
Alea Fairchild – Strategic Views

Tag Archives: security

Organizational Resilience:   Compliance risk strategy for 2023

05 Thursday Jan 2023

Posted by afairchild in Uncategorized

Tags

2023, compliance, PCI DSS, security, strategy, TPTM, trust

One of the two key areas of research focus for me this year is organizational resilience.  In 2023, a number of regulations have been updated, creating new requirements for businesses to follow, new areas of risk, and more money and time spent adjusting to these changes.

Compliance strategies help cement trust in professional partnerships and vendor relationships.  If your firm is trying to qualify for cyber insurance, or simply looking to obey the law and avoid fines, your business is up against increasingly tough compliance measures. It is no longer sufficient to be compliant only once per year, scramble in the two weeks before the audit, and then forget about it for the rest of the year.

What compliance tech trends should IT management adopt as they build and refine their technology roadmaps?  

Let’s start with some of the regulatory drivers for these trends.

Regulatory Issues to watch

European Union Digital Operational Resilience Act (DORA)

The EU is applying regulatory pressure in the financial sector with its Digital Operational Resilience Act (DORA).  DORA is a “game changer” that will push Financial Services (FS) firms to fully understand how their ICT, operational resilience, cyber and TPRM practices affect the resilience of their most critical functions as well as develop entirely new operational resilience capabilities.

One key element here is that DORA introduces a Critical Third Party (CTP) oversight framework, expanding the scope of the FS regulatory perimeter and granting the European Supervisory Authorities (ESAs) substantial new powers to supervise CTPs and address resilience risks they might pose to the FS sector.


German Supply Chain Due Diligence Act (SCDDA)

On January 1, 2023, the German Supply Chain Due Diligence Act took effect. It requires all companies with their head office, principal place of business, or administrative headquarters in Germany – with more than 3,000 employees in Germany – to comply with core human rights and certain environmental provisions in their supply chains. SCDDA is far-reaching and impacts multiple facets of the supply chain, from human rights to sustainability, and legal accountability throughout the third-party ecosystem. It will address foundational supply chain issues like anti-bribery and corruption diligence.

From 2024, the employee threshold will be lowered from 3,000 to 1,000. Switzerland, The Netherlands, and the European Union also have drafts of this type of regulation on the books.

PCI DSS 4.0

Payment Card Industry Data Security Standard (PCI DSS) is the core component of any credit card company’s security protocol.  In an increasingly cashless world, card fraud is a growing concern. Any company that accepts, transmits or stores a cardholder’s private information must be compliant.  PCI compliance standards help avoid fraudulent activity and mitigate data breaches by keeping the cardholder’s sensitive financial information secure.

PCI compliance standards require merchants to consistently adhere to the PCI Standards Council’s guidelines which include 78 base requirements, more than 400 test procedures and 12 key requirements.

When looking at the changes in how PCI has evolved over the years up to PCI 4.0, there is a departure from specific technical requirements and toward the general concept of overall security.  PCI 4.0 requirements were released in March 2022 and will become mandatory in March 2024 for all organizations that process or store cardholder data.

The costs of maintaining compliance controls and security measures are only part of what businesses should budget for PCI certification. Businesses should also account for audit costs, yearly fees, remediation expenses, and employee training costs in their budgets alongside technical upgrades to meet compliance standards.

Tech Trend changes

Zero Trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets. Zero Trust as a model assumes all requests are from an open network and verifies each request this way. PCI 4.0 does not mention zero trust architecture specifically, but it is evident that the Security Standards Council is going that way as a future consideration.

Passwordless authentication gained a lot of attention and traction this year. Major companies, such as Google, Apple, and Microsoft, are introducing passwordless authentication based on passkeys. This is a clear sign that the game is about to change. As the PCI DSS focuses on avoiding fraudulent activity, so do newer authentication protocol approaches that verify and confirm identity.

Third-party risk management is quickly evolving into third-party trust management (TPTM), with the SCDDA creating a clear line in the sand for global organizations. TPTM is a critical consideration when standing up an enterprise trust strategy. Enterprise trust is a driver of business development that depends on cross-domain collaboration.  It goes beyond cybersecurity and focuses on building trusted and lasting third-party relationships across the core critical risk domains: security, privacy, ethics & compliance, and ESG.

Final thought – Cyber Insurance in 2023

If some of these compliance drivers lead to a desire for financial protection, cyber insurance is one mitigation element a strategy can use to address C-level concerns. But wait – this is not as easy as it used to be.

