Laurie Williams, Professor, Department of Computer Science, North Carolina State University

By Laurie Williams

According to a recent IBM Tech Trends report, both educators and students view security as extremely important. In fact, 56 percent of students and 44 percent of educators ranked it as one of the top three issues the IT industry will face over the next two years. In addition, a UK government report said that it may take 20 years to address the current cybersecurity skills gaps.

To help try and change that, North CarolinaStateUniversity is partnering with IBM to help better prepare the next generation of engineers with a secure-by-design focus and curriculum.

Why dedicate so many resources to building cybersecurity skills? The world operates with interconnected systems and as technology progresses these systems will only proliferate. The linchpin to success in securing these systems is in the design stage – not at the end of the process.

At North Carolina State University, my students are focusing on healthcare systems, specifically building and analyzing electronic medical record applications. The students leverage IBM AppScan to test these applications for potential vulnerabilities. Critical cyber systems must inspire trust and confidence. They must predictably protect the integrity of data and resources as well as the privacy of data owners, and perform securely, safely, and reliably.

Earlier this year, I had the opportunity to collaborate with IBM researchers to identify common themes and pinpoint some of the major challenges academic institutions are facing in relation to building next generation cybersecurity skills. Four common trends were identified:

1.)    Information security is increasing in relevance. No longer just a highly-specialized area, information security impacts people every day. It has become personal in an interconnected world that’s reliant upon smart phones, social media, e-commerce and cloud services. In other words, information security impacts us every day.

2.)    Increasing attention and demand from students, private industry and government agencies. More and more industries, from banks and financial services companies to aerospace and defense firms, as well as healthcare providers, are seeking graduates with specialized security skills. Training an expert cybersecurity workforce is now a national priority for many countries.

3.)    The field of cybersecurity has significantly expanded with more domains to secure and more ways to attack. This means more to teach and to learn. Today, attacks are extremely hard to detect; attackers are stealthier and more evasive. In response, academic programs are expanding beyond traditional areas like cryptography and countering sniffing and denial of service attacks. Cybersecurity education now covers new areas like cyber-physical attacks, the protection of heterogeneous systems and real-time security data analysis.

4.)    Academic programs are evolving from teaching purely the principles and theory of security to focus more on the practices. This is largely driven by the demands of industry and governments, as well as by students who want to focus more on real-world problems and practical challenges.

While these may be the four common themes we identified, in reality it will take all of us to create a more secure future.

______________________________________

Laurie Williams is a Professor in the Computer Science Department of the College of Engineering at North Carolina State University (NCSU). Her research focuses on software security particularly in relation to healthcare IT; agile software development practices and processes; software reliability, software testing and analysis; open source software development; and broadening participation and increasing retention in computer science. Laurie has more than 170 refereed publications.

Laurie received her Ph.D. in Computer Science from the University of Utah, her MBA from Duke University Fuqua School of Business, and her BS in Industrial Engineering from Lehigh University.   She worked for IBM Corporation for nine years in Raleigh, NC and Research Triangle Park, NC before returning to academia.

Christopher Padilla, Vice President, Governmental Programs, IBM

By Christopher Padilla

This week, nearly 200 of IBM’s senior leaders representing all 50 states are on Capitol Hill to urge action on policies that will drive innovation and economic competitiveness. With more than 300 congressional delegation meetings, our executives are addressing a range of issues critical to U.S. business.

As public-private collaboration becomes increasingly critical to overcoming challenges that no single sector can handle alone, we look forward to working with U.S. congressional leaders on the following issues:

Share Information on Cyber Threats to Protect the Nation’s Critical Assets
Individuals, companies and governments are facing higher risks of cyber attacks as the world becomes more inter-connected. Now, more than ever, it is imperative to develop innovative measures to protect critical assets such as our energy and financial industries. To achieve this goal, private sector advances in innovation should be complemented with legislative policies that promote the collaboration needed to ensure cybersecurity.

