Posted by Carody Kephart, Manager, Integrated Marketing on May 10, 2010 1:04 PM
We hope you can join GSI at Interface 2010, the industry's leading security and disaster recovery conference offered today. Interface is a single-day IT conference addressing the advances in information security, disaster recovery, business continuity, data storage and regulatory compliance. The conference is put on by Face-to-Face Events, and will truly hold up to that name. Interface prides itself on educating, as opposed to selling, and provides the optimal setting for “B2B matchmaking” and quality face-to-face time.
GSI will be exhibiting at the conference, so please stop by our booth to learn how we can help with your security and business needs. GSI's security and disaster recovery expertise is second to none. We were the first hosting company in the world to meet the stringent security criteria imposed by the payment card industry (PCI) in 2004, by becoming 100% PCI DSS compliant for managed services. Since then, we have helped numerous clients achieve and maintain their own security compliance, and we continue to perfect our processes and ability to address the critical security needs of our clients.
Interface will be held Thursday, May 13, at the Kansas City Downtown Marriott from 9:00 a.m. to 4:30 p.m. The event is by invitation only, so please contact Kristine Hansen, our business development manager, to RSVP. She can be reached at khansen@gsihosting.com or (816) 222-1210. Also, you can check out the events page on our website to RSVP: http://www.gsihosting.com/events
For more information about Interface 2010, you can visit http://www.f2fevents.com/. We look forward to seeing you there and hope everyone has a safe and secure day!
Posted by Carody Kephart, Manager, Integrated Marketing on March 30, 2010 6:28 PM
Congratulations to GSI's own Candace Sheldon, who was honored as the "Most improved woman 50 or older" in Ingram's 2009-2010 Fittest Executives and Fittest Companies Challenge.

Candace joined up with three other GSI folks – Mark Hotalling, Jerad Riggin and Adam Ward – to compete in Ingram's challenge, which ran from October 1 through the end of 2009. The competition was based on the belief that a "top-down corporate emphasis on employee fitness could help achieve bottom-line results with a fitter work force." During the three-month challenge, participants were armed with detailed measurements of their own health metrics, and focused on their primary areas of concern, such as losing weight, or improving blood pressure and cholesterol levels, aerobic capacities, strength and flexibility measurements.
Candace earned the "most improved" honor for her improvement in every category. She attributes her success in the program to both eating healthier and exercising regularly. She and her teammates committed themselves to working out in GSI's exercise facility 4-5 days a week, specifically following the P90X workout regimen. Candace also eliminated sugar, flour products, and alcohol from her diet, snacking instead on fruits, vegetables and more protein-rich foods. She followed the guidance of a nutritionist and also hit the treadmill every evening after work. The results were great: she lost 9 pounds during the competition (even including the holidays) and another 6 since then. Not only that, but Candace is now seriously motivated to continue her fitness routine.
Candace signed up for the Ingram's challenge as part of GSI's corporate team, motivated by the thought of getting in better shape and losing a little weight, as well as the desire to set a good example for her GSI co-workers in promoting wellness. The support of her teammates, she says, made it easier to achieve positive results. Just like the premise GSI stands on as a company – that the support our GSI ServerHeroes lend one another enables us to collectively achieve great things for our clients.
"If you really decide you want to do something and are diligent in your approach, you can achieve anything," says Candace. Simply enough said, but a lesson for all of us in our personal and professional lives. Candace's success brings home the reason why I'm proud to work for a company like GSI with dedicated co-workers like her – true to GSI's tagline, "Let's get it done right," we have the desire to achieve, and we take the extra measures to do so.
Posted by Ed Welsh, Director, Security & Compliance on February 22, 2010 10:50 AM
Part of selling GSI's managed services is dealing with the competitive comparison issue, as prospective clients attempt to determine which managed service provider is the best fit for their IT management needs. The need to compare GSI versus our competition is understandable, but what do you do when there is little to compare us against?
The old and overused idiom, "Apples to Oranges" comes to mind, but does not accurately describe the situation. GSI is most often compared to "hosting" companies because we have hosting capabilities, but to say we are just a hosting company is grossly inaccurate. GSI is a managed services company with hosting capabilities. We provide the entire service – soup to nuts. Most competitors, while they claim to offer a total solution, barely get to the soup.
Maybe a metaphor using the auto repair industry can help clarify our situation as it relates to comparison shopping.

- Space. Every auto repair shop must have a garage in which to put the equipment and vehicles involved. Much like IT hosting companies must have data centers. It is a given that one garage looks much like another. Picking an auto repair shop solely on the presence of a garage would not be prudent. The need for them to have a workable and available garage is a requirement, but you need more criteria to narrow down your comparison. The same goes for hosting companies and their data centers.
- Range of services. Another area of comparison is the type of auto repair services and the expertise with which they are provided. A lot of shops provide standard services and have qualified technicians to provide those standard services on the most common vehicles. These services work fine for a standard high-production vehicle. What happens if your vehicle is a specialized, custom-built unit? The number of auto repair shops that can provide you services drastically decreases. Your selection now depends on the unique traits of the specialized services you require. This applies to IT services, as well. IT systems requiring advanced security and regulatory compliance necessitate specialized services, and narrow your service provider options.
