Analyst Q&A with Jay Heiser, Gartner Research VP and John Pescatore, Gartner VP, Distinguished Analyst
Posted on May 3rd, 2010 at 1:40 pm

This month Gartner analysts Jay Heiser and John Pescatore discuss the ultimate hot topic in security these days: cloud computing. Both will attend the Gartner Security and Risk Management Summit, June 21 – 23, to present their latest research. Jay will chair the Risk Management and Compliance Program.

Q: Cloud computing has been a hot topic for a while. What’s the latest?

JP: Is it safe for businesses to use cloud computing? It depends on the business and it depends on the type of cloud computing. There are lots of different styles of taking advantage of what public and private cloud computing has to offer. The question, of course, is security. What types of things are realistic for business use depends on cloud computing providers’ demonstrating adequate levels of security.

JH: About a third of the potential market is still holding back on cloud computing because they don’t believe it’s safe enough or don’t have a way to know if it’s safe enough. Some are taking the plunge in an “ignorance is bliss” mode, and the rest are only taking limited advantage of it. Very little information is available about how the products are actually built, and the mechanisms to determine appropriate security and continuity have yet to finish evolving.

Until these mechanisms and standards mature, organizations are mostly on their own to figure out how to evaluate their cloud security needs and make decisions appropriately. Existing certification does not address all that’s needed. There’s a desperate need for some kind of neutral third party to step in and start standardizing how we evaluate and certify the security of cloud offerings. Buyers don’t have the time and expertise to check this out themselves. We need a rating system, but we don’t have anything suitable right now. ISO 27001 is a great certification for environments that are well understood, but it doesn’t address all the relevant risk aspects of cloud computing. SAS 70 is more commonly used, but it was never intended for this type of evaluation, and the results can be deceptive when applied to cloud computing.

JP: The imperative now is to know your risk profile, understand the risks cloud computing can create, minimize those risks, and move forward appropriately. What we’re seeing at the low security end—consumer-oriented enterprises, city governments, small businesses—is organizations trusting the provider to vouch for security. The city of Los Angeles using Google, for example. At the high end—the Department of Defense, the banking and high finance industries—they want to keep security separate from cloud. They won’t trust Google or Microsoft to maintain security for them. In the middle, many organizations will be okay as long as they can run their favorite security as part of the cloud. There’s no one-size-fits-all approach. You have to consider your risk profile and find the best fit.

How much security do you really need? If security is critical, don’t put it out there.

Q: And yet the allure of cloud computing can get to the best of us.

JH: There is something of a war going on within the enterprise between “We must have this new thing!” and the security professional who wants to take a more nuanced approach and say, “Let’s decide what your needs are and take an appropriate strategy.” Nobody wants to say no to a great new idea, but we have to find ways to temper that impulse and look at the risks involved. At the conference, we’ll give some support to help people push back against the pressure to make high-risk moves. Can this outside service do as good a job as we can at protecting our data? There’s no secret sauce out there to figure out how secure these arcane outside offerings are.

JP: On the other hand, it’s quite possible that outside security groups might be doing a better job at this. Sometimes the in-house guys aren’t able to do a great job keeping systems secure. The key is to give the people the tools to tell the difference and make a smart choice.

Cloud computing is currently the flavor of the month. It’s at the peak of over-inflated hype and expectation. Some of it’s just that, hype. But once you get past the hype, there can still be good business reasons to do this. We’re just saying you need to take the time to ask yourself how much security you need, do you have to add it back in, what will that cost, and is it really going to save you money in the long run?

JH: That’s right. Businesses in many cases are skipping a lot of the relevant expenses, looking short term, ignoring long term. Security is the biggest inhibitor of cloud computing right now. But three years from now, integration will be recognized as an even bigger problem.

Q: Given the uncertainty, how do you proceed?

