Standards Effort Points to Automation Via Common Markup Language O-ACEML for Improved IT Compliance, Security

Transcript of a BriefingsDirect podcast from The Open Group Conference on the new Open Automated Compliance Expert Markup Language and how it can save companies time and money.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion in conjunction with The Open Group Conference in Austin, Texas, the week of July 18, 2011.

We’re going to examine the Open Automated Compliance Expert Markup Language (O-ACEML), a new standard creation and effort that helps enterprises automate security compliance across their systems in a consistent and cost-saving manner.

O-ACEML helps to achieve compliance with applicable regulations but also achieves major cost savings. From the compliance audit viewpoint, auditors can carry out similarly consistent and more capable audits in less time.

Here to help us understand O-ACEML and managing automated security compliance issues and how the standard is evolving are our guests. We’re here with Jim Hietala, Vice President of Security at The Open Group. Welcome back, Jim.

Jim Hietala: Thanks, Dana. Glad to be with you.

Gardner: We’re also here with Shawn Mullen, a Power Software Security Architect at IBM. Welcome to the show, Shawn.

Shawn Mullen: Thank you.

Gardner: Let’s start by looking at why this is an issue. Why do O-ACEML at all? I assume that security being such a hot topic, as well as ways in which organizations grapple with the regulations, and compliance issues are also very hot, this has now become an issue that needs some standardization.

Let me throw this out to both of you. Why are we doing this at all and what are the problems that we need to solve with O-ACEML?

Hietala: One of the things you've seen in last 10 or 12 years, since the compliance regulations have really come to the fore, is that the more regulation there is, more specific requirements are put down, and the more challenging it is for organizations to manage. Their IT infrastructure needs to be in compliance with whatever regulations impact them, and the cost of doing so becomes a significant thing.

So, anything that could be done to help automate, to drive out cost, and maybe make organizations more effective in complying with the regulations that affect them -- whether it’s PCI, HIPAA, or whatever -- there's lot of benefit to large IT organizations in doing that. That’s really what drove us to look at adopting a standard in this area.

Gardner: Jim, just for those folks who are coming in as fresh, are we talking about IT security equipment and the compliance around that, or is it about the process of how you do security, or both? What are the boundaries around this effort and what it focuses on?

Manual process

Hietala: It’s both. It’s enabling the compliance of IT devices specifically around security constraints and the security configuration settings and to some extent, the process. If you look at how people did compliance or managed to compliance without a standard like this, without automation, it tended to be a manual process of setting configuration settings and auditors manually checking on settings. O-ACEML goes to the heart of trying to automate that process and drive some cost out of an equation.

Gardner: Shawn Mullen, how do you see this in terms of the need? What are the trends or environment that necessitate in this?

Mullen: I agree with Jim. This has been going on a while, and we’re seeing it on both classes of customers. On the high-end, we would go from customer-to-customer and they would have their own hardening scripts, their own view of what should be hardened. It may conflict with what compliance organization wanted as far as the settings. This was a standard way of taking what the compliance organization wanted, and also it has an easy way to author it, to change it.

If your own corporate security requirements are more stringent, you can easily change the ACEML configuration, so that is satisfies your more stringent corporate compliance or security policy, as well as satisfying the regulatory compliance organization in an easy way to monitor it, to report, and see it.

In addition, on the low end, the small businesses don’t have the expertise to know how to configure their systems. Quite frankly, they don’t want to be security experts. Here is an easy way to print an XML file to harden their systems as it needs to be hardened to meet compliance or just the regular good security practices.

Gardner: One of the things that's jumped out at me as I’ve looked into this, is the rapid improvement in terms of a cost or return on investment (ROI), almost to the league of a no-brainer category. Help me understand why is it so expensive and inefficient now, when it comes to security equipment audits and regulatory compliance. What might this then therefore bring in terms of improvement?

If you have these hundreds, or in large organizations thousands, of systems and you have to manually configure them, it becomes a very daunting task.

Mullen: One of the things that we're seeing in the industry is server consolidation. If you have these hundreds, or in large organizations thousands, of systems and you have to manually configure them, it becomes a very daunting task. Because of that, it's a one-time shot at doing this, and then the monitoring is even more difficult. With ACEML, it's a way of authoring your security policy as it meets compliance or for your own security policy in pushing that out.

This allows you to have a single XML and push it onto heterogeneous platforms. Everything is configured securely and consistently and it gives you a very easy way to get the tooling to monitor those systems, so they are configured correctly today. You're checking them weekly or daily to ensure that they remain in that desired state.

Gardner: So it's important not only to automate, but be inclusive and comprehensive in the way you do that or you are back to manual process at least for a significant portion, but that might then not be at your compliance issues. Is that how it works?

Mullen: We had a very interesting presentation here at The Open Group Conference yesterday. I’ll let Jim provide some of the details on that, but customers are finding the best way they can lower their compliance or their cost of meeting compliance is through automation. If you can automate any part of that compliance process, that’s going to save you time and money. If you can get rid of the manual effort with automation, it greatly reduces your cost.

Gardner: Shawn, do we have any sense in the market what the current costs are, even for something that was as well-known as Sarbanes-Oxley? How impressive, or unfortunately intimidating, are some of these costs?

Cost of compliance

Mullen: There was a very good study yesterday. The average cost of an organization to be compliant is $3 million. That's annual cost. What was also interesting was that the cost of being non-compliant, as they called it, was $9 million.

Hietala: The figures that Shawn was referencing come out of the study by the Ponemon Institute. Larry Ponemon does lots of studies around security risk compliance cost. He authors an annual data breach study that's pretty widely quoted in the security industry that gets to the cost of data breaches on average for companies.

In the numbers that were presented yesterday, he recently studied 46 very large companies, looking at their cost to be in compliance with the relevant regulations. It's like $3.5 million a year, and over $9 million for companies that weren't compliant, which suggests that companies that are actually actively managing towards compliance are probably little more efficient than those that aren't.

What O-ACEML has the opportunity to do for those companies that are in compliance is help drive that $3.5 million down to something much less than that by automating and taking manual labor out of process.

Gardner: So it's a seemingly very worthwhile effort. How do we get to where we are now, Jim, with the standard and where do we need to go? What's the level of maturity with this?

We want to encourage adoption by as broad a set of vendors as we can, and we think that having more adoption by the industry, will help make this more available so that end-users can take advantage of it.

Hietala: It's relatively new. It was just published 60 days ago by The Open Group. The actual specification is on The Open Group website. It's downloadable, and we would encourage both, system vendors and platform vendors, as well as folks in the security management space or maybe the IT-GRC space, to check it out, take a look at it, and think about adopting it as a way to exchange compliance configuration information with platforms.

