Posted by Chris Sullivan - VP Customer Solutions on Tue, Oct 27, 2009

With 34 successful books and decades as a regular contributor to rags like WSJ, HBR and The Economist, many regard the late Peter Drucker as the most influential thinker on management and leadership in modern times.
As a slick communicator, Drucker was very fond of saying that "If you can't measure it, you can't manage it."
Think about that for a second, "If you can't measure it, you can't manage it". Should we have been thinking this way about mortgage backed securities?
- With traditional mortgages, originators make and service their own loans. The service provider knows the borrower and takes care to ensure that the borrower has the ability to repay, because if they don't, the provider takes the loss. It's also worth noting that there's not much leverage: the originator is limited in how much it can lend by its own deposits.
- With the mortgage-backed securities (MBS) era that began in the late 1970s, providers pool individual loans by the thousands and convert them into bond-like instruments that are floated to investors as claims on principal and interest. Selling these assets means that the originator has more cash to make more loans. The resulting leverage and liquidity is very seductive to the original provider, but the new provider and the real customer can no longer see each other, so you can't manage it. To complicate things, these new providers also want leverage and liquidity, so they abstract their securities yet again into even bigger pools and sell them to even bigger investors (like the Chinese government ;). No one can see anything, but we have lots of leverage and liquidity, so everyone is happy until....
- Until some of those individual mortgages fail. With all those layers of abstraction it is impossible to separate toxic assets from good ones, so investors stop buying, which seizes up the capital markets, so no individual or business can get a loan... and you find yourself in the worst economic downturn in 80 years.
Drucker would have said that this leverage & liquidity was the opiate that led everyone to abandon transparency and reason and, ultimately, to our collective doom. He would have said that a system like this, where the service providers deliberately abstract the actual services in a series of layers, each of which might be repackaged and resourced to a different provider until the customer and the provider have no traceable connection to each other, is a disaster in waiting. He would have said that... Wait. Am I thinking about MBSs or cloud computing? I honestly can't tell.
I can tell that the insightful and pragmatic Drucker would have made a great CISO. He would have worked tirelessly to put in place an effective framework for information governance, provisioning and access compliance before moving aggressively into the cloud, so that when his company did, it could maintain transparency and control and still get liquidity and leverage. And he would still have his job next year ;)
Did you know?
- In April 2009, the FBI raided 5 data centers in an attempt to gather evidence related to an ongoing fraud investigation. As part of these raids, they physically seized computers and storage for dozens of companies because they were co-hosted. The action effectively shut them all down until the evidence was processed.
- "Computers have enabled people to make more mistakes faster than almost any invention in history.... with the possible exception of tequila and hand guns" - Mitch Ratcliffe
Posted by Todd Chambers - CMO on Thu, Oct 22, 2009
Recently, reports have surfaced revealing that user log-in credentials for more than 30,000 Web-based email accounts - including those from AOL, Gmail, Hotmail and Yahoo Mail, among others - have been stolen and made publicly available on the Internet. It's interesting to note that analysis of the stolen Hotmail passwords showed that 42% used only letters, nearly 20% only numbers, and the most frequently-used passwords overall were - you guessed it - "123456" and "123456789."
Although these particular attacks occurred with consumers' personal, Web-based email accounts, the cautionary message applies equally to enterprises. Companies need to keep in mind that "cross-over" will inevitably exist between employees' personal and business accounts: work-related emails may be forwarded to, or sent directly to and from, personal accounts, and employees may also choose to reuse "personal" passwords for work applications. These bad password practices, among others, can expose more than employees' personal information, opening the door to corporate security and compliance risks that can potentially result in serious financial and reputational losses.
Enterprises need to ensure they've put in place sound password safeguards that deliver both security and compliance with password policies while still promoting ease of use and productivity for employees. Our customers are achieving these benefits through self-service password management and synchronization, which has been seen to reduce password-related Help Desk calls by more than 80%. Users are able to access their password profiles and make changes at any time, rather than only when the Help Desk is open, and the new passwords are automatically applied across all other relevant applications and systems. IT staff can set and enforce self-service password policies in accordance with industry regulations and internal best practices, such as requiring more complex passwords (minimum password length, mixed case, and numeric or other special characters) and more frequent password renewal, among other things. But whatever the password management solution, companies need to be keenly aware of the potentially bad personal password practices that employees may carry over into the workplace, as well as the increasingly blurry lines between personal and work-related applications and access to them.
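The composition analysis quoted above (letters-only versus digits-only shares, most frequent values) and the policy rules the post lists (minimum length, mixed case, a digit or special character) can be run over any password list. This is an added example with a constructed sample, not the leaked data or Courion's product code; the 8-character minimum is an assumption.

```python
"""Composition analysis of a constructed password sample plus a policy check
(minimum length, mixed case, digit or special character)."""
from collections import Counter
import re

# Constructed sample standing in for a leaked list; not real credentials.
SAMPLE = [
    "123456", "123456789", "password", "letmein", "123456",
    "Summer09", "qwerty", "Tr0ub4dor&3", "abcdef", "111111", "123456",
]

def classify(pw):
    """Bucket a password the way the post's analysis does:
    letters only, digits only, or anything else (mixed)."""
    if pw.isalpha():
        return "letters"
    if pw.isdigit():
        return "digits"
    return "mixed"

def policy_failures(pw, min_len=8):
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < min_len:
        failures.append("min_length")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        failures.append("mixed_case")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", pw):
        failures.append("digit_or_special")
    return failures

def summarize(passwords, min_len=8, top_n=2):
    """Share of each composition bucket, the most common values, and how many
    entries the policy would have rejected."""
    n = len(passwords)
    buckets = Counter(classify(p) for p in passwords)
    return {
        "share": {k: round(v / n, 2) for k, v in buckets.items()},
        "top": Counter(passwords).most_common(top_n),
        "rejected": sum(1 for p in passwords if policy_failures(p, min_len)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```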
Posted by Chris Sullivan - VP Customer Solutions on Tue, Oct 20, 2009

Welcome to Applied Wisdom, a series of vignettes that seeks to glean practical insight for managing risk and compliance from some of history's greatest minds.
Warren Buffett, the world's richest man and undisputed king of practical risk management once said "Risk comes from not knowing what you're doing."
How simple is that? You can have all of the risk management frameworks that the big four can sell you, but if you don't know who has access to what, you can't assure access, you can't manage risk and you can't assert compliance with virtually any regulation. Hell, you don't even know what access to remove when someone leaves your company.
Take a tip from Buffett (Warren, not Jimmy) and deploy an IdentityMap(tm). It's a very simple process to discover identities from across the enterprise and bind them to unique identifiers for employees, partners or privileged accounts. From there you will be able to identify rogue accounts when they appear, disable all access on termination, synchronize passwords for users, manage accurate access verifications and accelerate forensics with speed and efficiency.
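The binding step described above, reconciling accounts discovered across systems against a roster of unique identifiers, is illustrated here with constructed data. This is an added example, not Courion's IdentityMap implementation; the roster, account inventory and status values are assumptions.

```python
"""Bind discovered accounts to roster identities, then surface the two cases the
post names: accounts with no traceable owner (rogue/orphan candidates) and
accounts still bound to terminated identities."""

# Constructed HR roster: unique identifier -> employment status.
ROSTER = {"E100": "active", "E101": "active", "E102": "terminated"}

# Constructed account inventory: (system, account name, claimed owner id or None).
ACCOUNTS = [
    ("ad", "jsmith", "E100"),
    ("ad", "bjones", "E102"),
    ("erp", "jsmith_erp", "E100"),
    ("erp", "svc_batch", None),      # no owner recorded at all
    ("db", "sa_old", "E999"),        # owner id that does not exist in the roster
    ("db", "mlee", "E101"),
]

def build_identity_map(roster, accounts):
    """Bind each account to a roster identity. Accounts whose owner is missing or
    unknown cannot be bound and are returned separately for review."""
    bound, unbound = {}, []
    for system, account, owner in accounts:
        if owner in roster:
            bound.setdefault(owner, []).append((system, account))
        else:
            unbound.append((system, account, owner))
    return bound, unbound

def termination_review(roster, bound):
    """Accounts still bound to terminated identities: the access to disable now."""
    return {uid: accts for uid, accts in bound.items()
            if roster[uid] == "terminated"}

def accounts_for(bound, uid):
    """Every account bound to one identity, e.g. for an access verification."""
    return bound.get(uid, [])

if __name__ == "__main__":
    bound, unbound = build_identity_map(ROSTER, ACCOUNTS)
    print("unbound (review as rogue/orphan):", unbound)
    print("terminated but still provisioned:", termination_review(ROSTER, bound))
```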
Did you know?
Warren Edward Buffett still lives in the five-bedroom stucco house that he bought for $31,500 in 1957.
The "big four" are:
- PricewaterhouseCoopers at $26.2bn and 163,000 employees worldwide
- Ernst & Young at $21.4bn and 144,441 employees
- Deloitte Touche Tohmatsu at $27.4bn and 165,000 employees
- KPMG at $22.7bn and 135,000 employees
Care to share any of your "Applied Wisdom"?
Posted by Kurt Johnson - VP Strategy on Mon, Oct 19, 2009
Last week a former Ford product engineer (employed from 1997 to 2007) was arrested at O'Hare airport and charged with stealing 4,000 sensitive design documents worth millions of dollars. According to reports, Xiang Dong Yu, 47, of Beijing, was charged in a five-count indictment with theft of trade secrets, attempted theft of trade secrets and unauthorized access to a protected computer. Apparently he stole this data back in 2006, before he left the company, and has been using it to try to gain employment with rival manufacturers in China.
As we continue to see these instances of data theft in the news, companies need to be laser focused on implementing strong Access Assurance strategies that ensure that the right people have the right access to the right resources and are doing the right things. When an employee leaves a company or changes roles, access policies need to be enforced immediately to prevent these types of breaches, especially in organizations where proprietary data is the stock-in-trade. A complete Access Assurance solution, including detective and preventative controls, helps alert IT managers to inappropriate access to sensitive data so they are able to remediate potential risk.
We talked last week about the evidence of a growing IAM market, as organizations are clearly working to address these challenges. But IAM is moving beyond its traditional boundaries in organizations and needs to encompass preventative and detective controls, reaching out to various monitoring technologies so that information gets into the right context to drive remediation.
Posted by Todd Chambers - CMO on Fri, Oct 16, 2009
Last week at the ISSE 2009 security conference in The Hague, consultancy firms KPMG and the Everett Group fielded a survey focusing on 2009 IAM investments. Feedback from 128 respondents from organizations in 23 European countries re-confirmed the findings of the 2008 survey, titled "IAM is here to stay," with some eye-opening additions. According to the new survey, almost 90% of the CIOs and CEOs who responded said they have started one or more IAM projects in the past year, despite the economic climate and reduced IT security budgets. In fact, about 70% said they have allocated specific budgets to IAM. The main drivers of these new IAM deployments are said to be governance, risk and compliance, operational excellence and business agility.
This follows Gartner's forecast in late September that the worldwide security software market will total $14.5 billion this year, up eight percent from last year. They see the trend continuing next year as well, when a 13 percent gain in revenue to $16.3 billion is anticipated. And just this week, industry research firm RNCOS released a report further supporting these findings, predicting IAM market growth in various regions, including the Americas, EMEA and Asia-Pacific, of nearly 23% from 2009 to 2012, fueled by rising concerns over security breaches and identity theft.
The Courion Access Assurance approach focuses on the necessity of showcasing incremental success and small wins in IAM deployments in order to gain support for further projects. Using a "self-funding" strategy, we target the most pressing security challenges (access verification & certification, role management, access compliance...) to deliver visible business results, often in under 90 days. In this way, IT security can actively involve the lines of business in proposed projects and make sure all parties are aligned and striving for results that increase security and compliance while increasing operational efficiency and business agility at the same time.
Ask yourself, is your organization getting the full value from your IAM initiatives?