ISACA Survey: Cloud Caution
"Essentially, We're Dipping Our Toes in the Water"
"Essentially, we're dipping our toes in the water," says John Pironti, an ISACA adviser, in an interview with BankInfoSecurity.com's Tom Field [transcript below].
The Barometer is an annual, global survey that helps gauge current attitudes and organizational behaviors related to the risk and rewards associated with IT projects and emerging trends. The headlines from the survey indicate that cloud computing and mobile devices are top risk issues for organizations.
Larger organizations remain cautious when it comes to what they put on the cloud. These larger organizations typically place marketing websites and collaboration-type tools on the cloud. "They're not truly putting out a lot of customer data or production applications," Pironti says.
The starting point for most organizations, from a risk perspective, is to move the lowest risk solutions to the cloud, where they may be better served and get better activity and performance. "But there's still trepidation to the idea of putting our trusted processes, production activities, sensitive data and customer information into cloud environments," he says.
In an exclusive interview about the study's results, Pironti discusses:
- This year's top headlines, including cloud computing trends;
- Tips for organizations looking to get a handle on emerging technologies;
- How organizations should analyze the Risk/Reward Barometer.
Pironti, CISA, CISM, CGEIT, CRISC, CISSP, ISSAP, ISSMP, is an adviser for ISACA and president of IP Architects. He has designed and implemented enterprisewide electronic business solutions, information security programs, and threat and vulnerability management solutions for global clients in a range of industries, including financial services, government, hospitality, media and entertainment, aerospace, and information technology [IT].
Previously, he was chief information risk strategist at Archer Technologies and CompuCom, and a principal enterprise solutions architect and principal security consultant for Unisys Inc. He has also held technical and management positions at AT&T and Genuity Inc. Pironti is a published author and writer, is frequently quoted by business and technology media outlets, and is a speaker at industry conferences on e-business and security topics.
2011 Risk/Reward Barometer
TOM FIELD: I'm fascinated by this new barometer that you've just released. What can you tell us about the mission of this study?
JOHN PIRONTI: What ISACA has learned very early on is that our membership and the constituency at large are interested in understanding risk as a perspective of IT and business process and as we begin our journey together through IT security and IT governance management. The risk/reward barometer is a way to tap the industry and constituency to say what is interesting to them. What are they looking at as far as their risk perspectives to try and bring some commonality to the conversation across different industries, different groups and different people, so people can understand how others are looking at risk/reward? We think of that barometer as a moving target that will adjust based on new technologies, new concepts, maturity and things of that nature that will help us to set the tone of where we are from a risk perspective as we're adopting new and exciting capabilities.
FIELD: Give us a sense of how many people are being surveyed and where in the world they are, please.
PIRONTI: The survey for this round was done as a global survey. A fair amount of survey respondents are from the United States, but we did actually get a global perspective. We had about 800 respondents this time, and we hope to have more going in the future. But as to our first round, we were very happy with the results. The survey results that we gave you in this particular round are going to be the U.S. survey results that we'll speak of today, but the international one should follow soon.
Mobile Devices & 'Bring Your Own Device'
FIELD: Let's talk about some of the year's top headlines, because I noticed that two particular topics came up that are of interest to anybody in any organization today.
PIRONTI: The top headlines really came out to the idea that mobile devices and employee-owned devices are the areas of biggest concern and considered the biggest risk right now inside of enterprises. We're seeing a lot of work going on with the "bring your own device" conversation, and a lot of organizations are assessing and analyzing whether or not that's a good idea - the obvious benefits being that they can get access to the latest and greatest technologies without having to have cost. The obvious concerns are, as we introduce these new capabilities, what is our ability to properly secure them and align them with our risk profiles to make sure that we're comfortable with them being used in the corporate environments?