We want to encourage adoption by as broad a set of vendors as we can, and we think that having more adoption by the industry, will help make this more available so that end-users can take advantage of it.

Gardner: Back to you Shawn. Now that we've determined that we're in the process of creating this, perhaps, you could set the stage for how it works. What takes place with ACEML? People are familiar with markup languages, but how does this now come to bear on this problem around compliance, automation, and security?

Mullen: Let's take a single rule, and we'll use a simple case like the minimum password length. In PCI the minimum password length, for example, is seven. Sarbanes-Oxley, which relies on COBiT password length would be eight.

But with an O-ACEML XML, it's very easy to author a rule, and there are three segments to it. The first segment is, it's very human understandable, where you would put something like "password length equals seven." You can add a descriptive text with it, and that's all you have to author.

Actionable command

When that is pushed down on to the platform or the system that's O-ACEML aware, it's able to take that simple ACEML word or directive and map that into an actionable command relevant to that system. When it finds the map into the actionable command ,it writes it back into the XML. So that's completing the second phase of the rule. It executes that command either to implement the setting or to check the setting.

The result of the command is then written back into the XML. So now the XML for particular rule has the first part, the authored high-level directive as a compliance organization, how that particular system mapped into a command, and the result of executing that command either in a setting or checking format.

Now we have all of the artifacts we need to ensure that the system is configured correctly, and to generate audit reports. So when the auditor comes in we can say, "This is exactly how any particular system is configured and we know it to be consistent, because we can point to any particular system, get the O-ACEML XML and see all the artifacts and generate reports from that."

Gardner: Maybe to give a sense of how this works, we can also look at a before-and-after scenario. Maybe you could describe how things are done now, the before or current status approach or standard operating procedure, and then what would be the case after someone would implement and mature O-ACEML implementation.

Mullen: There are similar tools to this, but they don't all operate exactly the same way. I'll use an example of BigFix. If I had a particular system, they would offer a way for you to write your own scripts. You would basically be doing what you would do at the end point, but you would be doing it at the BigFix central console. You would write scripts to do the checking. You would be doing all of this work for each of your different platforms, because everyone is a little bit different.

We see with small businesses and even some of the larger corporations that they're maintaining their own scripts. They're doing everything manually.

Then you could use BigFix to push the scripts down. They would run, and hopefully you wrote your scripts correctly. You would get results back. What we want to do with ACEML is when you just put the high-level directive down to the system, it understands ACEML and it knows the proper way to do the checking.

What's interesting about ACEML, and this is one of our differences from, for example, the security content automation protocol (SCAP), is that instead of the vendor saying, "This is how we do it. It has a repository of how the checking goes and everything like that," you let the end point make the determination. The end point is aware of what OS it is and it's aware of what version it is.

For example, with IBM UNIX, which is AIX, you would say "password check at this different level." We've increased our password strength, we've done a lot of security enhancements around that. If you push the ACEML to a newer level of AIX, it would do the checking slightly differently. So, it really relies on the platform, the device itself, to understand ACEML and understand how best to do its checking.

We see with small businesses and even some of the larger corporations that they're maintaining their own scripts. They're doing everything manually. They're logging on to a system and running some of those scripts. Or, they're not running scripts at all, but are manually making all of these settings.

It's an extremely long and burdensome process,when you start considering that there are hundreds of thousands of these systems. There are different OSs. You have to find experts for your Linux systems or your HP-UX or AIX. You have to have all those different talents and skills in these different areas, and again the process is quite lengthy.

Gardner: Jim Hietala, it sounds like we are focusing on servers to begin with, but I imagine that this could be extended to network devices, other endpoints, other infrastructure. What's the potential universe of applicability here?

Different classes

Hietala: The way to think about it is the universe of IT devices that are in scope for these various compliance regulations. If you think about PCI DSS, it defines pretty tightly what your cardholder data environment consists of. In terms of O-ACEML, it could be networking devices, servers, storage equipment, or any sort of IT device. Broadly speaking, it could apply to lots of different classes of computing devices.

Gardner: Back to you Shawn,. You mentioned the AIX environment. Could you explain a beginning approach that you’ve had with IBM Compliance Expert, or ICE, that might give us a clue as to how well this could work, when applied even more broadly? How does that heritage in ICE develop, and what would that tell us about what we could expect with O-ACEML?

Mullen: We’ve had ICE and this AIX Compliance Expert, using the XML, for a number of years now. It's been broadly used by a lot of our customers, not only to secure AIX but to secure the virtualization environment in a particular a virtual I/O server. So we use it for that.

One of the things that ACEML brings is that it has some of the lessons we learned from doing our own proprietary XML. It also brings some lessons we learned when looking at other XML for compliance like XCCDF. One of the things we put in there was a remediation element.

For example, the PCI says that your password length should be seven. COBiT says your password length should be eight. It has the XML, so you can blend multiple compliance requirements with a single policy, choosing the more secure setting, so that both compliance organizations, or other three compliance organizations, gets set properly to meet all of those, and apply it to a singular system.

One of the things that we're hoping vendors will gravitate toward is the ability to have a central console controlling their IT environment or configuring and monitoring their IT environment.

One of the things that we're hoping vendors will gravitate toward is the ability to have a central console controlling their IT environment or configuring and monitoring their IT environment. It just has to push out a single XML file. It doesn’t have to push out a special XML for Linux versus AIX versus a network device. It can push out that ACEML file to all of the devices. It's a singular descriptive XML, and each device, in turn, knows how to map it to its own particular platform in security configuring.

Gardner: Jim Hietala, it sounds as if the low-hanging fruit here would be the compliance and automation benefit, but it also sounds as if this is comprehensive. It's targeted at a very large set of the devices and equipment in the IT infrastructure. This could become a way of propagating new security policies, protocols, approaches, even standards, down the line. Is that part of the vision here -- to be able to offer a means by which an automated propagation of future security changes could easily take place?

Hietala: Absolutely, and it goes beyond just the compliance regulations that are inflicted on us or put on us by government organizations to defining a best practice instead of security policies in the organization. Then, using this as a mechanism to push those out to your environment and to ensure that they are being followed and implemented on all the devices in their IT environment.

So, it definitely goes beyond just managing compliance to these external regulations, but to doing a better job of implementing the ideal security configuration settings across your environment.

Gardner: And because this is being done in an open environment like The Open Group, and because it's inclusive of any folks or vendors or suppliers who want to take part, it sounds as if this could also cross the chasm between an enterprise, IT set, and a consumer or mobile or external third-party provider set.

Is it also a possibility that we’re going beyond heterogeneity, when it comes to different platforms, but perhaps crossing boundaries into different segments of IT and what we're seeing with the “consumerization” of IT now? I'll ask this to either of you or both of you.