IBM believes we can build stronger, more efficient defenses against cyber threats by enabling better information sharing and providing clear authority for the private sector to defend its own networks, as proposed in the Cybersecurity Intelligence Sharing and Protection Act (CISPA). Passage of this bill, together with legislation to boost Research & Development related to cybersecurity and updating the Federal Information Security Management Act, as well as President Obama’s recent executive order creating open collaboration between industry and government, will enable us to make significant progress toward securing our cyber networks.

The sooner CISPA becomes law, the sooner we can strengthen U.S. cybersecurity. We look forward to making this point on Capitol Hill this week, and we thank Chairman Mike Rogers (MI-8) and Ranking Member Dutch Ruppersberger (MD-2) for their bipartisan leadership on this important piece of legislation.

Support the U.S. Talent Pipeline through STEM Education
Despite the nation’s overall unemployment rate, the high technology industry is in the midst of a skillscrisis – not a jobs crisis. The Bureau of Labor Statistics expects the U.S. to add at least 1.2 million computing jobs between 2013 and 2020. But American universities won’t produce even half the number of graduates needed to fill those positions, if they continue at their current pace.

To advance our economy and remain competitive in the global marketplace, the U.S. needs to cultivate a stronger STEM workforce ready to meet the demands for high-tech, high-skilled jobs.

That’s why IBM is taking significant steps to reduce the skills gap by making sweeping changes to U.S. academic and workforce development programs – including educating students in Science, Technology, Engineering and Mathematics (STEM). We have entered public-private partnerships with governments, school districts and postsecondary institutions to launch grade 9 – 14 schools focused on developing STEM and workplace skills. Graduates from these schools will receive both a high school diploma and an associate degree in technology, and will be first in line for jobs at IBM.

Our company also has more than 200 academic partnerships in the U.S. alone focused on Big Data analytics as well as internships with IBM Watson (our research division) that provide skills development and professional training opportunities. These are just a few examples of IBM’s commitment to increasing America’s STEM skills and employment readiness.

Encourage More High-Skilled Immigration
To continue innovating and driving economic growth, American companies must have access to the best talent.  Despite the best efforts of the private and public sectors to develop the next generation of high-skilled U.S. workers, we still have a skills shortage.  Highlighting the problem, two weeks ago the U.S. exhausted in just five days its cap for visas for high-skilled foreign workers needed to help fill the gap.

The current U.S. laws intended to address companies’ access to global talent were established nearly 25 years ago. Much has changed since then. We now operate in a globally-integrated world where new technologies such as Big Data, analytics, cloud, mobile and social technologies are transforming how we achieve our goals.

As Capitol Hill continues to discuss comprehensive immigration reform, IBM is urging lawmakers in both the U.S. Senate and the House of Representatives to increase companies’ access to highly-skilled workers and to boost resources in STEM education and workforce training. Additionally, IBM believes that international students and workers in high-skilled fields should have the opportunity to stay in the U.S. as qualified workers. Immigration reform that allows employers to bridge the skills gap through greater access to high-skilled workers will play a pivotal role in driving economic growth and innovation here in America.

We greatly appreciate the opportunity to discuss IBM’s viewpoints with lawmakers this week. By working together, we believe we can blaze a smarter path to America’s future economic competitiveness.

Technorati Tags: Big Data, cybersecurity, IBM Smarter Computing, IBM Smarter Planet, innovation, Smarter Education, STEM

Sandy Bird, CTO, IBM Security Division

By Sandy Bird

Technorati Tags: Big Data, cloud, cyber security, cybersecurity, IBM Smarter Planet, innovation, security, smarter security

Kris Lovejoy, General Manager, IBM Security Services

By Kris Lovejoy 

As companies and individuals continue to connect in new and exciting ways – through the cloud, mobile technology and social media – each are becoming more informed and empowered. However, this always-on, real-time, hyper-connected world is not without its pitfalls. And while privacy, security, and performance tend to garner the headlines, the growing risk to reputation is gaining increasing attention.