Another thing that was interesting was that cloud computing is starting to be accepted more as an organizational reality. There was a lot of questioning for a number of years whether or not we'd be able to use this effectively and fit it into the risk profiles. We're seeing more and more organizations becoming more accepting and embracing of cloud computing, finding ways to appropriately secure it and put it into their risk profiles in a way that they feel comfortable that they can use it without much concern.
FIELD: Great topics. Let's talk about both of them. We'll take the mobile trends first. I like this term you used, "bring your own device." What do you see as being the big concerns of the organizations that you've surveyed?
PIRONTI: I think the number one concern that we run into is the fact that when it's "bring your own device," no matter how much we try, no matter how much we do, it is still the property of the end user. Even if we put in great applications and controls, the end user still has the authority to remove, modify or change those devices. Now, we can prevent them from accessing the environments once they do so, but that doesn't help us if they've already done something in a malicious way or captured some data, stored it locally and then did the modification. It comes down to the idea of saying can we properly account for data that's being moved to those devices and properly secure them for the life of their usage in our environment? Can we ensure users that, while they have that ability, we have the ability to know what they're up to, know what they're doing and recognizing that happens so we can take appropriate actions? We're still trying to figure it out. I don't think there's one right answer yet on the best way to protect mobile solutions. We're limited in our controls based on what the vendors are offering us as opportunities for controls, and I think it will take a series of unfortunate incidents and hacking activities for us to really open up the idea to the vendors, saying we want more ability to secure things the way we want to versus the way you want us to do.
FIELD: Now, I happen to know you're out in the field today working with an organization on this area, so what tips do you offer organizations that are trying to get a handle on their mobile devices and the whole topic of "bring your own device?"
PIRONTI: That's a great question, and I follow a couple of real mantras in this area. The first thing I say is we need to embrace, but educate. My view is that the end user is our best defense as well as our greatest adversary. If we can embrace them and help them understand how we expect them to use these devices, and also help them protect their own personal information at the same time, we have a higher likelihood of success in doing just the basic things that will help us get from 80 to 85 percent of the current challenges, versus mandating that they do things that they may not like, want to do or believe in, whether they look at it as a disabler versus an enabler. If we embrace the technology, recognize that it's going to be used and leverage it in a positive way, we're more likely to have the buy-in of the hearts and minds of the people who are going to use them to actually work with us to do this well and to protect as well.
The other area I commonly focus on is we need to do a "follow the data" approach. If we take the device out of the equation and focus more on a data-focused approach, then we should have data protection integrity, and understand risks to data and information assets, no matter what platform or system they go on. And in that way, we can have a commonality that accounts for any new technology, capabilities or business processes that are brought into play. Instead of having to look at them on a one-by-one basis, we can look at it at a data level. And in that way, we can apply appropriate controls based on that conversation versus just being bound to it as a mobile device, or a fixed device or a cloud solution.
FIELD: And to be clear, just putting up a barrier, and saying "No bringing your own device," really isn't an option for organizations, is it?
PIRONTI: It really isn't. If you look at some of the ISACA surveys we've done in other areas, like our yearly shopping surveys where we do online shopping activity, last year we noted a definite increase in people who said that they would, at work, use their own personal devices, which were on carrier networks that are not protected by corporate controls and corporate policies, to do activities. Those same devices, unfortunately, end up connecting back into the corporate networks after they do their personal activities. What you don't want to do is create a situation where a user is going to take a covert action, to do what they feel they need to do to get their job done, be successful or able to carry out their life activities, and do something that you don't know about. It's better for you as an organization to be aware of the activities and put in proper monitoring, education and expectations at the management level of what you will expect employees to do as a user while using these things, so then we're not chasing down those hidden activities.
Cloud Computing
FIELD: Let's shift gears and talk about cloud computing now. It seems to me that the story this year has been that we all acknowledge that we're going into the cloud. Now we're going to take a step back and make sure that we're doing it securely. What do the barometer's findings tell you about cloud?