- Who performs the actual work? Let's muddy the waters a bit and carry the metaphor further. Say you have narrowed your auto repair provider selection down to three shops. They all three advertise knowledge of your specialized vehicle. Each shop defines their services using similar terms. Even so, as you dig into one shop's methods, you find that they provide work space and tools, but do not actually do the work. You and your brother-in-law will need to be available to actually perform any work. This kind of discrepancy can be very difficult to discover when picking an IT services provider, and it is painful to realize it after contracts have been signed with an auditor breathing down your neck.
- Do they need direction from you? So, now you are down to two shops that may be able to perform work on your specialized vehicle. As you question the two, you again find a deficiency in one of them. They have the capabilities, the tools and the space, but they can only do exactly what you tell them to. They cannot or will not assist with designing your solution, and cannot point out issues you will encounter, much less account for them. This, again, puts you in a hot seat. Your services contract has turned into space and tools for you to implement.
- Finally ... the needle in the haystack. The last shop you review meets all the requirements and represents the complete solution. Almost like having a dedicated race crew to work on your specialized vehicle. Clearly this is the best choice for the services you need, but it was not easy to identify them. There were not many clues to lead you to them. All the same terminology was used to describe the services, and all three shops were giving assurances that you would get the services you expect.
There are only a small handful of managed security service providers that actually take on the specialized tasks for regulatory compliance, yet you will find many claiming to do so. They all use the same language to describe what they provide, but many simply provide the tools. Since most regulatory requirements include an analysis component, any service provider that is not doing analysis along with data collection will not meet the requirements. Yet they will advertise a fully compliant service offering by assuming the client will spend the time necessary to cover the analysis needs.
When GSI states that a service we provide can meet a requirement, we mean that the service fully meets the requirement. Just as if a full IT team were hired on. The challenge is educating prospective clients on the difference when being compared to providers with less-developed ideas about services.
Posted by Ed Welsh, Director, Security & Compliance on February 12, 2010 10:58 AM
An interesting site to read through is the Ponemon Institute, which includes independent research on privacy and IT security issues.
One of the studies that caught my eye involved the cost of a data breach.
The study I reviewed dealt with data from 2008 and compared it to 2007. It also reviewed the impact of both direct and indirect costs. Direct costs are the expenses of remediating the direct causes of a breach and cleaning it up; examples would be hiring consultants, implementing technologies, or providing credit protection. Indirect costs are costs to the business that are not directly attributable to the breach itself but are still caused by it; examples would be customer churn, lost prospects, reputational impacts, or additional support costs.
The overall result of the study shows that direct and indirect costs are rising. This reflects the vast amount of attention that has been given to breaches -- even as far as state governments legislating how the breach victims must be notified. As companies involved in data breaches learn the proper ways to handle the event, the costs will rise due to their increased engagement. In the past, a breach could be handled internally with little external involvement. No longer is this the case. A company with a breach had better be able to show due diligence by engaging professionals to remediate.
Additionally, the general public, which is increasingly plugged in and online, has become savvier regarding how their data should be handled and protected. When a company fails to show even basic security capabilities, causing a breach, a knowledgeable public takes their business elsewhere.
Something to note is that customer churn rates due to a breach event were highest in the healthcare industry. It seems folks care more about their doctors/hospitals losing their information than they do their financial institutions.
One of the most relevant discoveries in this report is that breaches involving third-party or partner mistakes are the most expensive to remediate, and that 44% of the breaches reviewed involved third parties. The report does not give a firm reason why third-party involvement makes a breach more expensive, but we can guess that inefficiencies are introduced when a third party must be coordinated with during investigation and response. The lesson is to share data only with third parties you are sure have a good security program that includes event handling capabilities.
Below are some statements directly from the report that I found relevant. These do not represent the full report, and an interested person should read directly from the links provided below.
Over the past four years, lost business cost component grew by more than $64 on a per-victim basis, or a 38% overall percentage increase. Our research finds organizations in highly trusted industries, such as banking, pharmaceuticals and healthcare, are more likely to experience a data breach with high abnormal churn rates. In contrast, retailers and companies with less direct consumer contact seem to experience a lower overall data breach cost.
The most significant cost decrease concerns ex-post response, which implies organizations are becoming more cost-efficient in their management of the data breach. Despite efficiency gains, consulting, legal defense and, as mentioned previously, lost customer business have increased in this year’s study.
The range of total cost among the 43 data breach incidents contained in this year’s study is a minimum of $613k to more than $32 million. The magnitude of the breach event ranged from 4,200 to 113,000 lost or stolen records. As in prior years, data breach cost appears to be linearly related to the size or magnitude of the breach event.
In this year’s study, the average abnormal churn rate across all 43 incidents is 3.6%, which was measured by the loss of customers who were directly affected by the data breach event (i.e., typically those receiving notification). The abnormal churn or turnover rate in 2007 for customers receiving notification was 2.7%.
