Skip navigation

With the fast pace of the changing technology landscape and new usage models such as Cloud Computing,  IT Consumerization, and social computing security remains one of the highest priorities for IT. I decided to sit down with Intel’s CISO, Malcolm Harkins and ask his perspective on these various security challenges.


I got Malcolm’s thoughts: security and the cloud, security and IT Consumerization, security and social media, how Intel IT is ‘rethinking’ their security architecture to support all these new models and finally, what does he mean when he talks about the greatest security challenge is the misperception of risk.


Take a look at each of these very short (~1 minute) videos. The first one embedded here is security and cloud computing. I will release the other topics during the month of May. I hope you will comment and give your perspective on these topics and let us know what your IT organization is doing to enable these new usage models. I look forward to the discussion! And since I’m asking, what other security topics would you like to ask Intel IT?


Employee Productivity.


I was reading a blog today from Dan Ortega, Senior Director of Product Marketing for mobility products at Sybase, titled the "10 reasons to mobilize".


I agree with Dan on the many benefits of IT organizations who embrace mobility - however, I believe the single biggest benefitof embracing mobility today is improving employee productivity.  Improving productivity and efficiency of workers by providing choice and freedom of work-model and style are behind many of the 10 reasons Dan cites.


The Intel IT organization has been focused on mobility for over a decade and has seen first-hand the variety of benefits for IT, our business and employees.  The demand for mobility is increasing dramatically today with new devices, growing popularity of social media solutions and the demand for global collaboration.  As we seek to capture and create business value from these technology and usage trends, we are finding key productivity advantages of embracing IT consumerization trends (facts in the Intel IT annual report) along with the need to securely adopt personal hand-helds and re-define our security policies to improve business agility.


The Intel IT organization first adopted the mobility "bug" over 10 years ago that began with our shift from desktop-based PCs to laptop-based PCs.  That transition was extremely beneficial to Intel and helped us reduce costs in IT by 67% over the course of a decade.  Mobile TCO reduction.JPG

While this was good for both IT and financials, the gradual evolution of our mobile business PC strategy delivered business value in other areas  also (figure below) that provided our employees with better performing, more secure tools to enable them to do their job with more efficiency - while on the go away from their desks.  Flexibility was a key advantage in the both the ways (and where) employees could work and the ways that IT could deliver access to a variety of business applications in a variety of different computing models all while improving both security and manageability of the fleet.


These key lessons have made mobility a way of life inside Intel IT.



Has your IT organization embraced Mobility?

What benefits did you gain?

What challenges did you or do you face today?


Chris P


Come over for coffee

Posted by Rob@Intel Mar 23, 2011

Thanks to Google you can see where I am right now. This is part of their latitude service and is aimed at allowing us keep track of friends. My mobile phone constantly tells Google where I am and that information is passed to people that I choose. In this case I have agreed to allow you to see which town I’m in.


Click here to find me


I think this is a great example of a personal service which a company may not like. It would be an interesting conversation to know who owns the position information of you when you are at work. If you make the information public is it OK to use for time and attendance monitoring? I don’t have the answer but there are plenty of these services out there.


What other service are there where an employee can expose data in this way? We know that tagging your position on facebook  (Checking in) is common practise.I would be interested in hearing your thoughts and ideas around what is acceptable policies for a company to have on personal services.



Congratulations.jpgGreat news from the Microsoft Digital Crimes Unit (DCU).  They, in cooperation with US federal authorities, took down the Rustock botnet.  Rustock was one of the most prolific spam engines, specializing in those annoying fake-drug email solicitations.  According to the Microsoft DCU blog, at its worst, Rustock was capable of sending 30 billion spam email messages a day.


Just as I predicted in my year end blog Security Predictions for 2011 and Beyond attackers would be targeted with more ferocity from governments, service providers and organizations worldwide.  Case in point.


This botnet consisted of nearly a million infected computers worldwide, being used to flood the internet with the spam.  With the main control servers offline, these systems, while still infected, cannot get instructions from their masters.