Five years ago, a firm could fill out a one-page cyber insurance application and answer a handful of questions. Fast forward to ransomware and other cyber threats and now getting insurance with favourable terms, conditions, pricing coverage and low retention is tough.

Insurance companies prefer enterprises that are instituting robust security controls and incident response plans, especially those prepared to deep dive into their cybersecurity architectures and planned roadmaps. In terms of compliance strategy development, there needs to be a risk-based approach to cybersecurity to allow an insurer to offer a favourable insurance option.

Two key trends for 2023

20 Tuesday Dec 2022

Posted by afairchild in Uncategorized

Tags

analytics, infrastructure, innovation, IoT, security, smartbuildings, workplace

Organizational resilience and workplace analytics

In our annual quest to find and resonate on the topics that mean the most in the new year going forward, I want to talk about my two research areas for this Spring.

ORGANIZATION RESILIENCE

Organizational resilience for me is top of mind. This combines a number of factors — cyber resilience, employee motivation and commitment, resource allocation and supplier relationships, core competencies and agility to go to market. In a time when economic factors, levels of demand uncertainty and regulatory risk all put the organization on edge, how resources are allocated, supported and made agile will allow organizations to pivot more flexibly.

Technologically, we have been focusing on productivity and collaborative work this last year. My concerns are echoed by a recent paper in the MIT Sloan Management Review. The authors, Jonathan Trevor and Matthias Holweg, both at Oxford, stated that collaborative technologies do help bond hybrid and remote workplaces, but these tools and platforms still haven’t made the grade as far as replicating in-person settings. This is where I am putting my own efforts this Spring: looking at work as an experience (WaaE) and the workplace as an experiential location.

In their paper, they claim that organizations and the technology they employ have done a good job of keeping everyone connected and in tune with what’s going on, but still can’t fully replicate the innovation seen in face-to-face workplaces. Perhaps their most significant observations are how organizations face challenges getting people together in one place at the right time, and the fact that employees in the survey “complained that work had become more transactional and operational in the hybrid environment. They missed feeling engaged and noticed a decline in the infusion of new ideas.”

Being resilient as an organization is about harnessing the resources in a timely and effective manner. The ability to be innovative will hinge on how agile and supple an organization can be.

Having the right place to work to be agile and innovative will be critical. A part of this MIT survey looked at real estate usage. According to their study, “The top planned changes cited by our sample are additional social areas (80%), creativity spaces (75%), meeting rooms (74%), shared offices (74%), and hot-desking (71%). Corner offices are on their way out.”

WORKPLACE ANALYTICS

Which leads me to the second critical area I am examining this Spring.

Workplace analytics combines occupancy analytics, visitor management systems and more traditional facilities management tools in examining usage. This is normally used by facilities managers, corporate real estate teams and the C suite to understand spending and costs.

But what we really want to examine is utility, in other words, how the workplace served its function in supporting work.

The key question I will be asking: how does the infrastructure support the work activity? Can we take a pulse on a regular basis to see what contribution technology in the workplace makes in making work happen productively and with purpose?

As an example, I bring up the latest survey recently from Relogix, a workplace analytics firm, on global workspace usage.

This report suggests that the last six months or so have been relatively static regarding those coming in and those remaining remote. But what is interesting is the shift between individual offices and the collaboration spaces that were once connected to them, both of which declined, whereas general meeting spaces and casual social spaces doubled and quadrupled.

People are looking to engage with other people if they make the commute into the office. Where does technology play a role here and can we make the workplace a destination and an experience?

Assuming you are not commuting during the holiday period, I wish you a wonderful season and a happy new year. May 2023 be productive, full of good health and wonderful innovation!

Alea

Can service and security co-exist? What is the Glue that brings them together?

01 Wednesday Jun 2016

Posted by afairchild in Uncategorized

Tags

Audi, Glue AB, groceries, in-home, on demand, PostNord, security, service, smart access, Volvo

There are a number of pilot implementations on smart access for providing services for the last mile for eCommerce.   These include DHL having access to your vehicle by means of a smart access code to your car locks in order to leave a package you ordered in the trunk (boot for my British friends), working together with Audi and Amazon to create a trial service for Audi users. Volvo has also started addressing this area.

The auditability of who has had access to your vehicle, particularly from an auto insurance perspective, would be a concern: you would want to know exactly who has been in the vehicle in case of theft of personal objects of value. However, there is a trend for your vehicle to be more of a storage facility than just a transport option, as discussed here. Personally, while moving house recently, my car became a storage locker as well!

Those of us who are used to having house cleaning services know the dilemma of giving someone access to your home without your presence.   Anyone who has rented out part of their home for AirBnB has had to deal with this issue.

