Short Standard Template Version 2.50 s1

Community Trip Report
Security & Risk Management
Gartner Symposium/ITxpo
Orlando, Florida, 8-13 October 2006

Key Takeaways

This Trip Report highlights the major sessions from Symposium/ITxpo for attendees interested in security and risk management. It also encapsulates questions that conference attendees asked and forecasts some emerging issues to prepare for.

Many attendees reported that the best part of Symposium/ITxpo 2006 was the opportunity to meet with their peers and find out what's going on in the real world. The session that Security & Risk Management attendees mentioned most often was a workshop where more than 30 security practitioners evaluated their own enterprises' security maturity levels based on a Gartner model. They were all interested in finding out where they stood in relation to their peers — and getting that assessment straight from their peers using a format and standards developed by Gartner.

The most important high-level messages the attendees took away from Symposium 2006 can be summarized this way:

  • Enterprise security is an achievable goal.
  • We can manage risk effectively.
  • The technology on the market today is up to the job.
  • The security battle isn't over yet — but (despite what the trade press says) the bad guys are definitely losing.

Conference Highlights

These Symposium sessions were particularly valuable for Security & Risk Management attendees:

Mastermind Interview: Cisco Systems CEO John Chambers

Mr. Chambers answered questions from Gartner analysts David Willis and Tom Bittman. Here's one: "What is the next frontier for Cisco?" Collaboration. "The hardware, the software, the application-specific integrated circuits have to be designed to work together." The goal is to enable the user to work without worrying about where various processes are taking place.

Mastermind Interview: Microsoft CEO Steve Ballmer

Mr. Ballmer answered questions from Gartner analysts Yvonne Genovese and David Smith. This is one that's definitely on security practitioners' minds: "What's going on with Windows Vista OS?" "We were trying to re-engineer all major components of Windows. What we learned was, we have to innovate and integrate." The oft-delayed project remains on its currently published schedule.

"Information Security Scenario: Moving to Security 3.0"

The term Security 3.0 represents the security state that enterprises need to reach — security that moves forward at the same pace as the business units and also reduces the amount of the IT budget that is taken up by security, said Vice President and Distinguished Analyst John Pescatore.

  • Focus on critical security processes, then architectures, then controls.
  • Push security requirements onto suppliers and business partners.
  • Focus on migration to achieve efficiency and effectiveness.

"The Information Security Maturity Model"

Vice President and Distinguished Analyst Christian Byrnes said that CISOs must understand the overall maturity of their information security programs, as well as the maturity levels of their overall IT operations. Developing an accurate picture of security will enable CISOs to justify and optimize security expenditures.

  • Document the enterprise's current process maturity levels.
  • Define a desired target level.
  • Build a project plan to improve selected processes by one level at a time.

"Oracle, SAP and Beyond: Securing Major Enterprise Applications"

Major enterprise applications — including enterprise resource planning (ERP) and customer relationship management (CRM) systems and application servers — contain highly sensitive data and critical processes. According to Research Director Rich Mogull, they can be the most difficult systems to secure, and they require specific security techniques and technologies.

  • Use a secure development process for custom code, and demand that vendors do the same.
  • Understand and implement the security features of products.
  • Use third-party hardening and auditing tools.

"Microsoft and Security"

Microsoft's IT offerings are so pervasive that the company's plans to make a large-scale entry into the security market will have a broad impact on virtually every enterprise, said Vice President and Distinguished Analyst Neil MacDonald.

  • Continue to pressure Microsoft for security improvements.
  • Use Microsoft's entry into security to negotiate better pricing with incumbent providers.
  • Leverage your installed Microsoft infrastructure.

"Building Secure Application Solutions"

Mr. MacDonald and Research Director Joseph Feiman believe a clear understanding of the myths and realities of application security can help to improve overall application quality and protect enterprises against attacks.

  • Ensure that application security is an integral component of the development and procurement processes.
  • Recognize the need for staff training or external expertise — or both.
  • Treat application security as a shared responsibility between information security and development.

What People Asked About

The conference attendees asked some penetrating questions. Here are a few of the most valuable:

I've just been named CISO of my company. What do I do now?

The key for the new CISO is to approach his or her new role strategically. You can't be an effective CISO if you're spending all your time putting out "brushfires." From day one, you need to define a strategy, set up a tactical plan to implement the strategy — and then continuously monitor, measure and report on your progress.

My manager is always demanding security metrics that demonstrate the value of what I do. How do I give her what she wants?

Security programs and processes are not simple, so they're not easy to measure. Effective metrics come with maturity — so the first step in developing the metrics you need to demonstrate the value of security is assessing your and your enterprise's level of security maturity.

Does the security organization's reporting relationship — whether it reports to the business side of the enterprise, instead of the CIO — have an impact on the time it takes to achieve security maturity?

There is some evidence that taking the security function out of the CIO's domain can have a positive impact on security maturity. It really comes down to corporate culture. If the enterprise encourages competition and contention between organizations and their objectives, it may not work. But enterprises that support cooperative objectives tend to see improvements in security maturity when the security organization reports to the business side.

How can I convince senior management that we need to make a serious commitment to security?

One key element is learning to talk to key enterprise decision makers in language they'll understand. Don't try to convince them with information drawn from the highly specialized security publications. Use the mainstream business press and journals like the Harvard Business Review, all of which have highlighted security issues in the past few years. And focus on the risks of inadequate security practices — especially regulatory risks, such as the problems that come from failing to comply with the Sarbanes-Oxley Act. That's something every senior executive today understands — or had better understand.

What's happening in the fight against spam?

We're definitely seeing a kind of "arms race" when it comes to spam. Our defenses are getting better, but so are the spammers — especially with image-based spam. There's plenty of good anti-spam technology on the market, including the basic capabilities built into Microsoft Exchange's next release. Other new products will give enterprises the ability to look into an image to see whether it's spam, "throttle" suspicious traffic or even simulate executable code in attachments to determine whether to send the message through.

Key Findings From Polling

The Security & Risk Management attendees at Symposium/ITxpo were polled on many aspects of enterprise security. Here's one of the most interesting poll results:

A process view divides a security program into Govern, Plan, Build and Run functions. Do these terms (as described and broken out into tasks in the presentation) describe what you or your CISO actually do?

  • Yes, very well: 38%
  • Somewhat: 54%
  • Poorly: 8%
  • Not at all: 0%

Things to Watch For

The CISOs and other security practitioners attending are watching a number of current and "on the horizon" issues, including: Microsoft's entry into the security market, the difficulties of securing enterprise applications, and the coming "Security 3.0" generation of technologies.

Many of the attendees' concerns relate directly to an issue that Gartner has identified as truly mission-critical: the need to approach security not simply as a technology issue, but as an enterprisewide process. One of the key drivers of this new approach to security is the growing maturity of compliance processes, which has resulted in a greater recognition — by all stakeholders — of the importance of risk assessment and risk management.

Why is risk becoming such a concern for senior executives, corporate officers and boards of directors? For one thing, it is more and more frequently one of the ways their performance is measured and their compensation is determined.

But getting enterprise stakeholders to recognize the need for effective security processes isn't always easy. When CISOs try to move beyond technology — beyond a preoccupation with tools such as firewalls and filters — they frequently face resistance. One reason is that they're forcing management to take a hard look at risk, and management doesn't always like what it sees. That's why one of the essential traits of a successful CISO today is effective communications skills.
