 




<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; PCI</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/pci/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Credit Card Breaches: The times they need a changin&#8217;</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/credit-card-breaches-the-times-they-need-a-changin/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/credit-card-breaches-the-times-they-need-a-changin/#comments</comments>
		<pubDate>Sun, 29 Jul 2012 18:39:13 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ATM]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[checking account]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[credit]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[evidence]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[id theft]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[network]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[personally identifiable information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security breach]]></category>
		<category><![CDATA[theft]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=945</guid>
		<description><![CDATA[If my blogging about credit card breaches has a bit of a deja vu feel to it you&#8217;re not crazy, I last touched on it less than six months ago.  Sadly I was handed a new update this week in the form of my bank card being cancelled from right out underneath me again.   [...]]]></description>
				<content:encoded><![CDATA[<p>If my blogging about credit card breaches has a bit of a deja vu feel to it you&#8217;re not crazy, I last touched on it less than six months ago.  Sadly I was handed a new update this week in the form of my bank card being cancelled from right out underneath me again.   For those of you keeping score this would be the second time in 2012, a new personal record.</p>
<p>Here&#8217;s the sequence of events:</p>
<p>Wednesday morning I received an email alert from a company I use that my automatic monthly payment was declined.  Knowing full well it wasn&#8217;t a balance issue I assumed correctly that my bank had cancelled the card.  As I travel extensively and rely on the card exclusively I made my way to a local branch later that morning.  Along the way I called into the service center and confirmed my suspicions, that Visa informed the bank that my card was part of a range of numbers that was possibly exposed via a breach.  I asked if it was possible to learn the name of the offending vendor and was told (same as last time) that Visa doesn&#8217;t share that information.  As I am now a two-time victim it&#8217;s easy to spot the trend and hard to ignore the possibility that it might have involved the same vendor both times.  It wound up taking three visits to a branch to straighten me out and actually get a functioning card in my wallet.  The inconvenience is more than benign as I use the card in several places and will now need to make manual, one-off payments with the temporary card while awaiting the permanent card so that I can update the affected accounts.  By the time this is all said and done it will have resulted in my exhausting more than a half day of billable time trying to fix a problem I didn&#8217;t create.</p>
<p>A few things need to change.</p>
<ul>
<li>First, as part of the breach notification the card issuer needs to share with the cardholder the source of said breach.  I&#8217;ve been hit twice in six months, there&#8217;s a better than even chance that it involved the same vendor and/or processor and I deserve to know if that&#8217;s true.</li>
<li>Second, affected cardholders should receive status updates providing details about the breach including the suspected source, the techniques potentially used and a description of any follow-up actions including investigative and (hopefully) criminal prosecution.</li>
<li>Third, issuers need to have a better system in place to address breaches.  The fact that I have to overtly take action in order to replace the card is a joke.  I&#8217;m a billable resource and taking time out to wait to talk to a customer service representative results in loss of income; I&#8217;m being punished twice as a result.  I should have been offered the option to have a card overnighted to me or have been able to receive a card at any teller window and have it activated right there and then (I had to first activate at an ATM before I could use the temporary plastic).  The card replacement process needs to be streamlined.</li>
</ul>
<p>We collectively as an industry and a society need to accept that both identity and card theft are mainstream occurrences and adjust accordingly.  Legislation is needed to further insulate the victims (like me) from any extended damage or inconvenience and ensure as smooth a process as possible to allow us to continue living our lives.  Because right now I don&#8217;t just feel like a victim, I feel like I&#8217;m being punished for being one and treated like I simply don&#8217;t matter.</p>
<p>Hey Washington, make the industry tell us what&#8217;s going on and to treat the consumers better!</p>
<p>Oh, and PCI Security Standards Council, how&#8217;s that framework working out for you?  I&#8217;m thinking the only one benefiting from your content are the practitioners making money by supporting it.</p>
<p>Seriously, something needs to change.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/credit-card-breaches-the-times-they-need-a-changin/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Anyone remember the Heartland breach?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/anyone-remember-the-heartland-breach/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/anyone-remember-the-heartland-breach/#comments</comments>
		<pubDate>Sat, 14 Apr 2012 14:23:52 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
		<category><![CDATA[ATM]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=901</guid>
		<description><![CDATA[Until breaches are treated as a true threat to our personal security and receive the scrutiny they so richly deserve none of this is going to get better.  When a breach of over one million credit card accounts is prefaced with the word "only" and that's perfectly acceptable to all involved we're still obviously a long way off from solving the problem.]]></description>
				<content:encoded><![CDATA[<p>Two weeks ago news broke about a huge, massive leak of credit card information from a processor called Global Payments and I braced for a firestorm of media coverage that was sure to follow.  Two weeks hence and it&#8217;s pretty much a non-event.  A few days ago the State of Utah reported a breach of nearly one million social security numbers and again I waited for this to hit the front page.  It was a blurb for about an hour and then disappeared only to be found by using search engines.</p>
<p>Doesn&#8217;t anyone remember the great Heartland breach of 2009?  Seriously, anyone?</p>
<p>I&#8217;ve never tried to quantify what percentage of the work we do within the regulatory compliance domain is focused on the safeguarding of customer data but off the top of my head I&#8217;m thinking it&#8217;s high.  And when you factor in that there&#8217;s an entire industry focused exclusively on protecting credit card information (PCI) you&#8217;d think that not only are breaches getting harder to pull off but that we&#8217;re becoming less tolerant as a society in accepting them.  But there&#8217;s a general lack of outrage exhibited when these incidents occur, the media doesn&#8217;t much care to cover it properly and really in the end they wind up being something of a non-issue.  And as I learned recently when my own bank card was compromised, the banking industry seems to simply accept that these things are going to happen.  Instead of getting better at preventing breaches they&#8217;ve instead managed to streamline the process where they shut down the accounts in question and reissue new ones.</p>