PIRONTI: What I found very interesting in the barometer finding from this year was the fact that people are starting to adopt, but they're not putting their core or secure assets in the cloud at this point. Essentially, we're dipping our toes in the water, walking out and looking at the cloud and wondering, is it rainy with a chance of hack or is it going to be okay? The starting point is to look at it from a risk perspective, take our lowest risk solutions and assets that are almost commoditized within the organizations, and start moving them into environments like cloud where they may be better served and we may get better activity, efficiency and performance than we would if we had it locally. But there's still trepidation to the idea of putting our trusted processes, production activities, sensitive data and customer information into cloud environments.
FIELD: Well, what is going to the cloud then?
PIRONTI: A lot of what we're seeing is more small business and medium business organizations who are following the simple and appropriate concept that says, "If I don't have the staff locally to do this, at least somebody else is doing this that can do it slightly better." And that's where cloud makes a lot of sense for a lot of people. For larger organizations, they're typically putting out things like marketing websites, collaboration-type tools, things that don't have core or material risk to their environments. They're not truly putting out a lot of customer data or production applications. They're putting out the supporting applications. In some cases, they're taking advantage of the analytical power that cloud computing and elastic computing allows us to have. They're putting out their business intelligence tools or their analytical tools that will crunch through numbers and data, but that data will never really be resident in the cloud for very long, if at all.
FIELD: How do you see cloud trending?
PIRONTI: The concept of cloud is something that we've seen before. I often say that it's the third time out for this concept. We started out with mainframes in the 70s, 80s and early 90s. Then we did shared infrastructure and hosting models in the late 90s. Now we're back at this all over again and we're just calling it cloud. And from that perspective, we understand the challenges. We understand the limitations and the problems that go along with it. This time out, we have more mature technology, understanding and controls that help us to mitigate some of those risks. But they still exist, and I think this is just a cycle. I think we're going back into a centralized model. In some cases, we'll move back into distributed. And I believe, personally, that the best tool at the end of the day is going to be more of a hybrid approach. We'll gain the benefits of that elastic computing capability; we'll be able to use cloud for business continuity and disaster recovery purposes; we'll be able to take advantage of some of that access to software solutions that are ready and available, like software as a service; but we'll still maintain our own presence for core activities, core data stores and core concepts as our normal operating process locally.
FIELD: Taking a step back and looking at the risk/reward barometer, as you look across the globe, do you see regional differences when we talk about the topic, such as mobile and cloud?
PIRONTI: The funny thing is in the U.S., we think that mobile solutions, activities and commerce are new and exciting concepts. As you go through European nations and the Asia-Pacific area, you'll find that they've been doing this for a number of years. In some cases, like Scandinavia, they've been doing mobile commerce since the late 90s. We're kind of catching up in the U.S. for a lot of this concept and these capabilities of using the mobile platform as a more powerful business tool versus just a gaming, phone or basic music playing-type solution. I think what we've done in the U.S. is we've moved the innovation scale much further in saying that now we have the ability to have disconnected computing capabilities where our users truly can be working anywhere, anytime, in the world efficiently and effectively without having to have a tether back to the corporate environments.
FIELD: As individuals review and interpret the findings of the risk/reward barometer, what sort of light should they be looking at this in?
PIRONTI: I think, like anything else involved with risk, it's a matter of relativity. There is no one answer or one way that an organization should look at this and say this is what the community at large is looking at so I should be allying to that. This should be looked at as an informative data point that can help people understand what is going on around them, because that's often what people are trying to understand. How are others solving the problem? How are other people looking at things? What I can tell you is some early feedback we've received already. Individuals looked at the survey in their own environment and said this has really helped them to normalize some of their activities and helped them have better conversations with their management team, because it helps to either bolster some of their points of view, or it helps them to rethink some of the things from a risk perspective, and move forward differently. I hope that this is an effective data point that people will use in their calculations of risk, in their interpretations of business activities and how they go forward. But I wouldn't indicate this as an authoritative approach of what is truly the way to be going forward in their activities.