Chief Information Security Officer Priorities For 2019

Oracle

Keep your customer data safe and your company’s name out of the newspapers, that’s a good first goal. Keep your confidential data out of the hands of competitors or foreign adversaries, that’s also important. Assure customers and partners that you are safe to do business with? That’s essential, too. How about keeping your CEO from testifying before Congress about a data breach? Wow, this list is getting long.

Truth is, it’s not easy being a chief security officer (CSO) or chief information security officer (CISO) these days, but then again, it never was. Threats are everywhere, thanks to both external agents (hackers) and internal hazards (disgruntled employees). Confidential data, including financial and customer info, is stored in data centers, laptops, mobile devices, and cloud services, and maintaining security across these systems is no easy feat.

Industry rules and government regulations are tougher, and bad actors are finding new ways to get into networks, subvert the Internet of Things, and harm you via phishing scams and malware. Meanwhile, you need to convince customers, insurers, and regulators that your products and services are secure, because more of your interactions with customers depend on having good data.

For the CISO, this translates to a set of big-picture priorities like those described above, such as maintaining your customers’ trust and keeping the organization’s name out of the headlines. To accomplish those big priorities, here are six essential areas where security executives will spend their time, mental energy, and money in 2019.

1. Gain threat visibility across all platforms

You can’t secure what you can’t see, and that’s why the top CISO goal for 2019 is to gain true visibility into cloud, mobile, and on-premises assets—and be able to quickly see and correlate risk and incidents across all those platforms.

Having data spread across multiple tiers of applications and cloud services, and sometimes out on unauthorized services, “has greatly impacted the CISO’s ability to have unified visibility,” says Greg Jensen, senior principal director of cloud security at Oracle, and co-author of the forthcoming Oracle/KPMG Cloud Threat Report 2019.

“Hidden in the mounds of security data across every enterprise could be the fingerprints and telltale signs of an attack,” Jensen says. But here’s the problem: only 16% of CISOs are able to collect, analyze, and respond to 75% or more of their security event telemetry, according to the Oracle/KPMG research, which will be released in February.

The typical data compromise, CISOs in the survey say, leads to two key actions by the company: First, hold leadership accountable. Second, provide increased funding to ensure it won’t happen again.

The key to avoiding that wrath, believes Jensen, is increased visibility by the security team. Everywhere.

2. Understand the new perimeter

Thanks to cloud computing, mobile devices like smartphones, and IoT, the classic enterprise perimeter is an obsolete notion. This means that operations—both security and IT—must change assumptions about safe traffic, trusted users, and the idea that there is a single demarcation point between public and private clouds.

“The new perimeter has been pushed up into the cloud and into the hands of every user in the form of their identity,” says Jensen.

CISOs are now grappling with new approaches to managing those perimeters. Those options might include “next-generation” firewalls that run in the cloud, new identity management systems that consolidate identities across the enterprise and into the cloud, and attack-detection and analysis systems that can spot sophisticated hybrid attacks.

3. Nurture a culture of security

“Security is first and foremost a cultural norm,” says Mary Ann Davidson, Oracle’s chief security officer, a key contributor to the Oracle/KPMG Cloud Threat Report. “If it is not a cultural norm, you will lose.”

This is particularly true for providers of cloud services, software, and hardware, like Oracle. Accomplishing that requires following industry-standard compliance processes for software development, data protection, and access management. Davidson is involved in areas such as the company’s secure coding standards and response to vulnerability reports for Oracle itself and for its customer-facing products and services.

But culture must always go hand-in-hand with policies and best practices. For example, when it comes to developing secure software, “Every single developer is personally responsible for the code he or she writes,” says Davidson. “Security is not quality assurance’s job, the white-hat hackers' job, even the security people's job—every single person has some responsibility for security.”

Davidson emphasizes that the popular drive toward rapid development using cloud technologies, Agile development techniques, and continuous integration/continuous deployment can encourage secure software development—as long as there’s no pressure to take shortcuts. When done right, security is built into all of those approaches.