<p>You often hear that any security solution is only as good as its weakest link.  It seems to me that financial institutions are no closer to figuring out how to truly lock everything down and with the constant evolution of technology where we&#8217;re always adjusting to new exposures, new threats and new challenges we&#8217;ll never actually get there.  There&#8217;s never a point where an infrastructure is truly hardened and where the weakest link is something so obscure as to not even present a credible threat.  Despite regulatory and industry requirements and sometimes intense scrutiny we&#8217;ve reached a point where the only thing that&#8217;s improved is in how quickly we repair the damage.  PCI hasn&#8217;t stopped things from happening (it hasn&#8217;t and don&#8217;t debate me on its merits because every time there&#8217;s an issue with a PCI-certified company there&#8217;s an excuse).  GLBA hasn&#8217;t stopped things from happening (too many moving parts and not enough pressure applied from the enforcement divisions).  It&#8217;s just not getting better and I can&#8217;t see that improving anytime soon.</p>
<p>I&#8217;ve long ago decided that vigilance on my part is my only true defense against identity theft.  I&#8217;ve written previously on how I check every physical detail of every ATM I ever use to make sure the equipment is legitimate, that there are no hidden cameras recording my PIN and that I never use the privately leased machines you find all over the place.  I also double-check gas pumps to make sure a portable device isn&#8217;t scanning my credit card (I get strange looks all the time when I wiggle the card scanner to see if it&#8217;s loose).  And I&#8217;ve turned on every email alert possible to track activity on my checking account (much to my wife&#8217;s chagrin).  I almost never use a smartphone app or web-based solution to conduct my banking because I don&#8217;t completely trust the technologies (or rather the people who can exploit them).  And to be clear, none of my concerns stem from what I see while doing my day-to-day fieldwork.  It&#8217;s all based on what I know happens out in the real world.</p>
<p>Until breaches are treated as a true threat to our personal security and receive the scrutiny they so richly deserve none of this is going to get better.  When a breach of over one million credit card accounts is prefaced with the word &#8220;only&#8221; and that&#8217;s perfectly acceptable to all involved we&#8217;re still obviously a long way off from solving the problem.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/anyone-remember-the-heartland-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GRC presents a broad spectrum; is it too broad?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-presents-a-broad-spectrum-is-it-too-broad/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-presents-a-broad-spectrum-is-it-too-broad/#comments</comments>
		<pubDate>Fri, 23 Mar 2012 15:24:27 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=894</guid>
		<description><![CDATA[GRC is an awesome concept working towards one day becoming an awesome discipline but it's not quite there just yet (a point I routinely beat to death, I know).  It's spread out too far and wide and depending on who you're talking to about it can get widely (if not wildly) varying definitions of what it is.]]></description>
				<content:encoded><![CDATA[<p>In early 2004 I co-authored my first Sarbanes-Oxley (SOX) controls framework for a client.  Just about the entire thing required manual testing that, if everything worked as planned would require a full-time resource to support.  About thirty seconds after submitting the framework draft to the client my in-box started filling up with all sorts of ticklers from software vendors promoting automated SOX testing.  Anxious to identify efficiencies to shorten the testing cycle I eagerly read through all of the offerings.  It didn&#8217;t take long to realize that most of the products were either regurgitated Y2K scanning solutions retooled to use SOX-oriented terms or flat out security scanning software that addressed a relatively minor fraction of the testing required.  The promise of automated testing was but an illusion because in the end even the best of breed would only reduce the workload just so much, a full-time resource would still be needed.</p>
<p>Now we have GRC software solutions that oddly enough promise to automate GRC-related tasks.</p>
<p>The first problem with any such assertion is that GRC is too broad a spectrum of activities and disciplines &#8211; most solutions are focused on addressing subsets therein.  On one end you have the security-centric solutions, on the other end you have the risk-centric platforms and somewhere in the middle is a crowd of offerings that try and touch on everything but none particularly deeply.  So the first thing a stakeholder needs to understand is what they&#8217;re looking to accomplish before they set out to select a product.  You can select ten different GRC vendors and discover ten different interpretations of the discipline.  And within those ten solutions there are vastly different approaches.  Some are similar to ERP packages where their approach is somewhat hard-coded and you have to do things their way (or spend big bucks to customize).  Some are remarkably configurable and can be made to fit your processes like a glove (but that requires a steep learning curve and expanded time frames).</p>
<p>The second problem is that because most vendors selling to the GRC market tend to use common terms their internal definitions can be quite different.  Some solutions pitch risk assessments which are little more than questionnaires (e.g. very little to no risk-related elements such as inherent and residual risk) whereas others provide questionnaires that are absolutely risk assessments but only appear as such upon inspection.  If you&#8217;re looking for a true risk-oriented solution you might go with the former when it&#8217;s the latter you truly need.  But the terminology is so similar it&#8217;s hard to differentiate and the only way you&#8217;ll get to realizing that is after you take the software out for a test drive, not something every vendor is willing to provide (and I&#8217;m not talking about a two hour demo, I&#8217;m talking about a true trial period).  You think you&#8217;re comparing apples to apples and it may turn out that you were comparing apples to car batteries without knowing it.</p>
<p>The third problem is that after a while it&#8217;s easy to become snow-blind during the selection and evaluation process.  Because of the common language, because of apparently similar functionality you start looking for factors unrelated to what you really need to focus on as a way to separate out the solutions from one another.  You&#8217;ll consider solutions as prequalified because a competitor is using it thinking that their needs are similar to yours.  But they may be focused on information security activities where your institution is looking for automated risk assessment capabilities.  You&#8217;ll start shopping on price and contract terms thinking that competing solutions are so similar it really comes down to who offers the best deal.  But software vendors usually know their market and the correct price points based on what their solutions offer &#8211; if two or more products appear evenly matched on functionality but one is much cheaper there&#8217;s usually a reason.  The more expensive solution may come pre-loaded with all the related content you&#8217;ll need to effectively use it whereas the cheaper solution might require you to obtain your own licenses.  It&#8217;s not intentionally misleading but that&#8217;s a detail easy to overlook during the vetting process.</p>
