Mobile and cloud computing security: Key CISO concerns for 2010

Howard Schmidt, the president and CEO of UK-based Information Security Forum, has a distinguished career in defense, law enforcement and corporate security, which spans almost 40 years. Earlier, he served as a VP and CISO for eBay. During the Securitybyte & OWASP AppSec Asia Conference 2009, Schmidt shared with us his views on global information security issues and India's data protection regime.

Can you classify the key concerns of CISOs from a global perspective?
Application security, proliferation of data on mobile devices, and managing security in new projects are the major challenges for organizations across the world. Today, data does not reside at just a single location. Hence data identification, classification and protection have become more complex.

Data and application on mobile devices will be the next big target for bad guys. Many a time, corporate personnel are not even aware of the data that they carry on mobile devices. As a result, it's difficult to recover such data. To avoid such issues you can implement simple technologies like using PIN numbers for mobile device log-ins.

Now, there are several solutions to protect the data on mobile phones. For example, if someone punches in a wrong password 10 times on your mobile device, it will automatically wipe out the data. The iPhone, for instance, offers a "locate me" function, which uses cellular networks to let you wipe out data in case the device is stolen.

Security in the cloud is one of the most discussed topics at this moment. Aspects which you need to keep in mind before opting for cloud computing are: encryption, authentication, regulatory requirements on data storage location, data protection laws of the country hosting the data center, and notification processes in case of a security breach at the service provider's end. These parameters must be covered well under the contract.

Security teams are working on next year's security budgets at the moment. What are your suggestions on this front?
During last year's downturn, people recognized that they can't lose more money by ignoring security investments. It's essential that CISOs associate business needs with risks to know what is required from an information security perspective. We have a long history of building great technologies and fixing security bugs at a much later stage. To avoid such scenarios, companies must integrate data security and privacy controls in the beginning itself for next year's new technology rollouts.

What are your views on the efficacy of India's data protection regime?
I think that the Indian government and private enterprises now recognize the significant impact of data protection on customer trust. Background checks, data reduction (offering limited information to solve problems), security controls, regular audits, and tests can ensure higher security.

India does not have any regulation when it comes to reporting of security breaches. Do you feel that these disclosures should be mandatory?
Corporates definitely need to report security breaches, since an issue can be fixed only if you understand the problem. However, we need to keep in mind that such regulations should not have any unintended consequences. For example, a couple of years back, the U.S. debated passing a law to make spyware illegal. The way this law was written, it became illegal for antivirus providers to push updates and software patches to companies. So laws related to data protection should be thoroughly vetted before they become mandates.

Data protection laws should be easy to understand and implement. They should be interoperable across all states of India, businesses operating within India, and also foreign companies that are engaged in business with India. A law which cannot be effectively implemented is not worth much.
