Do the Marriott cybersecurity settlements send the wrong message to CISOs CFOs CSO Online
Topics
Events
Newsletters
Resources
Community
Home
Business Operations
Do the Marriott cybersecurity settlements send the wrong message to CISOs, CFOs?
evan_schuman
by Evan Schuman
Contributor
Do the Marriott cybersecurity settlements send the wrong message to CISOs, CFOs?
News
10 Oct 2024
10 mins
Cyberattacks
Data Breach
Legal
To partially close the loop on the fallout from three major data breaches between 2014 and 2020 impacting more than 344 million customers, Marriott has settled both with the Federal Trade Commission and almost every American state. But the terms of the settlements are worrying some cybersecurity executives.
data privacy data breach
Credit: Lightspring / Shutterstock
Years after having been hit by a trio of major data breaches between 2014 and 2020, Marriott announced on Wednesday settlements both with the US Federal Trade Commission (FTC) and a group of the attorneys general (AGs) from almost every US state.
But the settlements disappointed many in the cybersecurity community, as both the monetary penalties and the cybersecurity requirements negotiated seemed woefully insufficient for a company the size of Marriott, which reported revenue of $23.7 billion last year.
The lackluster list of cybersecurity requirements sends the wrong signal to enterprise CISOs throughout the country, said Richard Blech, CEO of encryption company XSOC. “It gives CFOs an out. ‘Oh my God, that’s all that we have to do?’ This allows them to just check the box. They can then minimize [security spend] so that they think they don’t have to spend any more money,” Blech said. “It is going to take all of the CISO’s negotiating power away. It will slow down the CISO doing something, as it will allow the CFO to say ‘Let’s put it in next year’s budget.’ They compromised.”
The two deals — with the states and the FTC — were negotiated separately, but in parallel. The security requirements list that each published have overlaps, but the lists are not the same.
The states collectively negotiated a $52 million payment. The state AGs involved represented 49 US states plus Washington, DC; California did not participate.
California explained that it did not participate because “the data at issue in this breach was, at the time, not covered by California’s data breach laws. We addressed that through AB 1130, which was inspired by this breach. Please see the October 2019 press release announcing this legislation,” said an email from the California Attorney General’s press office.
Security requirements in the settlements
The cybersecurity requirements from the states included:
A comprehensive information security program that would be “incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the chief executive officer, and enhanced employee training on data handling and security.”
Data minimization and disposal requirements.
Component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
In the future, if Marriott acquires another entity, it must in a timely manner further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.
Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts.
The FTC requirements included:
Data minimization: Marriott must implement a policy to “retain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected. The companies also must share the purpose behind collecting personal information and the specific business need for retaining it.”
Comprehensive information security program: Marriott and Starwood are required to establish, implement, and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years. The information security program must contain robust safeguards, and undergo an independent, third-party assessment every two years.
Data deletion: The companies must provide a link for customers to request deletion of personal information associated with an email address and/or a loyalty rewards program account number.
The FTC found that Marriott had “deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete, or disclose consumers’ personal information.”
Requirements not specific enough
The concern about the requirements was not solely that they were too low level, but that they were not sufficiently specific to be meaningful. For example, they did not specify the nature of the multi-factor authentication to be used or the particulars of a proposed zero-trust effort.
CSO Smart Answers Learn more
Explore related questions
How do data breaches impact consumer trust in companies?
What are the benefits of implementing zero-trust principles in information security programs?
What role do CISOs play in preventing data breaches?
How do CFOs prioritize cybersecurity spending in their budgets?
What are the benefits of implementing multi-factor authentication for consumer accounts?
Ask a question
Ask
Two FTC attorneys involved in the Marriott negotiations, who asked that their names not be used, said in an interview with CSO that providing many of the specifics would not have been practical, given that the agreement is written to last 20 years.
“This is a 20 year order. What is state-of-the-art today will not be state-of-the-art in 2044,” said one of the FTC attorneys. “It would be like specifying that data was to be backed up with something like an 8-track tape.”
The FTC staffers said that many of these requirements would be new to Marriott, but they then clarified that they meant ‘new’ as in capabilities they didn’t have during the initial breaches in 2014 through 2020. They stressed that they did not know what Marriott has added since then.
Marriott did not respond to a request to clarify.
The company did, however, issue a generic statement responding to the settlements.