<p>GRC is an awesome concept working towards one day becoming an awesome discipline but it&#8217;s not quite there just yet (a point I routinely beat to death, I know).  It&#8217;s spread out too far and wide and depending on who you&#8217;re talking to about it can get widely (if not wildly) varying definitions of what it is.  So it&#8217;s no wonder that trying to find an automated GRC solution is equally challenging, the vendors are trying hard to figure out what nail to hammer as well.   They all do some things remarkably well but at the expense of doing some things either partially or not at all.  Thus the reason that it&#8217;s not uncommon in larger companies to find multiple GRC solutions installed; different business functions have unique needs and they purchase whichever is closest to meeting those needs.  It&#8217;s an expensive approach but for the foreseeable future a necessary evil.</p>
<p>I think we&#8217;re getting closer to a point in time where a common dialogue will be accepted by the audit and compliance community.  The OCEG folks have poured the foundation and it just needs a little more time to harden in terms of broad acceptance.  When I see their content displayed prominently next to all the COBIT binders at my clients I&#8217;ll know that time has come.  I predicted in 2007 that once we&#8217;re in the midst of a full-blown economic recovery GRC will quickly rise in prominence due to increasing regulatory pressures, almost identical to the way COBIT soared into the forefront of the industry fueled by SOX.  I see no reason to alter that prediction, I&#8217;m just not sure when the recovery will officially begin.</p>
<p>In the meantime keep participating in the dialogue, keep trying to define what GRC means to you and to your organization and every now and again share those ideas with some of the decision makers who are shaping the discipline, they need to hear from everyone as they mature the thing.  As long as we in the audit and compliance domain keep moving things forward we&#8217;ll get GRC to where we need it to be, I&#8217;m certain of it.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-presents-a-broad-spectrum-is-it-too-broad/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>My bank card was compromised.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/my-bank-card-was-compromised/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/my-bank-card-was-compromised/#comments</comments>
		<pubDate>Tue, 06 Mar 2012 18:00:58 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[breach]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=887</guid>
		<description><![CDATA[I recognize that this is a sign of the times we now live in.  We use plastic everywhere, our sensitive account information is digitized all over the place and security controls protecting that information are only as strong as their weakest link.]]></description>
				<content:encoded><![CDATA[<p>Two weeks ago, about two hours before departing on a long weekend trip to welcome back baseball in Florida I received an email from my bank indicating that there&#8217;s been suspicious activity on my Visa check card and that it&#8217;s been suspended.  Considering that under normal conditions I think my family&#8217;s spending is a bit unusual I figured it was just a mix up.  I mean, during most weeks I can fill up my car in four different states, make purchases in five and buy an impressive assortment of merchandise spanning the full range of the consumer spectrum.</p>
<p>So I called up in an attempt to resolve things and was informed that it wasn&#8217;t my spending that caused a problem, it was the fact that one of the vendors I completed a transaction with reported a breach.  Because my card number was potentially included in that breach I was shut down.  I was fortunate that my bank is set up to help customers manage these situations fairly effortlessly (I don&#8217;t love them most of the time but this event won them some points with me) and after a brief stop at a local branch I had a temporary card and was able to continue on my trip.</p>
<p>A few items of note surfaced as a result of this experience.  The first is that my bank would not reveal the vendor that reported the breach.  The customer service representative I spoke with claimed that she didn&#8217;t have access to the information which I sort of believed.  But when I asked how I could find that information out she replied that they typically don&#8217;t share it.  I thought that a bit odd.  Shouldn&#8217;t I as a consumer be able to make informed decisions about who I do business with?  I should be able to find out who the vendor is so that I can decide whether or not I&#8217;ll continue to give them any of my hard earned dollars.  The second thing that I found curious was how seamless the replacement process was.  They had a stack of temporary cards about five inches thick and a process so well defined and efficient that it almost seemed like I was asking to borrow a pen so I could sign something.  When I returned to the car my son who had been waiting for me assumed they weren&#8217;t able to help me because I was out so fast.  How often does this sort of thing happen?  And to make their degree of efficiency that much more notable a friend of mine experienced something similar and it took her bank over a week to get a new piece of plastic into her hands.</p>
<p>I recognize that this is a sign of the times we now live in.  We use plastic everywhere, our sensitive account information is digitized all over the place and security controls protecting that information are only as strong as their weakest link.  It&#8217;s why you&#8217;ve heard me say many a time that requirements like PCI are an excellent starting point but by no means the end-all to be-all for securing the perimeter.  All it takes is one USB storage device to go missing, one new appliance added to a network with default values unchanged, one person printing off a report with NPPI and forgetting to pick it up from the printer and voila, a breach is born.</p>
<p>I&#8217;m frequently onsite at clients of wildly varying sizes and I find something every day that makes me realize that sometimes the best weapon against a company being embarrassed by some sort of exposure is just dumb luck.  Regardless of whether they have a well-formed team of risk and compliance folks working hard to protect information assets or just a single person serving in a related function it comes down to human nature both in terms of those not following the rules and those who are ready to exploit that fact.  A prime example is that when I find sensitive information left exposed I collect it and either dispose of it properly or lock it up to share with the appropriate party as a &#8220;for instance&#8221;.  However in those places where less honest people make similar discoveries that same information becomes a commodity to be sold to those who indulge in things like identity theft.  Like I said, it comes down to pure dumb luck.</p>
<p>And so I&#8217;m left wondering if my now deactivated and defunct bank card was the victim of human nature, a sophisticated scheme to access otherwise properly secured sensitive information or just plain incompetence.  And while I&#8217;m glad that my bank was swift to react and protect me I wish they&#8217;d extend that to also inform and educate me as well.  I mean honestly, if I&#8217;m going to be forced to memorize a whole new series of numbers shouldn&#8217;t I at least be allowed to know who&#8217;s to blame?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/my-bank-card-was-compromised/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why I don&#8217;t trust hosted or SaaS solutions.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/why-i-dont-trust-hosted-or-saas-solutions/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/why-i-dont-trust-hosted-or-saas-solutions/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 21:44:36 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=852</guid>