Moving to the cloud

Hietala: I'll make a quick comment and then turn it over to Shawn. Definitely, if you think about how this sort of a standard might apply towards services that are built in somebody’s cloud, you could see using this as a way to both set configuration settings and check on the status of configuration settings and instances of machines that are running in a cloud environment. Shawn, maybe you want to expand on that?

Mullen: It's interesting that you brought this up, because this is the exact conversation we had earlier today in one of the plenary sessions. They were talking about moving your IT out into the cloud. One of the issues, aside from just the security, was how do you prove that you are meeting these compliance requirements?

ACEML is a way to reach into the cloud to find your particular system and bring back a report that you can present to your auditor. Even though you don’t own the system --it's not in the data center here in the next office, it's off in the cloud somewhere -- you can bring back all the artifacts necessary to prove to the auditor that you are meeting the regulatory requirements.

Gardner: Jim, how do folks take further steps to either gather more information? Obviously, this would probably of interest to enterprises as well as the suppliers, vendors for professional services organizations. What are the next steps? Where can they go to get some information? What should they do to become involved?

Hietala: The standard specification is up on our website. You can go to the "Publications" tab on our website, and do a search for O-ACEML, and you should find the actual technical standard document. Then, you can get involved directly in the security forum by joining The Open Group . As the standard evolves, and as we do more with it, we certainly want more members involved in helping to guide the progress of it over time.

It removes the burden of these different compliance groups from being security experts and it let’s them just use ACEML and the default settings that The Open Group came up with.

Gardner: Thoughts from you, Shawn, on that same getting involved question?

Mullen: That’s a perfect way to start. We do want to invite different compliance organization, everybody from the electrical power grid -- they have their own view of security -- to ISO, to payment card industry. For the electrical power grid standard, for example -- and ISO is the same way -- what ACEML helps them with is they don’t need to understand how Linux does it, how AIX does it. They don’t need to have that deep understanding.

In fact, the way ISO describes it in their PDF around password settings, it basically says, use good password settings, and it doesn’t go into any depth beyond that. The way we architected and designed O-ACEML is that you can just say, "I want good password settings," and it will default to what we decided. What we focused in on collectively as an international standard in The Open Group was, that good password hygiene means you change your password every six months. It should at least carry this many characters, there should be a non-alpha/numeric.

It removes the burden of these different compliance groups from being security experts and it let’s them just use ACEML and the default settings that The Open Group came up with.

We want to reach out to those groups and show them the benefits of publishing some of their security standards in O-ACEML. Beyond that, we'll work with them to have that standard up, and hopefully they can publish it on their website, or maybe we can publish it on The Open Group website.

Next milestones

Gardner: Well, great. We’ve been learning more about the Open Automated Compliance Expert Markup Language, more commonly known as O-ACEML. And we’ve been seeing how it can help assure compliance along with some applicable regulations across different types of equipment, but has the opportunity to perhaps provide more security across different domains, be that cloud or on-premises or even partner networks. while also achieving major cost savings. We’ve been learning how to get to started on this and what the maturity timeline is.

Jim Hietala, what would be the next milestone? What should people expect next in terms of how this is being rolled out?

Hietala: You'll see more from us in terms of adoption of the standard. We’re looking already at case studies and so forth to really describe in terms that everyone can understand what benefits organizations are seeing from using O-ACEML. Given the environment we’re in today, we’re seeing about security breaches and hacktivism and so forth everyday in the newspapers.

I think we can expect to see more regulation and more frequent revisions of regulations and standards affecting IT organizations and their security, which really makes it imperative for engineers in IT environment in such a way that you can accommodate those changes, as they are brought to your organization, do so in an effective way, and at the least cost. Those are really the kinds of things that O-ACEML has targeted, and I think there is a lot of benefit to organizations to using it.

Gardner: Shawn, one more question to you as a follow-up to what Jim said, not only that should we expect more regulations, but we’ll see them coming from different governments, different strata of governments, so state, local, federal perhaps. For multinational organization, this could be a very complex undertaking, so I'm curious as to whether O-ACEML could also help when it comes to managing multiple regulations across multiple jurisdictions for larger organizations.

Those are really the kinds of things that O-ACEML has targeted, and I think there is a lot of benefit to organizations to using it.

Mullen: That was the goal when we came up with O-ACEML. Anybody could author it, and again, if a single system fell under the purview of multiple compliance requirements, we could plan that together and that system would be a multiple one.

It’s an international standard, we want it to be used by multiple compliance organizations. And compliance is a good thing. It’s just good IT governance. It will save companies money in the long run, as we saw with these statistics. The goal is to lower the cost of being compliant, so you get good IT governance, just with a lower cost.

Gardner: Thanks. This sponsored podcast is coming to you in conjunction with The Open Group Conference in Austin, Texas, in the week of July 18, 2011. Thanks to both our guests. Jim Hietala, the Vice President of Security at The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: And also Shawn Mullen, Power Software Security Architect at IBM. Thank you, Shawn.

Mullen: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Transcript of a BriefingsDirect podcast from The Open Group Conference on the new Open Automated Compliance Expert Markup Language and how it can save companies time and money. Copyright Interarbor Solutions, LLC, 2005-2011. All rights reserved.

You man also be interested in:

• Enterprise Architects Increasingly Leverage Advanced TOGAF9 for Innovation, Market Response, and Governance Benefits
• Open Group Cloud Panel Forecasts Cloud s Spurring Useful Transition Phase for Enterprise Architecture
• The Open Group's Cloud Work Group Advances Understanding of Cloud-Use Benefits for Enterprises
• Exploring the Role and Impact of the Open Trusted Technology Forum to Ensure Secure IT Products in Global Supply Chains

Enterprise Architects Increasingly Join in Common Defense Against Cyber Security Threats

Transcript of a sponsored podcast on how private enterprises and government agencies can combat the growing threat of cyber crime and the looming threat of cyber terrorism.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect. Today, we present a sponsored podcast discussion, coming to you from The Open Group Conference in Boston, the week of July 19, 2010.

We’ve assembled a panel to examine the need for improved common defenses -- including advancing cooperation between enterprise architects and chief security officers -- to jointly defend against burgeoning cyber security threats. The risks are coming from inside enterprises, as well as myriad external sources.

We’ll learn more about the nature of these borderless, external, cyber security threats, as they emerge from criminal enterprises, globally competitive business sources, even state-based threats, and sometimes a combination of these. We’ll also hear recommendations on developing smarter processes for cyber security based on proven methods and pervasive policies.

To help broaden the scope of enterprise architecture, and to develop a leverage point for "mission architecture"-levels of security and defenses, please join me in welcoming a security executive from The Open Group, as well as two cyber security experts who are presenting here at the conference.