JP: Look at the case studies of real business use of the cloud and their security approach. We’ll present a bunch of these at the upcoming conference. You need to use models and tools that enable you to make the best decisions—we’ll give you those as well. How do you do cloud computing most securely? You need to make security part of the evaluation process as a key factor in the decision and you may need to use cloud-based “security as a service” to make sure your use of cloud computing is safe. If there are black holes where you simply can’t verify security and you need security, you have to say no.

Q: Isn’t it up to the vendor to do this legwork and demonstrate security?

JH: Absolutely. It’s all about that other buzzword, transparency. Do they provide you with adequate proof of secure practices when it comes to confidentiality, data integrity protection and availability? Do they provide you the ability to control your data? What evidence do they offer that they can do all of that reliably?

JP: It is really the responsibility of the enterprise to select product and service vendors that do demonstrate their offerings are secure. At most companies, personal data is in every one of their applications, so invariably their cloud computing activities will involve that kind of data, and the enterprise (not the vendor) always bears the ultimate responsibility if there is a data disclosure incident.

Q: Silver lining?

JP: You have some big security challenges around cloud computing, but at the same time there are some exciting new opportunities in security as a service and cloud-based security services, where we’re seeing big growth. This can help make cloud computing securable, but also the cloud-based delivery model is great for delivering security for other purposes, especially mobility. Delivering security to a mobile workforce is a real challenge, and cloud-based security can help. Cloud computing doesn’t just let bad guys do more bad things, it lets the good guys do more good things, too.

Filed Under: Analyst Commentary

Analyst Q&A with Jay Heiser, Gartner Research VP, Risk Management & Compliance
Posted on March 30th, 2010 at 3:10 pm

This month we asked Jay Heiser, who is chairing the risk management program at the upcoming Gartner Security and Risk Management Summit, a few questions about risk management. Here’s what he had to say.

Q: What are the big issues in risk and compliance right now?

There are three issues on my mind and that are coming up frequently in client calls. The first is the growing interconnectedness of all forms of risk management, or rather the growing need for them to be more interconnected. Organizations need to bring enterprise risk management, security, business continuity and regulatory compliance together to set better priorities and to coordinate and optimize the activities of those working with risk of every kind. Otherwise, they really are not working together to support common business goals.

The second big issue is privacy and the evolution of government regulations. 2010 is going to be the year of privacy in the U.S. and the EU. In Congress, both the House and the Senate are working on privacy legislation. It’s all queued up, and the recognition of the need for such legislation is growing, and the Federal Trade Commission (FTC) is beginning to tool up in anticipation of taking a role in enforcement. We’re seeing increased emphasis on governments requiring that organizations—commercial, NGOs and government agencies—protect information pertaining to individuals better. And of course if a healthcare reform bill passes, there could be privacy issues embedded in it.

Lastly, cloud computing represents a huge issue for risk management. The upside potential business benefit of cloud computing can be tremendous, and that’s making it economically appealing to organizations across the board. However, it’s a very difficult risk assessment task, and one that does not yet have solid protocols. The same thing that makes the cloud economically appealing—the reliance on offsite systems for support—makes it really tough to assess risk. Organizations have forged ahead with cloud implementations whereas adequate risk assessment is just not there yet.

Q: Risk management is increasingly important to consumers and governing bodies. Is it top-line stuff for enterprises as well?

It wasn’t that long ago that business people weren’t even aware of risk management in any significant way. Over the years it’s been growing in recognition as a business tool, and an important mechanism for optimizing results of a business effort. Now new computing models—particularly cloud computing—are raising new issues around potential risk and creating a new requirement to be more methodical about risk assessment and control. This stuff is making its way up the priority list among business leaders.

Q: What changes do organizations need to make to meet the new imperatives that are out there?

It’s mostly about a cultural change within organizations. Not necessarily new rules or shifts in the organizational chart, it’s about raising the awareness about digital things that can go bad, increasing people’s willingness to do something about it, and improving the ability to do something about it. Perhaps the most important change is gaining a mandate from the top. This is key. As an organization, you have to undertake a more systematic approach to risk. The framework and vocabulary of risk management need to be systematically applied across the business, not ad hoc.