		<description><![CDATA[I simply don’t trust that any sensitive data is ever truly protected anymore.  I operate under the assumption that there are two common states with regards to data security, known breaches and those yet to be discovered.]]></description>
				<content:encoded><![CDATA[<p class="MsoNormal">Let me begin by sharing a story from the way back files.   In the mid 80’s when I was first starting out in my career I was working as a junior programmer in Manhattan.  Courtesy of playing on the corporate softball team I became acquainted with a fairly diverse group of people ranging from those in the trenches where I plied my trade all the way up to the executive suite.  One of the people I came to know well was senior in the internal audit department.   One day I learned that he had been fired rather suddenly earlier in the day, something that definitely came out of nowhere.  I came to find out that while under the guise of conducting audit work he had gained access to the company’s compensation data file and was logged browsing employee records from the CEO on down.  The problem was that he wasn’t conducting any audit that would explain his actions; he was doing it simply because he was curious what certain executives were being paid.  Having been caught red-handed and without a viable explanation he was terminated on the spot and escorted out of the building.</p>
<p class="MsoNormal">This was someone who for all intents and purposes had nothing to gain from doing something so blatantly stupid.  As an auditor he was likely aware of the logging capabilities available on the host (mainframe system).  He also had direct knowledge of the audit culture and the degree of scrutiny they placed on certain internal artifacts and/or repositories.  But in the end his basic human nature created an override allowing him to indulge his curiosity.  For me that meant that you could never assume that any manner of stored information was ever truly safe and secure.</p>
<p class="MsoNormal">Thus began my basic mistrust of storing sensitive information in electronic repositories.</p>
<p class="MsoNormal">With that in mind imagine my horror as technology began a rapid progression away from centralized storage and started spreading out first within the infrastructure to distributed applications and eventually breaching the walls of the data center and finding new homes elsewhere in other companies’ so-called data centers.   Beyond the fact that you don’t truly know how secure your data ever truly is (notwithstanding reports and attestations to the contrary), it now also has to traverse communication lines that despite what you may want to believe are vulnerable in a number of very real ways.  And we’re not just talking business data, we’re talking social security numbers, bank account numbers, credit card numbers and, and, and……</p>
<p class="MsoNormal">I simply don’t trust that any sensitive data is ever truly protected anymore.  I operate under the assumption that there are two common states with regards to data security, known breaches and those yet to be discovered.  When I’m challenged with the logic that we’re always told about confirmed breaches eventually and so we know exactly how much has been exposed I laugh.  All that means is that the hackers and criminal element slipped up along the way; a confirmed breach indicates someone made a mistake.  I truly believe that a successful breach is never detected, that the perpetrators behind it figure out the proper balance between skimming data and moving it around for illicit gains so that it never hits the radar.</p>
<p class="MsoNormal">And I think the threat comes from all over the map.  I think it’s often internal, someone on the inside behind the firewall and locked doors or someone with legitimate access to databases.  I think it’s sometimes along the way between a transmission’s point of origin and its destination.  And I think it’s often at points of exposure along the way.  I just don’t believe that there aren’t rogue employees at offsite storage facilities that know how to rig the system and grab media with all manner of PII and NPPI with no one ever the wiser.  I reject the notion that it’s impossible for employees of the popular SaaS companies to gain undetected access to a wide variety of information typically considered private and secured.  I think this happens regularly (if not often) and that as long as we remain blissfully ignorant this will continue to happen indefinitely.</p>
<p class="MsoNormal">I use only one rule when it comes to how best to protect sensitive data: if the human element is involved in any way your data is at risk.</p>
<p class="MsoNormal">And if you’re not truly yet at risk, if there have been no concerning or inappropriate attempts to access your choice data, that’s either because they haven’t gotten to you yet on their to-do list or your choice data isn’t as choice as you might think.</p>
<p class="MsoNormal">If I had it my way everything would be moved back to Big Iron in an internal data center and I’d go hog-wild slapping every conceivable monitoring tool and detection device wherever possible.  Short of that I’d select solutions that could only be run behind my firewall and on telecom pipes that I directly controlled to further minimize my exposure.  Oh and I’d probably fire anyone who ever even mentioned migrating to the cloud just to set an example.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/why-i-dont-trust-hosted-or-saas-solutions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does everyone value their privacy or is it just me?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-everyone-value-their-privacy-or-is-it-just-me/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-everyone-value-their-privacy-or-is-it-just-me/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 22:42:43 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[compliance]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[identify theft]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://1995391332</guid>
		<description><![CDATA[Last night I watched a story on the news about how insurance companies are using Facebook as a way to investigate disability fraud as well as profile policyholders who engage in high-risk activities in order to decide who’s too risky to insure.  Do you think those people think their privacy is an issue for the old?  And doesn't LinkedIn process credit cards for its paying customers?  Is PCI for old people too (now that would be a newsworthy quote)?]]></description>
				<content:encoded><![CDATA[<p class="yiv1440904730MsoNormal">I just came to find out that I’m old.  It was somewhat sudden and sort of unexpected as I’m not quite halfway to one hundred and have fooled myself into thinking that old doesn’t roll in until somewhere beyond sixty.  But apparently one person’s middle-aged is another person’s old.  Let me explain…</p>
<p class="yiv1440904730MsoNormal">I read an article in which Reid Hoffman, LinkedIn’s founder, was quoted this past summer as saying that privacy was for old people.  To be at least a little fair he was making the point that transparency of data, and how it’s shared, is an important component of social networks.  Young people are more interested in enhancing the experience and less concerned about revealing too much information in exchange for making that happen.  But really, isn&#8217;t it both a bit self-serving and irresponsible for someone atop the world’s largest professional social network to be thinking along those lines?</p>
