
    Irish Independent Article

    Making the move – why Irish businesses are turning to managed information security services in the battle to protect their companies and customers from the upward spiral of security incidents. (Irish Independent, May 15th)
    Like many things in the world today, the arena of information security is becoming more complex on a daily basis. While it is natural (and partially true) to think that the complexity is being driven by the increasing volume and sophistication of external threats, this is really only half the picture. Any IT executive responsible for information security knows only too well that the changing nature of the business environment itself brings a new raft of complexities that impact information security. From the adoption of cloud and managed services to increased compliance obligations, bring-your-own-device and rapidly evolving malware attacks, there is little doubt that information security issues are on the rise.
    With this comes increasing demands on IT departments to protect their operations in an environment that is in constant flux.
    As a result executives are starting to re-evaluate their information security strategies and look for new ways forward. One trend that has emerged is that of “security as a service”.
    Pat Larkin and Paul Hogan are co-founders of Ward Solutions, a company that specialises in the area of information security.  Here are some information security trends that they see emerging in the Irish market place.
    Information Security Officer as a Service (ISOaaS)
    Increased information security complexity, internal and external, means an increased need for expertise. The range of expertise and skills that the information security role requires can no longer be found in any single person. The question is whether you need that expertise on a 24×7 basis. The answer is sometimes yes and sometimes no. In most businesses there are certain times when the company needs access to the best and brightest brains in information security at its fingertips. This might be when the business is designing, developing and launching a new application or service, reassessing its information security strategy, updating its policy libraries or dealing with an actual information security incident. The need for deep and extensive expertise at intermittent intervals is creating a real demand for “security as a service” offerings. For one, security as a service makes better economic sense than hiring an extensive in-house team full time, but more importantly it enables the business to access specialised resources that are at the cutting edge of information security trends and innovations.
    “What we see in the market is a real demand from clients who want to be able to tap into a comprehensive range of information security skills when and where they need them. They want to have a trusted partner that they can call upon, one that knows their business and can be part of their team for as long as is required. This demand has led us to create our Information Security Officer as a Service offering for clients. On an ongoing basis we supply clients with access to the best in the business with predictable service levels and costs, so that they don’t have to build and maintain full-time in-house expertise,” explains Pat Larkin.
     
    Managed Security Service From Start to Finish
    There is little doubt that IT is a critical service provider within most businesses today. There is growing recognition that information security is a very specific part of the overall IT operation, one that is highly important and requires deep and constantly evolving levels of expertise.
    With this recognition comes a realisation that, for some organisations where critical information assets are involved, the best strategy is to outsource the end-to-end information security management of those assets to an expert in the field.
    What does this mean? Put simply, it means contracting the ongoing services of an information security expert to manage all aspects of a critical information asset within your business: someone who can securely build the application, then deploy and operate it on an ongoing basis. A partner who is responsible not only for the security of the application but also for the security and integrity of the business logic and process workflows that surround it. In short, the end-to-end secure management of an application or service that is critical to the business in terms of confidentiality of data, integrity of process and availability of service.
    “With the growing internal and external complexities around information security fewer and fewer companies are willing to take risks when it comes to critical information assets within their business.  With this comes a realisation that information security is simply not a core competency that they have.   What they want is to partner with someone who is 100% focused on this area so that they can rest assured they have done the utmost to protect their business and their customers” explains Pat.
    Selective Services
    For some companies the growing trend is to turn to managed services for certain selected information security functions. Whether the internal driver is compliance or critically important assets, the approach remains the same: rather than bring the skill set in-house, the company outsources to a managed service provider.
    One emerging trend is the outsourcing of log management and security information and event management (SIEM), driven by compliance obligations such as PCI DSS. The sheer volume of work involved in monitoring, reviewing and acting on identified anomalies makes running a SIEM internally a nightmare for many IT departments.
    “For some businesses certain regulatory requirements not only require a specialist skill set but are also highly labour intensive and time consuming. More and more we see businesses looking externally for managed services to support their regulatory obligations on an ongoing basis. It makes sense to outsource what is not core to your business,” comments Pat Larkin.
    Managed information security services are a growing trend in both the local and global markets, with more and more businesses turning to third-party suppliers to procure specialist services that are simply difficult and costly to build in-house.
    Ward Solutions has been in the business of information security for over 15 years. The company has a team of over 60 security professionals working with over 250 clients in Ireland. It is the trusted information security partner for companies such as  CIE, Laya Healthcare, Vodafone, National College of Ireland, Bord Gáis, Fleetmatics and the Department of Jobs, Enterprise and Innovation.
    For more information visit www.ward.ie or contact Pat Larkin on (01) 642 0100
     

    News

    Ward builds out leadership team to further drive growth…

    Noel O’Grady joins Ward Solutions’ executive team as Sales Director to further drive the company’s ongoing growth and development. Noel brings to the business strong commercial skills along with many years of experience in the information security sector, having previously worked with Rits, TeleCity and Fort Technologies.
    Noel joins an ever growing team at Ward and is the 9th new hire in the last six months across a variety of executive, consulting and technology roles.

    Insights

    Security Alert – Microsoft Internet Explorer 6-11 – What…

    As you may be aware, a critical security vulnerability has been found, and is being exploited, in Microsoft Internet Explorer versions 6 through 11. Until Microsoft releases a patch, here is what the security analysts at Ward Solutions recommend users do to protect themselves and their businesses:

    1. Avoid using Internet Explorer where possible. If you must use Internet Explorer for a particular application or site, limit your use of it to those situations only.
    2. Disable the Adobe Flash plugin. The exploit seen in the wild uses Flash to defeat the browser’s memory protections (ASLR and DEP) [1], so removing Flash breaks that exploit, although the underlying flaw in Internet Explorer remains until Microsoft’s patch is applied.

    The Internet Explorer exploit relies on a flaw in Internet Explorer together with the presence of Adobe Flash [1]. It requires the user to visit a malicious web page, or a legitimate page that hosts user-provided content or advertisements. Once exploited, the flaw lets the attacker run commands and code on the target user’s machine with that user’s privileges, so running day-to-day accounts without local administrator rights limits the damage. Microsoft’s advisory [2] lists further workarounds, including deploying EMET and enabling Enhanced Protected Mode in Internet Explorer 11.
    In short, the bug is triggered when a user opens a malicious link in Internet Explorer. There is no warning that something is wrong; opening the wrong link is all it takes for the computer to be compromised, and malware may then be installed without being noticed.
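    Recommendation 2 above is easy to state but awkward to enforce across a fleet, since a user can re-enable an add-on from the Manage Add-ons dialog. The script below is an added example, not part of Ward’s advisory or of Microsoft’s guidance, that makes the setting machine-wide by writing the Internet Explorer ActiveX “kill bit” for the Flash control; once set, Internet Explorer refuses to load that control regardless of per-user add-on settings. It assumes the default CLSID is the Shockwave Flash Object CLSID (confirm it under HKCR:\CLSID on a reference build before deploying) and must run in an elevated session; re-run it with -Revert once the vendor patch is in place.

```powershell
# Added example (not from the Ward advisory): apply the IE ActiveX "kill bit" to
# the Shockwave Flash control so Internet Explorer will not load it.
# Assumption: the default CLSID below is the Shockwave Flash Object CLSID; verify
# it against HKCR:\CLSID on a reference machine before fleet-wide rollout.
# Run elevated. Re-run with -Revert after the Internet Explorer patch is deployed.
[CmdletBinding()]
param(
    [string]$Clsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}',
    [switch]$Revert
)

# Bit in "Compatibility Flags" that tells IE never to load the control.
$KillBit = 0x400

# On 64-bit Windows both registry views are set so 32-bit and 64-bit IE agree.
$CompatKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Test-KillBit {
    # Returns $true when the kill bit is present in the key's Compatibility Flags.
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return (($item.'Compatibility Flags' -band $KillBit) -ne 0)
}

function Set-KillBit {
    # Sets or clears the kill bit while preserving any other flags already stored.
    param([string]$Path, [bool]$Enable)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $item  = Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = if ($null -eq $item) { 0 } else { [int]$item.'Compatibility Flags' }
    $flags = if ($Enable) { $flags -bor $KillBit } else { $flags -band (-bnot $KillBit) }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $flags -Type DWord
}

# Sanity check: warn if the control is not even registered on this machine.
if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid")) {
    Write-Warning "CLSID $Clsid is not registered here; the kill bit is harmless but changes nothing."
}

foreach ($key in $CompatKeys) {
    # The Wow6432Node view does not exist on 32-bit Windows; skip it there.
    if ($key -like '*Wow6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\Wow6432Node')) { continue }
    Set-KillBit -Path $key -Enable (-not $Revert)
    # Read the value back rather than trusting the write, and report it.
    $state = if (Test-KillBit -Path $key) { 'SET' } else { 'CLEAR' }
    Write-Output ('{0,-5} {1}' -f $state, $key)
}
```

    The read-back at the end is the check worth keeping: a deployment tool reporting success is not the same as the bit actually being present in both registry views. Because the kill bit is machine-wide, it also protects users who ignore recommendation 1, but it does nothing for the Internet Explorer flaw itself, so the patch still has to follow.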
    If you would like further assistance or advice on this issue, please contact the Helpdesk on (01) 6420100 or via email at support@ward.ie
    References:
    [1] http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html “New Zero-Day Exploit…”
    [2] https://technet.microsoft.com/en-US/library/security/2963983 “Microsoft Security Advisory 2963983”

    Insights

    Making Information Security Pay – Enabling Your Organisation

    Over the last few years I have done numerous presentations on the topic of information security, both at C-level events and at more focused information security gatherings. I always start by asking the audience a simple question: do they view information security as a cost or as an “asset” to their business?
    Almost every time the majority seem to classify information security as a necessary “cost” unless the audience is made up of information security professionals or I am briefing executives following the occurrence of a recent information security incident.  In these cases, unsurprisingly the majority of people typically cite information security as an “asset” to their business.
    As I perform this less than scientific exercise over the years there are two things that continue to strike me:

    1. The consistently held view, even among some professionals in the field, that information security is all about prevention and insurance: a necessary cost to try to stop bad things happening.
    2. How difficult it is for information security professionals to sell information security to their own management and board, despite the well-known risks and potential catastrophes that their business could face as a result of a compromise.

     
    However, things are changing and I do see a gradual but steady increase in the number of people starting to view information security as an asset to their business. In my opinion this turning tide is directly attributable to two significant factors:
     
    Raised Awareness:
    First, the really obvious reason: raised awareness at every level in the organisation, due to the growing number of organisations featured adversely in the news after a significant customer data breach or service outage. And it is impacting us all. As a consumer I have received four notifications in the last 18 months from companies holding my or my family’s sensitive data about some significant loss or compromise of that information.
    The traditional business case justifications for spend on information security are well documented and established. They are typically either a compliance-based argument, for example:
    “In order to continue taking online payments at the volume we are doing, we must be PCI DSS compliant. Requirement 1 states that we must install and maintain a firewall configuration to protect cardholder data; without this we are not compliant and cannot do business” – QED.
    Or, alternatively, a Return on Investment (ROI) argument, hopefully with some associated qualitative or quantitative risk assessment supporting it, for example:
    “The typical all-in cost of a data breach involving personal or financial data is €115 per record. We process or hold 70,000 records; if the risk is that all, or even a percentage of these (e.g. 20%), are disclosed or compromised, then the potential cost to the organisation is estimated at €1.61M. The cost of appropriately securing the information systems that hold these records is €30,000 capex and €6,000 opex per annum, and this implementation reduces the likelihood of a breach to a very low probability of less than 5%” – QED.
    As you can see by default these types of arguments though perfectly valid – still to some degree reinforce the established perception of information security as necessary insurance or a risk mitigation cost.
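    The ROI argument above supplies every input except one: the likelihood of the loss event before the control is bought. Worked through here as an added illustration (not part of the original article), treating that unknown as $p_0$ and both likelihoods as annual figures, it shows what the case actually hinges on (all amounts in euro):

$$
\begin{aligned}
\text{Impact} &= 70{,}000 \times 0.20 \times 115 = 1{,}610{,}000 \\
\text{ALE}_{\text{after}} &= 0.05 \times 1{,}610{,}000 = 80{,}500 \\
\text{ALE}_{\text{before}} &= p_0 \times 1{,}610{,}000 \\
\text{Net benefit, year 1} &= \text{ALE}_{\text{before}} - \text{ALE}_{\text{after}} - (30{,}000 + 6{,}000) \\
&> 0 \iff p_0 > \frac{80{,}500 + 36{,}000}{1{,}610{,}000} \approx 7.2\% \\
\text{Net benefit, each later year} &= \text{ALE}_{\text{before}} - \text{ALE}_{\text{after}} - 6{,}000 \\
&> 0 \iff p_0 > \frac{80{,}500 + 6{,}000}{1{,}610{,}000} \approx 5.4\%
\end{aligned}
$$

    So the €30,000 plus €6,000 a year only beats doing nothing if the baseline annual likelihood of losing 20% of the records exceeds roughly 7% in the first year and 5% thereafter. A risk assessment that states that baseline figure, with its evidence, is what turns the argument from an assertion into an ROI case a board can test.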
    Positive Leadership:
    The second significant factor shifting organisations’ perception of information security as a cost is the positive leadership of information security managers themselves. Traditionally the information security role, by virtue of its inherent risk management responsibility, was risk averse, sometimes overly policy driven and on occasion perceived within the business as the “department of NO”. Thankfully this perception is changing rapidly.
    The successful Information Security Officers and CISOs that we work with have figured out that the above arguments are the bread and butter of their day job: keeping the business appropriately safe and secure. Where they invest their remaining time is in understanding in detail their organisation’s needs and challenges. They actively engage with the relevant parts of the business to add value above and beyond insurance and prevention. They look for opportunities for information security to help the business innovate, to take managed risks, to achieve business goals and to contribute to the bottom line.
    Practical Examples
    Let’s look at some practical examples:
    We do a lot of work with Higher Education and Research clients nationally and internationally. The traditional student (customer) processing models in this sector have shifted unrecognisably in the last 10 years, from a primarily on-campus, manual, slow, cumbersome, paper- and people-based education and service delivery model to a hybrid of online/virtual learning plus some on-campus education, accreditation and service delivery. In this model students can register, pay their fees, select their courses, access academic content, submit assessments and attend virtual lectures.
    Key to this transformation is the provision, automation and integration of a heady mix of education information systems and conventional line-of-business systems: student registration and administration systems, e-learning systems, financial systems, HR systems for academic and administrative staff, timetabling systems, examination systems, research management systems and so forth. A typical education institution has 300+ applications, 10,000+ students, 1,500+ staff, 4,000+ joiners and leavers per annum, and turns over €100M+ a year. Providing seamless, secure access to services for students and staff from anywhere in the world, whilst protecting personal data, financial integrity, examination and accreditation integrity, intellectual property, service availability and so forth, is no mean achievement.
    From an information security innovation perspective, CISOs in Higher Education institutions are truly enabling partners in this transformation by utilising information security management technology solutions such as:
    Identity and Access Management Solutions:
    To automate the really complex, time-sensitive provisioning and de-provisioning of large volumes of joiners and leavers, and the comprehensive change management processes that all users in these institutions typically go through. This enables the transformation in a heavily automated, mobile and highly dynamic environment, with positive or improved end-user experiences, whilst removing a lot of previously expensive, labour-intensive, manual, slow and error-prone processes that gave users a poor experience.
    Secure Mobile and Remote Access to Services:
    Enabling students, staff and researchers to gain appropriate access to services, content and data of widely varying sensitivity, ranging from staff or student personal or financial data to high-value research intellectual property, to accreditation and examination data and services, in a seamless user experience on campus, at collaborating campuses, in industry or with third parties, literally anywhere in the world. Again, CISOs were instrumental in proposing governance, data handling and classification policies and frameworks to these institutions, allowing them to determine who should have access to what data and services, and from where. They were also instrumental in proposing secure extranet and intranet technologies, secure wired and wireless solutions, graduated and adaptive authentication, and federation and authorisation models and technologies to help enable and control this secure access.
    Secure Payment Services:
    A lot of money changes hands as part of the education experience. Traditionally, at registration students lined up with cheques, cash or credit cards to pay their annual or term fees. They paid for on-campus services such as printing and photocopying, as well as food and beverage services, with cash. Aside from being a poor user experience, this also placed a lot of money-handling cost and risk on the institution. Once again CISOs were instrumental in developing and implementing secure “cashless” payment systems for everything from online payment of college fees to pre-paid accounts and tokens for printing and catering services across the institution, solving both the user’s and the institution’s problems.
    Indeed so much innovation was required in Higher Education and Research early on to deliver on the business model transformation required that a number of key security technologies were effectively pioneered, developed or piloted in this sector.
    The Institutions that were first or most successful in this transformation required the positive and constructive collaboration and innovation of their internal and external IT providers and information security resources.
    Success criteria included:

    • Increase in students attending the institution not just because of academic or research excellence but also because of the new reach of the institution to a potentially global market, the range of services offered, the service delivery models, the improved user experience and the perception of innovation.
    • Reduction in administrative cost through secure automation and integration.
    • Improved compliance and risk management through improvements in identity quality and the elimination of manual, error-prone, non-systemic processes.

     
    Conclusion 
    Appropriately protecting your organisation from information security risk is now the minimum requirement of the information security role. To add real business value, CISOs need to become partners in business innovation, constructively helping their organisation achieve its goals by providing and suggesting solutions and models through which the business can identify, manage and control the risks it needs or wants to take. CISOs need to be able to actively contribute to either the top or the bottom line. When they do this, they will have no trouble getting C-level airtime.