This is a positive step forward, but not a complete resolution until infected systems are cleaned and protected from future re-infection.  Sadly, it is likely most owners of infected systems are unaware of their contribution to the problem.  So the battle, not just with the malicious owners of botnets but also with the uninformed end-users of bot-infected computers, continues.  This is a victory to be sure, but the dip in spam may be short-lived as the void will probably be filled by others.  Unfortunately, the war will continue to rage in our Inbox's.  Still, this is a positive step forward in prosecuting those who abuse the Internet with fraudulent and annoying emails.


A well-earned congratulations to the hard working Microsoft folks in the DCU.  Well done and keep pressing forward.


Reference Links:

Two weeks ago PMI announced their new credential for Agile.  In summary, PMI’s new Agile credential (not officially named but assuming it might be titled ‘PMI-APP’ or ‘Agile Project Professional’), is the 6th credential which will be offered  in May, 2011 as an open enrollment pilot.  Ideal candidates for the credential are already PMP credentialed with 1500+ hours of Agile project management experience over the last 2 years.  The proctored exam is 120 questions with a maximum 3 hour timeframe.  Cost of the credential for PMI members is $435 USD.   As our IT is actively considering a program to accelerate adoption of an Agile Lean development practices this year, our setting organization goals for a # or % of PMI Agile Credentialed PM’s might also be a prudent initiative coinciding with our new Agile PM practitioners.


A week later I’d been scheduled to give a presentation on the PMI Credentials at the monthly PM CoP (Community of Practice) meetings and had a slide on the above information.  A few days afterwards I was asked to officially be the Intel IT PMO PMI Credential Mentor which was doing unofficially anyway.


Why am I happy about taking on more work -so as my passion is in helping my Intel pm colleagues it’s a win-win and can’t wait to start in Q2.  When you do something you like and get paid for it – it doesn’t get much better than that.  You might be thinking ‘is he that simple to please…?’.  The answer is no and coupled with the cool PMI news my Internal Cloud program is doing great.  We are ahead of schedule for the quarter already at over 46% virtualization (our Q1 goal) and might hit 48% over the next 2 weeks.  All other secondary metrics look healthy so with my program running well I have fewer issues to deal with and therefore more time to mentor. No surprise as several people in our teams got together and wrote an excellent whitepaper just released from IT@Intel on Applying Factory Principles to Accelerate Enterprise Virtualization.  We are becoming the experts in all areas. 


To cap off everything else, our CIO, Diane Bryant was acknowledged by Computerworld as a top CIO and in her article mentions what asked what is the most important technology to the business, her response is: "Virtualization is driving increased efficiencies in our data centers and the productivity of our employees." – That’s my program!


It does not get much better ... Life is good!





As project managers, most of us would have banked on the traditional IT tools for managing our projects collaterals. Most of us would be using a content management system for storing and managing our documents/ collaterals, and have other project management tools for assisting in scheduling and tracking the projects.  We also end up spending considerable amount of time on communications – setting up face-to-face meetings, virtual meetings, email communications and phone calls.


This is where Enterprise 2.0 can help us out. Enterprise 2.0 is broadly defined as use of Social Computing platform/ Web 2.0 for business use. While project team members work towards a common project goal, a community is setup for people with common interests. By combining this mode, we have an opportunity to use the Social Computing tools, such as wikis, blogs, discussion forums, activity feeds for our project collaboration.


For example, instead of sending the status reports through an email, the project manager can use the blogs to share the status with the team and stakeholders. The advantage here is that, the status report does not get lost in the email archives, and the stakeholders and team members have an option of commenting on the report. Work gets transparent. Similarly, using wiki to create requirements or other collaterals, will reduce the needs for having meetings to collaborate.  Activity feeds can be used for sharing the status. If a team member A is waiting on team member B to complete her tasks, through microblogging/ activity feeds they can keep each other updated. Depending on how comfortable the team is with using these tools, we can develop a good workflow or business process model for project management.


At Intel, I see many groups using Wiki for their project management activities – as the container for their project work. Some of us setup alerts/ RSS feeds to get informed about the changes to these pages, which affect our work. We are yet to utilize all the capabilities listed above for our project management activities, but are planning to evangelize these capabilities to project teams.


In your projects, do you use Social Computing tools? Would you like to share your “ahas” with us, when you have used these tools, and moved out of the traditional mode of communication? We would love to hear your thoughts and ideas.

