Boxing up information security risk

By Rebecca Bole on February 7, 2014
Carol J. Rizzo

Carol J. Rizzo

Advisen: What is the greatest threat to information security today?

Carol Rizzo: The false sense of security.

Businesses spend a lot of money on technology to secure information but today’s cyber criminals are sophisticated, trying to get at data that can enrich them. They use multiple attack paths, including the unwitting assistance of the company’s employees through email attachments and social media. Once in, they quietly scope the environment, identify what security software is in place and look for vulnerabilities they can exploit. Often, businesses have no idea they’ve been attacked until the data is out!

IT has done a terrific job of trying to keep up but it’s increasingly difficult to be proactive when there are so many entry and exit points to monitor and so many vulnerabilities to mitigate.

Authorized users routinely copy and paste data from secure applications into spreadsheets, presentations, word documents and email. They store their documents and data on flash drives, shared drives and in collaboration software like SharePoint. That allows data to be accessible to unauthorized people.

Further, businesses have extended their systems capabilities to customers and suppliers via the internet.

There is increasing demand for IT to support mobile devices that IT does not control and cannot monitor. All of these add risk.

Advisen: And in five years time?

Rizzo: I can’t see how the problem will be any different; but I can see how it could become potentially more dangerous.

Information Security isn’t just about data confidentiality, it’s also about assuring the availability of systems to authorized users and ensuring the data has integrity; meaning it has not been changed by unauthorized mechanisms. I fear many businesses may not have the resources to prevent unauthorized changes of data. Cyber thieves are being joined by “hacktivists” who are focused on embarrassing or even destroying companies they don’t like or agree with.

About 3 years ago, a presenter at a Black Hat Conference showed how he could deliver a lethal dose of insulin that was wirelessly connected to a continuous glucose meter. That had to make the FDA and companies like Medtronics, very nervous.

The ability to change data that a system or person uses to make decisions could initiate a wave of lawsuits and retard the advance of assistive technologies.

Large corporations already spend huge amounts of money on mitigating information security threats. A global banking institution is likely to spend over $200 million each year on security defenses. This level of security spend is untenable for smaller companies. They just can’t keep up with the level of threat they are facing. Yet, having the same risk of attack, they will become the path of least resistance for criminals and hackers.

Imagine the damage to the US economy if we can’t find a way to stem these attacks! I think the US government needs to work with American industry to fund the development of a holistic information security defense layer that can prevent or reduce these types of attacks.

Advisen: How do you view technology risk in a wider business and economic framework?

Rizzo: Information security is a business risk. Breaches can lead to lost business, fines, lawsuits, loss of intellectual property, contract breaches, etc.

Like market risk, IT risk must be continuously assessed. Technology leadership can identify potential adverse events, like a breach or denial of service, and recommend strategies for business consideration, but business leadership must make the decisions based upon on what risks are to be accepted, mitigated, transferred or avoided altogether.

I use a simple 9-box risk map to help the business understand the adverse events and impact and begin to create a dialogue and culture of security awareness.


For each event, like breach of customer data or denial of service, Technology Management should be able to answer the following questions:

What circumstances are heightening the probability of event’s occurrence?

There may be multiple factors. The ability to look holistically allows Technology leadership to develop a cohesive risk strategy and supporting action plans.

Are there specific actions that can be taken to mitigate or prevent the event?

There are often multiple actions. Business leaders must understand all the options to make pragmatic, fact based decisions, especially when the ideal option takes more time and money. A mitigation strategy might ask to delay the introduction of Bring Your Own Device (BYOD) until the skilled resources, tools and technologies to manage these devices are in place.

What are the options to avoid, accept, mitigate or transfer the risks posed by the event?

Each option should come with cost, assumptions and a timetable to implement and be considered in view of other proposed mitigations. The options are not always to deploy technology; there are also options for transferring risk like outsourcing or putting manual controls in place.

A great deal of risk is in the supply chain. Having discussions with vendors and partners can uncover risk and opportunities to improve overall security. This is especially true when partners are involved with company intellectual property or confidential information.

Advisen: With Snowden forefront of mind, how do you view access to information within your organization?

Rizzo: Access to information should be based on the need to know. Just because someone has security clearance does not mean they need to view the data to get the job done.

Infrastructure employees or contractors should only be given privileged access for 24 hours which can be renewed as needed. There should a review within a short period to ensure it’s in keeping within the requirements of the task. Access to production data should be very rare. No one should be able to see or change data without an oversight process and logs for review.

Corporations need to develop processes that routinely review access rights and become proficient at monitoring for unauthorized access to data. Access to systems should be turned off the same day as an employee’s departure.

Advisen: If you could make one change to the way information security is treated within corporations, what would it be?

Rizzo: I would like to see a change in corporate culture where the business assumes responsibility for the strategy to mitigate IT risk and demands to be routinely updated on the state of information security. When risk management is an ongoing activity, there is a greater awareness among employees that the information held within a company is a business asset to be protected.

About Carol Rizzo

Carol J. Rizzo has over 25 years in the management, development and implementation of systems and infrastructure for financial services, healthcare and defense industries. Recently, she was the Interim CISO for a major defense contractor where her mission was to institute a formal risk management and security program. Carol’s significant expertise in the management of risk, regulatory compliance, privacy and security issues is a result of her responsibilities as Chief Technology Officer for Kaiser Permanente, AIG and Citigroup and Chief Information Officer for T1D First; an online patient disease registry.

Rebecca Bole is EVP & Editor-in-Chief at Advisen. She has nearly 20 years of experience in the international insurance markets, both as an underwriter and a journalist. Contact Rebecca at [email protected].