A new study by the Economist Intelligence Unit commissioned by IBM reveals that reputational risks extend far beyond faulty products or shoddy services. Companies face serious risks to their brand if their IT is compromised. From stolen customer data to hacked passwords – an IT security breach can lead to dramatic and negative sentiment about a company and its image.    

The study was conducted through interviews and online surveys with more than 400 executives in 23 industries like banking, insurance and energy, where technology is essential to their operations.  

Click here to view the embedded video.

Of the executives surveyed, 75 percent said IT risks can impact customer satisfaction and brand reputation, while a striking 61 percent said IT security breaches remain the greatest threat to their company’s reputation.

Yet despite the concern, few of the companies surveyed are doing something about it. For example, although 70 percent of companies surveyed think they can manage IT risks related to data breaches, data theft, and cybercrime, only 32 percent are using the latest security threat intelligence technology. Furthermore, only 13 percent of respondents admit to having endured data theft and/or cybercrime. That’s in stark contrast to recent surveys from such organizations as the Ponemon Institute (The Impact of Cybercrime on Business, May 2012) which calculates that organizations will face an average of 66 cyber attacks per week that cause business disruptions.

The good news is that the study shows companies are beginning to pay closer attention to the connection between IT risk and the risk to reputational in tangible ways. To get a jump on planning, here are some best practices from organizations that engage in reputational risk management:

Be proactive rather than reactive. Be prepared to invest in developing comprehensive reputational risk management strategies that include controls over IT risks—particularly those related to security and business continuity.

To help even further with these growing challenges, IBM today is announcing enhancements and new offerings around security analytics that are designed to help our customers protect their data where it resides. 

Technorati Tags: data breach, IBM, IT security, reputational risk, risk, security, Smarter Planet

John Potter, Vice President, Hosting, Applications and Cloud Solutions, AT&T Business Solutions

By John Potter

Technorati Tags: cloud, cloud network, cloudcomputing, IBM, Smarter Planet, urban infrastructure, virtual private network

By Clinton McFadden, IBM X-Force Research and Development

For security officials, the first half of 2012 was marked by intelligence and sophistication – which, when it comes to securing a computer network, are not always positive traits. Yesterday IBM released the results of the X-Force 2012 Mid-Year Trend and Risk Report. The report highlights a sharp increase in browser-related exploits, weaknesses around password security, and growing operational challenges in the adoption mobile “bring your own device (BYOD) programs and policies since last year. In fact, half of all the Chief Information Security Officers interviewed indicated that mobile BYOD security is their greatest near-term technology concern.

The continued growth of both persistent and emerging attacks makes it all the more critical for businesses across all industries to bolster their security efforts. As part of ongoing efforts to assist global clients and invest in growth markets IBM this week announced a new Security Operations Center in Wroclaw, Poland providing real-time analysis and security notifications that keep businesses ahead of the most pressing and progressively complex security threats.

Here are the major trends we are seeing based on our analysis:

• Back to basics – password security: When you consider the increased number of social networks people participate in – from the more personal ones, to professional sites – email addresses and passwords are the common denominators in managing online identity. In 2012, we’ve seen numerous headlines announcing usernames and passwords pulled from popular sites and posted publicly – and for people who use the same password across multiple accounts – from social sites to corporate logins to banking credentials — this kind of breach can have a dangerous ripple effect. To prevent these problems, end users should implement a password or passphrase, which is a combination of words or even an entire sentence that makes the password longer, more complex and therefore more difficult to crack.

• It’s a mobile world: As mobile continues to become more pervasive in our daily lives, cyber criminals are (not surprisingly) following suit, causing mobile security to become the next big IT headache. The good news on this front is that IBM X-Force research found that mobile vulnerabilities and exploits decreased in the first part of 2012 – to the lowest levels since 2008 – likely due to the fact that developers are investing in security enhancements as well as in-house discoveries of vulnerabilities. However, there are still a number of smart phone users falling victim to SMS (i.e. text message) scams. Many times, these are a direct result of seemingly legitimate applications that actually contain malicious code.