I would like to welcome you to the tenth edition of the Intel IT Performance Report. In this edition you will discover the key IT initiatives and strategies that delivered solid business results for Intel in 2010, and our focus areas for the future. As IT professionals, we look forward to sharing and learning with you as we all strive to deliver greater business value – and a competitive advantage – to our companies.  Let us know what you think or if you have similar IT initiatives at your company.


Every IT organization seems to be under constant performance pressure. The pace of business is increasing. Budget pressure is always present. The complexity of regulatory compliance is exploding. Employees expect full support of the latest, often consumer-orientated, technologies... yesterday.


This pressure is amplified as our businesses become even more dependent on IT. The business looks to us in IT for a competitive advantage—solutions for faster product development and delivery cycles, business intelligence and automated analytics tools for better decision making, and an overall reduction in the cost of doing business. On this journey to forge a competitive advantage, we are faced with limitless challenges. To be successful, we need to market IT.


Marketing is a Skill

Marketing often has an undeserved negative perception as an instrument of deception and manipulation, or a creative “spin” of reality. Marketing is actually about understanding customer requirements and translating the value of a product or service into terms the user can understand and appreciate—a skill that is critical to achieving the goals discussed above.


Marketing Helps Us Connect with Business Partners


Proper marketing creates a connection between IT and our customers and partners. Effective marketing means connecting with customers at a personal level, transaction by transaction. The result will be delivery of the right services at the right time, based on the unique needs of the audience, and increased trust.



Marketing Can’t Replace Good IT Practices and Execution

Developing better relationships with our customers and using marketing techniques will not mask poor IT performance or service. However, marketing can re-enforce positive impressions and help deliver the competitive advantage our businesses want. I often hear IT professionals state, and I agree, that we must run IT as a business—optimize investment decisions, prioritize our programs like a portfolio, and monitor progress, making required course corrections. If that is the case, what business would choose to

forgo marketing and miss the opportunity to understand its customers’ needs? We should embrace the concepts of marketing in IT.



Four Effective Ways to Embrace IT Marketing

Intel IT has embraced the importance of marketing our organization’s capability and solutions to our partners and employees. Here are a few of our “best practices.”


1. Annual Performance Report. For the past 10 years, our IT organization has published an IT Annual Performance Report to communicate our operational strategies and results to our partners, employees, and other IT professionals. IT is often the silent hero, or visible to customers only when something goes wrong. People often know only the part of IT that they rely on, but don’t have an appreciation for the breadth of IT’s responsibilities. It’s easy to cry, “why aren’t you prioritizing me” when you don’t realize there are other programs on the priority list. Documenting and communicating the breadth of services we offer and the value we provide has helped us

change that perception.


2. Productivity Tips for Employees. For the past five years, the Intel IT Products and Services Communications team has published an internal bi-weekly corporate-wide newsletter (we call it Digital Edge) focused on the technology and solutions available from Intel IT. Digital Edge articles educate Intel employees on a variety of information technology topics to help them improve productivity and take advantage of new IT products and services. Over time, readership of this newsletter has grown to 70 percent of its distribution, an incredibly high readership for a “pushed” communication. Some of these articles have been republished for external consumption at


3. IT-to-Admin Audiocasts. No one markets to a homogeneous population, and therefore segmenting your customers is imperative. We found that the administrative assistant community is a key influence point that propagates awareness of IT service and perception. IT hosts a series of quarterly audiocasts for Intel’s administrative assistant community. This format provides quick, timely updates to an influential audience, with IT experts on hand to answer questions.


4. Offering Information at Users’ “Point of Need.” Our IT communications and training teams develop content to help employees learn and make the most of IT solutions. Our internal IT intranet portal offers the latest “IT news,” optimized search, and a comprehensive product catalog. We monitor support calls, chats, and submitted help tickets to identify topics that warrant additional focus. A new focus for us is to deliver this content at the user’s “point of need”—for example, when an employee goes to investigate, order, or download a specific product or application, they also get the

information, tips-and-tricks, and training on how to best use that specific product.


