Courion Access Assurance Blog

Courion Corporation


2010 is about Access Assurance -- Applied Wisdom Nugget #4


Access Assurance

Here's an old adage that we've all heard - the value of the whole exceeds the sum of the parts. Is it true? Well, according to the governments of the United States and Japan it is. If you include the skin, the human body is composed of 65% oxygen, 18% carbon, 3% nitrogen and 9 other common and inexpensive elements down to a mere 0.00004% iodine. Taken in their parts, 170 lbs of that is worth about $4.50.

But if you put it together in the right way, you can come up with the likes of an Einstein, a Warren Buffett, a Gandhi, a Mother Teresa, an Alfred Bernhard Nobel.

It's similar in our space. We have all the elements - provisioning, compliance, role management, governance, sensitive data analysis, sensitive activity analysis, entitlement management and even security in the cloud (which we all know to be the next big thing until the next big thing comes along). Where we are collectively weak is the ability to put all of these things together in sophisticated ways where the whole exceeds the value of the sum of the parts - and by a whole lot.

With that, here are my 3 predictions for 2010:

    1. 2010 will not be about the cloud. We've been living in the clouds for years, and Courion has already been weaving our customers' provisioning, access compliance and access assurance frameworks into those clouds with connectors like GE Pharmacy, Fedlink, Equifax and Salesforce. That's not interesting.
    2. Companies will take advantage of commoditized pricing for custom connectors to dramatically increase the number of systems and applications for which they automate compliance, risk management and controls.
    3. Companies will realize a dramatic increase in the value of what they already have by pulling together all of the elements in sophisticated ways to assure access and to predict and remediate risk before breaches occur - Identity Intelligence and Analytics will be the next real big thing.

Did you know?

I presume you know that the Nobel Prizes (including the coveted Nobel Peace Prize) come from the institute of the same name. But did you know that the philanthropist who founded the institute was also the inventor of dynamite and he made his fortunes in the 1800s as a major arms manufacturer and dealer?

Define irony.

Risk of Verification -- Applied Wisdom Nugget #3


This week, I was thinking about using a quote about the "burden of knowledge" to stimulate some thinking around managing risk or, more specifically, managing liabilities. Unfortunately, the term is not easily attributed to any one person. In some form, the term has been used by Nobel Laureates, heads of state and philosophers for literally thousands of years.  What's more interesting is its use as a foundational element of legal systems all over the world.

For risk managers, this is important stuff. Your company can be found negligent and therefore liable for damages caused either directly or indirectly because of something you either knew or should have known. In such cases, legal systems consistently magnify findings against plaintiffs who are found to be "grossly" negligent.

What does all this mean? In legalese, ordinary negligence is for "want of great diligence" and gross negligence is for "want of slight diligence." Still unclear? So was I, so I called my lawyer and he gave me more mumbo jumbo. Then I called my nephew who is in law school and he said "Uncle Chris, if you should have known something you are negligent - you are liable. If you actually knew and did nothing, then you are grossly negligent - You are $&%!(d".

I get it now. So if you turn on a DLP solution and it generates 1,000,000+ critical alerts a week because there's lots of sensitive information moving around your company, then you are left with three obvious options:

  1. Eradicate the sensitive information that is, by the way, required to run your business
  2. Hire an army of security analysts to ferret out and address the small number of real concerns
  3. Shut off the DLP system, because if there is one unaddressed misuse in those 1,000,000 alerts that you knew about... You did nothing... You are $&%!(d

Think I'm being dramatic? This exact scenario was presented to me by the CIO of a Fortune 100 company less than a year ago. He chose option 3 and, not surprisingly, he does not want to be quoted for this article.

What if you buy some fancy new attestation software that will process data dumps of access rights from your key systems and help you identify risks? That's helpful right? Not if you don't remediate those risks. If you don't, then you knew, you did nothing and you are...

A more sensible approach would be to put in place an Access Assurance framework to ensure that the right people have the right access to the right resources and they are doing the right things:

    • If your DLP system finds Protected Health Information then bounce it off the Identity Management solution to see if the people who have access to it are clinicians. In most cases, they will be and you've automated away most of the unnecessary work.
    • What's the risk of verification if your access certification process finds issues and you can't automate the requisite remediation?
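The cross-check described in the first bullet, as an added example that is not Courion's code: DLP alerts are joined against an identity store's role data so that alerts on users whose role entitles them to the data class are closed automatically, and only the remainder (wrong role, high-risk action, or an account no identity claims) is left for a human. The alert format, the identity map and the role-to-data-class table are constructed for this example.

```python
"""Added example: triage DLP alerts against identity role data.

Constructed inputs: alerts are dicts with user, data_class and action;
IDENTITY_MAP maps an account to the business roles it holds.
"""
from collections import Counter

# Constructed identity data: which business roles each account holds.
IDENTITY_MAP = {
    "jsmith": {"clinician", "employee"},
    "adoe": {"billing", "employee"},
    "contractor7": {"contractor"},
    "ghost_acct": set(),          # account with no linked identity
}

# Roles that are legitimately entitled to handle each data class (assumed).
ENTITLED_ROLES = {
    "PHI": {"clinician"},
    "PCI": {"billing"},
}

# Actions that still deserve a look even when the role is entitled.
HIGH_RISK_ACTIONS = {"email_external", "usb_copy"}

# Constructed DLP alerts, in the shape a DLP system might emit them.
DLP_ALERTS = [
    {"id": 1, "user": "jsmith", "data_class": "PHI", "action": "email_internal"},
    {"id": 2, "user": "jsmith", "data_class": "PHI", "action": "email_external"},
    {"id": 3, "user": "adoe", "data_class": "PHI", "action": "email_internal"},
    {"id": 4, "user": "contractor7", "data_class": "PCI", "action": "usb_copy"},
    {"id": 5, "user": "ghost_acct", "data_class": "PHI", "action": "print"},
]

def triage(alert, identity_map=IDENTITY_MAP):
    """'auto_closed' when an entitled role did a routine action, 'review'
    when an entitled role did a high-risk action, otherwise 'escalate'
    (wrong role, empty role set, or an account the identity store does not know)."""
    roles = identity_map.get(alert["user"])
    if not roles:
        return "escalate"   # unknown or orphan account: nothing to verify against
    if roles & ENTITLED_ROLES.get(alert["data_class"], set()):
        return "review" if alert["action"] in HIGH_RISK_ACTIONS else "auto_closed"
    return "escalate"

def triage_all(alerts=DLP_ALERTS):
    """Return (alert id -> disposition, count of each disposition)."""
    dispositions = {a["id"]: triage(a) for a in alerts}
    return dispositions, Counter(dispositions.values())
```

Of the five constructed alerts only the clinician's routine one closes automatically; the clinician's external e-mail is queued for review and the other three escalate.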

By thinking holistically, you can take an approach that automates away rote work to ensure that you do know what you should know and that you can deal with it efficiently and effectively.

Did you know?

    • It's official, Bing is better than Google. When researching "burden of knowledge" I noticed that Bing returned 21,500,000 results while Google returned only 16,300,000. Probably either one would have been sufficient to get me started.
    • "Knowledge burdens but wisdom frees one from the burden of knowledge" - Brother Sahajananda, Benedictine monk

Governance - Applied Wisdom Nugget #2


With 34 successful books and decades as a regular contributor to rags like WSJ, HBR and The Economist, many regard the late Peter Drucker as the most influential thinker on management and leadership in modern times.

As a slick communicator, Drucker was very fond of saying that "If you can't measure it, you can't manage it."

Think about that for a second, "If you can't measure it, you can't manage it".  Should we have been thinking this way about mortgage backed securities?

    • With traditional mortgages, originators make and service their own loans. The service provider knows the borrower and takes care to ensure that the borrower has the ability to repay, because if they don't, the provider takes the loss. It's also worth noting that there's not much leverage. The originator is limited in how much they can lend by their own deposits.
    • With the mortgage backed securities (MBS) era that began in the late 1970s, providers pool individual loans by the thousands and convert them into bond-like instruments that are floated to investors as claims to principal and interest. Selling these assets means that the originator has more cash to make more loans. The resulting leverage and liquidity is very seductive to the original provider, but the new provider and the real customer can no longer see each other, so you can't manage it. To complicate things, these new providers also want leverage and liquidity, so they abstract their securities yet again into even bigger pools and sell them to even bigger investors (like the Chinese government ;). No one can see anything, but we have lots of leverage and liquidity, so everyone is happy until...
    • Until some of those individual mortgages fail. With all those layers of abstraction it is impossible to separate toxic assets from good ones, so investors stop buying, which seizes capital markets, so no individual or business can get a loan... and you find yourself in the worst economic downturn in 80 years.

Drucker would have said that this leverage & liquidity was the opiate that led everyone to abandon transparency and reason and, ultimately, to our collective doom. He would have said that a system like this, where the service providers deliberately abstract the actual services in a series of layers, each of which might be repackaged and resourced to a different provider until the customer and the provider have no traceable connection to each other, is a disaster in waiting. He would have said that... Wait... Am I thinking about MBSs or cloud computing - I honestly can't tell.

I can tell that the insightful and pragmatic Drucker would have made a great CISO. He would have worked tirelessly to put in place an effective framework for information governance, provisioning and access compliance before moving aggressively into the cloud so that, when his company did, they could maintain transparency and control and still get liquidity and leverage... And he would still have his job next year ;)

Did you know?

    • In April 2009, the FBI raided 5 data centers in an attempt to gather evidence related to an ongoing fraud investigation. As part of these raids, they physically seized computers and storage for dozens of companies because they were co-hosted - The action effectively shut them all down until the evidence was processed.
    • "Computers have enabled people to make more mistakes faster than almost any invention in history.... with the possible exception of tequila and hand guns" - Mitch Ratcliffe

Risk Management - Applied Wisdom Nugget #1


Risk Management

Welcome to Applied Wisdom, a series of vignettes that seeks to glean practical insight for managing risk and compliance from some of history's greatest minds.

Warren Buffett, the world's richest man and undisputed king of practical risk management once said "Risk comes from not knowing what you're doing."

How simple is that? You can have all of the risk management frameworks that the big four can sell you, but if you don't know who has access to what, you can't assure access, can't manage risk and can't assert compliance with virtually any regulation. Hell, you don't even know what access to remove when someone leaves your company.

Take a tip from Buffett (Warren, not Jimmy) and deploy an IdentityMap™. It's a very simple process to discover identities from across the enterprise and bind them to unique identifiers for employees, partners or privileged accounts. From there you will be able to identify rogue accounts when they appear, disable all access on termination, synchronize passwords for users, manage accurate access verifications and accelerate forensics with speed and efficiency.
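The binding step described above, as an added example that is not Courion's IdentityMap: accounts exported from two systems are matched to an authoritative HR feed, each account is bound to the person's unique identifier, and the two findings the post calls out (accounts no identity claims, and access still held by a terminated identity) fall out of the join. The HR feed, the account exports and matching on a normalised e-mail address are all assumptions of this example.

```python
"""Added example: bind discovered accounts to identities and flag the leftovers.

Constructed inputs: HR_FEED is the authoritative list of people; ACCOUNTS is
what two target systems report. Matching on e-mail is an assumption here.
"""
from collections import defaultdict

# Constructed HR feed: one record per identity, with lifecycle status.
HR_FEED = [
    {"emp_id": "E100", "email": "J.Smith@Example.org", "status": "active"},
    {"emp_id": "E200", "email": "a.doe@example.org", "status": "terminated"},
]

# Constructed account exports from an "ad" directory and an "ehr" application.
ACCOUNTS = [
    {"system": "ad", "account": "jsmith", "email": "j.smith@example.org"},
    {"system": "ehr", "account": "smithj", "email": "J.SMITH@example.org"},
    {"system": "ad", "account": "adoe", "email": "a.doe@example.org"},
    {"system": "ehr", "account": "svc_backup", "email": None},
    {"system": "ad", "account": "bob", "email": "bob@example.org"},
]

def norm(email):
    """Normalise the join key so case and whitespace differences still match."""
    return email.strip().lower() if email else None

def build_identity_map(hr_feed=HR_FEED, accounts=ACCOUNTS):
    """Return (bound, findings).

    bound maps emp_id -> [(system, account), ...] for every account that
    could be tied to a person; findings lists (system, account, reason)
    for accounts that need action: 'orphan' when no identity claims the
    account, 'disable_terminated' when its owner has left.
    """
    by_email = {norm(p["email"]): p for p in hr_feed}
    bound = defaultdict(list)
    findings = []
    for acct in accounts:
        person = by_email.get(norm(acct["email"]))
        if person is None:
            findings.append((acct["system"], acct["account"], "orphan"))
            continue
        bound[person["emp_id"]].append((acct["system"], acct["account"]))
        if person["status"] == "terminated":
            findings.append((acct["system"], acct["account"], "disable_terminated"))
    return dict(bound), findings
```

The same join answers the offboarding question in the paragraph above: everything listed under a terminated emp_id is exactly the access to remove.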


Did you know?

Warren Edward Buffett still lives in the five-bedroom stucco house that he bought for $31,500 in 1957.

The "big four" are:

    1. PricewaterhouseCoopers at $26.2bn and 163,000 employees worldwide
    2. Ernst & Young at $21.4bn and 144,441 employees
    3. Deloitte Touche Tohmatsu at $27.4bn and 165,000 employees
    4. KPMG at $22.7bn and 135,000 employees

Care to share any of your "Applied Wisdom"?