The latest pilot that caught my eye was in Sweden, where a combination of postal courier and grocery stores are testing a service that stocks your refrigerator while you are not home, so you can come home to a fully stocked kitchen.  PostNord is running this pilot with 20 homes in Sweden.

Here you would have to have a smart lock installed on your home which can be opened with the smart phone app of the courier service.   The company that has created this lock is called Glue AB and it allows residents to decide remotely who to give access to their homes.    You can see the video on the project here.

Is “in-fridge” delivery the next wave of on-demand commerce services?  Will this encourage people to think differently when it comes to opening up their homes (cars, or other personally owned objects) for convenience services?    Will access control to your home, intelligent alerts and secure encrypted technology give you greater peace of mind as Glue states on its homepage?

I think auditability (again for insurance and theft/damage) with immutability would be useful, and access could easily be tracked and audited not only for damage, but for performance (e.g. number of hours a house cleaner worked, correlated to access to the home). Can this be tied to the objects themselves, with an IoT component?

Smart access is a growing trend that I will continue to be examining and discussing in the coming months.

Webinar on securing IT assets

02 Monday May 2016

Posted by afairchild in Uncategorized

Tags

assets, enterprise, privacy, security

Having secure IT assets should enhance the overall user experience by ensuring security is more effectively and more seamlessly embedded into everyday IT and IT services provisioning activities. But IT assets have a lifecycle, and they need to be protected differently during this lifecycle. Automation of the protection process allows the core competencies of the staff to be focused on more strategic aspects of asset security than patch management or stolen passwords.

I recently shared a webinar with Dell and Markit on IT asset management and information security, which you can listen to on InfoSecurity Magazine here.

Some of the points I was making in my presentation on IT asset management were:

  • The lifecycle cost of an IT asset begins with planning and design and continues through procurement, adoption, operations, maintenance, rehabilitation/renewal, and disposal/replacement.
  • IT asset management (ITAM) seeks to optimize costs through each stage of this lifecycle, while meeting established levels of service, reliability, and risk. In today’s enterprise, ITAM plays a dual role of asset management and risk protection.
  • Protection levels can be performance-related (critical value to the business), or customer/regulatory related (impacting response times, complaints, information availability, etc.).
  • Risk is the exposure and uncertainty assumed due to the opportunity for significant damages. And data from IDC had previously forecasted that by this year, 25% of large enterprises will make security-related spending decisions based on analytical determinations of risk.

But what kind of IT assets bring the most concern to the enterprise today? Half the world’s population will be on mobile Internet by 2020. And the key drivers behind the growth in the mobile worker population include the increasing affordability of smartphones and tablets combined with the growing acceptance of corporate bring your own device (BYOD) programs. In addition, innovations in mobile technology such as biometric readers, wearables, voice control, near-field communications (NFC), and augmented reality are enabling workers in completely new ways, increasing productivity by enhancing communications and business workflows.  And these devices need to be secured to protect the enterprise.  But it is not just about endpoints, but also the network and the physical assets of the enterprise that are impacted by IT asset management not being automated and hardwired into the organization.

So one of the key points I made was that the key to a successful IT asset management program is the legwork performed before selecting solutions, including evaluating your existing IT environment, gaining executive sponsorship, setting program goals, committing the appropriate human resources, and designing strong processes that support your organization’s business objectives. Before getting started with your asset management security program, it is important to achieve the following milestones to ensure not only that the right solution is selected, but that the processes are formally established, understood, and documented.

One of the discussion points between myself and my fellow presenters was the fact that older IT assets are not as well documented as the newer ones. I mentioned in the conversation that I had a 10-year-old Dell from previous employment that was still able to access that domain. (I am not sure which was the more startling statement: that the 10-year-old Dell still worked, or that it could still log on to the systems of my previous employer!) We discussed the concept of good practices (ISF Standard of Good Practice) and the importance, not only from a risk perspective but also from a compliance agenda, of being able to reduce the risk of information security being compromised by weaknesses in hardware / software and to protect assets against loss, as well as to support development of contracts and meet compliance requirements for licensing.

One other point I made in the presentation was around encryption. It is necessary that an IT department have an encryption plan to provide reasonable assurance that all enterprise owned devices, such as laptops, can be identified and encrypted. Encryption is at the heart of a complete endpoint security solution. When you safeguard the data, you reduce the risk of compromising sensitive customer or employee information, confidential files, and your company’s reputation.  So you need to make it easier to identify and activate new devices as they come on the network for their usage of encryption.  And to find the older devices as they log back in for software updates into the network.