<p class="yiv1440904730MsoNormal">First of all it sort of makes him seem like a visionary rather than irresponsible for allowing LinkedIn to take certain liberties with regards to protecting my personally identifiable information (PII) in exchange for furthering the platform – he’s not irresponsible, he’s forward thinking.  Second he marginalizes the concerns of experienced people by making such a statement as if to say “you’re too old to understand that it’s more important to be out there too much rather than not enough” – it conveys a message that I’m not cautious, I’m slow to adapt and that’s primarily because I’m not young.  Third it makes it so much easier and cheaper for LinkedIn to continue building out their platform if security isn’t their top priority – wouldn&#8217;t we rather have them introduce cool new features rather than enhance their controls?</p>
<p class="yiv1440904730MsoNormal">Well Mr. Hoffman here’s what I have to say about all of this.  What you call old, I call experienced.  I’m not concerned about my privacy because I have a dated way of thinking, I’m concerned because I know too much about identity theft and the damage it can cause.  I know that sites such as LinkedIn and Facebook have made it sooo much easier for the criminal element to develop profiles on people and figure out how to crack passwords, hijack email accounts and obtain information that allows them to assume someone’s identity.  I know that features such as TripIt and Foursquare allow criminals to figure out when people are going to be away from home and plan break-ins accordingly.  I know that it’s much easier to obtain inside information by trending activities on LinkedIn (e.g. I always know when someone works for a company facing downsizing or layoffs based on the type of profile updates they’re making).</p>
<p class="yiv1440904730MsoNormal">And you’re right that privacy is for old people.  So are life insurance, money management and parenting.  We’ve worked long and hard to get what we have and we understand the value of losing it.  Anyone much under the age of twenty-five likely hasn’t a clue as to why privacy is such a big deal because their exposure is so much less.  If someone stole my identity when I first started my career they would have had access to a few hundred dollars, maybe one or two credit cards with ridiculously low limits and have discovered that my house was sparsely furnished with hardly anything worth stealing.  I could have repaired most of the damage from a stolen identity within a couple of paychecks.  At that point I would have totally thrown caution to the wind and have leveraged the full offerings of today’s social networks in order to market myself both professionally and socially.  At this point I simply want to protect myself from unnecessary risks and exposures.</p>
<p class="yiv1440904730MsoNormal">Last night I watched a story on the news about how insurance companies are using Facebook as a way to investigate disability fraud as well as profile policyholders who engage in high-risk activities in order to decide who’s too risky to insure.  Do you think those people think their privacy is an issue for the old?  And doesn&#8217;t LinkedIn process credit cards for its paying customers?  Is PCI for old people too (now that would be a newsworthy quote)?</p>
<p class="yiv1440904730MsoNormal">I’m sure at some point Reid Hoffman has backtracked on his statement in some measure because whether you hear it in or out of context it still sounds awful.  And I can only imagine that officially LinkedIn will point out that he’s no longer running the company (officially anyway).  And I also realize that his statement didn’t convey in any way that LinkedIn didn’t value privacy just like I know from firsthand experience that LinkedIn as designed allows me to throttle what I share with the rest of the community in a way that I’m comfortable with.  But still, comments like that make my blood run a little cold and make me jump online right away to make sure that I’ve kept my information sharing to a minimum.  Because in the end while “I&#8217;m older and I have more insurance” I don’t want to have to use it.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-everyone-value-their-privacy-or-is-it-just-me/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Is new guidance really new or worth waiting for?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-new-guidance-really-new-or-worth-waiting-for/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-new-guidance-really-new-or-worth-waiting-for/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 14:43:00 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[cloud]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[compliant]]></category>
		<category><![CDATA[FDIC]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[guidance]]></category>
		<category><![CDATA[NCUA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[regulatory guidance]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=753</guid>
		<description><![CDATA[But what if the guidance falls short of what's necessary to get the job done?  What if it only frames the problem but doesn't actually tell you how to solve it?  Remember, the primary purpose of guidance is to raise awareness to the issue but not necessarily how to fix it.]]></description>
				<content:encoded><![CDATA[<p>Oh how the times have changed.  Once upon a time I was part of a group of peers who waited for new album releases, camped out over night for concert tickets and once even waited on line for the annual release of Strat-O-Matic&#8217;s baseball set (perhaps the nerdiest thing I&#8217;ve ever done).  And all of this was done with genuine anxious anticipation.  Now I&#8217;m part of a group who has been nervously drumming their fingers on the virtual table waiting for the FFIEC to release its new guidance on Internet-based application authentication.</p>
<p>Seriously, it&#8217;s a big deal.  And so far it&#8217;s much ado about nothing.</p>
<p>I don&#8217;t know what the actual hold-up has been.  A draft of the new guidance was leaked online last year (ironic, don&#8217;t you think) and heavily circulated a while back but no one in any position of authority has offered word one as to whether or not that&#8217;s close to what the official document will look like.  But here&#8217;s my question to stakeholders throughout the banking industry: Why are you waiting for the FFIEC to spell out what you need to do?</p>
<p>I suppose if you&#8217;re committed to doing the bare minimum expected by the examiners and not interested in extending your solutions to adequately protect your customers that&#8217;s a sound strategy.  But why do you need anyone to tell you what to do?  Shouldn&#8217;t you be continually assessing your environment, keeping current with existing and emerging threats and designing controls to rein them in?  That&#8217;s not only a solid business practice it&#8217;s also heavily implied by, wait for it, FFIEC guidance.  That&#8217;s right folks, if you&#8217;re supervised by any of the FFIEC sponsoring agencies they&#8217;re already expecting you to conduct periodic assessments and modify your infrastructure to mitigate and manage identified risks.  But that&#8217;s really more theory than practice.  All too often management is willing to wait and see what their annual exam reveals and only address those things that the examiner cares about.  And because examiners typically operate under the constraints of limited hours they look at what they can and the rest just has to wait (and sometimes wait and wait and wait).  So while a key requirement may not be satisfied, if the examiner didn&#8217;t have time to look into it the gap remains unchanged.  Again, why does that happen?</p>
<p>I recently brought up this very topic during an internal meeting within my practice and one of our subject matter experts laughed at my naivete.  As he pointed out so matter of factly, the only reason most of the FFIEC-centric activities ever really happen is because financial institutions don&#8217;t want to fail an exam.  Rare is the management team that builds out their controls in an attempt to address the so-called &#8220;industry best practices&#8221; and instead does what they believe necessary to keep their examiners happy.  And so if the FFIEC doesn&#8217;t spell out minimum requirements to authenticate and protect online banking solutions there&#8217;s little chance the industry will move in the right direction.</p>