Allow me to introduce you to retired Air Force Lt. Gen. Harry D. Raduege Jr., chairman of the Deloitte Center for Cyber Innovation, and who co-chairs a cybersecurity commission under President Obama. Welcome.

Gen. Harry Raduege: Thank you very much, Dana. It’s good to be here with you.

Gardner: We’re also here with Usman Sindhu, researcher at Forrester Research.

Usman Sindhu: Thank you, Dana. Good to be here.

Gardner: And Jim Hietala, Vice President of Security at the Open Group.

Jim Hietala: Hi, Dana.

Gardner: Let’s start with you, Harry. Tell us about the nature of the threat. Perhaps there's a level of the intensity about these external threats that the enterprise practitioners, the architects, don’t perhaps quite appreciate yet.

Raduege: Thank you very much. At this conference, we've put a few of these areas that you’ve mentioned into perspective. As far as cyberspace, it’s a tremendous opportunity for us to gain the benefits of being able to communicate, not only nationally, but also internationally, and across all borders, in the area of cyber security.

But, with that openness, come these new threats. The vulnerabilities that we have of operating in cyberspace are magnified by the threats. These threats are in the areas of identity theft, information manipulation, information theft, cyber crime, and insider threats that are prevalent in many of our organizations and companies today. Also, the threat of espionage, of losing lots of intellectual property from our businesses, and the cyber attacks that are taking place, the denial-of-service (DOS), and also the threat that we see on the horizon -- cyberterrorism.

Gardner: If you're a business or a government agency, perhaps a multinational corporation, is there a commonality, or is everyone getting hit the same by these sorts of things? Who's vulnerable, who isn’t?

International problem

Raduege: The Internet and all of our connections in cyberspace are across all nations of the world. In fact, this is an international problem, and so an opportunity for us to take advantage of it. Basically, Dana, we’re all in this together.

This is the significance of this type of a gathering, to talk about the real benefits of cyberspace, but also to talk about the issues of cyber security that are facing us all. The importance of the underlying foundational aspects of having a great enterprise architecture is pointing more toward a mission architecture for business success.

Gardner: Are there standards, practical ways that cut across the different types of organizations that perhaps are in the works, but that other people aren’t aware of? And how important is education toward moving against some of these common threats?

Raduege: A number of organizations like The Open Group are working on the common standards that are so important for the international community to comply with and to have as guiding factors. Education is very important, developing a cyber mindset across all people of the world, not only in the government organizations, but for industry, and also the individual users at home.

The aspects of education and training and awareness of what’s going on there in cyber is paramount for proper operation, but also for the protection of your critical information.

The aspects of education and training and awareness of what’s going on there in cyber is paramount for proper operation, but also for the protection of your critical information.

Gardner: Harry, are there things that are going on within governments, and not just in the US, that are buttressing the protections and reducing the risk for enterprises and that maybe enterprises aren’t aware of? How could that cooperation between public and private perhaps improve?

Raduege: Since everyone is member of this international community in cyberspace, everyone’s trying to address the issues that are so common to each one of us. Many people are bringing best practices to the table. We’re learning from each other’s experiences. As I mentioned earlier, we’re all in this together.

The international cooperation and collaboration, and the opportunity to meet and discuss these areas, are very valuable to all of us individually, and to our companies and to our nations.

Gardner: Usman, you had an interesting presentation. Tell us about this notion of "smarter" organizations. How is it that organizations, particularly enterprises, need to adjust their thinking in order to better protect themselves?

Sindhu: We’re living in a very exciting time in terms of the innovation, as well as the adoption of technology. Inventor Ray Kurzweil talks about the law of accelerating returns. He says that we're experiencing 20,000 years of adoption and technology growth. In the 21st Century we'll have a lot of innovations and more technology adoption in a much more accelerated fashion.

The smart concept

That’s where the smart concept comes in. This entails smartening our physical infrastructure, our critical infrastructures like utility, healthcare, financial services, transportation, public safety, and also city administrations, down to the IT system itself.

It will use of lot of IT enablement from either the cloud or communication infrastructure, things like RFID technologies, 4G technologies, and solar technologies, to embed lot of situational awareness, analytics, and locationing into the systems.

The need for this is present, if you look across the board at some of the incidents or some of the events. The BP incident shows us that the inefficiency, the number of physical infrastructures that are siloed, present a huge opportunity for technology growth.

This is a smart kind of a concept that embeds itself into smart city infrastructure where all the different components embed all the IT technologies together. There are other initiatives like smart grid or smart healthcare that are embedding these IT technologies as well.

That's a great way to start the 21st Century with this innovation, but the need for security arises at the same time. As Gen. Raduege mentioned, cyberspace is a new frontier, or information security in the cyber world, is a new frontier.

Today, many organizations, including the public and private sector, are waking up to the fact that technology alone is not the answer.

That’s where we have to address lot of different issues and problems around policy, architecture, and best practices. It’s only going to get more serious, as we connect a lot of different systems that were not connected in the past.

Gardner: So, from Forrester Research’s perspective, this smartness isn’t just a technical smartness, but it’s also the policies, the methods, and best practices. Tell me why best practices fit into this notion of smartness, and then maybe revisit how the threat increases with that interconnectivity.

Sindhu: Traditionally, security has been a point technology. Even in the government space, there has been a lot of focus around just technologies. Earlier today, in other sessions, we saw how the importance of point technologies has been overemphasized, rather than risk analysis and the process.

Today, many organizations, including the public and private sector, are waking up to the fact that technology alone is not the answer. It’s the process and people as well. That’s where deriving these best practices would be a key in collaborating with the private and public sector and bringing in an architecture that supports all three silos.

As far as this interconnectivity is concerned, you'll see lot of different business-to-business (B2B) and business-to-consumer (B2C) interactions. It happens today. Today, business partners and distributors do business on the go, on social media, either Twitter feeds or Facebook, or something I call ad-hoc communication through their mobile devices. This is the nature of today’s interaction. This is the nature of B2C and B2B interactions.

Perimeter notion

With that, threats increase manifold, because we tend to look at more of a perimeter notion of security. If you look out there, we're actually in a stock market situation, where information is flowing all over the place and we have no perimeters, so to speak. We need to understand this re-perimeterization, rather than de-perimeterization. How do we put security control at proper threat levels?

Gardner: One area where increased connectivity is not a threat is in connecting more of the enterprise stakeholders who perhaps have a role or a piece of the security puzzle, for them to be a bit more cooperative and coordinated. Tell me how smartness fits into collaboration between architects, chief security officers, and other stakeholders?

