Infosec 08: What is more important? Compliance, security or operability?
April 24th, 2008 by Jiri
Panelists: Jon Collins (Freeform Dynamics), Adrian Seccombe (CISO/Enterprise Architect, Eli Lilly), Geoff Harris (ISSA-UK Chairman), Abdellah Cherkaoui (CISO Sodexho)
Jon Collins
We need to enable the business to do what it needs to do. We also need to have some stick to keep things under control. At the same time, too much security/control can be bad, leading to lower end-user productivity. It can also be self-defeating, leading employees to circumvent security mechanisms that are too cumbersome.
Geoff Harris
Geoff provided some definitions:
- Operability=functionality+availability+performance+ease of use
- Security=confidentiality+integrity+availability
- Compliance=his interpretation is that it sets and enforces a minimum level of security (e.g. PCI DSS, COBIT, SOX, MPS, etc.)
The biggest tradeoff is between operability and security. It cannot be said which one is more important as this tradeoff depends on the risk appetite of different organisations.
Adrian Seccombe
The question about the relative importance needs to be re-stated as a question about achieving the business value of information. To get an infinitely secure system you should switch it off and bury it in a concrete undersea bunker, but this won’t provide any business value. The right question is therefore “How can we put our information asset at appropriate risk to achieve the maximum value?”
The answer to this will differ from system to system and organisation to organisation. The appropriate level of risk needs to be negotiated with business asset owners. For these negotiations to be successful, they need to be done in the context of enterprise architecture and delivery processes. Such processes integrate security with the enterprise-wide architecture discipline and processes (Adrian’s role is CISO and Senior Enterprise Architect).
The big challenge today in balancing these three aspects is to respond to the fundamental transformation of companies from tightly knit, internally integrated companies into flexible network organisations. Eli Lilly, which is an example of this, is transforming from a fully integrated pharmaceutical company into a company dependent on flexible collaboration, time-bound use of external partners and outsourcing. This is not easy and requires lots of balancing. There is no magic wand for doing this, but integrated processes are more useful than checklists.
There is another aspect we need to cope with and that is the fact that most of our enterprise data is moving outside the company – into the cloud, onto the internet. Competencies that drive value out of our business are also moving outside. We all need to figure out how to secure the cloud and how to manage cloud providers, preferably before we move our assets out there. This is still 3-5 years away but it is clear now that to do this successfully will require new thinking, new approaches and new products.
Jericho probably provides the best overview of the new capabilities that we need:
- Onboard and offboard people (all types, employees, contractors, partners)
- Manage risks across collaborative frames
- Manage information assets in the cloud, processes to manage assets outside direct control
- Manage devices and services in the cloud: identify the asset, determine the user, and determine how trustworthy they are
- Onboard and offboard enterprises, support them during the period of collaboration, and then offboard them whilst maintaining security
Question from the audience: How does this fit with IT Service Management and BCP standards?
Answer: IT Service Management is a key discipline allowing management of cloud service suppliers. The ability to comply with ITIL, COBIT etc. will be critical for the suppliers.
Abdellah Cherkaoui
Abdellah focused on the compliance angle. The challenge for Sodexho, as one of the first European companies that had to comply with SOX, was how to cascade compliance requirements down to subsidiaries, partners, etc. The cost of compliance was very important. At a certain price point the non-US based business needs to ask if the cost of compliance is worth it. Another problem – incompatible international laws.
Adrian Seccombe: As an American company, Eli Lilly did not have the option to de-list from SOX, and so the approach they took was to achieve compliance at the lowest cost point. The key for that was to select the right auditors. (Many auditors were doing more than the law required in order to get repeat business.)
Jon Collins: How to provide services out of the cloud? How to determine whom to trust and with what?
Adrian Seccombe: To do this, Eli Lilly decided to do the information classification exercise using the traffic light colours: white – public, green – company+collaborators, amber – sensitive, red – named people and certified systems only. E.g. the canteen menu on the intranet is public, IPR on a drug is sensitive, the fire alarm system is red. This information can be used to decide which services can be sourced from the cloud.
Jon Collins: We are at the point of making this change but we have not achieved it yet. We are mostly consciously competent at getting into relationships across organisations, but consciously incompetent at developing technology to support them.
Overall rating: 4.5/5 (The first half was fantastic and overshadowed the second half, which got a bit rambling and tedious, but overall probably the best session at the conference.)