We need to encourage greater levels of collaboration between what previously were separate functions. To do successful enterprise risk management now, you need to bridge the silos, bring everyone together and forge a virtual team between business units, with incompatible agendas and different bosses. The goal is to make everything support the overarching business goals. You need to identify what bad things can happen and figure out how much it will cost to prevent or fix it. The business doesn’t care who reports to whom or whose responsibility it is. The business just wants to keep going. The new multidisciplinary risk management team needs to be aware of each other’s activities, speak the business language and be credible to the business.

We are moving toward a cross-disciplinary approach that brings all the specialists together, but this is not just about technology or tinkering with the organizational chart. It should be treated more as a political task that requires good communication and influence skills. To pull off a really effective multi-team approach, you need to do the hard work of building consensus between different departments with different goals.

Q: As an IT leader, I know risk management is important and complex. I also know my plate is full, expectations are up and my budget is flat. (Actually, just-released Gartner research suggests budgets will increase this year by about four percent. Nevertheless…) Where do I put my limited resources?

I’d point to a fundamental concept of risk management: Choose your battles wisely. There’s a tendency to overcomplicate the process of classifying information. We (at Gartner) have strategies that can help you make it simpler, so you can understand which data is important, and which is not, so you can spend your money protecting the important stuff. And of course this needs to be from the business perspective, not just the IT outlook. Once you’ve done that, you can identify where to put your resources. There are tools and strategies that help you quickly determine what’s important and what’s not.

Q: How will shifts in risk management affect organizations in the coming two to five years?

We will see further changes in reporting structure as organizations experiment with new roles and relationships between roles. There will be some impact on budget as new forms of computing manifest themselves as riskier. Where certain roles report and what they do will change. Cloud computing is an area where we’re doing a great deal of experimenting in how to assess, monitor and manage the risks. It’s an interesting time, with constant change as we evolve best practices around cloud computing, for example, and privacy.

Q: Any other big challenges on the radar?

Measuring risk management performance is always a challenge but we’ve made good progress in recent years on this. These days, we have new ways to measure the capability maturity of certain aspects of the IT program.

E-discovery is another area where you see many challenges, lots of expense and changing expectations. The legally enforceable expectations continue to evolve; the technologies continue to evolve. It’s an ambiguous situation that can be very costly. We’re seeing a trend toward bringing e-discovery in house to control costs as well as do the redaction necessary to prevent inadvertently providing too much information. The cloud could help with archiving, but it could also open up new difficulties for e-discovery.

Q: Certain areas of IT are experiencing explosive change. Has anything in the risk management area surprised you lately?

I’ve been fascinated by what’s happening in the U.S. government. The Obama administration is strongly encouraging cloud computing within the executive agencies. They’re moving ahead into uncharted territory pretty rapidly. The U.K. and many other governments are anxious to make use of the cloud. They’re tempted by cost savings and perhaps an element of faddishness as well as real benefits to be had in terms of increased productivity, new functionality and greater reliability. It’s an interesting time.

Filed Under: Analyst Commentary

Analyst Q&A with Vic Wheatman and Chris Byrnes, Co-Chairs of the Gartner Security & Risk Management Summit
Posted on February 22nd, 2010 at 6:15 pm

We sat down with Vic Wheatman and Chris Byrnes, who are currently hard at work co-chairing the upcoming Gartner Security & Risk Management Summit, to discuss key trends in security and risk management. Here’s what they had to say.

Q: The security space is evolving rapidly. What’s the current state of affairs?

CHRIS: The increase in threats is the defining feature of security today, along with the increase in the number of tools and approaches to thwart them. It’s made security inherently more complex and time-consuming, and overhead has increased dramatically. At the same time, it’s more central to business than ever. Boards of directors want to know what’s going on; senior management wants to understand the current risk position. Today, it’s imperative that the security team be able to communicate with business leaders. That’s a new skill set for the tech folks.