“As part of the resolutions with the FTC and the state attorneys general, Marriott will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress,” said the statement. “Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”
Penalties insufficient, say experts
Roger Grimes, a defense evangelist at cybersecurity training company KnowBe4, cautioned security executives to not assume that the Marriott issues, which were mostly due to sloppiness and cutting corners, are unique to the hotel chain.
Don’t think Marriott “is a uniquely bad company poorly implementing cybersecurity controls while the majority of the rest of the world is doing everything right. Most organizations have large gaps in their cybersecurity controls. Most are not doing many basic things right. Marriott is far from an unusual bad actor,” Grimes said. “Most companies are doing cybersecurity controls like Marriott is doing, which is to say, likely doing a lot of the right things, but also with many gaps and many poorly implemented controls. Cybersecurity is often talked about as something we need to take very seriously, but in practice, most organizations have serious gaps.”
Matthew Webster, CEO of security firm Cyvergence, said he was also concerned about the settlements’ particulars.
“There are more questions than answers here regarding Marriott, but this settlement seems woefully insufficient. There are obvious challenges that need to be addressed,” Webster said. “There are the obvious failings such as poor detection methodologies, such as a SIEM, NGAV, EDR, but there are larger pictures to consider.”
Blech stressed that these lists are not likely what the states or the FTC wanted, but it was the best agreement they could get from Marriott.
“It was based on a settlement. That means compromise, which is not good. Marriott does not give a damn about the monetary penalty, that’s just the cost of doing business for them. What they settled for is just a minimum of what they should have been doing anyway and now are made to do it, which they probably dislike far more than the monetary penalty,” Blech said. “They really should be penalized far more, as in losing some of their properties; that would be far more punitive and effective. A three time offender is just not acceptable.”
Blech added: “Given the level of the breaches, they certainly did not engage in best practices or proper cybersecurity hygiene, especially with access controls. And clearly they did not use encryption properly, or at all, where needed.”
Indeed, Marriott falsely said in court for five years that it had been using robust authentication, when in reality they had not used any encryption at all.
A ‘cascade of multiple failures’
“The fact that it took Marriott years to detect cybercriminals lurking in their systems is unacceptable and could’ve been avoided had their IT leaders been more proactive and strategic about cyber hygiene,” said Marc van Zadelhoff, CEO of email security firm Mimecast. “This was not one small miss but a ‘Black Swan’ event that was a consequence of a cascade of multiple failures.”
Robert Kramer, a VP/principal analyst for Moor Insights & Strategy, said that the key problem behind the breaches were security issues within the Starwood systems that Marriott inherited during the acquisition.
Marriott’s failing was that they suffered from “a huge lack of due diligence during the acquisition,” and that the new security mandates “are not going to be enough,” Kramer said. “They are not doing nearly enough that is out of the box,” such as using blockchain ledgers.
The new stipulations “do not dive into enough details to make sure that this doesn’t happen again,” Kramer said. “This is all about implementing policies without a delivery mechanism of the right success factors.”
“The FTC did not come out hard enough, with specific details. They needed to be much harsher. They should not get off with this kind of slap on the wrist. This does not show the proper level of concern about what is needed,” Kramer said. “And that undermines what is required to have advanced security. It undermines what enterprises need to require as a standard. It undercuts the spending that the CFO will receive from the CEO.”
Kramer specifically referenced the states’ requirement for Marriott to be “incorporating zero-trust principles.” Said Kramer: “It’s just far too loose. It’s an idea. There is no basis and no specificity in what they need to do to implement it. To say ‘principles’ is ludicrous. It’s a bunch of words just to put words out there. It means absolutely nothing. There is no meaning to it.”
Katell Thielemann, distinguished VP analyst at Gartner, said that she expects future settlements for other companies to potentially be more stringent.
“Now that this playbook is in place, I can see it being invoked more frequently and with increasing security mandates as the consequences of the breaches warrant,” Thielemann said. “Should another cyber attack result in different impacts for individuals — for instance, direct financial harm — or society — for instance, as a result of the increasing attacks on critical infrastructure — the mandated security actions should ratchet up commensurate with those impacts. Now that the playbook is in place, it will hopefully not take 10 years for such settlements to be reached.”
Related content
news
CrowdStrike failure: the beginning of the end of software without guarantees?
CrowdStrike’s crash-inducing security software update raises concerns about suppliers’ responsibility to offer quality guarantees for their products.