Sindhu: It’s a great question. One of the key aspects of smartness is cross-industry and cross-team collaboration. Today, when we start to look at some of the smart deployments, either in the vertical sectors like utilities, healthcare, or even other private-sector industries, we see more and more that security is getting attention from the board-level and C-level executive.

Similarly, enterprise architecture is getting its attention as well. Going forward, we see a great emphasis on combining these two initiatives, even though it’s still a very nascent stage at the board-level talks and C-level talks. We're not seeing a huge focus on cyber security in some instances, but of course it’s changing. It’s increasing.

It's fair to say that the security and enterprise architecture will play a key role, as both concepts mingle together to bring about best practices in architecture in the early phases into planning, deployment, and delivery of the smart services.

Gardner: How about that, Jim Hietala at The Open Group? You're all working with framework certification, defining and professionalizing the role of the enterprise architect. How well are we doing with imbuing security into that larger picture of enterprise architecture, as well as technology and process?

Hietala: I'd echo what Usman said. It’s early in the process of really bringing enhanced security into the professional enterprise architecture. So, in The Open Group Architecture Framework (TOGAF), three of the nine iterations of it, we've added significant security information and content that enterprise architecture need to bear in mind in developing architectures.

But that work is ongoing. We have a couple of projects both to enhance the security of TOGAF, and also to work to collaborate with the Sherwood Applied Business Security Architecture (SABSA) folks, another security architecture development methodology, to harmonize those two approaches.

There's a lot of work ongoing there, and there's a lot of work needed in developing reference architectures outside of purely IT. We have a document that we are updating called Enterprise Security Architecture. It will be published this fall, and updates some work that was done five or six years ago, sort of an IT reference architecture.

We see a need, as you start to look at cyber security and the different kinds of architectures, to develop new reference architectures to address some of these new applications of IT technology to everyday life. If you think about networks in cars or networks of smart devices comprising the power grid, what does security look like for those things? Our membership is starting to look at some of those and trying to determine where we can add some value for the industry.

Gardner: Let’s think a little bit more now about this notion of mission architecture. The Open Group and many organizations are involved with enterprise architecture. Harry, what do we mean by mission architecture? What does that mean and how does it relate to the concept of enterprise architecture?

Changing world

Raduege: The Internet has changed our world and the way we operate. For years, we've had enterprise architects who have been working down the hall or in the basements of organizations, and who have been trying to figure out the best way of technically aligning the Internet and all of the interconnected networks to make it work as best it could.

Now that this world of cyber has really come upon us, it has really elevated the importance of the enterprise architect into the higher levels of an organization, just because of the threats that are constantly coming upon us in our business operations and our mission success.

The enterprise architect has now gotten the attention of the C-suite executives and organization leadership. But, they don’t like to think as much about enterprise architecture, because it really has that technical connotation as my colleagues here have mentioned, we're really talking and focusing more now on the people and the process aspects of running the business properly.

The front-office people, the C-suite executives and leaders of organizations, instead of thinking about enterprise architecture from a technical aspect, are becoming much more interested in a mission architecture.

In other words, what's the architecture needed to complete my mission so that I can have success -- whatever your mission is, if it’s government activity or whether it’s industry. Mission architecture has taken on new meaning that takes into account the technical architecture, but also adds the workforce domain and the process elements of the organization.

Architecture is important, but there is no silver bullet to it. Since the smart concept is industry-wide and is global, there could be many references to architectures that could go in.

So, mission architecture is really pointing toward business success, whatever your business is, whether it’s government operations or industry.

Gardner: Usman, how do you relate mission architecture to your discussion about being smart?

Sindhu: A couple of things that come from a mission architecture perspective and a smart aspect in general, is what we're seeing in the industry as the IT risk baseline. There has been a lot of work done, and it gets even more important. How do you derive an IT risk baseline?

Architecture is important, but there is no silver bullet to it. Since the smart concept is industry-wide and is global, there could be many references to architectures that could go in. Some things have started to happen. For example, the Department of Homeland Security came over to IT risk baseline about a year-and-a-half ago. It collaborated with the IT vendors and IT sector in general and started to create this risk baseline, which comes about in the earlier phases of architecture.

As you develop a framework, you take feeds from the various industry standards and regulatory compliance mandates and you start to create a risk baseline, a risk profile that touches every single silo of people, process, and technology. Over the time, you do the collaboration, internally, but externally as well.

Also, you market the risk baseline component so that you are complying with it, but you're also educating this to your peers and your other adjacent industries. The smart concept, at its heart, would require a lot of collaboration among the public and private sectors. I see a lot of this is being driven by the government. The Department of Homeland Security is actually working on coming with the next iteration of this baseline, maybe next year.

I see a more cohesive approach, even though a lot of work needs to be done here, and in distinct industries like smart grid. There has been a lot of focus around standards. The National Institute of Standards and Technology (NIST) is working on creating a cyber security baseline and framework that touches interoperability as well as the security standards. A lot of work needs to be done. We're still at a very early stage.

Gardner: As we elevate from IT concerns to architecture and enterprise concerns -- and now we're talking at the mission architecture level -- do we run the risk of this becoming a hot potato? That is to say, no one really owns it, but it gets handed around. How do we organize an approach to a mission architecture in such a way that it's got the right level of command and control and yet is inclusive? Any thoughts around the organizational imperative, Harry?

Organizational concepts

Raduege: Maybe we can take a page from what the United States government has just recently gone through with organizational concepts, because we knew that many different activities across the federal government had a big part to play in securing cyberspace. The Department of Homeland Security, Department of Defense, the Intelligence Community, Department of Interior, Department of Commerce, Department of State, every one of those federal government activities had a specific role to play in securing cyberspace.

However, we found out that there was no one totally in-charge of orchestrating the elements and activities of our federal government. So with the President’s Cyberspace Policy Review, he decided to appoint the first ever White House Cybersecurity Coordinator, Howard Schmidt. Howard is the overarching orchestrator for all of our federal government activities, all the state and local and interfaces with industry, and also the international community.

If we're going to think about an organizational construct, our nation is led with that kind of an example of an individual at the top who provides the oversight, is also responsible and accountable for the proper operation of cyberspace and the cyber security elements.

Gardner: Jim Hietala at The Open Group, any thoughts about this organizational angle in terms of the personnel, their roles, and a rethinking of how these categories have so far been structured?

Hietala: From an enterprise perspective, looking at mission success and thinking about cyber security really is the Chief Information Security Officer (CISO) role inside a given enterprise. That probably is most relevant to address the issues. The interesting thing is that many of the new developments that we’re looking at -- whether it's smarter hospitals, smarter medical devices, smarter electrical grid -- are industry specific and they require a lot of cooperation between organizations in an industry.

