Home

The excellent choice of current and relevant topics, the great moderator and the small group size make these roundtable discussions both enjoyable and extremely valuable. This is one of the few events for which I will always make time.

Kylie Watson
CISO, Sumitomo Mitsui Banking Corporation

Roundtables — Worth Repeating

Perspectives, issues, and commentary from recent roundtables

The most unique feature of our information security roundtables is the lively and enthusiastic discussion that results. Here are highlights of commentary from the following discussions:

San Francisco, Mobile Device Security, Q4 2011
New York, Web-based Malware, Q4 2011
US TelePresence, Cloud Security, Q2 2011
Atlanta, Enterprise Systems Encryption, Q1 2011
London – New York TelePresence, Cloud Security, Q4 2010
Toronto, Next Generation Information Security, Q2 2010
New York, Information Risk Management, Q1 2010

Can't attend our next event? Stay on top of key takeaways from roundtable discussions by subscribing to updates to this page.

San Francisco, Q4 2011

Topic: Mobile Device Security

"Mobile is our number one security risk"
"Supporting mobile development is our biggest challenge"
"There is a bit of public hysteria around protecting personal information due to the media frenzy"
"In healthcare, physicians want information on their personal devices in real time"
"We talk openly about the responsibility of freedom – we must apply controls without disrupting culture"
"Providing access on all devices is required for productivity around the globe"
"We support BYOD with employees and customers, and must do it safely"
"We just launched our first app which supports PHI on mobile"
"We are developing mobile apps for our customers because they are demanding it"
"I have never had anyone say I love your authentication"
"You are now sleeping with every phone"
"The convergence of business and personal is significant"
"We have employee owned devices connecting to outsourced data – how do we create accountability?"
"We have not yet figured out how to keep the data safe with personally owned devices"
"Is the problem political or technical?"
"It's all about personal productivity and the business is simply not worried about the risk"
"Mobile brings in new business opportunities along with the additional risk"
"It's about balancing risk; allowing productivity, driving new business while keeping the data safe"
"We have to see exactly how the criminal will use these devices and what the breach is going to be – the risk is so vast"
"The technology has to catch up, till then it's risk acceptance"
"This is a catalyst for data classification as the user is not going to do anything"
"End user education is crucial"
"The cost savings of BYOD is not realized given increased help desk support"
"The sheer number of mobile app's will create the next tsunami"
"DLP is top of mind with personally owned devices"
"The asset is PII – 65% of botnet attacks are on android"
"Focus on the data, not the device"
"We simply don't allow employees to connect to our network with personally owned devices"
"Its' our job to find a way for them to do it securely"
"We treat mobile devices just like laptops"
"Apple has a good governance model – we can protect our brand better than with android with regards to malicious apps"
"We only allow downloads from our app store"
"MDM is immature and fragmented for enterprise; we must work hard with vendors to ensure they deliver"
"Wiping is a false sense of security, the device has to be on and accessible"
"If encryption is working, a lost or stolen device is NA"
"When you sandbox the device, you sandbox the malware too"
"Mobile is even more complex in a cloud environment"
"You must balance real risk against the last media event"
"We have a policy contract that must be signed before users connect their own device to our network"
"Mobile adoption is moving faster than we can even imagine –we have no choice but to figure out the security"