By Francisca Domínguez Zubicoa
01 Aug 2024
8 mins
Legal
Security Software
news
Federal judge greenlights securities fraud charges against SolarWinds and its CISO
Although the court dismissed most of the SEC’s charges in its lawsuit against SolarWinds, the by far most serious charge – securities fraud by both the company and its CISO – survived. CISOs have little reason to celebrate.
By Evan Schuman
19 Jul 2024
6 mins
CSO and CISO
Legal
Vulnerabilities
news analysis
US Supreme Court ruling will likely cause cyber regulation chaos
The ruling could weaken almost all US federal cybersecurity regulations, including SEC incident reporting, FCC data breach reporting, and CISA cyber incident reporting rules.
By Cynthia Brumfield
02 Jul 2024
9 mins
CSO and CISO
Regulation
Government
PODCASTS
VIDEOS
RESOURCES
EVENTS
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
Enter your email here
Subscribe
evan_schuman
by Evan Schuman
Contributor
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at [email protected] and he can be followed at http://www.linkedin.com/in/schumanevan/. Look for his blog twice a week.
The opinions expressed in this blog are those of Evan Schuman and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
More from this author
Show me more
Popular
Articles
Podcasts
Videos
feature
How AI is becoming a powerful tool for offensive cybersecurity practitioners
By John P. Mello Jr.
17 Oct 2024
8 mins
Penetration Testing
Threat and Vulnerability Management
Security Practices
Image
podcast
CSO Executive Sessions: Guardians of the Games - How to keep the Olympics and other major events cyber safe
07 Aug 2024
17 mins
CSO and CISO
Image
video
CSO Executive Sessions: New World Development’s Dicky Wong on securing critical infrastructure
16 Oct 2024
12 mins
Critical Infrastructure
Security
Image
About
About Us
Advertise
Contact Us
Foundry Careers
Reprints
Newsletters
BrandPosts
Policies
Terms of Service
Privacy Policy
Cookie Policy
Copyright Notice
Member Preferences
About AdChoices
E-commerce Links
Your California Privacy Rights
Privacy Settings
Our Network
CIO
Computerworld
Infoworld
Network World
LinkedIn
X
Facebook
Copyright © 2024 IDG Communications, Inc.
Events
Newsletters
Resources
Community
Home
Business Operations
Do the Marriott cybersecurity settlements send the wrong message to CISOs, CFOs?
evan_schuman
by Evan Schuman
Contributor
Do the Marriott cybersecurity settlements send the wrong message to CISOs, CFOs?
News
10 Oct 2024
10 mins
Cyberattacks
Data Breach
Legal
To partially close the loop on the fallout from three major data breaches between 2014 and 2020 impacting more than 344 million customers, Marriott has settled both with the Federal Trade Commission and almost every American state. But the terms of the settlements are worrying some cybersecurity executives.
data privacy data breach
Credit: Lightspring / Shutterstock
Years after having been hit by a trio of major data breaches between 2014 and 2020, Marriott announced on Wednesday settlements both with the US Federal Trade Commission (FTC) and a group of the attorneys general (AGs) from almost every US state.
But the settlements disappointed many in the cybersecurity community, as both the monetary penalties and the cybersecurity requirements negotiated seemed woefully insufficient for a company the size of Marriott, which reported revenue of $23.7 billion last year.
The lackluster list of cybersecurity requirements sends the wrong signal to enterprise CISOs throughout the country, said Richard Blech, CEO of encryption company XSOC. “It gives CFOs an out. ‘Oh my God, that’s all that we have to do?’ This allows them to just check the box. They can then minimize [security spend] so that they think they don’t have to spend any more money,” Blech said. “It is going to take all of the CISO’s negotiating power away. It will slow down the CISO doing something, as it will allow the CFO to say ‘Let’s put it in next year’s budget.’ They compromised.”
The two deals — with the states and the FTC — were negotiated separately, but in parallel. The security requirements list that each published have overlaps, but the lists are not the same.
The states collectively negotiated a $52 million payment. The state AGs involved represented 49 US states plus Washington, DC; California did not participate.
California explained that it did not participate because “the data at issue in this breach was, at the time, not covered by California’s data breach laws. We addressed that through AB 1130, which was inspired by this breach. Please see the October 2019 press release announcing this legislation,” said an email from the California Attorney General’s press office.