<p>But what if the guidance falls short of what&#8217;s necessary to get the job done?  What if it only frames the problem but doesn&#8217;t actually tell you how to solve it?  Remember, the primary purpose of guidance is to raise awareness to the issue but not necessarily how to fix it.</p>
<p>I offer as a for-instance the most recent publication from the PCI folks.  They just released a new document providing guidance for virtualized infrastructures (which is really a fancy term for cloud computing).  I&#8217;ve been somewhat outspoken on this very topic because I&#8217;m not confident that in-scope infrastructures have done enough to address traditional PCI guidance in a somewhat homogeneous environment &#8211; now these same companies are chomping at the bit to move things into the Cloud.  If you couldn&#8217;t properly secure and monitor a configuration where each device could be identified and configured how are you going to be able to do it on a platform where you never really know where your information passes through?  But the leadership atop the PCI council at least decided to try and frame not only the challenge but also provide some direction on what to do about it.  And their guidance boiled down to this: No one can tell you how to secure relevant parts of the Cloud configuration so the only way to be properly compliant is to make the entire configuration compliant.  I&#8217;m sure that when the audience first downloaded the document they were hoping to find directions for a clear path to being able to leverage the latest and greatest technology without having to boil the ocean.  Instead they were told that you have to assess the environment and introduce PCI-related controls anywhere there&#8217;s a possibility in-scope data might pass.  With that one broad stroke of a digital pen they pretty much made Cloud computing a much more costly investment for those who need to comply.  Their guidance didn&#8217;t solve the problem, it just defined it more clearly and delivered the bad news that there would be no shortcuts available in effort or cost.  And while it may not be popular guidance it is, ultimately, right.</p>
<p>As for the FFIEC guidance I&#8217;d offer this as food for thought: If you have weak or deficient controls around online authentication your examiner is not going to give you a free pass because the new guidance is delayed.  They&#8217;re not going to let you off the hook if you&#8217;re missing something significant simply because no one told you it was missing.  You&#8217;re supposed to figure these things out for yourself, they&#8217;ve told you that time and time again.  And while I won&#8217;t know for sure until I know for sure, I&#8217;m expecting their guidance will be somewhat similar to the PCI Cloud publication where they frame the problem and summarize by telling you that you need to figure things out based on your own unique infrastructure.</p>
<p>Seriously, don&#8217;t wait for the industry to tell you what you need to do when you should already know what that is.  As Dr. Seuss advised many years ago in the great children&#8217;s book &#8220;Oh the Places You&#8217;ll Go&#8221;: Your mountain is waiting so get on your way!</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/is-new-guidance-really-new-or-worth-waiting-for/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>GRC is about to see its future.</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-is-about-to-see-its-future/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-is-about-to-see-its-future/#comments</comments>
		<pubDate>Fri, 08 Apr 2011 10:45:49 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[Audit]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[governance]]></category>
		<category><![CDATA[GRC]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[SOX]]></category>
		<category><![CDATA[UCF]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=685</guid>
		<description><![CDATA[Almost all of GRC-related activity now is driven by regulatory and/or industry compliance requirements.  While most companies would publicly reject that statement and insist that their approach is based on risks that they identify and manage, the truth is most of those risks are already being targeted by one of the many compliance requirements they operate under and need to comply with. ]]></description>
				<content:encoded><![CDATA[<div><p><span>After nearly a quarter century of working in and around the corporate IT domain I have a grand total of four bold predictions I&#8217;ve made that stand out.  Three of them I had nailed dead on and the fourth never panned out, a fact that confounds me still to this day.</span></p>
<p><span>The very first prediction was that the Iomega Zip Drive was going to accelerate the push into portable mass storage devices.  For about two years it blazed the trail soon followed by others but I knew the first time I laid eyes on the device I was looking at the future.</span></p>
<p><span>The second prediction was that Borland was going to be bought by either Microsoft or IBM.  They had launched their new Delphi development software and it was blindingly fast and easy to use and clearly set them apart from the competition in the client-server domain.  For reasons still unknown it never happened and so while I was wrong I still think I read things correctly (it&#8217;s my ego, it won&#8217;t let me be wrong for too long).</span></p>
<p><span>The third prediction changed my career direction.  As Y2K was nearing I outlined a concept where companies could leverage all the repositories they developed and maintained to ensure a smooth transition into the new millennium and convert it into an ongoing management tool.  It was a discipline that eventually matured into what we now call portfolio management.  While I wasn&#8217;t in a position to pursue my theory I knew I was onto something and as it turned out I was right.  Why this prediction changed my career is because it gave me the confidence to both trust my instincts and pursue new ideas even when no one else thought it would work.</span></p>
<p><span>Which leads me to my fourth prediction.  Back in 2002 while with Metlife I was put in charge of a bizarre project that came to be referred to as &#8220;Server Consolidation&#8221;.  After working with a vendor not of my choosing for six months and with nothing to show for my time I discovered VMware about ten minutes after they went public and knew this was what the company needed.  I immediately brought it to my boss&#8217;s attention and instead of trusting me to make us all look brilliant I was instead admonished for not doing what I was told and VMware had to wait another five years before the company embraced the technology.  But while it indirectly cost me my job (I was laid off six months later) I knew I was right and still believe it was worth taking the risk.</span></p>
<p><span>My instincts are screaming at me again and so allow me to share my fifth bold prediction.</span></p>
<p><span>My readers know that I&#8217;m a huge believer of GRC as a concept.  I write about it almost monthly and at least quarterly and track its progress closely.  I&#8217;ve participated in several related projects and constantly try and insinuate myself into newly emerging GRC-based initiatives.  The idea that each of the three core disciplines break out of their silos and work together is just flat out the right approach.  But that&#8217;s not the prediction.</span></p>