New York, Q4 2011

Topic: Web-based Malware

"There is a big demand for mobile applications from our users and the malware risk is high"
"There is no such thing as a free app given the incremental cost to supporting the business"
"Mobile apps are downloaded daily and written by god knows who – if you don't write the app yourself, it's simply not trusted"
"The consumerized enterprise accelerates the mobile issue"
"We see the trend that our customer wants to be "only mobile" and originate all transactions on their mobile device"
"We are developing for mobile then extending to the web rather than the other way around"
"Mobile apps and cloud service are going to happen faster than we can imagine and it's impossible to prepare"
"We must limit apps downloaded by employees"
"Productivity issue with mobile makes it impossible to limit"
"Only the BB will disallow certain mobile apps from being downloaded"
"It's all about culture and creativity so putting in controls is hard – but we can indeed give them what they want safely if they let us"
"You can never guarantee that any app will be hack-proof"
"Dynamic testing and change control are critical with 3rd party content providers"
"Most of our content is internally developed but we don't do our own pen testing so it's very expensive"
"It's all about reputational risk and I don't yet know if malware can create that level of damage"
"Our code changes daily, zero day is critical "
"It's very hard to do all the due diligence with 3rd parties – you must test the content which is coming from every direction, daily"
"You see the attacks on the exchanges and do wonder if you are properly prepared"
"The more users, the bigger the attacks"
"Our entire organization is one big attack vector with >50 Internet based companies"
"Partners want us to host sites on their behalf making 3rd party content even more removed from scrutiny"
"20%-60% of customers come to you infected so it's nearly impossible to know what malware you are hosting"
"Our world is changing – we are now interacting with clients directly. We know we are a target and that we have to serve up a safe environment"
"How do you do code review of your 3rd party's 3rd party content"
"It is not a matter of if, but when"
"Minimize complexity and functionality and stay low on the target radar"
"I cannot simplify my website – it's my biz to bring people in"
"Is there anyone who is concerned that people won't come to your site because of malware?"
"Since we own most of our content, the biggest risk is with our ads, we will take money from anyone willing to pay us"
"There has to be a vulnerability to exploit first so finding the exploitable vulnerabilities is a critical first step"
"We are not catching the exploitable vulnerabilities created by our own developers"
"It's more difficult to determine if you have an exploitable vulnerability then if you have malware"
"We have 100's of rogue sites that mimic our site which we want to shut down given the extreme liability; we just can't find them"
"6 to 7 new app's are launched each week that are counterfeit – we must control the storefront to protect our brand"
"We don't even know the sites exist"
"We need counterfeit sites shut off, it's a religious experience"
"You cannot boil the ocean so it ends up being a money discussion with the business units who own the risk"
"I don't know if the trade-offs I have made in security are correct until they are tested"
"What is the definition of commercially reasonable"
"Information sharing like this is greater than any product I can buy"
"The perimeter is melting from the outside AND the inside"
"We need a breach to reduce entitlement"
"Competition makes companies take risks"

TelePresence, Q3 2011

Topic: Cloud Security

"We are looking at many vendors for cloud, even bought a book to learn more about how to assess providers"
"Investigating HIPAA requirements in the cloud is a crucial first step"
"ADP is essentially a cloud provider which many of us use so it's not new"
"I leveraged cloud in a previous company and am now looking to move this company to the cloud"
"Unhappy with SaaS security – IDM needs to be tightly tied"
"We are looking for the best way to leverage cloud and create the right vendor relationship"
"Cloud requires trust; we use partners all the time, it's a risk balancing task"
"Clouds have been here for awhile (Hewitt, ADP) and security is trying to catch up; it's a risk based on how sensitive the data is"
"There are many issues; contractual (i.e. who is accountable for the data), legal (i.e. how do you do ediscovery) and cost (i.e. is it really cheaper per user)."
"We have MS Exchange in the cloud but it's not fulfilling the promise"
"Our concern is the compliance structure disappears with the cloud"
"Those things that are commoditized lend well, but we will never put our proprietary information in the cloud"
"Eventually cloud providers will figure it out – I would rather have them execute the security services but till now they haven't done it"
"Cloud providers like Google are storing data in other countries without permission"
"It could be big savings, but depending on how the vendor handles it, it could be a disaster"
"We have a shared environment with MS and there is no cost savings, less features, no access to logs and it's not auditable – so what is the benefit?"
"You cannot go from 1 cloud provider to another – pick one and your done. It becomes a hard decision"
"Legal has got to be involved"
"Marketing of cloud is better than it's ever been so the BOD asks about it without realizing it's more expensive with the risk factored in"
"We don't know if our vendor partners are using cloud and if our data could be in another country"
"Standing in front of this freight train was harder than jumping on"
"We are optimistic about cloud – the controls are greater than what we can provide"
"If we decide to use cloud, we would not promote it for fear it would tempt a hacker"
"Our customers / consumers expect their data to be safe – it's hard to pass that responsibility"
"The key is to start small. Always saying NO is not going to work"
"Cloud providers are not offering services that they should (i.e. DLP)"
"I don't know if my cloud provider's security is good since they don't tell me"
"Vertical clouds are coming (i.e. Healthcare) and could provide higher value however they could aggravate sharing"
"Google docs is like a hemorrhage – stuff is getting pumped out without our knowledge"
"Our employees are going around IT to Google because we are not offering the services they need"
"Balance is the key – how secure does it need to be?"
"Cloud is a huge enabler – it can spin up much faster but we need resources to vendor manage"
"It's is not unlike when the enterprise said no to the Internet – now we cannot imagine life without it – that is how cloud will be – you have to dip a toe in the water"