VIC: Business still occurs on the Internet, and the Internet is still a dangerous place for business. What’s new is the threats have matured. It’s not about kids hacking around. The new threats are from organized crime, even terrorist organizations, that orchestrate sophisticated, targeted attacks designed not just to disrupt but to generate revenue for ill purposes. When it comes to maintaining a reasonable level of security in the face of these threats, we’re dealing with greater complexity and cost and more advanced skill sets, so the appeal of outsourcing to managed security services has increased.

Q: How do you see the relationship between security and risk management changing?

CHRIS: Security is a class of risk management, and risk disciplines are helpful when applied to security. Going forward, we need to take a comprehensive view of risk that includes security, but also risk management and all the disciplines within it, such as business continuity. That’s the challenge. Security involves controls that support continuous business operations. Business continuity is about planning for large-scale interruptions that cannot be prevented. Those disciplines together with other risk management disciplines give you the complete picture.

Q: What other changes do you foresee in the security and risk spaces?

VIC: The vendor and solutions community is undergoing a major period of change. The continuing stream of acquisitions is followed inevitably by a stream of imperfect integrations. Acquisitions mean cultural issues in terms of bringing businesses together, but they also mean technology integrations that can be a problem for the end user. Will there be a new look and feel? Can these technologies be integrated, and on what timeline? Will features be lost? Some acquisitions aren’t about delivering a superior product, they’re about getting rid of a competitor. If you’re invested in that competitor, it can be a problem. There may not be a clear migration path. It’s important to leverage every bit of information possible when deciding who to invest in.

Q: What are the hot topics those involved with security and risk need to be watching?

CHRIS: One of the hotter ones is the shift of the standard of due care, specifically when it comes to data loss prevention. We just published some new research that says content-aware data loss prevention (CADLP) will be part of the standard of due care by 2014. If it’s not part of your SDC program by then, if you don’t have a tool in that class by that time, you will be looking at increased liability.

Q: What are the top priorities for security and risk folks over the next 12 months?

CHRIS: The No. 1 security priority is user provisioning and identity management, which is fairly surprising given that you would expect these to be mature by now. But with increased complexity and new tools, people are going back to IAM for a new project. After that comes data loss prevention, antivirus, firewalls and intrusion prevention. Again, you might expect these programs to be mature, but they’re still projects. Networks are growing and throughputs are faster, so organizations are having to make technical improvements. Finally, supply chain availability risk and the PS-Prep program are two factors that will bring more formalization to BCM programs.

Q: We’re about to wrap up the first decade of the 2000s and start developing a vision that will see us through to 2020. Thoughts?

VIC: The need for overall strategy is essential, but with tactical responses within that strategy. You get ahead of the threats, but then a new threat emerges. Or complacency sets in. It’s a constant race with the bad guys that never ends. You never solve the security problem; you just try to stay ahead so they choose an easier target. We want to protect our business and to be good citizens so people want to do business with us. That takes both big-picture strategy and vigilance when it comes to tactical response.

CHRIS: We need to push security officers to try to evaluate the maturity of their security program. On the standard maturity level scale, everybody needs to be working hard to get up to a level three out of five. Ideally, you want to get all aspects of IT risk up to level four. That means establishing attention to process as a cultural norm—essentially achieving a high level of quality assurance on all security-related processes. That may sound aggressive, but it’s necessary.

For complete coverage of security and risk management priorities, join us for Gartner Security & Risk Management Summit 2010, June 21 – 23 in Washington, DC, the premier conference and meeting place for IT and business executives responsible for creating, implementing and managing a proactive and comprehensive IT strategy for information security, risk management, compliance and business continuity management, IT disaster recovery and business resiliency.

Filed Under: Analyst Commentary