• Playing in the sandbox: On a positive note, the report found that there was a drop in PDF vulnerability disclosures during the first six months of the year, thanks in large part to sandboxing technology. This technology works by isolating an application from the rest of the system, so that if compromised, the attacker code running within the application is limited to what it can do or what it can access. However, motivated attackers will always try to find ways to break out of a sandbox – so it’s important to remain vigilant despite this promising new approach.

Continue the conversation at the IBM Institute for Advanced Security site.

Technorati Tags: computers IBM, mobile, networks, passwords, security, threats

By Kris Lovejoy, general manager, IBM Security Services

There’s no question that protecting a business from IT security threats is getting increasingly complex for companies of all sizes – particularly with the rapid adoption of innovative technologies like mobility, cloud computing, big data analysis and social collaboration. Increased concern about privacy protection, regulatory compliance and rapid globalization add additional dimensions of complexity.

It is clear the ability to succeed in their efforts is hindered by the lack of security skills and requirements to work with tighter budgets. According to Frost and Sullivan’s 2011 (ISC)2 Global Information Security Workforce Study, a lack of skills has made many cybersecurity professionals under-qualified to adequately secure organizations from threats associated with adoption of social media, cloud computing, mobile devices and software applications.  The 2010 Center for Strategic & International Studies (CSIS) report called “A Human Capital Crisis in Cybersecurity” documented a need for 30,000 cybersecurity professionals in the United States, with only 1,000 positions filled.

Click here to view the embedded video.

Put simply, chief information security officers (CISOs) and chief information officers (CIOs) are trying to do more with less.  In security, this can be a recipe for disaster.

Nearly 2,400 North American and European enterprise executives and technology decision-makers queried in a commissioned survey conducted by Forrester Consulting on behalf of IBM said:

• 72% battle escalating and evolving threats.
• 75% struggle to help the business make the right internal priority choices.
• 68% have little time for proactive and preventative projects due to existing responsibilities.
• 53% come up short because new resources are hard to find.

The need for industry skills is becoming ever more important, particularly for those industries facing challenges brought on by an outdated security approach. Consider the challenges utilities providers face, particularly in the management of Smart Grids. With the increased use of connected digital technology to generate, transmit, and deliver power, the industry is looking to improve cybersecurity measures and develop a new, more sophisticated approach to business management.

• IBM is calling for a new approach to Smart Grids and how electric utilities staff and manage their cybersecurity and security-related compliance missions.
• To start with this new approach, IBM is recommending a list of cybersecurity best practices, such as “security as risk management,” which taps into historical data and documented experience used to mitigate the impacts of threats such as severe storms and natural disasters to provide metrics that senior management can use to evaluate return on investment.
• And to reinforce this new approach, IBM is recommending the appointment and empowerment of a C-level security executive with enterprise-wide authority.

The right security skills are a major part of the equation. However, companies can also be more effective if they combine that with the use of security intelligence tools to benefit their businesses by staying ahead of the threats. With a skilled trusted advisor who can help map out an appropriate security strategy based on experience, industry knowledge, and other tools such as analytics, companies can stay ahead of increasingly sophisticated threats and manage their risk-aware culture.

A great way for companies to remain prepared is to partner with the right advisor to identify potential blind spots and recommend intelligent, proactive solutions.

Technorati Tags: IT security, Kris Lovejoy

By Jack Danahy, Director for Advanced Security, IBM

There’s an evolution going on in the executive suite–emerging technologies like mobile, cloud and embedded devices are making the world more instrumented, and at the same time, producing huge amounts of data. Senior executives are paying close attention to these emerging technologies, not only because of the opportunity to learn more about behavior, but also because of the potential security risks they pose. With this, security is increasingly moving beyond simply a technology issue to a business issue.