4. Align security operations with IT operations

The goals of the security operations team (under the CISO) and the IT operations team (under the CIO or CTO) can appear to be at odds. To vastly oversimplify: The security team’s #1 job is to keep data safe, and this often means saying “no.” The IT team’s #1 job is to do projects, seize opportunities, and help the business grow revenue, and this skews toward saying “yes.”

“CISOs often don’t look through the same lens as their CIO counterparts,” says Jensen.

Indeed, CISOs often feel that the burden of resolving any misalignment between SecOps and IT ops falls overwhelmingly on them, with the broader IT team less likely to feel pressure to compromise.

For example: 89% of CIOs say their organizations sometimes delay a patch, while 99% of CISOs say their organizations sometimes delay. “CISOs are more aggressive with regards to patch management,” Jensen says. One reason companies turn to cloud-based services is that, in some cases, patching and upgrading are handled by the cloud provider, as with the Oracle Autonomous Database.

CISOs bring a mindset of “you must prove you can be trusted.” Back to that culture question: IT operations broadly would do well to take more of that view, especially with the risk of unprotected assets on cloud servers, databases, and mobile devices.

5. Address the risks from inside the firewall

Employees and contractors represent a threat—sometimes intentionally, sometimes not. Perhaps a disgruntled employee wants to steal and release data, or otherwise cause mischief. Perhaps a happy but poorly trained employee clicks on a phishing scam and gives away a key password or installs malware giving a hacker remote access. In any of those cases, an attack won’t be launched through the perimeter, but from within the network, or from within an authorized device.

This brings up the question of encryption: Whether confidential data is stored in a data center, on end-user devices, or in the cloud, CISOs need to assess whether it should be encrypted, and if it is, use strong key management. That applies to service providers too; CISOs need to review software as a service, cloud storage, and other vendors for encryption capabilities and practices to ensure that the customer information is appropriately protected. In some cases, that can even mean that the vendor’s employees—who may have access privileges similar to the customer’s employees—can’t see it.

Security training was one of the biggest areas of security investment in 2018, the Oracle/KPMG research found, in large part to stem insider risk. Driving this training is the push to ensure all employees are aware of the data security risks and compliance requirements that continue to grow each year, with email still a top form of attack. Research from the security firm FireEye found 91% of attacks started with a phishing email, Jensen says. Another common attack comes from misuse of privileged accounts by employees. That’s when an employee uses borrowed, stolen, or hacked administrative credentials to perform a function or access data he or she isn’t supposed to use.

The need for more training and education isn’t just about general employees; it also extends to building security skills among the IT and cybersecurity teams, who need constant training to help defend against tomorrow’s threats. Security talent isn’t easy or cheap to hire and retain.

6. Manage security in the cloud

Shadow IT is a big concern for CISOs. Employees find it convenient to store and share confidential business information on free file sharing platforms such as Google Drive, Microsoft OneDrive, or Dropbox, or in collaboration services like Slack and Evernote. Developers can spin up free or inexpensive accounts for code sharing on platforms such as GitHub or SourceForge. Developer teams can even develop and launch entire apps, complete with customer data, using cloud resources that never show up on an IT budget.

“Organizations are dealing with a huge conundrum around shadow IT and the use of unsanctioned cloud apps by employees,” says Jensen. “This becomes a priority for the CISO to ensure employees are not placing confidential data on services without permission.”

The security concerns aren’t only in free or low-cost services. “Say a trusted employee based out of New York suddenly starts to access the company’s cloud-based enterprise resource management from overseas, in a time frame out of the norm, and processes financial transactions ten times higher than normal,” Jensen says. CISOs increasingly are investing in systems that can spot those kinds of red flags and take steps such as forcing the use of multi-factor authentication.

A Thankless and Vital Job

In 2019, CISOs have a lot on their plate, as they ensure data security while also helping the business grow. It’s a tough job, and often thankless. By focusing on these priorities, CISOs can do their part to keep the organization on the right path by reducing risks and focusing on turning the “no” into a “yes.”