Atlanta, Q1 2011

Topic: Enterprise Systems Encryption

"The data classification exercise is critical or you end up encrypting everything"
"You must define by element what sensitive data is (your policy), then go find the data and encrypt it"
"There are tools that force users to classify but we find they just use the default of "personal data" and frankly that is not helpful"
"I have no idea where to start looking for the unstructured data"
"Legacy database systems are hard to encrypt"
"We have systems from 2003 and you cannot decouple the software, hardware and data; you need to have the encryption independent"
"Encryption needs to be integrated with access management"
"Data ownership issues get more complicated when the data is shared"
"It's a balancing act of providing the required access but still protecting the data"
"Role based access is needed but too difficult to maintain"
"Encryption makes e-discovery really challenging"
"Centralized key management is still the nagging problem"
"Given the great complexity of multiple points solutions, centralized key management is a goal worth pursuing"
Multiple point solutions = people = cost, however multiple points solutions guarantee no single point of failure, a single key creates too much risk"
"Key management needs to be resilient; losing a key is resume generating"
"Data and keys want to be free"
"We actually found that putting data in the cloud made access more limited which is a good thing"
"Shifting to a data center that we do not own makes segregation of duties even more challenging"
"Our EMR system cannot tolerate encryption; it's a cultural push back on access"
"You will spend less on encryption if you have an effective data retention policy"
"It's impossible to get the business units to buy in when they have a ginormous risk appetite"
"It's difficult to create a business case for encryption when the fines are significantly smaller than the cost – it's all about the right amount of data and the right amount of money"
"What is the business unit FUD factor – response time, deployment time, cost�.."
"BYOPC just complicates this problem"
"Willful non-compliance is indeed a compliance strategy"
"It all comes back to data-centricity"
"I focus on managing risk and security requirements fall into place"
"The key is to document the risk in business terms and have the business unit sign off on owning that risk – you'll get budget"
"Employees put sensitive data out on the web for convenience but there is no access to the data to protect it"
"Encryption does not have the same performance hit that it used to"
"Which providers deliver secure SaaS and/or cloud, does anyone here know?"
"Most cloud providers will not sign an agreement with shared liability unless you trick them into it"
"No matter what flavor of cloud, we want to own the key"

