No Such Thing as Security “Best Practices”

Linda Stutsman is managing director of the International Information Integrity Institute. I-4, as it’s known, was founded in 1986 by SRI International (formerly Stanford Research Institute) to promote the sharing of security-related information and help companies address critical security issues. Operated by IT services company Getronics, I-4 works with its global members to explore security issues and identify cost-effective solutions to security threats.

Before joining I-4 in June, Stutsman was senior vice president of corporate information security at Bank of America, and previously served as chief information security officer at Xerox. She spoke recently with contributing editor Bob Violino about her experience in corporate IT security, her role with the I-4 consortium and why she doesn’t believe in best practices.

Baseline: What do you see as the biggest threat to corporate information and computing centers today?
The biggest threat is the same threat we’ve always had: It’s not unauthorized access to information—it’s abuses of authorized access to information. It’s not a new threat, but there are new ways of abusing that same access. I’ve been in this business for a very long time, and 25 years ago we didn’t have to worry about employees taking pictures of customer information with their cell phones. We didn’t have to worry about employees with USB drives on their key chains. There are new ways of thinking about old threats. It’s not just employees. This can be by employees, customers, business partners or outsourcing partners who have authorized access.

What can be done about abuses of authorized access? What are the best technology and policy solutions?
Some companies are dealing with data leakage by more carefully limiting the scope of authorized users on the policy implementation side, and on the technology and process side by restricting methods of access, via thin client, and by piloting digital rights management for controlling usage—scaling continues to be an issue. There’s more extensive access monitoring, where legal or forensics have helped define patterns of access to information, for example. It’s a combination of people, process and technology solutions.

What about information security threats from the outside? What are organizations concerned about most right now?
There’s a growing awareness of application-level vulnerabilities of Internet-facing applications. Companies are investing in technologies and processes to help applications people understand and correct the problems in a timely manner.

On a broader scale, what are some of the key risk-management issues facing organizations today?
I-4 is involved in risk-management issues across the board. Because of the nature of the wide breadth of industries in I-4, it’s the regulatory environment that is one of the biggest issues. The landscape of regulatory requirements is an immense challenge. It’s just very tough for businesses to keep up with the changing requirements. You have the federal level—Sarbanes-Oxley is an example—and then multiple state-level privacy laws and regulations. Then add in the industry regulations such as HIPAA [Health Insurance Portability and Accountability Act], and the global regulations such as the European Union Data Directive and Basel [recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision, an institution created by the central bank governors of the G-10 countries].

Exactly what kind of security information sharing and problem solving does I-4 handle?
We share case studies about experiences; I’m not going to say best practices because I believe there are no best practices. We share information about real life, practical security solutions. We share war stories. We have select vendors come in and talk about their strategies. We don’t talk so much about products, but about thought leadership and strategic visions. We also have [representatives from] universities come in and talk about research, where they think security is going. We talk about things that are happening today rather than focusing on older threats and technologies. For example, we saw phishing as it was happening because we had a member comment that his company was dealing with it, almost in real time. We discussed solutions to phishing way before the public first saw it.

How detailed are the discussions about specific security incidents?
Because we’re a confidential group we can get down to a detailed level—we’re truly sharing useful information. Typically when it’s a public group you don’t get down to a detailed level of discussion because you don’t know who you’re sharing with. [In I-4] you’re getting data you can take back to your office and adjust to your own needs. You’re networking with other colleagues, and when you run across problems you can call someone to help solve the problem.

Are there other examples, besides phishing, of security threats that I-4 members discussed before they were generally known?
I-4’s history has many examples of topics introduced early in their maturity cycle. I’ve spoken with some of the I-4 founders and they actually talked about data protection in 1988, how to safely connect a company to the Internet, how the Web would change the world, about the disappearing perimeter in 1997, quantum computing and crypto in 2002 and managing offshoring in 2003.

You mentioned a moment ago that there are no best practices in security. Can you explain what you mean?
I don’t believe in best practices.

“Best” is contextual. What is a best practice for one organization may not be a best practice for another. In one industry it might be a best practice but for another type of company it might not work or it might be overkill. Members consider what their colleague organizations have done that’s new or different compared to what their own approach to related situations has been and apply the thinking within their business risk tolerances. I believe each company has to take the best of each solution and customize it. There may be a best practice within an industry but it’s tough to go across industries.

How do you plan to change I-4’s focus, and what are your ultimate goals for the organization?
It’s really way too early for me to say right now. I’m in discovery mode; I’m talking with members and working with the member advisory committee. I’m listening, I’m asking questions. Any changes we make will be thoughtful, and they will be member-influenced changes. I-4 has not only survived for 21 years, but has thrived for 21 years. There’s a lot that’s right with I-4, so any change will be very slow, purposeful, strategic change. But again, it’s way too early right now to tell what that change will be.

Do you think your previous experience at Bank of America and Xerox will help or hurt you manage a corporate security consortium?
It will absolutely help. My experience with information security in general will help. I think the fact that I’ve been a member of I-4 will also help. I’m aware of what I-4 is all about, and I think the fact that I’ve been participating in I-4 for almost eight years will have an impact. I’ve seen it evolve over those eight years and I’ve seen the information security field evolve over the last 25 years. Also, coming from two different industries, manufacturing and financial services, gives me some good perspective.

How has the information security field evolved over the years? What have been the biggest changes since you began working in the field?
The most important changes have been, on the technical side, the immense growth of “connectedness” in all aspects of business processes and work life, and on the management side, the recognition that information security organizations and people work best when serving the business. The security people are helping businesspeople understand the risks and security implications of their plans and activities, and are helping to secure those business processes within the risk environment.

During your tenure at Bank of America and/or Xerox, did either organization experience a security breach? What happened, and how did you or the organization respond?
Every organization at some time experiences some type of security breach. But I can’t really comment in detail on that. I wasn’t part of the investigative teams at either of those companies.

I can say that at Xerox it was more around early response to viruses and being able to contain them and shut things down while we did cleaning and prevented damage to our systems—the emergency response team had to deal with things like the Melissa virus.

Any advice about security for CIOs and CSOs?
I’d say treat information security as a business problem, not a technology problem. It’s a business problem because information is a business enabler. My entire career has been spent [looking at information security] that way. We are in the business of business, not in the business of information security. If information security is implemented correctly, you should be there to help support the business goals. Information security should never be an end unto itself.