Let’s Take Charge of Our Own Destiny through Marketing

We all seek better partnership with our business stakeholders. We want to improve IT’s ability to create a competitive advantage for our respective organizations. I believe there is a need to “market” IT. Create the connection between IT and the business - that’s marketing! Certainly, marketing is alive and well inside Intel IT.


How are you working to market your department's accomplishments and expertise?


Do you have a formal plan in place?

Targeted Computer.jpgThere is a race for the security of our computers.  It has been going on for years.  Attackers, who seek to compromise systems and the defenders who struggle to protect them, are all heading toward the same finish line, the core hardware components.  In the computers we rely on every day, the core is the hardware itself, consisting of components like the processors, logic systems, and physical memory.  These are the hearts and brains of our beloved systems.  If we look at the entire technology stack, the users sit at the top and hardware is the foundation at the bottom.  Applications interact with users above and rest on top of operating systems.  Operating systems function with the firmware below, which is the interface to the hardware at the bottom of the stack.  The hardware does all the actual computation while everything above is a dynamic web of instructions, rules, and data to be processed.  Together, these layers represent structure by which all modern computer systems operate and each layer can be attacked. 

The history of significant computer compromises has a repeating pattern.  Original attacks targeted the very users who operated the systems.  People can be manipulated into revealing information and unknowingly assist their attackers.  These methods were time consuming, relying on the slow interaction of the targeted people, and needed refined communication skills to be truly effective.  Defenders began to establish processes and protocols for users.  Coupled with training, it made people less susceptible to exploitation.


System Stack Attack Evolution.jpgSuch barriers created limitations at the people level and attackers soon expanded to the insecure applications in the software layer.  They went further down the stack, bypassing the savvy users and moving into an environment which moved much faster and required less influencing skills.  This was innovative and up to this point, application writers paid little attention to coding securely.  Attackers found countless numbers of vulnerabilities to exploit.  The defenders responded over time by designing software to have more security, thus making it more difficult for attackers to find weaknesses.  


So they evolved again, went lower in the stack, and opened another front.  They targeted the operating systems, which applications rely on for structure and view with authority.  Again, due to poor coding the attackers found great initial success in taking control of operating systems and therefore undermine most of the security controls protecting the applications.  OS vendors, adopting the lessons of application writers, responded with better coding, quality assurance testing, and regular patch updates to secure their products.


Today, we have attacks targeting people, applications, and operating systems.  But the cycle continues.  Attackers keep going lower, leading the charge beyond the operating systems to gain access and control of our computer systems.  Next up is the firmware and eventually the hardware.


Security researchers, system hackers, and malware writers are diving lower in the stack.  The closer you get to the core, the more power you possess.  Stealth can be attained from layers above, system control, and the breadth of access grows.  Pervasiveness becomes an interesting ally as once a flaw is detected, it becomes much more problematic to fix.  The trade-off is firmware and hardware hacking is more difficult, requiring significant technical understanding, but more research is being focused on the areas by the industry.  Every year the community grows to support the flood of new technology demanded by consumers.  More tools are being developed to look, test, dissect, analyze, challenge, and compromise the lower domains.  Organized, highly talented, and well-funded groups of researchers and hackers will lead the way.  The “writing is on the wall”.  The battle is getting lower and will eventually target the core.  It is just a matter of time.


The core must be defended rigorously and preparation is imperative if the defenders are to win.  Security service providers and the designers of hardware/firmware must work together.  System architects and engineers have the home-field advantage.  They must learn and apply the lessons of the application and OS coders now, before they are surprised.  Security principles must be applied from the beginning of the design process.  Added security features, both passive and active, need to be intertwined into products to assist security providers.  Quality assurance is more important than ever and it is inevitable that some weaknesses will eventually be found.  The team must be ready to respond to address exploits, something which is much more difficult at the core, requiring creative solutions embedded in advance.  


Whoever can control the core first wins the race.  We must win.  The security of our computers hangs in the balance.

This article "Why US productivity can grow without killing jobs" in the McKinsey Quarterly made me stop and think this morning since improving employee productivity is such a big focus for us inside Intel IT and we see our role as facilitating productivity and business efficiency as a core function and an IT best practice .


