No Such Thing as Security "Best Practices"
By Bob Violino | Posted 2007-10-29
Linda Stutsman of the International Information Integrity Institute says organizations must customize their security practices to meet their unique requirements.
Linda Stutsman is managing director of the International Information Integrity Institute. I-4, as it's known, was founded in 1986 by SRI International (formerly Stanford Research Institute) to promote the sharing of security-related information and help companies address critical security issues. Operated by IT services company Getronics, I-4 works with its global members to explore security issues and identify cost-effective solutions to security threats.
Before joining I-4 in June, Stutsman was senior vice president of corporate information security at Bank of America, and previously served as chief information security officer at Xerox. She spoke recently with contributing editor Bob Violino about her experience in corporate IT security, her role with the I-4 consortium and why she doesn't believe in best practices.
Baseline: What do you see as the biggest threat to corporate information and computing centers today?
The biggest threat is the same threat we've always had: It's not unauthorized access to information; it's abuses of authorized access to information. It's not a new threat, but there are new ways of abusing that same access. I've been in this business for a very long time, and 25 years ago we didn't have to worry about employees taking pictures of customer information with their cell phones. We didn't have to worry about employees with USB drives on their key chains. There are new ways of thinking about old threats. It's not just employees. This can be by employees, customers, business partners or outsourcing partners who have authorized access.
What can be done about abuses of authorized access? What are the best technology and policy solutions?
Some companies are dealing with data leakage by more carefully limiting the scope of authorized users on the policy implementation side, and on the technology and process side by restricting methods of access, via thin client, and by piloting digital rights management for controlling usage; scaling continues to be an issue. There's more extensive access monitoring, where legal or forensics have helped define patterns of access to information, for example. It's a combination of people, process and technology solutions.
What about information security threats from the outside? What are organizations concerned about most right now?
There's a growing awareness of application-level vulnerabilities of Internet-facing applications. Companies are investing in technologies and processes to help applications people understand and correct the problems in a timely manner.
On a broader scale, what are some of the key risk-management issues facing organizations today?
I-4 is involved in risk-management issues across the board. Because of the nature of the wide breadth of industries in I-4, it's the regulatory environment that is one of the biggest issues. The landscape of regulatory requirements is an immense challenge. It's just very tough for businesses to keep up with the changing requirements. You have the federal level (Sarbanes-Oxley is an example) and then multiple state-level privacy laws and regulations. Then add in the industry regulations such as HIPAA [Health Insurance Portability and Accountability Act], and the global regulations such as the European Union Data Directive and Basel [recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision, an institution created by the central bank governors of the G-10 countries].
Exactly what kind of security information sharing and problem solving does I-4 handle?
We share case studies about experiences; I'm not going to say best practices because I believe there are no best practices. We share information about real life, practical security solutions. We share war stories. We have select vendors come in and talk about their strategies. We don't talk so much about products, but about thought leadership and strategic visions. We also have [representatives from] universities come in and talk about research, where they think security is going. We talk about things that are happening today rather than focusing on older threats and technologies. For example, we saw phishing as it was happening because we had a member comment that his company was dealing with it, almost in real time. We discussed solutions to phishing way before the public first saw it.
How detailed are the discussions about specific security incidents?
Because we're a confidential group we can get down to a detailed level; we're truly sharing useful information. Typically when it's a public group you don't get down to a detailed level of discussion because you don't know who you're sharing with. [In I-4] you're getting data you can take back to your office and adjust to your own needs. You're networking with other colleagues, and when you run across problems you can call someone to help solve the problem.
Are there other examples, besides phishing, of security threats that I-4 members discussed before they were generally known?
I-4's history has many examples of topics introduced early in their maturity cycle. I've spoken with some of the I-4 founders and they actually talked about data protection in 1988, how to safely connect a company to the Internet, how the Web would change the world, about the disappearing perimeter in 1997, quantum computing and crypto in 2002 and managing offshoring in 2003.
You mentioned a moment ago that there are no best practices in security. Can you explain what you mean?
I don't believe in best practices. "Best" is contextual. What is a best practice for one organization may not be a best practice for another. In one industry it might be a best practice but for another type of company it might not work or it might be overkill. Members consider what their colleague organizations have done that's new or different compared to what their own approach to related situations has been and apply the thinking within their business risk tolerances. I believe each company has to take the best of each solution and customize it. There may be a best practice within an industry but it's tough to go across industries.
How do you plan to change I-4's focus, and what are your ultimate goals for the organization?
It's really way too early for me to say right now. I'm in discovery mode; I'm talking with members and working with the member advisory committee. I'm listening, I'm asking questions. Any changes we make will be thoughtful, and they will be member-influenced changes. I-4 has not only survived for 21 years, but has thrived for 21 years. There's a lot that's right with I-4, so any change will be very slow, purposeful, strategic change. But again, it's way too early right now to tell what that change will be.
Do you think your previous experience at Bank of America and Xerox will help or hurt you manage a corporate security consortium?
It will absolutely help. My experience with information security in general will help. I think the fact that I've been a member of I-4 will also help. I'm aware of what I-4 is all about, and I think the fact that I've been participating in I-4 for almost eight years will have an impact. I've seen it evolve over those eight years and I've seen the information security field evolve over the last 25 years. Also, coming from two different industries, manufacturing and financial services, gives me some good perspective.
How has the information security field evolved over the years? What have been the biggest changes since you began working in the field?
The most important changes have been, on the technical side, the immense growth of "connectedness" in all aspects of business processes and work life, and on the management side, the recognition that information security organizations and people work best when serving the business. The security people are helping businesspeople understand the risks and security implications of their plans and activities, and are helping to secure those business processes within the risk environment.
During your tenure at Bank of America and/or Xerox, did either organization experience a security breach? What happened, and how did you or the organization respond?
Every organization at some time experiences some type of security breach. But I can't really comment in detail on that. I wasn't part of the investigative teams at either of those companies. I can say that at Xerox it was more around early response to viruses and being able to contain them and shut things down while we did cleaning and prevented damage to our systems; the emergency response team had to deal with things like the Melissa virus.
Any advice about security for CIOs and CSOs?
I'd say treat information security as a business problem, not a technology problem. It's a business problem because information is a business enabler. My entire career has been spent [looking at information security] that way. We are in the business of business, not in the business of information security. If information security is implemented correctly, you should be there to help support the business goals. Information security should never be an end unto itself.