<p><span>Almost all of GRC-related activity now is driven by regulatory and/or industry compliance requirements.  While most companies would publicly reject that statement and insist that their approach is based on risks that they identify and manage, the truth is most of those risks are already being targeted by one of the many compliance requirements they operate under and need to comply with.  And after nearly a decade of dealing with one new set of requirements after another quite literally every company I&#8217;ve encountered has multiple frameworks and related initiatives to ensure compliance.  It&#8217;s resulted in massive duplication of effort and wasted time, money and bandwidth.  And because those same companies can barely keep up with supporting these activities there&#8217;s little chance they&#8217;ll ever find a way to reorganize and consolidate their efforts so that they can reuse steps to satisfy multiple requirements.</span></p>
<p><span>And so here comes the prediction.  Network Frontiers&#8217; <a href="http://www.unifiedcompliance.com/" target="_blank">Unified Compliance Framework</a> will become to GRC what COBIT became to SOX.</span></p>
<p><span>For those of you who aren&#8217;t familiar with the UCF it&#8217;s a series of documents that basically maps every single regulation, requirement and framework known to man (including coincidentally COBIT) and reveals the many points of intersection that exist but are almost impossible to identify while on the ground.  While there&#8217;s more to their library than just the mapping it&#8217;s really where their bread gets buttered.  I first discovered UCF in 2009 while working on a governance project and have been a fan ever since continuing to follow their progress and trying to spread the word about what they&#8217;re doing.</span></p>
<p><span>Here&#8217;s what they&#8217;re doing: They examine every regulation and requirement and map them to a set of generic control activities so that they identify where one activity satisfies multiple requirements.  They follow a fairly extensive process in doing so and all of their work is vetted through legal review to ensure they&#8217;re not overreaching during the process.  And they&#8217;re constantly updating the framework to make sure that as existing regulations change and newer ones emerge the UCF captures it.  Considering the accelerated pace at which regulations are being enacted these days that&#8217;s no small task.  The way the framework is leveraged is by finding the appropriate control activity that matches what you&#8217;re working on and reading across the line (it&#8217;s delivered in spreadsheet format) to find out which regulations or requirements it satisfies.  So if you&#8217;re reviewing application access in support of SOX it&#8217;s possible that same test would also satisfy GLBA requirements.  Imagine how much time and effort can be reclaimed if your GRC program was whittled down to testing a control only once and using it many times?  Also imagine how that might look to senior management.</span></p>
<p><span>So why am I making my bold prediction now?  Last week I learned that Network Frontiers is making their content more readily available in an online format and for free.  This will allow a broader audience to begin accessing their impressive content without first having to get someone in their management food chain to approve its purchase.  I&#8217;ve tinkered with it a bit and while I still prefer the spreadsheet format (I&#8217;m a geeky kind of guy) I love knowing that someone can read this blog post and immediately sign up at their website and begin exploring.  By making it easier for the masses to access their content it will likely accelerate broader acceptance throughout the corporate world &#8211; once that happens, once program offices start relying on the content provided there will be no turning back.</span></p>
<p><span>I realize that GRC is way more than testing controls but consider that the UCF will also allow a company to identify where risk assessments, policies, procedures and programs hit multiple targets as well.  It truly allows for economies of scale to be realized in ways that were just never as easy to pursue in the past.  While the framework doesn&#8217;t tell you how to build or manage a GRC initiative it will become one of its primary tools, I&#8217;m certain of it.  I&#8217;ve pointed several people in the direction of the UCF over these past two years and almost to a person their initial reaction is &#8220;wow&#8221;.  They all immediately saw its value and started considering how best to exploit its offerings.  And until I meet someone who upon viewing the framework shrugs their shoulders and says something along the lines of &#8220;I don&#8217;t get it&#8221; you&#8217;ll find me standing behind my prediction.</span></p></div>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/grc-is-about-to-see-its-future/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risk versus reward: Data warehouses and the cloud</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-anyone-weigh-risk-versus-reward/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-anyone-weigh-risk-versus-reward/#comments</comments>
		<pubDate>Tue, 28 Dec 2010 20:55:11 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[data warehouse]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=581</guid>
		<description><![CDATA[Perhaps when you consider how much audit and assessment work this is likely going to generate over the next few years I should be more grateful than concerned.  But I'm happier when things are done right to begin with and all I have to do is prove it.]]></description>
				<content:encoded><![CDATA[<p>It&#8217;s a popular time of the year for people like myself who publish any form of content to either reflect on the year that was or make predictions on the year that&#8217;s to be. Confidentially those are typically easy pieces to write and I&#8217;m generally happy to take advantage of such opportunities. However, I&#8217;m ending 2010 preoccupied with my latest concern which has me a bit on edge, and so I&#8217;m using my last post of the year to vent.</p>
<p>In the past few weeks I&#8217;ve participated in several conversations that focused on both cloud computing and data warehouses. As I&#8217;ve stated previously, I have some very real concerns about security in this ever growing amorphous collection of computing resources commonly referred to as &#8220;The Cloud.&#8221; Forgive a onetime science fiction fan a little leeway but I keep conjuring up images of &#8220;The Blob&#8221; whenever I hear that phrase. It&#8217;s sort of like the dimensions of our universe; no one is really sure where it begins or where (or if) it ends. So how do you lock it down and apply the necessary controls to sensitive data? Honestly, companies have struggled for years to properly classify their data and build appropriate controls trying to protect what needs protecting and that was when the data was stored in clearly identifiable repositories and servers. Now they&#8217;re moving the same information into an architecture that is harder to segment (because it defeats the very purpose of its design) which can often change dynamically. How can you properly secure and monitor a moving target? Based on my experience, I&#8217;m thinking you can&#8217;t.</p>
<p>As for data warehouses: Does anyone really know how these things are being used? After a recent call with a client, I had reason to question a few of my associates who either work with or have familiarity with how companies are using their related solutions and quite frankly I&#8217;m stunned. It seems that it&#8217;s quite common for data warehouse architects to reach out and grab data from whatever systems they happen to come across without even having a legitimate reason. One of my contacts told me that the project lead at his company is fond of throwing around the CEO&#8217;s name when met with some resistance, as if not sharing data from your application&#8217;s database will create a blind spot and result in the company making a poorly formed decision. I clearly remember the original purpose of a centralized repository and that was to consolidate related information that allowed management to obtain a broader perspective on their business. It was never intended to duplicate all bits and bytes so that information existed in multiple locations and it was supposed to be driven by the business, not IT. But apparently it&#8217;s now quite common for the data warehouse team to participate in the change management process to determine if enhanced or newly implemented applications should be plugged into their repository. What if there&#8217;s a table with sensitive data that&#8217;s properly secured but is now being shared with the data warehouse? Is it properly secured? Who has access to the warehouse?</p>