Over my career, I see three conflicting emotions or perceptions about productivity


  • Management is always trying to drive productivity and efficiency - hey, that is their job .. make the business go faster, cost less and be more competitive.
  • A common fear is that if we improve worker productivity or efficiency is that someone, somewhere will lose a job.
  • Yet, we (or at least I) feel really good when I can get more done and as individuals we are rewarded for it in our performance reviews.


The McKinsey article talks about the short term and long term effects and I found it interesting history lesson. 


So what can or should IT organizations do about productitivity.  My opinion -- Embrace IT, Drive IT, Create IT and Enable IT.


IT plays a huge role in driving productivity amongst employees.  Inside Intel IT our management team sees Employee Productivity as one of Four core ways that IT delivers value to business.  In the 2010-2011 Intel IT Annual Performance Report, CIO Diane Bryant shares why, as well as how we are taking innovative steps in IT investment, operations and solutions to bolster productivity. These range from supplying richly configured mobile business PCs as a standard computing platform, enabling and allowing personal devices to access corporate services for flexible work models, enabling collaboration tools, deploying social media platforms and implementing IT service desk solutions that proactively look for performance issues across our PC fleet to find, detect and correct issues before they happen.  Additionally, we are using IT to accelerate the time it takes to design and build next generation micro-processors and, the time it takes to respond to customer change orders in our supply chain and finally, to improve the automation processes within Intel's factories.


The result. Intel employees are more productive and Intel's business is more competitive. 


I'm all for increasing productivity - and IT plays a key role in making it happen. I agree with the McKinsey article findings, driving productivity increases the capacity for new business opportunities - which, in my mind, grows business and creates jobs - not drive them away.


Do you Agree:

  • Is productivity good or bad?
  • Does IT have a role?




For more IT Best Practices on creating Business Value, check out the home of IT @ Intel at

I have talked to many organisations over the last few years about how they have approached consumerization. For those that have made it work the best there seems to be some common themes. So here you have the Rob’s guide to some basics that may help you:

  1. Assuming that staff can remember their “terms and conditions of employment” and relate it to the device in front of them. Always create a separate agreement that does not reference anything else and explain what’s expected of the employee. There is a big difference in signing a contract saying you will protect company data and associating that to backing up your Iphone onto your home computer where the rest of the family can read company files.Woman cafe table_7373.jpg
  2. Trying to stop the unstoppable. There are some things like USB sticks that it’s possible to stop with technology but it’s very hard. If you’re not going to use software to ensure that only company USB sticks are used then allow them. Far better to get the users on side, have a relevant policy and then mitigate the risks then to pretend that because it in a document that your staff should have read you have nothing to worry about.
  3. Mitigating risks though policy. It’s great to have legal backing but it won’t get your data back. Sure you may be able to enforce in a court that an employee has to bring in their personal device for you to look at, or that you can make anyone that’s stolen a device give it back, but the damage has been done. View legal enforcement as a backup not the primary in risk mitigation.
  4. Trying to apply company owned attitude to consumerized devices. Look at Consumerization as a way to wipe the slate clean and start again. You may want to start off with tighter VPN controls e.g. only allow HTTP access to your network. Antivirus is a great example; the requirement is to stop virus and malware from taking data. Antivirus is one solution, not the requirement. In reality it may be that you need to install AV software but don’t forget that there are many ways of reducing virus risks. The same is true of other technologies, I can think of a smart phone which has really good controls and protects the data without encryption better than other devices which do have encryption. In this case the requirement is protecting the data, not dose the device use encryption.
  5. Not accepting diverse technologies and having a strategy for them. The whole point of consumerization is that the consumer chooses the device. This is inconvenient for any IT department. A scaling solution where more secure device get access to more resources is a far better idea than a minimum set of requirements that the device has to meet to get access to everything. A side effect of doing this means that you need to know what devices are connecting and that also adds a layer of management.

There are many more of course but that’s plenty of excitement for today. Hay now when we speak of consumerization we may think of an employee owning the hardware, we may even think about them owning the software but what about them owning the service? What do I mean by that? Well in the next blog we will investigate!

Employees.jpgWhen employees and employers say farewell, it can be a pleasant or difficult situation.  Regardless, significant risks exist when former employees continue to have access to their previous work environments. 