High-profile hacking and data breach incidents can quickly impact shareholder value, tarnish public perception and expose the company to law suits. This is convincing senior executives of the key role security needs to play in the modern enterprise.

IBM recently surveyed global Chief Information Security Officers (CISOs) to get a look at how their role is evolving in an increasingly interconnected world.

The study, conducted by IBM’s Center for Applied Insights reveals how the CISO role follows the historical evolution of the CIO and CFO with more strategic organizational responsibilities. IBM’s new study identifies the distinguishing traits, expectations and challenges these CISOs are facing.

Nearly two-thirds of CISOs surveyed say their senior executives are paying more attention to security today than they were two years ago– but there’s room for advancement for security as a function–only one in four security chiefs surveyed currently are playing this kind of strategic role in their firms. The study also shows that mobile security is the biggest headache facing CISOs in the coming two years.

John Meakin, global head of security solutions and architecture at Deutsche Bank – echoed many of the assessments findings and speaks to the need for security officers to take on a more strategic role via a contributed article in Forbes. John hits the nail on the head when he says “to do a better job of protecting our enterprises, we’ve got to become more open and collaborative.”

The findings of this survey of Chief Information Security Officers–and Mr. Meakin’s article in Forbes–speaks volumes to the need for technology leaders to connect and learn from each other. We’ll continue this conversation and these initiatives on our Institute for Advanced Security blog. Please check that site regularly for updates regarding the CISO initiatives.

David Jarvis, senior consultant with IBM’s Center for Applied Insights, led the CISO survey initiative and provides a succinct recap of the survey results in this short video.

Click here to view the embedded video.

Technorati Tags: cybersecurity, information security, IT security, mobile security

by Tom Cross, Manager, IBM X-Force Threat Intelligence and Security

The nature of IT security in 2011 shows evolution at work. While some positive trends and improvements have emerged in thwarting security vulnerabilities, attacker’s methods continued to adapt.

Issued today, the 2011 IBM X-Force Report shows surprising improvements in several areas of security such as a reduction in application security vulnerabilities, exploit code and spam. As a result, the report suggests attackers today are being forced to rethink their tactics to targeting more niche IT loopholes and emerging technologies such as social networks and mobile devices.

Web Application Vulnerabilities Decline :The IBM X-Force team observed a steady decline in the instances of input control related vulnerabilities since the IBM X-Force team began recording these statistics in 2007.

IBM issues the X-Force report annually to describe the state of security globally and the top threats facing clients. The report is based on the monitoring and analysis of an average of 13 billion events daily in 2011 and intelligence from across IBM’s security services.

Some examples of what we saw to indicate how threats are evolving include:

• While the number of SQL Injection vulnerabilities in publicly maintained web applications dropped by 46 percent this year, more speciality attacks targeting Shell Command Injection vulnerabilities rose 2 to 3 times since 2010.
• While traditional email spam decreased by 50 percent, there was an increase in phishing attacks that impersonate social networking sites and mail parcel services to entice victims to click on links to web pages that may try to infect their PCs with malware.
• New technologies such as mobile devices are creating new avenues of opportunity for attacks and new challenges for security pros. There was a 19 percent increase in the number of exploits publicly released that can be used to target mobile devices—which are increasingly tapping into enterprise information through the Bring your Own Device or “BYOD” programs.

Mobile Operating System Exploits: An increase in mobile operating system exploits in 2011 due to an uptick in malicious activity targeting mobile devices. Because of the two-tiered relationship between phone end users, telecommunications companies, and mobile operating system vendors, disclosed mobile vulnerabilities can remain unpatched on phones for an extended period of time, providing a large window of opportunity to attackers.