There's a role for standards and industry organizations to pull together and come up with some common standards to facilitate better security.

There's a role for standards and industry organizations to pull together and come up with some common standards to facilitate better security, maybe better frameworks or things like that, that can be leveraged across an entire industry.

Gardner: Any thoughts about getting started? Where do you get traction on a problem like this? Again, we’ve got a lot of different stakeholders and many different siloed types of activities and technologies. Where do you begin to actually get a hold on this and make some impact?

Hietala: It depends on the industry, but you get started just getting smart people in a room and trying to find consensus around the problems and potential solution. We do a lot of that here at The Open Group in different areas. We have a lot of defense work that we’re doing with the suppliers to the military and those sorts of things. We get them in a room, drive consensus, and develop standards and best practices that all of them can leverage and that help their business be more secure.

Gardner: As Harry mentioned, there are some examples in the US government. There are governments, I imagine, as well where they’ve attacked this problem. They’ve made some strides, developed some approaches and methods. Is there an opportunity for increased public-to-private cooperation and standardization and can you think of any examples of how that's working?

Hietala: Definitely there is a need for increased public-sector and private-industry cooperation. We have an initiative here, The Open Group's Acquisition Cybersecurity (ACS) Initiative. It was brought to us by the Department of Defense as a consulting effort. They wanted an organization to pull together private industry and try to drive some standards looking at the supply chains to the major IT suppliers. That work is ongoing and that would be a good reference of an initiative like that.

Gardner: Harry, how about from your perspective on getting started? Where do you get a handle on this beast?

Specific areas of expertise

Raduege: As my colleagues here have mentioned, a lot of times in private industry, there is a number of individuals who, just like in the federal government, have specific areas of expertise and responsibilities in the organization. From the boardroom perspective, this could be a little confusing. You’ll have a Chief Information Officer, a Chief Information Security Officer, a Chief Privacy Officer, a Chief Management Officer, a Chief Financial Officer, and a Chief Operations Officer.

Doesn’t this sound kind of familiar to what our federal government looked like? ... Everybody has a specific role that is very, very important, but then, who is the one person then who talks to the CEO or the board? I know a lot of organizations wrestle with that concept.

In 1996, there was actually legislation, the Clinger–Cohen Act, which was officially called the Information Technology Management Reform Act. It said that across the entire federal government, there would be CIOs appointed, and they would report directly to agency heads. That has guided our federal government for quite some time, but these aspects of all the different areas need to be brought together and focused within organizations. We really have our work cut out for us.

Gardner: To you, Usman, perhaps some thoughts about getting started on the process of getting smarter?

Sindhu: One thing I'd like to echo from the previous question as well is that it's interesting to see how long it took security to get the attention it needed. Finally, it's getting the attention at the C-level. Then, from a budget perspective as well, they're getting a much better share of the IT budgets that they had before. So, there is a good momentum around understanding security early in the development phase of a project, a product, or any other deployment.

There is still a ramp to cross at getting attention at the earlier phase from a security professional’s perspective. Cyber has to be on that agenda as a top priority.

Now, when cyber security is talked about, this is another new beast for many organizations to deal with. In fact, I was speaking to one of our utility clients, and the cyber security lead mentioned that he has no approach or visibility into the earlier phases of when the vendors are selected or when the RFPs are made. He only comes in a second tier, when he has to accredit all the different vendors.

So, there is still a ramp to cross at getting attention at the earlier phase from a security professional’s perspective. Cyber has to be on that agenda as a top priority.

As far as smart initiatives, you need to get security involved and architecture involved earlier in the phase. I normally use a three-level or a three-phased approach, when we talk about the planning.

Many of the smart initiators today -- smart city, smart grid, or smart healthcare -- are mostly in the planning phase. In a year or two, we’ll see a lot more deployments. Deployments are happening today as well, but we’ll see a lot more deployments in a year or two. Then, the delivery phase will come when the smart services will be delivered to the consumers and businesses.

The role of the architecture and security has to be involved right from the planning phase, where you manifest the value of security being built in, either to the products or in general to the architecture? That has to be the first step -- that we acknowledge the need to embed that into the overall process.

Gardner: Thanks so much. We’ve been discussing the need for improved common defenses including advancing cooperation between enterprise architects and security officers, and to jointly defend against burgeoning cyber security threats.

This sponsored podcast discussion is coming to you from The Open Group Conference in Boston the week of July 19, 2010. I’d like to thank our guests. We’ve been here with retired Air Force Lt. Gen. Harry D. Raduege Jr., chairman of the Deloitte Center for Cyber Innovation, and who co-chairs a cybersecurity commission under President Obama. Thank you.

Raduege: Thank you very much.

Gardner: Usman Sindhu, researcher at Forrester Research. Thanks for the input.

Sindhu: Thank you. It's been a pleasure.

Gardner: And, Jim Hietala, Vice President of Security for The Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. You’ve been listening to BriefingsDirect. Thanks for joining and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Transcript of a sponsored podcast on how private enterprises and government agencies can combat the growing threat of cyber crime and the looming threat of cyber terrorism. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

You may also be interested in:

• The Open Group's Cloud Work Group Advances Understanding of Cloud-Use Benefits for Enterprises
  
  
• The Open Group's Allen Brown on Advancing the Value of Enterprise IT Through Architecture
  
  
• Mutual Embrace of SOA and Cloud Computing Builds Into Productivity Waltz Across the IT Landscape

ISM3 Brings Greater Standardization to Security Measurement Across Enterprise IT

Transcript of a sponsored BriefingsDirect podcast on ISM3 and emerging security standards recorded live at The Open Group’s Enterprise Architecture Practitioners Conference in Seattle.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Today, we present a sponsored podcast discussion coming to you from The Open Group’s Enterprise Architecture Practitioners Conference in Seattle on Feb. 2, 2010.

We've assembled a panel to examine the need for IT security to run more like a data-driven science, rather than a mysterious art form. Rigorously applying data and metrics to security can dramatically improve IT results and reduce overall risk to the business.

By employing and applying more metrics and standards to security, the protection of IT becomes better, and the known threats can become evaluated uniformly. People can understand better what they are up against, perhaps in close to real-time. They can know what's working -- or is not working -- both inside and outside of their organization.

Standards like Information Security Management Maturity Model (ISM3) are helping to not only gain greater visibility, but also allowing IT leaders to scale security best practices repeatably and reliably.

We're here to determine the strategic imperatives for security metrics, and to discuss how to use them to change the outcomes in terms of IT’s value to the business.

Please join me in welcoming a security executive from The Open Group, as well as two experts on security who are presenting here at the Security Practitioners Conference. I want to welcome Jim Hietala, Vice President for Security at The Open Group. Hi, Jim.