London – New York TelePresence, Q4 2010

Topic: Cloud Security

"The real value of cloud is provisioning on demand – we can do this to some extent internally but there are no economic benefits until you go external"
"We use cloud for integration and acquisition activities; we could never provision these activities internally in a timely manner"
"We cannot ignore the cost savings of cloud, it's inevitable; our first step will be putting email in the cloud"
"Internal clouds are good practice for leveraging external clouds and frankly a critical first step"
"Cloud will piss off regulators"
"Clouds are not universal; it's tough to negotiate regulations across country boundaries"
"To succeed, you must engage with a regulator and explain what you want to achieve"
"An excellent international standard it the Singapore regulatory authority – at the end of the day it's hard to tag data by nationality"
"Evaluating cloud providers is an exhausting process – 8 days for 1 vendor – but in 12 months we will make a move"
"How do you throttle the business for using unauthorized clouds"
"Data is already in the cloud, we just don't know it"
"Culturally you need to hang one person so the business units will engage with IT first"
"You each need to ask yourself, are you already using the cloud?"
"It's inefficient for each large financial enterprise to independently evaluate cloud providers – we need to adopt a model for all to leverage"
"We need a top 100 consortium"
"We've talked about confidentiality but what about availability? Downtime is a bigger risk than security when it comes to cloud!"
"The CIO is scared to death and relying us to evaluate cloud vendors for security"
"I believe a vendor will step in and be there with our security requirements given the clear market need"
"Right now, when asked if the is cloud secure, no one can say yes – this is especially concerning for a multi-national bank"
"As a Swiss bank we need to watch for awhile, we are skeptical; frankly the business units are afraid"
"The cloud issues are no different then our own issues, who here can say they have controls over internal data?"
"How do you distinguish cloud from outsourcing? We define it the following way: 1. Elastic (use less, costs less) 2. Scalable (not internally available) 3. Pay as you go (not locked in contract) 4. Abstracted (there is no negotiation, you get what you get. Package up insurance and distribute in tiny bits)"
"You must audit / manage a cloud vendor the same way you do an internal data center. Regulators will accept this if the cloud process is the same as the internal process."

Toronto, Q2 2010

Topic: Next Generation Information Security

"We've completely banned all social media"
"We own all the devices but by the time we lock them down they become useless"
"Developing an enterprise wide policy doesn't work; one size does not fit all"
"Although we must embrace new technologies carefully, we also must ensure we don't stifle productivity"
"Because the business units are motivated by contractual obligations to customers, we are empowered to manage the data"
"We have a committee that discussing the needs of the business units when it comes to all new technologies including social media – for now it is banned"
"Allowing a variety of mobile devices as well as social media is critical to recruiting talent and maintaining our competitive edge"
"We put tools in place to enforce critical policies but also try to remain flexible"
"We did a cost analysis on cloud and found in most cases it was cheaper to keep it in house"
"Cloud has to be driven by the business with policies to support it, so far they haven't asked"
"The public cloud is not ready for PII"
"Segregate the highest risk data and tightly control access so it is not about what the end points are doing"
"We do annual audits for our highest risk providers"
"We only support the Blackberry and no one can store any data on their phones"
"An SLA is your only protection as your data will be exposed to cloud employees"
"Like most at the table, cloud is not permitted in our company and we have no near terms plans to adopt it"
"When it comes to mobile, we take the Czar approach; we don't even allow address books on the phones"
"We do have a twitter site but it's tightly managed and monitored"
"Marketing wants social media but we have no one to monitor it"

New York, Q1 2010

Topic: Information Risk Management

"We have 3 data sources that bubble up for risk-based decisions: IT, Business, and Audit"
"The problem with people as a data source is the question you ask is not always question they answer"
"Understanding what data you need is just as hard as finding it"
"You must determine what data is critical to the business and what is minutia"
"It's just data unless it is relevant to the business"
"Even with supporting data, the business doesn't always want to fix it the right way"
"You can identify, collect, and analyze but without the proper translation it is hard to sell"
"If you can't explain it to the business, it is not going to get funded"
"It's a sorting problem; you must properly consolidate information to create intelligence"
"It's about prioritizing disparate sources of information"
"I know for sure, we have all the data that we use"
"Data is important but you must also identifying patterns of behavior within the data and look for anomalies"
"Pure technology risk management is what we try to do but the user is re-defining the technology all the time"
"How do you measure risk when the controls change everyday"
"Metrics can also be your undoing as not all metrics are meaningful but they still illicit action"
"We spin a lot of wheels investigating risks that are not a risk"
"How do you take the collected intelligence and resource against it?"
"Unfortunately you don't know what you don't know"
"How do you collect the data from outsourcers?"
"There is a difference between risk monitoring and risk management"
"It's a problem only if I don't have a bigger problem"