Under the best of circumstances employees will leave the company on great terms.  They could be retiring, starting their own company, taking a well-deserved break from the working world to focus on family or other personal pursuits.   Some may even to return one day as a valued employee.  Other situations may not be as positive.  Layoffs, downsizings, a competitor swooping in with a successful headhunting raid and scurrying off with important talent, can put a permanent strain on the relationship.   It really does not matter the circumstances, when an employee leaves, they take with them inside knowledge of the business and likely important information about the company. 

Most of the time this information is limited to memory as employees are usually forbidden to copy or take property when they leave as stated in their original hiring agreements.  Well-handled exit interviews will remind and reinforce this fact. 

As part of the exit process all access and credentials should also be removed or changed.  This includes login and remote access accounts, entry badges, email and company social site logins, company phones, and of course all computing devices.   As they no longer represent the company, their access and credentials should be identical to those of a stranger on the street.  It may seem cold, but it is a necessity that protects both the company as well as the departing person as legacy credentials of departed employees can be used maliciously by others as well as the former trusted worker.  It is better for all if they are securely removed.

It sounds like common sense, but a recent survey conducted by Harris Interactive on behalf of Quest Software, indicated 1 in 10 IT professionals stated they could access accounts and systems associated with a prior job.   This is a significant problem.  If this percentage were to hold true across organizations, it could represent a serious aggregate risk depending upon the number of people who leave a company.

Every organization should have a process to protect the company.  Human Resources, Information Technology, Information Security as well as the manager of the employee should be following an approved checklist to insure consistency and comprehensiveness for every exiting employee.  This process must be maintained and updated to remain effective. 

It is critical for access boundaries to be secured from people who do not have a legitimate business need.  Closing the door on former employees is an important task in managing the information security risks of an organization.


Reference Link:

Walking with Luggage.jpgThis information security strategist is changing jobs!  Well, for a while anyways.  The Intel Information Technology division, supports a variety of options for temporary job rotations across the company.  Such internal movement encourages the circulation of ideas, perspectives, constructive criticism, and the sharing of best methods and practices.  It builds a stronger business community and fosters closer employee teamwork, which can be challenging with 80k workers in 150 locations, resulting in more effectiveness across the entire organization. 

I seized an opportunity within of the Information Security team, chartered with protecting Intel's internal business operations, to partner with the product folks who are designing the security features of Intel's future products.  What a win!  Incorporate security veterans seasoned with practical experience with the brilliant designers and engineers creating security technology building-blocks for the future of the computer.

I am truly excited to dive into the security feature product side of the industry.  Intel has a coveted advantage from a security perspective, as we design the base computing hardware.  In the race for attackers to get lower in the stack, we already sit at the bottom with control of the core computing hardware and therefore reign over the most basic logic elements in the computer.  There is real power in that location.  Intel is well positioned to take advantage of this for the security benefit of all. 

When I accepted the rotation I began thinking back on all the long nights working crises, responding to incidents and investigations, all the creative solutions applied to unusual situations, and reflected on the many scars from years in the trenches.  I scratched out a wish-list a mile long, which includes my most crazy ideas to secure systems, data, networks, enterprises, clouds, infrastructures, communities, and industries at the hardware layer.  Be honest, wouldn't you do the same?

Travel Luggage.jpgSo I am packing my bags, bringing all the wacky ideas, and leaving the halls of IT for a few months.   I will get to work with some of the worlds finest engineers, product managers, and architects in the computer industry!  Although it is humbling to know I am the lowest common denominator when it comes to brains, in every meeting I attend, I do get the benefit of learning from the best and brightest.  It is great the product teams are willing to have this old security dog in their discussions. 

I think is it a fair trade, as they get to pick my brain on how the industry struggles to develop, deploy, and sustain security controls in the ever elusive goal of achieving optimal security.  As a strategist, I have the advantage of the big picture over time.  How threats are evolving, what is and will be targeted, and how the attack methods will lead ahead of the defensive countermeasures.  I will help contribute to the macro picture as they are the experts in the micro functions which constitute the very building block foundations of what could be a prerequisite for the next generation of security tools, protections, services, and defensive capabilities.