Jim Hietala: Hi Dana.

Gardner: We are also here with Adam Shostack, co-author of The New School of Information Security. Welcome, Adam.

Adam Shostack: Hey, Dana. Great to be here.

Gardner: And also Vicente Aceituno, director of the ISM3 Consortium. Welcome.

Vicente Aceituno: Thank you very much.

Gardner: Now that we have got a sense of this need for better metrics and better visibility, I wonder if I could go to you, Jim. What is it to be a data-driven security organization, versus the alternative?

Hietala: In a sentence, it's using information to make decisions, as opposed to what vendors are pitching at you or your gut reaction. It's getting a little more scientific about gathering data on the kinds of attacks you're seeing and the kinds of threats that you face, and using that data to inform the decisions around the right set of controls to put in place to effectively secure the organization.

Gardner: Is it fair to say that organizations are largely not doing this now?

All over the map

Hietala: It's probably not a fair characterization to say that they're not. A presentation we had today from an analyst firm talked about people being all over the map. I wouldn’t say there's a lot of rigor and standardization around the kinds of data that’s being collected to inform decisions, but there is some of that work going on in very large organizations. There, you typically see a little more mature metrics program. In smaller organizations, not so much. It's a little all over the map.

Gardner: Perhaps it's time to standardize this a little bit?

Hietala: We think so. We think there's a contribution to make from The Open Group, in terms of developing the ISM3 standard and getting it out there more widely.

Gardner: Adam, what, in your perception, is different now in terms of security than say two, three, or four years ago?

Shostack: The big change we've seen is that people have started to talk about the problems that they are having, as a result of laws passed in California and elsewhere that require them to say, "We made a mistake with data that we hold about you," and to tell their customers.

We've seen that a lot of the things we feared would happen haven't come to pass. We used to say that your company would go out of business and your customers would all flee. It's not happening that way. So, we're getting an opportunity today to share data in a way that’s never been possible before.

Gardner: Is it fair to say we are getting real about security?

Shostack: We've been real about security for a long time, but we have an opportunity to be a heck of a lot more effective than we have been. We can say, "This control that we all thought was a really good idea -- well, everyone is doing it, and it's not having the impact that we would like." So, we can reassess how we're getting real, where we're putting our dollars.

Gardner: Vicente, perhaps you could help us understand the application of metrics and data for security with external factors, and then internal. What's the difference?

Aceituno: Well, you can only use metrics to manage internal factors, because metrics are all about controlling what you do and being able to manage the outputs that you produce and that contribute value to the business.

I don’t think it brings a bigger return on investment (ROI) to collect metrics on external things that you can't control. It’s like hearing the news. What can you do about it? You're not the government or you're not directly involved. It's only the internal metrics that really make sense.

Gardner: From your perception, what needs to be a top priority in terms of this data-driven approach to security inside your own organization?

What you measure

Aceituno: The top priority should be to make sure that the things you measure are things that are contributing positivity to the value that you're bringing to business as a information security management (ISM) practitioner. That’s the focus. Are you measuring things that are actually bringing value or are you measuring things that are fancy or look good?

Gardner: We've heard "fit for purpose" applied to some other aspects of architecture and IT. How does this notion, being fit for purpose, apply to your security efforts?

Aceituno: Basically, we link business goals, business objectives, and security objectives in a way that’s never been done before, because we are painfully detailed when we express the outcomes that you are supposed to get from your ISM system. That will make it far easier for practitioners to actually measure the things that matter.

Gardner: We've been talking fairly generally about metrics and data. Jim, what do we really talk about? What are we defining here? Is this about taxonomy and categories, metadata, all the above -- or is there something a bit more defined that we're trying to measure?

Hietala: There's some taxonomy work to be done. One of the real issues in security is that when I say "threat," do other people have the same understanding? Risk management is rife with different terms that mean different things to different people. So getting a common taxonomy is something that makes sense.

The kinds of metrics we're collecting can be all over the map, but generally they're the things that would guide the right kind of decision making within an IT security organization around the question, "Are we doing the right things?"

Today, Vicente used an example of looking at vulnerabilities that are found in web applications. A critical metric was how long those vulnerabilities are out there before they get fixed by different lines of business, by different parts of the business, looking at how the organization is responding to that. We're trying to drive that metric toward the vulnerabilities being open for less time and getting fixed quicker.

Gardner: Adam, in your book, I believe you addressed some of these issues. How do look at metrics? How do you characterize them? I know it could go on for an hour about that, but at the high level ...

Shostack: At the high level, Vicente’s point about measuring the things you can control is critical. Oftentimes in security, we don’t like to admit that we've made mistakes and we conceal some of the issues that are happening. A metrics initiative gives you the opportunity to get out there and talk about what's going on, not in a finger pointing way, which has happened so often in the past, but in an objective and numerically centered way. That gives us opportunity to improve.

Gardner: I suppose this is a maturation of security. Is that fair to say that we're bringing this to where some other aspects of business may have been, in say manufacturing, 30, 40, or 50 years ago?

Learning from other disciplines

Shostack: I think that’s a fair statement. We're learning a lot from other fields. We're learning a lot from other disciplines. Elements of that are going to uncomfortable for some practitioners, and there are elements that will really enable practitioners to connect what they are doing to the business.

Gardner: The stakes here, I imagine, are quite high. This is about the trust you have with your partners, your customers, and the brand equity you have in your company. These are not small considerations.

Hietala: No, they're big considerations, and they do have a big effect on the business. Also, the important outputs of a good metrics program can be that it gives you a different way to talk to your senior management about the progress that you're making against the business objectives and security objectives.

That’s been an area of enormous disconnect. Security professionals have tended to talk about viruses, worms, relatively technical things, but haven't been able to show a trend to senior management that justifies the kind of spending they have been doing and the kind of spending they need to do in the future. Business language around some of that is needed in this area.

Gardner: I have to imagine, too, that if we formalize, structure, and standardize, we can make these repeatable. Then there's not that risk of personnel leaving and taking a lot of the tribal knowledge with them. Is that fair?

I can't think of anything better than for ISM3 to be managed from The Open Group from here on.

Hietala: That's fair as well. That's something that came out today in some of the discussions. Documenting the processes and what you're doing makes it easier to transition to new personnel and that kind of thing.

Gardner: Vicente, tell us a little bit about the ISM3 Consortium, its history, and what it is that you are principally involved with at this time.

Aceituno: The main task of the ISM3 Consortium so far was to manage the ISM3 standard. I'm very happy to say that The Open Group and ISM3 Consortium reached an agreement and, with this agreement, The Open Group will be managing ISM3 from here on in. We'll be devoting our time to other things, like teaching and consulting services in Spain, which is our main market. I can't think of anything better than for ISM3 to be managed from The Open Group.