In our X-Force 2011 Mid-year Trend and Risk Report we identified ten steps that X-Force would suggest taking to mitigate some of the attacks that have happened this year. None of the steps we suggested is a ground breaking revelation for IT security pros. The challenge is not knowing what to do, but executing consistently across a complex, decentralized organization. In order for a security program to be successful it must have the resources, political support, and institutional respect needed to ensure compliance with best practices throughout the organization. Achieving that level of effectiveness is the true challenge of IT security leadership.

If IBM X-Force were running the IT department

To view the full report and to learn more about how to make your enterprise more secure, please visit www.ibm.com/security/xforce.

Click here to view the embedded video.

Technorati Tags: cybersecurity, IBM, security, tom cross, x-force

by Eric Z. Maass, Chief Technology Officer, Lighthouse Security Group

In the digital age, increasing amounts of data are being shared in new and often unanticipated ways. This proliferation of data, devices and connections brings a set of new security threats. And midsize companies, in particular, are feeling the heat.

While security budgets are often at risk for cuts, recovering from the damage a security breach can cause could cost a midsize much more in lost revenue and productivity. No matter how big or small a business may be, a security glitch is not an option. This is especially the case for midsize companies that operate with tight budgets and limited IT staff.

It has become more important, yet more difficult, to secure and protect critical information and related assets. Whether it’s evaluating the potential risk to the brand, understanding the financial implications of adverse events or assessing the impact of IT systems disruptions on ongoing operations, developing security intelligence – the ability to predict, identify and react to potential threats – is taking on new importance.

However, where large enterprises can rely on large IT departments with dedicated teams focused solely on addressing security concerns, midsize companies often must address the same concerns with far fewer resources.

According to Inside the Midmarket: A 2011 Perspective, security management is the top IT priority for midsize businesses around the globe. And, in the 2011 CIO Study, 60% of IT leaders from midsize firms reports plans to focus more on risk management and compliance as a means of increasing their company’s competitiveness over the next three to five years.

Midsize organizations are adopting social media and cloud services at a faster rate than large enterprises. They also are exploring flexible mobility models, such as Bring Your Own Device. As a result, midsize companies are facing a unique blend of security challenges.

One of those challenges is identity and access management. This is especially a concern for midsize companies trying to make sense of the growing array of IT assets located outside their company controlled network.

Cloud based solutions, social networks and mobile devices are difficult to manage with traditional identity and access management platforms. It becomes even more complicated for midsize firms, which tend to have a broader reliance upon external partnerships for growing their businesses.

VantisLife Insurance Company is one such midsize company. VantisLife has more than $4.2 billion of life insurance and nearly $600 million of annuities in force. 90% of all their business is submitted electronically and customer confidence is critical to their ability to compete and grow. In order to ensure their customers’ confidence in the security of their data, VantisLife decided to conduct a thorough security assessment. That assessment identified exposures in their systems that the company needed to address, specifically in terms of agent authentication and how they access data within the company’s systems.

Developing an in-house solution would have required a major investment in infrastructure. Staffing with the necessary expertise and managerial skill levels would have added pressure on the company’s resources and budgets. And, had they pursued this path, VantisLife was looking at a 4- to 6- month startup window, placing an additional burden on the company’s timeline for growth. To help meet those challenges, VantisLife chose a cloud-based identity access management solution that added significant layers of protection while maintaining ease-of-use for their customers. By eliminating barriers, VantisLife now has the ability to aggressively pursue their plans for growth on a national scale, unlike competitors that try to build-out their legacy systems.

A cloud based identity access management system can drive efficiency, security and compliance for midsize companies looking to integrate diverse external resources.

Midsize companies looking to evaluate their security needs can start with three areas: people and identity, data and applications, and infrastructure.

Regardless of which area you identify as the most vital to your business, there are many solutions spanning security, compliance, and resiliency — and often available for on-site or cloud/hosted deployments — that can help your business protect its vital assets from one year to the next.

Technorati Tags: Analytics, IBMPWLC