<p>So what happens when you start using a cloud computing architecture to locate your data warehouse? You can&#8217;t provide the same enhanced level of protection to all your data because there&#8217;s a very real cost associated with that. And if you can&#8217;t properly predict where the data is going to be stored (either in the cloud or in a separate repository such as a data warehouse) how do you even know where to begin?</p>
<p>Perhaps when you consider how much audit and assessment work this is likely going to generate over the next few years, I should be more grateful than concerned. But I&#8217;m happier when things are done right to begin with and all I have to do is prove it.</p>
<p>Anyway, Happy New Year to all!</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-anyone-weigh-risk-versus-reward/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year-end begets regulatory compliance audit panic</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/year-end-begets-regulatory-panic/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/year-end-begets-regulatory-panic/#comments</comments>
		<pubDate>Fri, 10 Dec 2010 18:45:54 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[red flags]]></category>
		<category><![CDATA[red flags identity theft]]></category>
		<category><![CDATA[regulatory]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security awareness]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=574</guid>
		<description><![CDATA[Do you really want to be the one standing in front of the Board of Directors or CEO trying to explain how a key business partner just up and closed in the middle of the night and you didn't even realize they were in financial trouble?]]></description>
				<content:encoded><![CDATA[<p>Sometime back in August I blogged about addressing outstanding compliance tasks before the year&#8217;s end. We see it every year in my practice: Compliance and security folks wake up sometime right around now in a bit of a panic and realize that they&#8217;re about to miss certain key regulatory deadlines. Be it an audit, an assessment, or developing or updating one of the many programs that need to be in place &#8212; there&#8217;s just a ton of things that need to be completed within a calendar year. These things keep getting pushed off because they don&#8217;t seem significant to day-to-day operations; retail lending isn&#8217;t going to make their numbers because a pen test was conducted or because the vendor management program was maintained. And so these activities are constantly being put on the back-burner to a moving point in time that never seems to be reached.</p>
<p>Of course now that we&#8217;re facing down New Year&#8217;s Eve in exactly three weeks, we&#8217;re finding ourselves busy with all manner of work that wasn&#8217;t even on our radar as recently as Thanksgiving.  It&#8217;s like the old adage: &#8220;If it wasn&#8217;t for the last minute, nothing would ever get done.&#8221;</p>
<p>But why does this keep happening?  Why are these activities treated as necessary evils and not as something that helps support the business, reduces risk and maintains reputation in the marketplace?  Quite literally, all of the have-to&#8217;s thrust upon financial institutions by their regulators serve an important purpose and address some very real problems that confront us every day.  And yet despite that important fact, the vast majority of stakeholders view compliance as a bit of a drudgery and something they&#8217;d rather do later, not now.</p>
<p>I recently read a report that stated that nearly one of every two information security professionals spends at least 50% of their time working on regulatory compliance tasks.  The angle of the report seemed to be that it was time consuming, possibly excessive, and that the infosec people had more important things to focus on if only they could.  I was surprised by the report because I would think that somewhere in excess of 75% of <span style="text-decoration: underline">every</span> infosec professional&#8217;s work day would be consumed with tasks that are directly related to regulatory requirements.  Most of what a properly managed and matured IT organization needs to have in place dovetails quite nicely with the related regs.  I&#8217;ve written before about how I thought PCI should be applied in a broader sense (though modified somewhat when it comes to the more extreme elements) as a security standard.  It addresses just about every key security control objective and related activities, provides tools to conduct periodic assessments, and allows you to leverage what&#8217;s required with how you should conduct business.  A properly managed infrastructure shouldn&#8217;t have to jump through any special set of hoops to be compliant; it should be a natural byproduct of doing things the right way to begin with.</p>
<p>But when you read a report that places an emphasis on how much time compliance consumes in a work day and makes it seem as though that&#8217;s a separate body of work apart from what the infosec person should be doing, it&#8217;s clear to see why compliance is viewed as the aforementioned necessary evil. It&#8217;s not though; it&#8217;s actually a great assist in managing risk.</p>
<p>We have several clients who are all over the broad range of required activities.  They don&#8217;t approach compliance as a point in time exercise but rather as an ongoing set of actions that are ingrained within their day-to-day activities.  They identify issues with vendors before those issues impact their operations (particularly relevant in this economy).  They uncover terminated employees who continue to maintain application or system access before any harm is inflicted.  They modify and strengthen programs (e.g. Red Flags and incident response) so that they&#8217;re increasingly effective in helping to identify and reduce fraud (again, particularly relevant in this economy).  They react to findings on audit and assessments with concern and not defiance because they value the resulting improvements and the risks they help mitigate.</p>
<p>And what&#8217;s particularly interesting is that size doesn&#8217;t matter. We have proactive clients whose asset sizes range from $100M to $2B (and beyond); some with vast resources and some with scant few. But regardless, their approach, commitment and results are equal. They have no fear of the ball dropping in Times Square.</p>
<p>It&#8217;s just about too late to do much of anything if you&#8217;re already late in getting things done this year. But it&#8217;s not too early to get a head start on planning what you&#8217;re going to do in 2011. Remember, an examiner won&#8217;t let you off the hook for being deficient in any area, but they will grant you more time if you have a viable plan in place to address things in short order. For those of you who can&#8217;t be fully compliant, at least make the effort to be fully aware and prepared. Do you really want to be the one standing in front of the board of directors or CEO trying to explain how a key business partner just up and closed in the middle of the night and you didn&#8217;t even realize they were in financial trouble?</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/year-end-begets-regulatory-panic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