Security requirements in the settlements
The cybersecurity requirements from the states included:
A comprehensive information security program that would be “incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the chief executive officer, and enhanced employee training on data handling and security.”
Data minimization and disposal requirements.
Component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
In the future, if Marriott acquires another entity, it must in a timely manner further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.
Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts.
The FTC requirements included:
Data minimization: Marriott must implement a policy to “retain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected. The companies also must share the purpose behind collecting personal information and the specific business need for retaining it.”
Comprehensive information security program: Marriott and Starwood are required to establish, implement, and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years. The information security program must contain robust safeguards, and undergo an independent, third-party assessment every two years.
Data deletion: The companies must provide a link for customers to request deletion of personal information associated with an email address and/or a loyalty rewards program account number.
The FTC found that Marriott had “deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete, or disclose consumers’ personal information.”
Requirements not specific enough
The concern about the requirements was not solely that they were too low level, but that they were not sufficiently specific to be meaningful. For example, they did not specify the nature of the multi-factor authentication to be used or the particulars of a proposed zero-trust effort.
CSO Smart Answers Learn more
Explore related questions
How do data breaches impact consumer trust in companies?
What are the benefits of implementing zero-trust principles in information security programs?
What role do CISOs play in preventing data breaches?
How do CFOs prioritize cybersecurity spending in their budgets?
What are the benefits of implementing multi-factor authentication for consumer accounts?
Ask a question
Ask
Two FTC attorneys involved in the Marriott negotiations, who asked that their names not be used, said in an interview with CSO that providing many of the specifics would not have been practical, given that the agreement is written to last 20 years.
“This is a 20 year order. What is state-of-the-art today will not be state-of-the-art in 2044,” said one of the FTC attorneys. “It would be like specifying that data was to be backed up with something like an 8-track tape.”
The FTC staffers said that many of these requirements would be new to Marriott, but they then clarified that they meant ‘new’ as in capabilities they didn’t have during the initial breaches in 2014 through 2020. They stressed that they did not know what Marriott has added since then.
Marriott did not respond to a request to clarify.
The company did, however, issue a generic statement responding to the settlements.
“As part of the resolutions with the FTC and the state attorneys general, Marriott will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress,” said the statement. “Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”
Penalties insufficient, say experts
Roger Grimes, a defense evangelist at cybersecurity training company KnowBe4, cautioned security executives to not assume that the Marriott issues, which were mostly due to sloppiness and cutting corners, are unique to the hotel chain.
Don’t think Marriott “is a uniquely bad company poorly implementing cybersecurity controls while the majority of the rest of the world is doing everything right. Most organizations have large gaps in their cybersecurity controls. Most are not doing many basic things right. Marriott is far from an unusual bad actor,” Grimes said. “Most companies are doing cybersecurity controls like Marriott is doing, which is to say, likely doing a lot of the right things, but also with many gaps and many poorly implemented controls. Cybersecurity is often talked about as something we need to take very seriously, but in practice, most organizations have serious gaps.”
Matthew Webster, CEO of security firm Cyvergence, said he was also concerned about the settlements’ particulars.
“There are more questions than answers here regarding Marriott, but this settlement seems woefully insufficient. There are obvious challenges that need to be addressed,” Webster said. “There are the obvious failings such as poor detection methodologies, such as a SIEM, NGAV, EDR, but there are larger pictures to consider.”
Blech stressed that these lists are not likely what the states or the FTC wanted, but it was the best agreement they could get from Marriott.
“It was based on a settlement. That means compromise, which is not good. Marriott does not give a damn about the monetary penalty, that’s just the cost of doing business for them. What they settled for is just a minimum of what they should have been doing anyway and now are made to do it, which they probably dislike far more than the monetary penalty,” Blech said. “They really should be penalized far more, as in losing some of their properties; that would be far more punitive and effective. A three time offender is just not acceptable.”
Blech added: “Given the level of the breaches, they certainly did not engage in best practices or proper cybersecurity hygiene, especially with access controls. And clearly they did not use encryption properly, or at all, where needed.”
Indeed, Marriott falsely said in court for five years that it had been using robust authentication, when in reality they had not used any encryption at all.
A ‘cascade of multiple failures’
“The fact that it took Marriott years to detect cybercriminals lurking in their systems is unacceptable and could’ve been avoided had their IT leaders been more proactive and strategic about cyber hygiene,” said Marc van Zadelhoff, CEO of email security firm Mimecast. “This was not one small miss but a ‘Black Swan’ event that was a consequence of a cascade of multiple failures.”
