James Turner

As cloud services - typically Software as a Service - become increasingly accepted, the IT industry is gaining valuable experience in the actual risks of putting data in the cloud. Most of these risks centre around data confidentiality. Knowing the actual risks, rather than the fear, uncertainty and doubt that vendors and security consultants can throw at the cloud, enables CIOs to make informed choices and recommendations to the business on cloud usage.

Whether in the domain of IT security, or in corporate fraud, when an organisation has been successfully attacked, what makes the difference is knowing that the attack occurred, and knowing as soon as possible. For organisations working to make their IT security budget go further, having a third party service provider check security logs is proving to be a cost effective form of selective outsourcing. Of course, this service doesn’t make an organisation perfectly secure, but early knowledge is vital to incident response and loss minimisation.

Organisations are finding that there are potentially many benefits to deploying a single smartcard that can perform multiple functions. A unified smartcard carries the possibility to reduce costs, improve security, and improve user experience. However, the complexity of a smartcard deployment is a function of the number of business units and processes that will be touched, and so thorough research and planning is essential. Strong political will from an executive sponsor is also imperative to success, and can be generated with a business case that is explicit on what the intention, and ranked objectives, of the deployment are.

Despite the apparent value of the DSD’s Top 35 Mitigation Strategies report, organisations considering executing its recommendations will have to weigh up the business impact of implementation. In some instances, a mitigation strategy may be too intrusive on business operations. For some, the cost of ongoing support may be too high. However, the most significant barrier will be communicating risk to the business, and the need for a given strategy (particularly the more intrusive ones!). In order to realise the benefits of this resource in improving an organisation’s security posture, the report will need to be translated into business impact in order to gain executive buy-in.

Tim Cook, the new CEO at Apple, is noted for his excellence at managing Apple’s supply chain, and while he has spoken about engagement with the enterprise space, this will only be a token gesture from Apple. Enterprise IT does not play to Apple’s strengths. Apple will continue to focus on being great at what it already does: designing for, and selling to, consumers. This presents a challenge for enterprise IT departments because in the absence of meaningful enterprise support from Apple, enterprise IT must aim at negating the impact of any device’s form-factor.

Just as the influx of personally owned mobile devices is reaching a peak in enterprises, there are new options for mobile device management (MDM) which are being driven by three factors. The three factors are: HTML5, Exchange ActiveSync, and carriers moving up the value chain in an IP-centric world. Ultimately, all three options will have appeal to different types of organisations, and different applications. Due to the rate of maturation of these factors, CIOs should expect that an MDM platform deployment will have a shelf life of less than two years.

Back when I was at university, I had two particularly interesting lectures in the same week; one from the school of management, and one from the school of marketing. What made them so interesting was the timing as well as the content of the two lectures. Management said, “perception is not reality”. Marketing said, “perception is reality”. (I agree with both...

There are three key areas of risk to an organisation in enabling staff access to social networking sites. These three areas relate to: the data being shared with the site, the people using the site, and adherence to organisational policies. The point of greatest impact to address all three areas of risk is in training the users to interact with these social networking sites safely and securely. The employees are consumers of IT both at work and at home and their personal risk appetite will guide their behaviour in both locations, so education is vital in order to change behaviour. The importance of this point will become increasingly obvious as organisations explore mobility and BYOD (bring your own device) initiatives.

The Stuxnet worm was a turning point for the development of malware. Over the last few years even the anti-malware vendors have been acknowledging that the signature-only approach for AV is insufficient. We must assume that we will not be able to detect the malware itself, we must rely on being able to spot the ripples of its passage. The next 12-18 months will see the early majority of organisations (pragmatists) crossing the chasm and joining the early adopters in looking at anomaly detection and event correlation products.

The latest Verizon Data Breach Investigation report (2011) continues many of the themes drawn out since its first publication in 2008. However, the DBIR is not a best practice guide on how to secure organisational data; it is an aggregation of cases where organisations failed to secure theirs. Consequently, the DBIR should be viewed as a document which identifies worst practice, and provides instructions on how not to be a follower of worst practice. Some of the breaches that have made headlines this year show that even well-resourced organisations can overlook the basics of IT security.