers on five continents. In just 14 minutes, from start to finish, the worm ripped through a flaw in a popular Microsoft database package called SQL Server 2000, knocking out 911 emergency response systems in Seattle, forcing Continental Airlines to cancel some flights because of problems in its electronic check-in system and rendering some mobile phone service in South Korea inoperable. Before it was through, Slammer also had crashed many of the 13,000 ATM machines belonging to Bank of America.

The irony? Microsoft had released a patch for the SQL bug a full six months earlier, one of hundreds of patches issued by software makers to companies last year. But many companies around the globe, including Charlotte, N.C.-based BofA, didn't apply the patch in time. Says Rhonda MacLean, the company's director of corporate information security: "Slammer was a good example of a time when the bad guys got us first."

BofA's experience is hardly unique; even Microsoft got hit by the Slammer. According to Carnegie Mellon's national Computer Emergency Response Team, which tallies cyber attacks on company systems, the number of security flaws in software is roughly doubling every year, along with the number of reported attacks. Companies now get hacked, on average, 30 times a week, with 15 percent of attacks resulting in system entry. For the first three months of this year, more than 42,000 attacks were reported to CERT monitors. And that's only a partial reading: The FBI says just one in five attacks are reported, thanks to reluctance on the part of companies to broadcast security failings to customers and shareholders. Worse yet? The new viruses are becoming more sophisticated: Slammer scanned more than 55 million computer systems per second, 100 times faster than the previous Code Red virus, says Alan Paller, director of research at the SANS Institute, a Washington, D.C.-based security information center.

Trouble is, most companies are making little, if any, real headway in countering the rising information security threat. Most companies weren't designed for information security, but for maximum efficiency and transparency in the way they hire and train people, collaborate, and churn out goods and services—all in a highly networked environment. Further, most companies still put more emphasis on physical security, Paller says.

Could we lose the cyber-security war? Former White House cyber-security czar Richard Clarke says companies are at a "tipping point," where the ability of hackers to attack networks may soon eclipse the ability of companies to fight back. Says Gartner Inc. research director Roberta Witty, "There's a momentum building for sweeping corporate security reforms that will be hard for any company to ignore moving forward."

Stepping up to the plate won't be easy. The issue isn't whether companies have the right security tools, or even whether the new guy just hired to head up security has the best available skills. Boosting a company's resistance to threats old and new is going to require what Clarke likes to call a "deep defense," a whole new way that everyone inside the organization—from the people in the mail room to the CEO—must follow instructions, make decisions, collaborate, plan, market and produce. Says Mark Doll, a partner and director of security services for Ernst & Young in New York: "To take it to the next level, companies are going to have to completely re-engineer the entire way they systematically think about risk. It's a cultural issue, not just a technology issue. It's a management issue, a training issue, a business process issue as much as it is a leadership challenge, to pull together people from across the company to jointly figure out new strategies that will determine how they think about risk."

Sure, we've all heard the re-engineering cry before: In the 1980s, companies were forced to retool operations to meet the challenge of rising imports and falling U.S. market share in industries from autos to agriculture. Then came the re-engineering craze set off by Michael Hammer and James Champy's Re-engineering the Corporation. In the mid to late 1990s, companies restructured yet again for the Internet, kicking off a wave of innovation and automation that continues to digitize and influence the way companies make, market, buy and sell every kind of product.

Retooling for security will, again, be disruptive, analysts say, posing what could become stiff new leadership challenges in the months and years ahead as companies step up their push to create new cultures of control. More management and strategy cooperation between business risk and operations managers, CIOs, IT security officers, HR and marketing executives will be a must in this new environment. Also required: new limits on the workplace and how employees conduct their business and interact with customers, clients and each other, at work and at home.

Some companies are already finding mixed and sometimes awkward lessons in their attempts at security re-engineering: Teaching people to shut off their computers at night will probably always be easier than trying to convince them to start thinking of the UPS carrier as a potential cyber criminal who could be wearing a uniform purchased on eBay for $49.95—a scenario suggested at a recent Gartner security conference in Washington, D.C., by analyst Rich Mogull. "Americans have always been better at accommodating resistance in our culture than at accepting cultures of paranoia and control," Mogull said in a recent interview. "It's hard to get people to take some of the new thinking seriously. They get angry, or they laugh."

The ultimate goal, of course, is not to slow down the business of business but to create new ways to think about security and control in the context of the corporation, as long as it doesn't interfere too much with the process of making money. Says Motorola CISO Bill Boni, who reports to Motorola's senior vice president and CIO Sam Desai, "Frederick the Great, one of the greatest military geniuses in history, said that 'he who defends all defends nothing.' The requirement of a companywide security policy is figuring out which threats take priority and what responses are most effective—or could be. My goal here is to always be working with things from a business impact perspective, and working hard to make sure everyone knows precisely what that means."

But very few companies, says E&Y's Doll, are even close to thinking through the new risk paradigm. Most, he says, are still struggling to create a single, coordinated security message. They've also been slow to select the right people to put in charge of making the correct calls between productivity and caution, risk and reward, amid continuously changing levels of threats and sets of business priorities. Until more companies make that leap, he says, it will be very difficult for many corporations to construct any sort of consistently effective security shield that can survive the demands of day-to-day business, much less the growing new threats waged against it. Says Doll, "CEOs are not saying to CIOs: 'Fix the security, fix the controls.' What they're saying to them is: 'Give me all the productivity and fix the controls, and by the way, give me 10 percent off the budget.'"

Money Matters

But moving beyond today's generally fragmented, inconsistent approach to security won't be easy—or fully achievable. In many ways, says Brian Jenkins, a security expert and senior adviser to the president of the RAND Corp., better security, like improvements in quality, must be an ongoing effort that involves finding the right mix of risk management principles and companywide security policies, IT security, technology initiatives, marketing, education and training. And the effort has to be baked into business processes from the start, not hardwired onto them as an afterthought that will slow productivity, stifle necessary transparency between factory and suppliers or sacrifice worker creativity to policies that might promote excessive monitoring.

What's wrong with our current management efforts? If the torrent of recent security studies, polls and research papers on corporate information security are any guide, the picture isn't encouraging. In 2003, 75 percent of security executives acknowledged financial losses from security breaches, but only 47 percent could quantify the losses to researchers at the Computer Security Institute and the FBI. Some 40 percent of top IT executives surveyed in July by CIO Insight say they've had to cancel plans to reduce security risks after getting complaints from business managers. Some 19 percent of IT workers surveyed by Sophos Corp., an antivirus firm, say they install software patches for security holes "whenever they can get to it" rather than as part of an ongoing procedure that analyzes which patches are most important at any given time to the company's current business priorities.

And if that isn't discouraging enough, a new survey by the Information Technology Association of America, a technology trade group based in Arlington, Va., shows that 65 percent of American workers say their coworkers don't care about cyber security and 46 percent say they have no formal training in information security practices.

What to do? Many analysts, including Gartner's Witty, argue that a different mindset about the IT security problem within the corporation is required. Witty sees a "huge alignment gap" in many firms between IT security people and business risk managers. This, in turn, has led to a situation where few firms today are able to tie information security threats to a specific business vulnerability—a critical piece of knowledge that's missing when companies are deciding how and where to make the most of their security dollars.

At Bank of America, for example, keeping better pace with critical software patches and strategically choosing which to use was not the priority it should have been when the Slammer worm hit. "The need for more effective patch management isn't always correlated strongly enough into what-ifs for many businesses," says BofA's MacLean.

No surprise, says Christopher Klaus, CTO of Atlanta-based Internet Security Systems Inc: "When you total how much it would cost to roll out security patches rigorously in a Fortune 1,000 environment, the result could easily be more than $20 million. Say it takes four hours to install each patch and make sure the applications still work. Say you're paying someone $80 an hour to do this and it costs $320 to patch that one machine and you have 1,000 servers in your environment. That's now $320,000. Multiply that by a conservative estimate of five as the number of Microsoft and Linux and Cisco and Oracle patches each month, multiply that again by 12 months, and it's about $20 million." Most, Klaus says, would not even try due to sheer cost and manpower considerations. And according to a recent CERT report, many system administrators don't install all the security patches issued "because they don't know how, do not have the resources, do not maintain all of the computers or have computer users who will not let them."

Here, again, is where having a more holistic and effective security strategy might have made it clear, even to the part-time programmer in the IT shop, that it's not all or nothing, but more about knowing which patches to install first and which to forget about entirely. "The beauty of a holistic, overarching approach to security is that once you clarify the business values, goals and priorities of what people do and how they do their jobs, you don't get people making decisions on their own anymore that might conflict with what's important to the business," says Joseph Duffy, partner and global leader of PricewaterhouseCoopers' global security practice.
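The two passages above carry a calculation and a decision rule that are easier to see in code: Klaus's per-machine cost model for patching every server with every patch, and Duffy's point that, once business priorities are explicit, the question becomes which patches go first rather than all or nothing. The following is an added example, not code from the article or from ISS, PwC or any other firm named in it. The cost function uses the figures Klaus gives (4 hours, $80 an hour, 1,000 servers, 5 patches a month, 12 months); the patch records, the scoring weights and the maintenance-window budget are constructed for illustration, and the patch names are not real advisories.

```python
"""Patch labour cost and risk-ranked patch scheduling (added example).

Part one reproduces the full-coverage cost arithmetic from the article.
Part two scores each patch on severity, network exposure and the business
criticality of the asset it touches, then fits the highest-risk patches into
a fixed labour budget.  All patch data below is constructed.
"""
from dataclasses import dataclass


def annual_patch_labour_cost(hours_per_patch=4.0, hourly_rate=80.0,
                             servers=1000, patches_per_month=5, months=12):
    """Labour cost of applying every patch to every server for a year."""
    per_machine = hours_per_patch * hourly_rate          # $320 per machine
    per_patch_fleet = per_machine * servers              # $320,000 per patch
    return per_patch_fleet * patches_per_month * months  # about $20 million


@dataclass
class Patch:
    name: str           # constructed label, not a vendor advisory id
    severity: int       # 1 (low) .. 10 (critical), from the vendor advisory
    exposure: float     # 0.0 (no network path) .. 1.0 (Internet-facing service)
    criticality: int    # 1 .. 5, business impact of the asset, set by its owner
    hosts: int          # affected hosts
    test_hours: float   # hours to install and regression-test on one host


def risk_score(p: Patch) -> float:
    """Higher means install sooner: severity x exposure x business impact."""
    return p.severity * p.exposure * p.criticality


def labour_hours(p: Patch) -> float:
    return p.test_hours * p.hosts


def prioritise(patches, hours_available):
    """Rank by risk score and schedule greedily within the labour budget.

    Returns (scheduled, deferred).  A deferred patch is not forgotten: it is
    either the queue for the next window or an explicit risk acceptance.
    """
    ranked = sorted(patches, key=risk_score, reverse=True)
    scheduled, deferred, used = [], [], 0.0
    for p in ranked:
        need = labour_hours(p)
        if used + need <= hours_available:
            scheduled.append(p.name)
            used += need
        else:
            deferred.append(p.name)
    return scheduled, deferred


# Constructed sample data: assumed values, no real advisories.
SAMPLE = [
    Patch("db-listener-rce", 10, 1.0, 5, 40, 4.0),  # Internet-reachable database
    Patch("intranet-wiki-xss", 5, 0.2, 2, 5, 1.0),
    Patch("print-server-dos", 4, 0.1, 1, 10, 2.0),
    Patch("vpn-gateway-auth", 9, 1.0, 5, 2, 6.0),
    Patch("dev-box-kernel", 7, 0.0, 1, 30, 3.0),    # isolated lab hosts
]

if __name__ == "__main__":
    print(f"Full-coverage labour cost: ${annual_patch_labour_cost():,.0f}")
    print(prioritise(SAMPLE, hours_available=200))
```

With a 200-hour window the Internet-facing database and VPN patches are scheduled first and the isolated lab hosts are deferred, which is the "which to install first and which to forget about" outcome the text describes. When a top-ranked patch does not fit the window at all, the right response is to enlarge the window or accept the risk in writing, not to let the greedy loop silently pass over it.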

Indeed, a company fully re-engineered for security might even have someone from HR creating compensation incentives to reward IT staff for diligence during spikes in the number of patches being issued. "You could have some sort of contest with bonus points tied to workspeed in some of these situations," Duffy says, depending on what your most critical business goals are.

But these sorts of flexible judgments will also require new types of leadership, MIT workplace expert and IT professor Thomas Malone suggests, and new types of worker-management relationships that enable speedier decision-making. Says BofA's MacLean: "Your security strategy has got to be about the people in the boardroom as much as the programmers in the IT shop, as well as the manager on the road with a company laptop. If we're not thinking this way about how we do business now, then security problems are going to rise up and bite us. Companies simply can't afford not to know what their most important security threats are and what their policies are for dealing with them, at every level of the corporation." Says security expert Bruce Schneier, author, cryptographer and CTO of Counterpane Internet Security Inc: "Without a more intelligent approach to security, we're making ourselves sitting ducks and our customers fools."

The point isn't lost on Motorola. CISO Boni's re-engineering strategy, which he began developing in the days after Sept. 11, assumes a number of basic trade-offs, and his goal is to continue defining them as conditions and culture permit. "When you're dealing with IT operations in 64 countries around the planet with over 100,000 employees and a quarter million or so network connected devices and so forth, absolute bullet-proof prevention is an unrealized objective," says Boni. For the past two years, he has worked to help the company better define how these trade-offs can be made, and has assigned 12 members of his 40-member security staff to work with the company's individual business units, to make sure these priorities see the light of day.

Boni is the first to acknowledge it's been a cultural struggle. "People are too smart and are not going to do something just because they were ordered to by some corporate person," he says. "You've got to get their hearts and minds behind the new directions, behind the notion of control."

The crown jewel of Boni's program is awareness and training—an often under-rated, maligned part of security strategy. It includes social re-engineering, training of all employees in security policies, philosophies and execution, and a framework for penalties and rewards. Boni's goal: to provide, by the end of 2004, in-person or online training sessions that would give what he calls "foundational grounding" in all security and privacy policies and practices to each of Motorola's 100,000 employees, and then add incentives for achieving goals in execution.

Boni acknowledges it's a huge task and that compliance might not be 100 percent, at least not at first—if ever. "It's a big project, but by building the framework and creating the content and putting it into production, we are going to have an impact on the overall awareness and compliance with the standards," Boni says. "No question this has to be a holistic approach that involves changes at every level of the organization."

Compliance with security policies is a huge problem for most firms, surveys show. A joint study by Novell Worldwide Services, Stanford University and Hong Kong University of Science and Technology, for example, says that 8 out of 10 times, passwords are written on the back of a person's business card. Further, 43 percent of companies take more than two days before they cut off computer network access to people who have left the firm, while 15 percent take more than two weeks. Booz Allen Hamilton says many IT security policies are not followed, or even fully understood. "If you don't have a culture where security has been a priority, it's tough to build one," says RAND's Jenkins.

Just ask Jeff Nigriny, the CSO of Exostar LLC, an electronic marketplace for the defense industry. Nigriny gets so frustrated with employees' refusal to follow even basic security policies, he resorts on occasion to sending silly or embarrassing broadcast e-mails to coworkers, under the names of people who keep their machines open when leaving their desks at night to go home—just to force a change in behavior and convince people he means business. It's worked—to some extent. Nigriny reports a more than 90 percent drop in the number of machines left unattended at any given time.

At Avaya Inc., a $5 billion Basking Ridge, N.J., communications network provider, all security policies are under the purview of one cross-functional security team that includes business, legal, HR, IT, real estate, PR, environmental and risk representatives. "The discussions can get lively at times," as members hammer out new trade-offs in the push to weave security into Avaya's business fabric, acknowledges Marene Allison, the company's director of global security. One of the early compromises: minimum change in external physical security at the company, though guard contracts, for example, were changed and there is a new emphasis on emergency response training. "In this case, we wanted to have the ability to secure our environment, but we wanted our facilities to remain welcoming to employees and visitors," she says. "We didn't want to convey the idea that security had to be a negative thing from the start."

Allison says Avaya has been able to reduce costs and increase employee compliance with its new security policies because it now has a single security initiative, versus dozens of ongoing efforts. "Having a single point of accountability for security and a clear understanding of how it fits into the business has not only improved employee compliance with the new set of security rules, it has also eased negotiations with insurance underwriters," says Diane Askwyth, Avaya's risk manager.

But Allison says her work is just beginning. The push to re-engineer has made it clear that new forms of leadership are required, she says, not only for companies to make better concessions day-to-day between convenience and caution, cost and business efficiency, but to help employees and customers cope with the new climate of caution.

But if regulators, underwriters and hackers aren't enough to trigger a re-engineering drive at a company, its customers may, ultimately, be the final drivers of change. Don't think it could happen? Guess again. Last winter, a teenage computer programmer trying to buy a pair of jeans online from clothing retailer Guess.com decided to test the system's security before trusting it to take his credit card. In went an SQL injection attack—a well-known Web commerce vulnerability—and out came 200,000 customer names and credit card numbers. Not only did the information spill out easily, it was in clear text rather than the encrypted format Guess.com had promised in its privacy policy. Miffed, the teenager reported the apparel company to the Federal Trade Commission. On June 18, the FTC ordered the company to "implement a comprehensive information security program for Guess.com and its other Web sites." Says Howard Beales, director of the FTC's Bureau of Consumer Protection: "Consumers have every right to expect that a business that says it's keeping personal information secure is doing exactly that. It's not just good business, it's the law." Edward Amoroso, the CISO of AT&T, predicts: "We're going to see more customer activism as generations born with the Internet come of consumer age." To be sure, he says, "security has migrated out of the CIO's office and become an industry issue. As it relates to the pure corporate environment, most definitely, the focus today is indeed all about re-engineering."
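The Guess.com incident above names the defect class (SQL injection) and the consequence (customer records returned in clear text) without showing the mechanism. The following is an added example, not code from the article or from Guess.com; the schema, the customer rows and the lookup function are constructed to show the defect in its simplest form beside the standard fix, a bound parameter, so that a reviewer can recognise the pattern in a code base. It runs against an in-memory SQLite database.

```python
"""String-built versus parameterised SQL (added example, constructed data)."""
import sqlite3


def make_db():
    """Constructed table.  It deliberately holds only the last four card
    digits: data a site never stores cannot leak in clear text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "alice@example.com", "1111"),
        (2, "bob@example.com", "2222"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """Query built by concatenation: the value is parsed as part of the SQL,
    so a quote character in it changes the statement's structure."""
    sql = "SELECT id, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Bound parameter: the driver sends the value separately from the
    statement text, so it can only ever be compared as data."""
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# The textbook probe: a value that closes the string literal and appends a
# condition that is always true.  Legitimate input can contain a quote too
# (o'brien@example.com), which is why escaping by hand is not the fix.
PROBE = "x' OR '1'='1"


def compare(email=PROBE):
    """Row counts returned by the two lookups for the same input."""
    conn = make_db()
    return len(lookup_vulnerable(conn, email)), len(lookup_safe(conn, email))


if __name__ == "__main__":
    print("vulnerable rows, safe rows:", compare())
```

For the probe value the concatenated query returns every customer while the parameterised query returns none, because no customer's address is literally that string. The same single-quote handling is what makes the safe version correct for ordinary addresses containing an apostrophe. In a review, any query assembled with `+`, `%` or an f-string from request data is the thing to flag; the bound-parameter form is the replacement regardless of database engine.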

But will many more companies step up to the re-engineering challenge? For Boni, MacLean and others now working on the front lines for change, those who move faster will have the ultimate advantage. "Without a more deeply ingrained, holistic approach to security," says MacLean, "the bad guys are going to keep winning."

Retooling for Security

Security strategy will increasingly determine business success or failure in the Information Economy. Here's how some companies are starting to restructure for risk:

Motorola
Before Sept. 11: No holistic approach to security; policies unclear and partially heeded.

Now: Each of 12 lines of business has its own security rep to size up and monitor IT and business risk issues, and to spot new ways to boost, change or expand current policies.

Key Project: A global awareness and training program, to be offered in person or online to all 100,000 employees by late 2004 in the philosophy, purpose, details and practices required of all security and privacy policies.

Payoff So Far: CISO Bill Boni reports less impact from viruses and a 90 percent reduction in externally visible high-risk vulnerabilities.

Bank of America

Before Sept. 11: Fragmented security policies differed by business unit and lacked consistency across the corporation.

Now: Security strategy that coordinates physical, data, risk and business continuity strategies into one overarching plan that aims to take into account continuous change in technology and types of threats.

Key Project: Training initiative to boost employee awareness and better compliance with security policies.

Payoff So Far: Increased brand marketing value and lower costs in some areas due to a lack of duplicative efforts.

Air Products and Chemicals

Before Sept. 11: Security policy consisted of ID badges, visitor registration, fences and gates with cameras, along with security guards.

Now: Company-wide security management team assembled on Sept. 11 became permanent and scrutinizes the $5.4 billion company's policies and processes for physical and information security holes.

Key Project: A $20 million security improvement program screens new buyers of the firm's most sensitive chemicals.

Payoff So Far: Jack Fekula, manager of IT security, says security policy compliance is up more than 50 percent.

Avaya Inc.

Before Sept. 11: Security policies at the $5 billion, Basking Ridge, N.J., communications network builder were inconsistent throughout the company.

Now: All security policies are under the control of one cross-functional security team that includes business, legal, HR, IT, real estate, PR and environmental and risk representatives.

Key Project: New emphasis on emergency response training.

Payoff So Far: Having a single point of security accountability has reduced operational security costs and has kept a lid on insurance premiums, says risk manager Diane Askwyth.



Corporate Security Management: Organization and Spending Since Sept. 11
By The Conference Board, 2003

"Internet Chernobyl?"
By Keith Epstein, CIO Insight, September 2001

Web Sites

Nonprofit IT security training site operated by the SANS (SysAdmin, Audit, Network, Security) Institute

Carnegie Mellon University's national Computer Emergency Response Team

www.cert.org/advisories/CA-2003-04.html
MS-SQL Server Worm Advisory, CERT

This article was originally published on 08-12-2003