REALITY CHECK: To be completely honest, it may not exactly be a fair trade.  I get to learn from the best and brightest, while they get stuck with a cynical, slightly paranoid, glass-half-full, InfoSec security veteran who likes to talk far too much.  Additionally, they will witness my Dr. Jekyll impersonation when discussing how security advocates may use product features to deliver security and then see me switch to Mr. Hyde as I also lament on how the same features could possibly be used by the malicious for nefarious purposes.  And my sarcasm is just a bonus to sweeten the deal. 

So off I go to the product groups, on loan for 6 months.  Much thanks to the IT CIO who supports such cross pollination of ideas and likes risk-taking now and then.  Or maybe she is just not a fan of my sarcasm.

Consumerization requires understanding people.


A great example was an Intel internal blog some years ago where two users, both doing the same job were asking for very different devices. One wanted a phone for email, finding airport lounges and applications. The other just wanted something that would make calls with good battery life. Can IT ever pick the right device for each user? I don’t think so but I’m interested in your thoughts.


My job is security specialist with Intel. I think that allowing company data on personally owned devices can be done with a better security level then most companies have today. That’s the point of this blog, looking at security of company data on personal devices.


If your company is anything like Intel you will have users trying to connect their personal devices today. If they are not they may be trying to sync their calendars with Google and user their own USB sticks to take data home to work on. You may have sales staff with customer details saved on GPS units, What about the company executives wanting the latest technology? These employees are not bad, they are not trying to do damage to the company and they just want to use the tools that they like.


Can this be stopped? Well let’s suppose that you wanted to stop all forms of consumerization, could you do it? I don’t think so, having seen the lengths that some people will go to in order to connect a personal device I believe that most businesses would not tolerate the cost or the disruption of the controls needed. Some years ago I did look at if this was possible and I came to the conclusion it would be very expensive. At this point everyone is rushing to tell me the cost of data loss, I really get that, being a security person I know protecting data is equal to protecting the life blood of a company.


So to repeat where we started, consumerization is about understanding people, how they work and behave. If every employee was a robot that did exactly what they were told you may find that you would spend very little money on security. So that’s the base line, consumerization most defiantly works if the confidence in the employees enforcing security is unquestionable. So the challenge is to work out, what you can trust the employee to do and what you need technology for. Then identify the gaps.


This sounds so simple but in reality it means a review of a company’s security position. In the next blog I will describe how Intel went about doing this. In the mean time if you’re interested there is a whitepaper on mobile device security at click on the PDF.



Unknown Metrics.jpgInformation security metrics can be very misleading when taken out of context.   Metrics are the distilled insights of data measurement and can provide valuable information to support good decisions.  Unfortunately this is not always the case, as metrics also have a dark past of being used to mislead, misdirect, distort facts, and distract audiences.  Mark Twain popularized the phrase: "There are three kinds of lies: lies, damned lies, and statistics." 

The information security industry is in dire need of good metrics to support decision making, but also represents a very easy domain to argue almost any position with poor, questionable, or unsuitable metrics.   Given the current lack of standards, oversight, sources, and varying assumptions, security data is easily misrepresented or misunderstood.  This can cause problems both intentional as well as unintentionally.   Charlatans can wield numbers to sway opinion to their benefit, while good natured advocates may use available data in ways not applicable or relevant to the situation.  The result is the same.  Bad information results in poor decisions.


The underlying details are important when looking at and incorporating metrics. In many cases, failure occurs when metrics are de-coupled from the original decision they were generated for and used for other purposes without clear consideration of the principal assumptions.  To keep reigns on the use of security metrics, it is important to understand how they are derived and what circumstances they were crafted to measure.  With the purpose of metrics being to support decisions, this information is imperative.  Some would argue that metrics without purpose is simply measurement data.


My recommendation is to question everything!  Challenge the origins of security metrics.  Know the source and what they were intended to show.  Understand the applicability and limitations.  Only then can you truly understand if what is being presented is relevant, accurate, and supportive in making intelligent decisions.