Gardner: Adam, do you have a sense of this particular standard, the ISM3? Where do you see it fitting in?

Shostack: Actually, I don't have a great sense of where it fits in. There are a tremendous number of standards out there, and what I heard today I am very impressed by. I'm going to go read more about it, but it's not something I have a lot of operational exposure to that really lets me say, "This is where it's working for me."

Gardner: Jim, do you have a sense of where it fits in, and perhaps for those of our listeners who are not that familiar, can you give a quick tutorial?

Business value approach

Hietala: Sure. In terms of where I'd place it in the information security community, it adds a business value approach to information security, a metrics and maturity model approach that you had not necessarily had there with some of the other standards that are out there.

I'd also say that it's approachable from the standpoint that it's geared toward having different target maturity levels for different kinds of enterprises. That makes sense.

One of the things we talk about is that there's an 80-20 rule. You get 80 percent of the benefit from a subset of security controls. You can tailor ISM3 to the organization and get some benefit out of it, without setting the bar so high that it's unachievable for a mid-size or small business. That's the way I would characterize it.

Gardner: I think it's really important that these things are developed and brought into an organization at a practical level for those people who are in the trenches and are down there doing the work. Is there anything about this particular standard that you think is really not academic, but something quite effective in practice?

Hietala: Well, it spans the breadth of information security. You have metrics and control approaches in various areas and you can pick a starting point. You can come at this top-down, if you're trying to implement a big program. Or, you come at it bottoms-up and pick a niche, where you know you are not doing well and want to establish some rigor around what you are doing. You can do a smaller implementation and get some benefit out of it. It's approachable either way.

It was easier to communicate with other teams, and we had metrics to understand the results we were getting from making changes in the process.

Gardner: Adam, any thoughts about this issue of practicality when it comes to security, something that's more scientific and not perhaps a mysterious dark art of some kind?

Shostack: I really liked seeing the practical extracted. "Here are the things we're measuring. Here is why it matters to the business." That's what Vicente was talking about with regards to ISM3 through the day. Getting away from these very broad, hand wavy measures of risk or improvement, down to, "We are measuring this precise thing and this is why we need it to improve," is refreshing.

Gardner: Vincente, do you have any examples of organizations that have taken a lead on this and what sort of results have they been able to provide?

Aceituno: At this moment, the one organization that has implemented the ISM3 is Caja Madrid, which is the fourth biggest financial institution in Spain, and they had very impressive results. We found six times as many vulnerabilities. We were making more than twice as many ethical hacking tests. We could bring down the cost of unethical hacking by a big percentage, and we were getting more vulnerabilities fixed.

It was easier to communicate with other teams, and we had metrics to understand the results we were getting from making changes in the process. We have knowledge management that allows us to change the whole team of people and still carry on doing exactly the same thing in the same way that we were doing it.

I think that Caja Madrid is very happy and, actually, the director of security at Caja Madrid is very impressed with ISM3.

Gardner: Who typically are the folks who would be bringing this into an organization? I suppose there is some variability and the organizational landscape is still quite diverse, but is there a methodology in terms of how to bring this into an organization?

Works either way

Aceituno: It could work either way. Either you're a top-level manager, the CISO, or whatever, and you can think, "Okay, I want to do this" and you can implement a top-down implementation of the method.

Or, you can have no support from higher management and understand that you need to put in some rigor for management and you can think, "Okay, I'm going to organize my own work around this framework."

It can work either way, as Jim was saying before. You can implement it top down or bottom up and get benefit from it.

Gardner: Jim, this is a specific Open Group question. Does this work well inside of some other framework activity or architectural initiatives? Are there some other ITIL related activities? Does this have a brotherhood, if you will, in terms of standards and approaches that The Open Group's heritage is a bit more attuned to?

Hietala: I don't know that there's a direct statement you can make about how well this will work in an enterprise architecture framework or something like that. This is more about managing security objectives and operational things that you are going to do in a information security frame within an enterprise.

It's process-oriented. So, in terms of working well with other things, it works well with ITIL. Some of the early implementations have suggested that, but there is a good synergy there. I'll leave it there.

Gardner: Adam, any thoughts, from your perspective, on how this fits into some larger initiatives around security?

We've seen over the last few years that those security programs that succeed are the ones that talk to the business needs and talk to the executive suite in language that the executives understand.

Shostack: We've seen over the last few years that those security programs that succeed are the ones that talk to the business needs and talk to the executive suite in language that the executives understand.

The real success here and the real step with ISM3 is that it gives people a prescriptive way to get started on building those metrics.

You can pick it up and look at it and say, "Okay, I'm going to measure these things. I'm going to trend on them." And, I'm going to report on them."

As we get toward a place, where more people are talking about those things, we'll start to see an expectation that security is a little bit different. There is a risk environment that's very outside of people's control, but this gives people a way to get a handle on it.

Gardner: Vicente, it seems quite important, as a first step, to know where you are, in order to know how you've progressed. This seems to be an essential ingredient to being able to ascertain your risks over time.

Aceituno: The very first step, when it comes to the usual implementing, is to understand the needs and the goals of the business and the obligations of the business, because that's what drives the whole design of the ISM system There is no need to align security goals and business goals, because there are no goals outside of business goals. You have to serve the business first.

Gardner: There really isn't much difference between the goals of security and the general goals of the business. They are inexorably tied.

Aceituno: Yes, of course, they are.

Gardner: We've been learning more about security, some new metrics, and the ability to tie this into business outcomes. I want to thank our panel. We've been talking to Jim Hietala, Vice President for Security at the Open Group. Thank you, Jim.

Hietala: Thank you, Dana.

Gardner: Adam Shostack, co-author of the book, The New School of Information Security. Thank you.

Shostack: Thank you.

Gardner: And, also Vicente Aceituno, who is the Director of the ISM3 Consortium. Thank you.

Aceituno: Thanks so much.

Gardner: We are coming to you from The Open Group Security Practitioners Conference in Seattle, the week of Feb. 1, 2010.

This is Dana Gardner, principal analyst at Interarbor Solutions. Thanks for listening to this BriefingsDirect podcast, and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: The Open Group.

Transcript of a sponsored BriefingsDirect podcast on ISM3 and security standards recorded live at The Open Group’s Enterprise Architecture Practitioners Conference in Seattle. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

You may also be interested in:

• Security, simplicity and control ease make desktop virtualization ready for enterprise uptake
  
  
• Mainframes provide fast-track access to private cloud benefits for enterprises, process ecosystems
  
  
• Webinar: Modernization pulls new value from legacy and client-server enterprise applications