Information Week 2012-05-07
Transcript of Information Week 2012-05-07
-
7/31/2019 Information Week 2012-05-07
1/19
May 7, 2012
From clouds to mobile to software development, threats can be found everywhere. We'll help you prioritize.
By Michael A. Davis
informationweek.com
THE BUSINESS VALUE OF TECHNOLOGY
15th Annual Strategic Security Survey
CONTENTS: May 7, 2012, Issue 1,332
This all-digital issue of InformationWeek is part of our 10-year strategy to reduce the publication's carbon footprint.

COVER STORY
10 Pick Your Battles: Some threats are more dangerous than others. Our Strategic Security Survey offers guidance on where to focus your efforts.

QUICKTAKES
6 Infor's Oracle Makeover: The CEO of Infor, Charles Phillips, is remodeling it in the image of his old company
8 Apple Wish List: What we'd like to see in the next version of Apple's mobile operating system
9 Digital Marketing Deal: Teradata's acquisition shows the rising importance of marketing technology

3 Research And Connect: InformationWeek's in-depth reports, events,
4 CIO Profiles: There's more we can do to transform busine
mobile, says Sybase's CIO
5 Global CIO: The world is quickly moving from bring you
to bring your own cloud

CONTACTS
18 Editorial Contacts
19 Business Contacts
Links
Top Th
Hackti
crimin
threats
our sur
are figimplementing continuous monitoring and t
informationweek.com/gogreen/042312gov

GET INFORMATIONWEEK GOVER
NEVER MISS A REPORT
> Federal Government Cybersecurity (just released)
> Amazon S3: Web Hosting On The Cheap (just released)
> NoSQL Everywhere? Not So Fast (just released)
> Boost Security Via FFIEC Compliance (just released)
> IT Spending Priorities (coming May 14)
> Mobile Security (coming May 14)

INFORMATIONWEEK REPORTS
State Of Storage: We highlight technologies that might not yet be on your radar and offer advice as you plan your 2012 storage strategy.
informationweek.com/reports/storage2012

Safeguard VM Disk Files: Get our best practices for backing up virtual machine disk files and building a resilient infrastructure.
informationweek.com/reports/vmbackups

Integrated Security Services: Find out how to choose a security partner without getting burned.
informationweek.com/reports/integrated

Monitor Your Cloud Providers: IT pros must find ways to measure the performance of cloud providers. The challenge is to define a strong governance model for cloud offerings while ensuring that security is maintained.
informationweek.com/reports/cloudmonitor

Manage ID In The Public Cloud: As companies' use of public cloud-based services increases, identity management becomes a more complicated issue for enterprise IT professionals.
informationweek.com/reports/cloudid

Get our 800-plus reports at reports.informationweek.com

MORE INFORMATIONWEEK
Next Steps In Cybersecurity: In this InformationWeek Government v
experts will assess the state of cybers
government. It happens May 24.
informationweek.com/gov/cyberevent

Enterprise 2.0 Conference: The Enterprise 2.0 Conference brings t
experts to explore the latest innovatio
social software, analytics, and more. In
e2conf.com/boston

Resources to Research, Connect, Comment
FOLLOW US ON TWITTER AND FA
@informationweek fb.com/inform
What you need to know. Now.
Download Our Free iPad App
CIO PROFILES
JIM SWARTZ, VP of IT and CIO, Sybase

Degrees: Muskingum College, BA in political science
Leisure activities: I volunteer at a state park, where I help visitors and patrol trails on horseback
Best book read recently: Steve Jobs, by Walter Isaacson; it improved my appreciation of the reality distortion field and the intersection of technology and the humanities
If I weren't a CIO, I'd be ... a cowboy heading into the sunset

CAREER TRACK
How long at Sybase: 11 years
Career accomplishment I'm most proud of: Creating an environment where IT is a test bed and first adopter of the technology the company sells. IT interacts with engineering to give feedback for product development before general availability.
Most important career influencer: Dr. J.R. Beyster, founder of SAIC, taught me that although my team and I may make many mistakes, we'll certainly fail if we're not afforded the opportunity to correct them. New ideas leading to success often come from the corrections.
Decision I wish I could do over: I wish I'd given more attention to how the separation of people's personal and business lives has become blurred by the introduction of new technologies, such as mobility and the real-time access to information. There's a lot more we can do to transform business processes by thinking mobile first.

ON THE JOB
IT budget: $52 million
Size of IT team: 200
Top initiatives:
>> Moving Sybase onto SAP Business Suite. We'll retire our legacy business applications in favor of adopting the systems and many of the processes of our parent company. This will give us the best tools to sustain our growth.
>> Extending mobile device management to include new flavors of operating systems, in support of our bring-your-o
gram. We'll expand our supp
Android, RIM, and Windows
How I measure IT effective
satisfaction is a great indica
community at large at least
gauge how we're doing and
to improve.

VISION
One thing I'm looking to do
better collaboration. Comm
be simple and direct.
What the federal governm
priority should be: Digitize
allow digital signatures. In th
would improve process time
and save money. In the long
would allow the governmen
and intelligence from the da
doable from a technology p
Ranked No. 38 in the 2011
GLOBAL CIO
Google Drive: Bring Your Own Cloud Is Here

I recently interviewed Chris Yeh, VP of platform for Box, about the big news that Google has entered the cloud storage market with Google Drive. I took notes on my iPad using the Penultimate handwriting app, and when I was done, I backed the file up to Dropbox, a cloud storage rival for Box.

To let my far-flung colleagues know I was writing this column, I posted a message to our Google Groups message board, an online app that lets staff writers and our dedicated freelancers see what everyone's working on.

Did I mention we're a Microsoft collaboration software shop? So when I wanted to know if my much-faster colleagues had filed their Google Drive articles yet, I IM'd an editor using Microsoft Messenger, and he sent me their stories using Microsoft Entourage email. I wrote this column in Word. To post to InformationWeek.com, I pasted the text into a Web-based content management system, TeamSite. I used Quark software to publish in this digital magazine.

Is this insane? To get these 600 words to you, I used two consumer cloud services, one enterprise cloud service, and three on-premises enterprise software packages.

Actually, I think this is increasingly common, and office workers at your company would tell similar stories of piecing together enterprise and consumer software to get their jobs done. And I'm not complaining; I felt incredibly efficient using all these tools. This is just reality in a world that's fast moving from bring your own device to bring your own cloud.

BYOC pressure will force IT to deal with cloud storage, whether it's Google Drive, Microsoft SkyDrive, Apple iCloud, Dropbox, Box, or some other. All these services let people save files online, access them from different devices, and share them with other people. All of them offer some level of free storage, with additional storage and in some cases administrative controls for business IT (for a price).

Yeh, of Box, thinks one of the make-or-break factors for business adoption of cloud storage will be which services build healthy developer communities and close ties with other software-makers. Remember that backup I did of my notes to Dropbox? I used Dropbox because the Penultimate app has an integration with Dropbox. Box has sim
taking app PaperPort Note
Yeh says Box isn't fretting G
try; it's validation of the
terizes Drive as an extensi
appealing mostly to heavy u
ductivity apps. Box position
player completely focused o
what it needs. Yeh notes tha
led to massive fragmentat
Quickoffice to work in Offi
Expert to mark up PDFs, an
mented world, it's really he
platform-agnostic approach
IT organizations have a lo
ing through features and
that works for the compan
remember is that employe
that process before they
into cloud storage. BYOC h
IT's involved or not.

Chris Murphy is editor of Informatio
by him at informationweek.com/ch
[email protected] or on Twit

State Of Storage
Did you know 32% of companies have more than 100 TB of data? Or that 24% have data growing at 25% or more a year? Learn more about these and other findings in our State of Storage report, free with registration.
QUICKTAKES
LARRY 2.0
Execs Remake Infor In Oracle's Image

Charles Phillips, Oracle's former co-president and now CEO of Infor, reintroduced his company at its recent Inforum customer event in Denver as the world's largest software startup. In reality, it's an old company being remade in the image of Oracle: aggressive, product-oriented, and acquisition-minded.

At about $2.8 billion in revenue, Infor is the third-largest enterprise applications vendor. It started buying up dozens of enterprise applications in 2002, and some of its ERP systems date back to the green-screen era.

Phillips and his lieutenants, many of whom are former Oracle executives, swooped in to redirect the company during the last 16 months. Duncan Angove, one of two former Oracle executives serving as co-presidents (sound familiar?), quipped that there's no truth to the rumor that they're renaming the company Inforacle.

Infor's transformation kicked into high gear when it acquired Lawson Software last July for $2 billion, making Infor the biggest name in ERP after SAP and Oracle. Infor's primary venture capital backer is Golden Gate Capital. Golden Gate and Summit Partners have injected more than $1 billion into the company in the last six months.

The new money has fueled hiring and aggressive growth plans; about 1,700 of the company's 13,000 employees have been hired within the past year, includ
opers to ramp up new prod
Infor's ERP strategy is sp
try. Rivals like Epicor, Mic
SAP also talk up industry-sp
but Phillips says Infor's mu
better cover micro-vertica
for doesn't just serve the f
industry, it has functionality
bakery, and meat processing
Infor isn't alone in offering

Hiring? Job Hunting? Check Our Salary Survey
Our free report on U.S. IT salaries includes detailed breakdowns of median compensation by skills, geography, job title, experience, and more.
QUICKTAKES
10 FEATURES WE WANT
Our Wish List For Apple's Next Mobile Operating System

Apple sold out its Worldwide Developers Conference being held in June in just two hours. Why all the interest? WWDC is where developers learn how to take advantage of Apple's forthcoming desktop operating system, OS X 10.8, dubbed Mountain Lion.

The next version of Apple's mobile operating system, iOS 6, is also being worked on. Whether Apple reveals anything about iOS 6's features at WWDC remains to be seen. But whenever iOS 6 arrives, here are a few features we hope will be included:

Siri API: This would let third-party developers add voice interaction to their apps. While there are ways to write apps that interface with Siri, it would be better to have full Apple support for Siri integration.

Intent system: What are Intents, you ask? They're a way for apps to find out about and communicate with each other. Intents are useful because they allow apps to borrow functions from other apps and exchange data in a standardized way. Apple needs to write its own version of Android Intents. There's already an equivalent project for HTML5, called Web Intents.

Scripting: The Web has ifttt.com. Android has Tasker. What iOS needs is a way to script app actions based on certain conditions. For example, if app A issues a notification, automatically send this type of SMS message. There are ways to enable automation in specific iOS apps, but a condition-monitoring mechanism really ought to be run at the operating system level. Such a system could support listening for external requests to do things like silence your iPhone upon entering a movie theater.

Support for external storage: While iCloud is nice, nothing beats having data in hand; iOS should add support for MicroSD cards.

Auto app updating: If you have a lot of apps on an iOS device, you've probably had days when you had more updates than you do fingers. While this isn't an impossible burden, it would be nice to have the option to let specific apps update themselves in the background automatically during low network usage.

Programmable call handling: Perhaps this could be part of the scripting system. Wouldn't it be nice to be able to rout
people to voice mail at spe
in specific locations?
Configurable audio aler
gle audio notification whe
why not allow the user to cu
played upon receipt of a m
Browser choice: Support
mobile browser plug-ins. A
iOS in, too, should Google
such a beast. Competition
tion and helps users.
Alternate keyboard sup
can make use of innovati
Swype. Should iOS users be
size fits all?
Better (or replaceable)
apps for YouTube, Weathe
functional but uninspired. If
let users uninstall default ap
update its own apps more f
from competition, Apple's n
the way Microsoft Internet
1990s. Thomas Claburn

QUICKFACT: It took 2 hours to sell out Ap
QUICKTAKES
ECIRCLE ACQUISITION
Teradata Deal Points To Social And Mobile Marketing Push

Teradata's acquisition of eCircle, a European digital messaging business, offers the latest sign of how mobile and social are driving a surge in digital marketing.

Like competitors Exact Target, Responsys, and Silverpop in North America and Emailvision in Europe, eCircle delivers digital ads and marketing pitches via email, social channels, and websites. Teradata's digital marketing unit Aprimo already had some of eCircle's capabilities, but Teradata thinks eCircle's technology is more mature and capable.

"The idea is to build out our capabilities and extend our reach into the channels we've been trying to grow into around social, mobile, and the Web," says Teradata CMO and executive VP Darryl McDonald.

Based in Munich, eCircle is a privately held firm with about 1,000 customers and 400 employees, and it will be merged with Teradata's Aprimo unit, expanding that firm's geographic and services footprint. Terms of the deal, expected to close in the next two months, weren't disclosed.

"In addition to mobile and social capabilities, eCircle brings us content-creation and content management capabilities," says Stephanie Miller, VP of digital messaging at Aprimo. That content might include microsites, landing pages, websites, and other mechanisms for interacting with consumers. Of course, all the data generated in digital marketing campaigns has to be gathered and analyzed, and that's where Teradata comes in.

Teradata acquired Aprimo in December 2010 to gain access to deeper digital marketing capabilities, but Aprimo still operates as a standalone business.

In big data-oriented digital marketing, Teradata's Aster Data platform
ing the multistructured d
analyzing email, Web, and
keting campaigns. Aster
doop-style MapReduce pro
in analysis of unstructured,
media comment streams a
Teradata also recently in
data 700 Appliance for SAS
Analytics, the latest from a
ship with SAS. Purpose-b
analysis teams who develo
tomer segments, the ap
tackle within a matter of
analysis that would take
dreds of hours on a conv
server.
In a marketing scenario, fo
using SAS could take adva
700 speed to develop fine
segmentations and mode
sponsive campaigns.
Doug Henschen (dh
2012 Strategic Security Survey
Some threats are more likely than others. Our survey offers guidance on where to focus your efforts.
By Michael A. Davis

What's the biggest challenge facing security
preventing breaches, meeting compliance dem
vying for executive attention. It's managing co
InformationWeek 2012 Strategic Security Surv
we've been running this study for 15 years, an
never, ever been simple. But over the past deca
have piled up; we have too many fancy techn
ploy and long-winded policies to enforce with
that any of them will reduce risk.

So let's break it down. Prioritize the threats most likely to affect your company. If you try to block every conceivable attack, you'll stretch your people and resources so thin that something is bound to break. Stop worrying about what you can't control or predict and focus like a laser on where you can make an impact. That includes tried-and-true basics like strong access control. It includes taking a hard look at potential cloud providers' security claims, and writing Web apps and business software with an eye toward reducing vulnerabilities. It means being prepared for when a salesperson leaves an iPad in a taxi or has her phone snatched out of her hand.

We'll provide guidance on these areas in this article and go into more depth in our full 2012 Strategic Security Survey report. We'll also delve into what 946 business technology and IT security professionals from companies with 100 or more employees told us in our latest in-depth look at the security landscape.

What's In That Cloud, Anyway?
Our 2012 State of Cloud Computing Survey shows adoption of public cloud on a consistent upward pace; just 27% of 511 respondents from companies with 50 or more employees aren't in the marke
Unfortunately, in 2011, only
gic Security respondents
the security of cloud provi
number jumped to 29%.
14% rely on the self-aud
provide. An example is th
used set of auditing stand
Get This And All Our Reports
Our full 2012 Strategic Security report is free with registration. This report includes 44 pages of action-oriented analysis, packed with 38 charts.
What you'll find:
> Security guidance on cloud, mobile, and more
> How to get value from collecting security metrics
[Chart] Are Mobile Devices A Threat To Your Company's Security? (2012 vs. 2011)
Responses: Yes, a significant threat; Yes, a minor threat; Not yet, but they will be; No
Values legible on the chart (mapping to responses and years not recoverable): 25%, 24%, 21%, 20%, 10%, 10%
Data: InformationWeek Strategic Security Survey of 946 business technology and security professionals at companies with 100 or more employees in March 2012 and 1,084 in March 2011
say attest to controls they have in place.

We don't recommend blindly accepting these reports. One reason is that SSAE 16 attestations contain different sets of scope and system descriptions, so one provider's SSAE 16 may be dramatically different from another's. A better bet? The Cloud Security Alliance explicitly lays out a set of security best practices for cloud providers across a variety of domains, including encryption, data center management, cloud architecture, and application security. The CSA's guidelines are much more prescriptive, and the group offers the Security Trust and Assurance Registry, a free, publicly accessible registry that documents the security controls inherent in various cloud offerings. All providers can submit self-assessment reports that document compliance with CSA-published best practices.

When it comes to cloud computing risks, the most prominent concern among our survey respondents is unauthorized access to or leak of customer information. That's unchanged from 2011. Other top concerns include worries about security defects in cloud technology and the loss of proprietary data.

BYOD Is No Big Deal
Even as the cloud transforms the way IT delivers services to end users, mobile devices are transforming the way end users consume services. And as with any technological upheaval, mobile devices introduce their
ing (see our latest MDM research here).

While we're all for using MDM software, IT must understand its limits. In a heterogeneous bring-your-own-device environment, not every security feature will be available for every device type; there are more than 200 versions of Android in the wild. No MDM vendor could keep up, so shop based on what you support.

Mobile malware is also a risk, though not to the same degree as it is on PCs. For now, the architecture and security controls on smartphones and tablets significantly reduce the impact that mobile malware can have. And because most mobile malware comes disguised as legitimate apps rather than attempting to exploit a software vulnerability within the device's OS, a little prevention goes a long way. Curated app stores, such as Apple's, tend to do a good job of screening out malicious apps. The Android market is more like the Wild West, but Google has been making an effort to remove bad apps. One option is to leverage MDM software that includes application whitelisting, which allows only IT-approved apps to be loaded. However, given that most users own their mobile devices, you may have limited success.

Build Secure Software
Most vulnerabilities that let attackers get in affect Web and desktop software. If your organization writes such applications, you'd better find exploitable flaws before the bad guys do. However, our respondents
aren't exactly optimistic: "Whether an application or architecture is done internally or by a vendor, it is rare that an application is even mostly secure," says a senior systems manager with AT&T, who adds that many products and architectures have yet to catch up with best practices that are a decade and a half old. "And the problem is only getting worse as we adopt cloud. How can we expect vendors who are still stuck in the mid-90s or earlier to give us anything with some semblance of security and integrity in the cloud environment?" he asks.

If that strikes close to home, you're probably among the majority of respondents who have yet to establish a secure software development life cycle (SDLC) and run application security reviews. Thirty-three percent of respondents do use secure SDLCs, with most of them saying the tactic is somewhat or very effective. Why just 33%? We suspect many of those without SDLCs have run into a significant barrier: their developers.

Developers aren't anti-security per se, but they aren't incentivized to care about it. Most live and die by how fast and bug-free they produce new applications or add features to existing apps. They care about functionality and delivery dates. Security doesn't directly support those objectives. Furthermore, most security pros are lost when it comes to communicating with developers. And there are a multitude of SDLC frameworks out there, including agile, waterfall, and scrum; we rarely run across people trained to take an SDLC and customize it to include security components.

That's not to say you should give up. We recommend a two-step process to increase the security of your software. First, focus on training and encouraging developers to use secure coding practices, so that they don't write vulnerable code in the first
wards for bug-free apps. Se
and static source code a
vendors such as Veracode
of your quality assurance p
allow a security or QA tea
tions and identify vulnera
then be remediated befor
While 61% of respondent
opment processes implem
metrics gathered from co
[Chart] Risky Business: Does your company perform its own risk assessments of cloud service providers? (2012 vs. 2011)
Responses: Yes, we conduct our own audits; We want to conduct our own audits but providers are generally uncooperative; No, we use providers' self-audit reports; No; We don't use cloud services
Values legible on the chart (mapping to responses and years not recoverable; last value cut off): 29%, 18%, 9%, 6%, 14%, 9%, 15%, 28%, 3
Data: InformationWeek Strategic Security Survey of 946 business technology and security professionals at companies with 100 or more employees in March 2012 and 1,084 in March 2011
than half of those using secure SDLCs integrate those metrics into developer training. That number should be closer to 100% because it's vital to identify recurring problems; when developers see what mistakes they keep making, they can adjust their practices accordingly.

Security Insurance
Even if your company does all the right things, it's still possible to get breached. And those breaches can be expensive, particularly if personally identifiable data is stolen. No one wants to have to notify customers and take other steps, such as setting up credit monitoring services.

In response, some companies are turning to cyber-risk or cyber-liability insurance to recover some costs. The way these insurance plans work is simple: Your company implements security policies and processes, then the insurance provider reviews them and places a ranking on the company. Based on the ranking, you pay a premium to receive a certain insurance value.

While it sounds straightforward, the process can be complicated. You know how difficult it is to evaluate the controls of a cloud vendor, so you can imagine what an insurance carrier or agent will have to go through to scope and assess your environment. In general, we think cyber-risk policies are overpriced and generally not worth the cost of the premiums. Survey respondents seem to agree: only 18% have cybe
If your company intend
with this kind of insurance
exercise to stage a mock br
you analyze the types of
stolen and provide a base
potential costs. A mock b
double duty as a test of
sponse program.
Insurance policies will di
and the language and trig
these policies are comple
have lawyers on hand, and
cussions around determi
breach and the resulting
the carrier will pay out. M
cover the cost of fixing sy
cessful attack, for example
count for that in your incid

Most Valuable Practice: A
Security pros chose ident
agement as the most valu
tice in our 2012 survey. Thi
encouraging result, becau
in fact, the most important
every company, yet very
spend enough time on it.
Let's walk through a b
[Chart] Secure Development: Does your company have a formal secure software development life cycle policy and process?
Response      2012   2011
Yes           33%    38%
No            44%    46%
Don't know    23%    16%
Data: InformationWeek Strategic Security Survey of 946 business technology and security professionals at companies with 100 or more employees in March 2012 and 1,084 in March 2011
access control is so critical.

A nonadministrative user opens a phishing email on his workstation and is infected by malware. The malware connects to a command-and-control server, and the attacker starts to execute commands on the compromised workstation. In the case of an advanced attacker, the next step might be to upload a tool that looks for weak service account permissions. Or the attacker could look for password hashes on the workstation, in the hopes that an administrator logged in to the workstation at one time and the password hash was left behind. An even easier route is for the attacker to impersonate the user and start browsing through the network.

Each of these attacks can be prevented by access control measures. First, properly configuring permissions on service accounts can prevent a nonadministrative user from escalating his privileges on the workstation. Permissions are a critical portion of identity management, but too often companies focus only on user identities. Permissions are just as important.

The next possible attack vector can be prevented by password management for administrative users. It's easy enough to set policies requiring two-factor authentication for domain administrators or for password rotation to occur in a given timeframe (say, every 30 days) or simply to require a very complex password with 15 or more characters. These policies can thwart password cracking or prevent an attacker from using the password to elevate privileges.

And even if an attacker manages to gain control of the user account on the workstation, other identity management controls can still come into play. One option is negative detection, which looks for actions that users shouldn't be taking based on their roles. For example, if the attacker, posing as the workstation user, attempts to access an accounting file server, but the user is in the engineering department, negative detection controls would alert the security team.
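Two of the identity management controls in the walkthrough above, role-based negative detection and admin password rotation, as an added example. This is not code from InformationWeek or from the article's author; the departments, file shares, admin accounts and key=value access events it runs over are constructed for the example, and the 30-day window is the "say, every 30 days" figure from the text.

```python
"""Negative detection and admin password-age checks over constructed data.

Added example for this article; it is not code from InformationWeek or from
the author. It demonstrates two identity management controls the access
control walkthrough describes: role-based negative detection (an engineering
user touching an accounting file share raises an alert) and a rotation check
on administrative passwords (the article's "say, every 30 days"). Users,
shares, accounts and log lines below are all constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed directory data: the department each user belongs to.
USER_DEPARTMENT: Dict[str, str] = {
    "jsmith": "engineering",
    "mlee": "accounting",
}

# Constructed policy: the file shares each department is expected to use.
# Access to anything outside this set is the "negative" the article describes.
DEPARTMENT_SHARES: Dict[str, Set[str]] = {
    "engineering": {r"\\files\eng", r"\\files\shared"},
    "accounting": {r"\\files\acct", r"\\files\shared"},
}

# Constructed file-server access events in a simple key=value format.
SAMPLE_EVENTS: List[str] = [
    r"ts=2012-05-07T09:12:04 user=jsmith share=\\files\eng action=read",
    r"ts=2012-05-07T09:15:31 user=mlee share=\\files\acct action=write",
    r"ts=2012-05-07T09:41:10 user=jsmith share=\\files\acct action=read",
    r"ts=2012-05-07T09:42:55 user=guest share=\\files\shared action=read",
]

# Constructed admin accounts: (account name, date the password was last set).
SAMPLE_ADMIN_ACCOUNTS: List[Tuple[str, date]] = [
    ("da_ops", date(2012, 3, 1)),
    ("da_helpdesk", date(2012, 4, 20)),
]
TODAY = date(2012, 5, 7)          # the issue date, used as "now"
MAX_PASSWORD_AGE_DAYS = 30        # the rotation window the article suggests


@dataclass(frozen=True)
class Alert:
    user: str
    department: str
    share: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value key=value' event into a dict."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def negative_detection(lines: List[str]) -> List[Alert]:
    """Flag accesses that do not fit the user's department role.

    Unknown users are flagged too: an account absent from the directory has
    no role against which its behaviour can be judged.
    """
    alerts: List[Alert] = []
    for line in lines:
        event = parse_event(line)
        user, share = event.get("user", ""), event.get("share", "")
        department = USER_DEPARTMENT.get(user)
        if department is None:
            alerts.append(Alert(user, "unknown", share, "user not in directory"))
        elif share not in DEPARTMENT_SHARES[department]:
            alerts.append(Alert(user, department, share, "share outside department role"))
    return alerts


def stale_admin_passwords(accounts: List[Tuple[str, date]], today: date,
                          max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> List[str]:
    """Return admin accounts whose password is older than the rotation window."""
    return [name for name, last_set in accounts
            if (today - last_set).days > max_age_days]


if __name__ == "__main__":
    for alert in negative_detection(SAMPLE_EVENTS):
        print(f"ALERT {alert.user} ({alert.department}) -> {alert.share}: {alert.reason}")
    print("stale admin passwords:", stale_admin_passwords(SAMPLE_ADMIN_ACCOUNTS, TODAY))
```

On the constructed events, the engineering user's read of the accounting share and the unknown "guest" account are the two alerts; the da_ops account, whose password is 67 days old, is the one flagged for rotation. In a real deployment the directory and share policy would come from the identity system rather than from inline dictionaries, and the events from the file server's audit log.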
Pedestrian tools such as
word management may la
citement of more cutting-e
ucts, but they represent th
managing risk in a sane w
Focus on elements of yo
that you can control. You c
when an attacker might co
or what fancy zero-day m
with. But those unknow
much when you've taken s
most likely risks and put
those areas. If you have to
position of strength.

Michael A. Davis is CEO of consult
Write to us at iwletters@techweb.
[Chart] What Security Practices Are Most Valuable To You?
Practices listed: Identity or password management; End user security awareness training; Patch management; Log analysis, security information management, vulnerability analysis, or research; Virus or worm detection and analysis
Values legible on the chart (others cut off): 38%, 35%, 4
Data: InformationWeek 2012 Strategic Security Survey of 946 business technology and security professionals at org
employees, March 2012
Print, Online, Newsletters, Events, Research
UBM TECHWEB
Tony L. Uphoff CEO
John Dennehy CFO
David Michael CIO
Scott Vaughan CMO
David Berlind Chief Content Officer, TechWeb, and Editor in Chief, TechWeb.com
Ed Grossman Executive VP, InformationWeek Business Technology Network
Martha Schwartz Executive VP, Group Sales, InformationWeek Business Technology Network
Joseph Braue Sr. VP, Light Reading Communications Network
Beth Rivera Senior VP, Human Resources
John Ecke VP of Brand and Product Development, InformationWeek Business Technology Network
Fritz Nelson VP and Editorial Editor, InformationWeek Business Technology Network, and Executive Producer, TechWeb TV
UBM LLC
Pat Nohilly Sr. VP, Strate Development and Business Administra
Marie Myers Sr. VP, Manufacturing
INFORMATIONWEEK VIDEO
informationweek.com/v
Fritz Nelson [email protected]
INFORMATIONWEEK BUSINESS TECHNOLOGY NETWORK
DarkReading.com Security Tim Wilson, Site [email protected]
READER SERVICES
InformationWeek.com The destination for breaking IT news, and instant analysis
Electronic Newsletters Subscribe to InformationWeek Daily and other newsletters at informationweek.com/newsletters/subscribe.jhtml
Events Get the latest on our live events and Netevents at informationweek.com/events
Reports reports.informationweek.com for original research and strategic advice
How to Contact Us informationweek.com/contactus.jhtml
Editorial Calendar informationweek.com/edcal
Back Issues E-mail: [email protected], 888-664-3332 (U.S.), 847-763-9588 (Outside U.S.)
Reprints Wrights Media, 1-877-652-5295, Web: wrightsmedia.com/reprints/?magid=2196, Email: [email protected]
List Rentals Specialists Marketing Services Inc., Email: [email protected], (631) 787-3008 x3020
Media Kits and Advertising Contacts createyournextcustomer.com/contact-us
Letters to the Editor [email protected] name, title, company, city, and daytime phone number.
Subscriptions Web: informationweek.com/magazine, Email: [email protected], 888-664-3332 (U.S.), 847-763-9588 (Outside U.S.)
REPORTERSDoug Henschen Executive Editor
Enterprise software
[email protected] 201-660-8467
Charles Babcock Editor At Large
Open source, infrastructure, virtualization
[email protected] 415-947-6133
Thomas Claburn Editor At Large
Security, search, Web applications
[email protected] 415-947-6820
Paul McDougall Editor At Large
Software, IT services, outsourcing
Andrew Conry-Murray Editor At Large
Information and content management
[email protected] 724-266-1310
Marianne Kolbasuk McGee Senior Writer
IT management and careers
[email protected] 508-697-0083
J. Nicholas Hoover Senior Editor
Government IT, cybersecurity,
federal IT policy
[email protected] 516-562-5032
Eric Zeman
Mobile and Wireless
CONTRIBUTORS
Michael Biddick [email protected]
Michael A. Davis [email protected]
Jonathan [email protected]
Randy George [email protected]
Michael Healey [email protected]
Kurt Marko [email protected]
EDITORS
Jim Donahue Chief Copy [email protected]
ART/DESIGN
Mary Ellen Forte Senior Art Director
Sek Leung Associate Art Director
INFORMATIONWEEK REPORTS reports.informationweek.com
Art Wittmann VP and Director
[email protected] 408-416-3227
Lorna Garey Content Director, Reports
[email protected] 978-694-1681
Heather Vallis Managing Editor, Research
[email protected] 508-416-1101
INFORMATIONWEEK.COM
Paul Travis Managing Editor
[email protected] 516-562-5217
Roma Nowak Senior Director,
Online Operations and Production
[email protected] 516-562-5274
Tom LaSusa Managing Editor,
Newsletters
Jeanette Hafke Web Production Manager
Joy Culbertson Web Producer
Nevin Berger Senior Director,
User Experience
Steve Gilliard Senior Director,
Web Development
Please direct all inquiries to reporters in the relevant beat area.
Copyright 2012 UBM LLC. All rights reserved.
Rob Preston VP and Editor In Chief [email protected] 516-562-5692
John Foley [email protected] 516-562-7189
Chris Murphy [email protected] 414-906-5331
Art Wittmann VP and Director, [email protected] 408-416-3227
Laurianne McLaughlin Editor In Chief, [email protected] 516-562-7009
Stacey Peterson Executive Editor, [email protected] 516-562-5933
Lorna Garey Content Director, [email protected] 978-694-1681
Fritz Nelson VP and Editorial [email protected] 949-223-3608
Eric Lundquist VP and Editorial Analyst, InformationWeek Business Technology [email protected] 978-289-7306
David Berlind Chief Content Officer, [email protected] 978-462-5315
ADVISORY BOARD
Dave Bent
Senior VP and CIO
United Stationers
Robert Carter
Executive VP and CIO
FedEx
Michael Cuddy
VP and CIO
Toromont Industries
Laurie Douglas
Senior VP and CIO
Publix Super Markets
Dan Drawbaugh
CIO
University of Pittsburgh
Medical Center
Jerry Johnson
CIO
Pacific Northwest Natio
Laboratory
Kent Kushar
VP and CIO
E.&J. Gallo Winery
Carolyn Lawson
CIO
Oregon Health
Authority
Jason Maynard
Managing Director
Wells Fargo Securities
Randall Mott
CIO
General Motors
Executive VP of Group Sales, InformationWeek Business Technology Network, Martha Schwartz (212) 600-3015, [email protected]
Sales Assistant, Salvatore Silletti (212) 600-3327, [email protected]
SALES CONTACTS WEST
Western U.S. (Pacific and Mountain states) and Western Canada (British Columbia, Alberta)
Western Regional Director, JohnHenry Giddings (415) 947-6237, [email protected]
Strategic Account Director, Mark Glasner (415) 947-6245, [email protected]
Account Manager, Kevin Bennett (415) 947-6139, [email protected]
Account Manager, Ashley Cohen (415) 947-6349, [email protected]
Account Executive, Silas Chu (415) 947-6330, [email protected]
Account Executive, Rose Lin (415) 947-6157, [email protected]
Strategic Accounts
Account Director, Sandra Kupiec (415) 947-6922, [email protected]
Sales Manager, Vesna Beso (415) 947-6104, [email protected]
Account Executive, Matthew Cohen-Meyer (415) 947-6214, [email protected]
SALES CONTACTS EAST
Midwest, South, Northeast U.S. and Eastern Canada (Saskatchewan, Ontario, Quebec, New Brunswick)
District Manager, Jenny Hanna (516) 562-5116, [email protected]
District Manager, Michael Greenhut (516) 562-5044, [email protected]
District Manager, Cori Gordon (516) 562-5181, [email protected]
Account Executive, Kevin McIver (212) 600-3036, [email protected]
Inside Sales Manager East, Ray Capitelli (212) 600-3045, [email protected]
Sales Assistant, Bill Myers (212) 600-3163, [email protected]
Sales Assistant, Ryan Delaney (212) 600-3193, [email protected]
Strategic Accounts
District Manager, Mary Hyland (516) 562-5120, [email protected]
Account Manager, Tara Bradeen (212) 600-3387, [email protected]
Account Manager, Jennifer Gambino (516) 562-5651, [email protected]
Strategic Account Manager, Amanda Oliveri (212) 600-3106, [email protected]
Account Executive, Elyse Cowen (516) 562-3051, [email protected]
Account Executive, Kathleen Jurina (212) 600-3170, [email protected]
Sales Assistant, Michelle Freeman (212) 600-3157, [email protected]
SALES CONTACTS NATIONAL
Dr. Dobb's
Sales Director, Michele Hurabiell (415) 378-3540, [email protected]
District Sales Manager, Steven Sorhaindo (212) 600-3092, [email protected]
SALES CONTACTS MARKETING AS A SERVICE
Director of Client Marketing Strategy, Jonathan Vlock (212) 600-3019, [email protected]
Director of Client Marketing Strategy, Julie Supinski (415) 947-6887, [email protected]
SALES CONTACTS EVENTS
Senior Director, InformationWeek Events, Robyn Duda (212) 600-3046, [email protected]
MARKETING
VP, Marketing, Winnie Ng-Schuchman (631) 406-6507, [email protected]
Director of Marketing, Angela Lee-Moll (516) 562-5803, [email protected]
Senior Marketing Manager, Monique Kakegawa (949) 223-3609, [email protected]
AUDIENCE DEVELOPMENT
Director, Karen McAleer (516) 562-7833, [email protected]
Subscriptions: informationweek.com/magazine, Email: [email protected], (888) 664-3332 (U.S.); (847) 763-9588 (outside U.S.)
ADVERTISING AND PRODUCTION
Publishing Services Manager, Lynn Choisez (516) 562-5581, Fax: (516) 562-7307
MAILING LISTS
Specialists Marketing Services Inc. (631) 787-3008, [email protected]
REPRINTS AND RIGHTS
For article reprints, e-prints, and permissions, please contact: Wrights Media, (877) 652-5295, [email protected]
Back Issues Phone: (888) 664-3332 (U.S.); (847) 763-9588 (outside U.S.), Email: [email protected]
BUSINESS OFFICE
General Manager, Marian Dujmovits
EDITORIAL OFFICE
(Fax) 516-562-5200
United Business Media LLC, 600 Community Drive, Manhasset, N.Y. 11030, (516) 562-5000. Copyright 2012. All rights reserved.