The CISO on our panel from Markit talked about the convergence of IT asset management (ITAM) and security. His point was that the security professional had a very different point of view in the past on what an asset is, because their focus is information risk. IT managers focused instead on where physical hardware was at any time; from a software standpoint, the focus was on consolidating license negotiations. Now this is coming together, not only due to cyber threats but for protection of the rest of the assets (data or otherwise) of the enterprise. Another point he made was that decisions regarding procurement, deployment and management of technology are not made centrally, and then there is a disconnect. There is no point in putting into place sophisticated network forensic tools (from the network team) if there is no basic patch management from the desktop team.

Our main point: There needs to be a holistic view of IT asset management throughout the lifecycle of the object in question, and throughout the entire IT team as to how to address the risk profile of the assets.

IBM expands its ecosystem by opening APIs for QRadar

08 Tuesday Dec 2015

Posted by afairchild in Uncategorized

Tags

BigFix, ecosystem, marketplace, QRadar, security

IBM today (8 December 2015) made some interesting information security announcements. The first was that IBM is opening the APIs of its IBM Security QRadar to allow developers to build custom apps utilizing the platform’s advanced security intelligence capabilities. The second announcement is that IBM has created a marketplace community called IBM Security App Exchange to engage developers to create and share apps based on the company’s security technologies.

The rationale behind IBM opening up the APIs for QRadar is to extend the ecosystem to encourage and engage developers and partners to further utilize the capabilities of its advanced security platform and take it deeper into the enterprise. In the newly built community, IBM and partners including Bit9 + Carbon Black, BrightPoint Security, Exabeam and Resilient Systems already have populated this exchange with dozens of customized apps that extend IBM Security QRadar security analytics in areas like user behavior, endpoint data and incident visualization. This opening of the APIs allows the security community to rapidly build new QRadar applications using software developer kits. IBM Security will be monitoring and testing every application before it is posted to the App Exchange to examine the integrity of these community contributions to the platform.

To further address cyber threats in the enterprise space, there is a need for a more open and collaborative approach to security to get more developers involved and more applications integrated into IBM’s advanced platform. Enlarging the ecosystem will allow IBM to integrate with third-party technologies and provide even better visibility into more types of data threats.

“With thousands of customers now standardizing on IBM’s security technologies, opening this platform for closer collaboration and development with partners and customers changes the economics of fighting cybercrime,” said Marc van Zadelhoff, Vice President, Strategy and Product Management, IBM Security. “Sharing expertise across the security industry will allow us to innovate more quickly in order to help stay ahead of increasingly sophisticated attacks.”

Those who benefit from this announcement are software security tool developers wanting to partner with IBM Security to get access to some of the best security analytics out there. IBM Security operates one of the world’s broadest security research, development, and delivery organizations.

IBM was also announcing today a new release of IBM Security QRadar, which further integrates QRadar with IBM BigFix endpoint security management to help customers better prioritize threats and patches on user devices.

Servicing the IoT – an industry unto itself?

11 Sunday Oct 2015

Posted by afairchild in Uncategorized

Tags

Gartner Symposium, IoT, marketing automation, security

I was reading the press release from last week’s Gartner Symposium in Florida.  Although I do not agree with the timing of the events they predict, two of them are of distinct interest to me given my own areas of research in marketing automation and IoT infrastructure.

First point:  All of the enabled objects (IoT) will require service and maintenance.  Well, they do now already require service and maintenance, but with the “phone home” ability of connectivity and some level of intelligence, the down time of objects can be significantly reduced.  This will be helpful given our reliance on said objects will increase as a function of their intelligence.

It is likely that a unique service industry will develop in and around IoT objects, and those who provide service to infrastructures will need to add knowledge about internet-enabled devices to their portfolio. Real-time automation again rears its head, so those with skills in simulation and utility management will benefit.

Second point: A certain percent of business content will be authored by machines.  [To be frank, given the poor writing skills of many of the millennials I teach, this can only be a good thing. 😉 ]   Seriously, there are many items that can be automated in terms of corporate communication.  I would agree that business reports can become automated and their contents more automatically disseminated. And preferably NOT in terms of increasing the volume of email!

I have to say I like their point 5, and agree with the statement: “Smart building components cannot be considered independently, but must be viewed as part of the larger organizational security process. Products must be built to offer acceptable levels of protection and hooks for integration into security monitoring and management systems.” It is clear that holistically a smarter workplace must be greater than the sum of its parts.   Integration and baking security into the workplace is a necessity for protection of corporate capital.