Robert Kramer, a VP/principal analyst for Moor Insights & Strategy, said that the key problem behind the breaches were security issues within the Starwood systems that Marriott inherited during the acquisition.
Marriott’s failing was that they suffered from “a huge lack of due diligence during the acquisition,” and that the new security mandates “are not going to be enough,” Kramer said. “They are not doing nearly enough that is out of the box,” such as using blockchain ledgers.
The new stipulations “do not dive into enough details to make sure that this doesn’t happen again,” Kramer said. “This is all about implementing policies without a delivery mechanism of the right success factors.”
“The FTC did not come out hard enough, with specific details. They needed to be much harsher. They should not get off with this kind of slap on the wrist. This does not show the proper level of concern about what is needed,” Kramer said. “And that undermines what is required to have advanced security. It undermines what enterprises need to require as a standard. It undercuts the spending that the CFO will receive from the CEO.”
Kramer specifically referenced the states’ requirement for Marriott to be “incorporating zero-trust principles.” Said Kramer: “It’s just far too loose. It’s an idea. There is no basis and no specificity in what they need to do to implement it. To say ‘principles’ is ludicrous. It’s a bunch of words just to put words out there. It means absolutely nothing. There is no meaning to it.”
Katell Thielemann, distinguished VP analyst at Gartner, said that she expects future settlements for other companies to potentially be more stringent.
“Now that this playbook is in place, I can see it being invoked more frequently and with increasing security mandates as the consequences of the breaches warrant,” Thielemann said. “Should another cyber attack result in different impacts for individuals — for instance, direct financial harm — or society — for instance, as a result of the increasing attacks on critical infrastructure — the mandated security actions should ratchet up commensurate with those impacts. Now that the playbook is in place, it will hopefully not take 10 years for such settlements to be reached.”
Related content
news
CrowdStrike failure: the beginning of the end of software without guarantees?
CrowdStrike’s crash-inducing security software update raises concerns about suppliers’ responsibility to offer quality guarantees for their products.
By Francisca Domínguez Zubicoa
01 Aug 2024
8 mins
Legal
Security Software
news
Federal judge greenlights securities fraud charges against SolarWinds and its CISO
Although the court dismissed most of the SEC’s charges in its lawsuit against SolarWinds, the by far most serious charge – securities fraud by both the company and its CISO – survived. CISOs have little reason to celebrate.
By Evan Schuman
19 Jul 2024
6 mins
CSO and CISO
Legal
Vulnerabilities
news analysis
US Supreme Court ruling will likely cause cyber regulation chaos
The ruling could weaken almost all US federal cybersecurity regulations, including SEC incident reporting, FCC data breach reporting, and CISA cyber incident reporting rules.
By Cynthia Brumfield
02 Jul 2024
9 mins
CSO and CISO
Regulation
Government
PODCASTS
VIDEOS
RESOURCES
EVENTS
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
Enter your email here
Subscribe
evan_schuman
by Evan Schuman
Contributor
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. Evan can be reached at [email protected] and he can be followed at http://www.linkedin.com/in/schumanevan/. Look for his blog twice a week.
The opinions expressed in this blog are those of Evan Schuman and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
More from this author
Show me more
Popular
Articles
Podcasts
Videos
feature
How AI is becoming a powerful tool for offensive cybersecurity practitioners
By John P. Mello Jr.
17 Oct 2024
8 mins
Penetration Testing
Threat and Vulnerability Management
Security Practices
Image
podcast
CSO Executive Sessions: Guardians of the Games - How to keep the Olympics and other major events cyber safe
07 Aug 2024
17 mins
CSO and CISO
Image
video
CSO Executive Sessions: New World Development’s Dicky Wong on securing critical infrastructure
16 Oct 2024
12 mins
Critical Infrastructure
Security
Image
About
About Us
Advertise
Contact Us
Foundry Careers
Reprints
Newsletters
BrandPosts
Policies
Terms of Service
Privacy Policy
Cookie Policy
Copyright Notice
Member Preferences
About AdChoices
E-commerce Links
Your California Privacy Rights
Privacy Settings
Our Network
CIO
Computerworld
Infoworld
Network World
X
Copyright © 2024 IDG Communications, Inc.