Healthcare and financial service companies have the highest average rate of churn at 6.5% and 5.5%, respectively. High churn rates reflect the fact that these industries manage and collect consumers’ most sensitive data. Thus, consumers may have a higher expectation for the protection and privacy of their financial and healthcare records.
Over 44% of all cases in this year’s study involved third-party mistakes or flubs. Data breaches involving outsourced data to third parties are the most costly. This could be due to additional investigation and consulting fees. As shown in Bar Chart 5, per victim cost for data breaches involving third parties is $231 versus $179, more than a $52 difference.
Posted by Ed Welsh, Director, Security & Compliance on February 1, 2010 2:14 PM
PCI DSS requirement 11.3.1 indicates the need for annual network penetration testing, which includes an "internal" penetration test by an experienced security tester. GSI has always supported this activity by working with whomever our clients ask to perform the testing. This requirement can be met by using experienced internal staff or third-party professionals (see 11.3 Supplement), and we have seen both. Even though the selection of who does the testing is easy to make, the location in the network from which to perform the internal testing is another matter.
The environments GSI manages at PCI levels of security are particularly isolated with strong two-factor controls required for all administrative entry points. These environments are characterized by strict firewall change-control procedures and system hardening with accompanying audits. Another feature of these secure environments is the complete lack of desktop-level systems. Environments meant to house highly secure single-function payment processing systems do not require the abundance of services seen in systems that support desktop access for users. There are not any personal directory shares, email clients, productivity packages, or Internet user communication technologies present on these systems.
All of this culminates in a distinct lack of what the PCI DSS would consider an "internal" network.
So where does that leave us regarding internal penetration testing for requirement 11.3?
There are two scenarios that can play out:
One is for the client's tester to be placed directly into the cardholder environment. This type of test assumes the attacker has already compromised at least one system in the environment, so its result reflects how much information could be accessed post-compromise. Many QSAs will accept this as a proper internal test of the environment even though it does not strictly adhere to the intent of 11.3. In my opinion, it is not a valid test of the environment's risk exposure, because it completely bypasses the perimeter and access protections it is meant to test.
The second scenario is for the client's QSA to give them a "pass" on the internal penetration test requirement with the knowledge that, by definition, an internal penetration test is not possible. There is not an internal network to test from. We are starting to see more of this as QSAs better understand how the environments are managed at GSI. This decision is not arrived at lightly and even when the QSA gives a pass for an internal penetration test, it is only after the environment meets specific criteria. We must prove that administrative access is strictly protected by two-factor authentication and VPN connectivity. We also must show that there are not any desktop networks directly connected to access shares or services. At GSI, this is easily done with configuration diagrams and firewall configurations.
I have stated in a previous article that the PCI standards will inevitably lead to risk-based implementations. The ability for highly protected environments to forgo an internal penetration test is an excellent example of how a QSA can take the risk approach into their own hands and utilize the PCI standard in a flexible way to meet the intent, save clients money, and concentrate security where needed -- all at the same time.
Posted by Kristine Hansen, Manager, Kansas City Business Development on January 13, 2010 3:25 PM
If you aren’t already familiar with Accelerent, but you are interested in a fantastic avenue for getting to know the KC business community, I’d like to share some information with you. GSI is a member of Accelerent, which is essentially a corporate business development organization made up of C-level execs in the Kansas City area. Currently, the organization has about 35 members, consisting of a wide variety of companies in the KC area. While they continue to recruit new member companies, they are also diligent about making sure that no two member companies are from the same industry. This is a great practice as it means that the group represents a broad spectrum of industries -- and also creates a tighter relationship among member companies without the presence of a competitive factor.
The organization hosts about 9 or 10 breakfasts throughout the year for its members and guests. We get together, listen to a featured speaker (always someone truly inspirational with their amazing achievements) and spend time meeting corporate executives from our area – an excellent opportunity to learn more about their businesses, as well as educate others about our own. At the last breakfast, we had more than 300 attendees – a prime opportunity for corporate networking and opening up doors for new business!
The next Accelerent breakfast is Friday, January 22, at 7:00 a.m. in Overland Park, KS. Peter Vidmar, the former Olympic gymnast, will be the featured speaker, and I’ve been told he is wonderful. You have to be either an Accelerent member or an invited guest to attend. So if you have even the slightest interest in coming, please do so, as my guest. (Please email me to RSVP.)
Now for the particulars. Prior to the actual breakfast, there is an Expo from 7 a.m. to 8 a.m. This is where introductions take place. If you’d like to see a list of attendees, let me know and I can send you a list of those who have RSVP’d so far. The next step would be for you to let me know if there is anyone on the list that you would like to meet (yes, I’ll make sure that happens!). Obviously, you are welcome to roam the room and make your own introductions, which I also suggest.
If this is of any interest to you, email me at khansen@gsihosting.com and I can do the registration for you. In addition, you are welcome to invite up to three clients of your own.
I sincerely hope that you – or any of your coworkers or clients you invite – decide to join us. I promise you won’t be disappointed!