One of the most challenging aspects of information security is right sizing the budget for such expenses in proportion to the overall IT budget for a company. That is, estimating the appropriate budget related to the level of risk that an organization is prepared to accept. Some company’s may believe that comparing the percentage of IT security expense used by their competitors or organizations within their business sector is a good way to estimate their own IT Security expense in terms of percentage of an IT budget. This type of pursuit can bring about a disconnect between the perceived level of risk to information security exposure an organization is under and what is reality. Many options exist for calculating the appropriate security expense with regard to risk. There is the Annual Loss Expectancy (ALE) which is calculated using the Annual Rate of Occurrence (ARO) multiplied by the Single Loss Expectancy (SLE), or the Return on Security Investment (ROSI) can be used along with the Total Cost of Ownership (TCO) calculation. Chief Information Security Officers (CISO’s) may need the values of these calculations to feel more comfortable with their security investments.  Which brings up my challenging question of the day: is information security really an investment?


We should not forget that information security is a process which includes technology and, most importantly, people. For that reason, it is possible to consider the improvements of an IT Security program by evaluating the maturity level for an organization using a scale of measurement like Common Maturity Model Integration (CMMI) which provides different Capability Levels (0-Incomplete, 1-Performed, 2-Managed, and 3-Defined) and Maturity Levels (1-Initial, 2-Managed, 3-Defined, 4-Quantitatively Managed, and 5-Optimized)).  We can also consider using common business improvement strategies like Six Sigma, which can be used to identify improvement possibilities using measured results to justify the cost of IT Security. Six Sigma involves the use of those valuable boxes connected with arrows to define how things are currently being done and how improvements can be made. The strategy provides steps that include Define, Measure, Analyze, Improve and Control. The first step in any improvement strategy is to define the metrics for which to collect, measure and analyze the current measurement for a baseline, and then improve and control meaning that the new processes should be implemented with ongoing analysis as needed. But there needs to be metric to monitor and analyze in order to determine improvement capability. Even if that metric to be measured is time to complete the process, it could be an important metric on establishing a current baseline on which to improve upon.


Another challenge in an information security program is collecting metrics that can be monitored for how well the program is working. If there is no Information security program for which to collect metrics, then establishing this should be a priority so that the focus can be on the right options for which to improve. It can start simply with the collection of number of systems being infected by a virus or worm (malware). In my opinion, if no metrics are collected and reported to upper management, there is no security program. These metrics are important part of determining options for improvement and allow for the appropriate justification of information security expenditures.


One good example of measured improvement can be found from one of Intel’s very well written White Papers on the subject of Security Investment or (ROSI) here: Measuring the Return on IT Security Investments.


Many countermeasures can be put in place at once in order to establish a good defense in depth strategy for the IT Security program. But if IT business value proposition is important, an approach that allows implementation of security countermeasures (or improvements) one by one can allow measurements to be taken and proper value to the organization can be assessed. Whether it’s CMMI to show increased maturity level in handling a security event, Six Sigma for improvements on the process, or ROSI that shows return on the initial security investment, all can be very beneficial to cost justification as they provide indicators on just how much improvement was achieved based on the metrics collected.


The truth, in my humble opinion, is that even though all of the calculations providing justification to information security investment have some subjectivity, they are very meaningful and necessary in allowing the appropriate communication to take place about risk mitigation.  An organization’s obligation to protect its information assets is considered due diligence, and in some cases IT security controls are mandated under regulatory compliance. But unfortunately, many organizations are forced into a security program with the only purpose of satisfying regulatory compliance making it very difficult to measure business value. Security audits should only be used to verify security controls are in place and working properly, not to control the direction of a security program. Information security should be created with a defense in depth strategy in mind and the consideration of the data classification that needs to be protected. The organization’s culture plays a huge role in making strides with this and implementation of standards like ISO 17799/27002, NIST-800 series, and COBIT can also help in this strategy.


A strategy that focuses on IT Security improvements can be measured to show that it is an investment in the organization’s capability and maturity or that it is an improvement on the protection of information assets. As with any process, there is always room for improvement in IT Security. The IT Security program should be created to protect the organization and by determining the indicators for success, information security expenditures can not only be justified but can also be an investment in IT Business Value.

Filter Blog

By date: By tag: