It is a new year, and security threats keep evolving. So, what lies ahead for CISOs in 2015? Read on to find out.
Welcome to the New Year 2015! Again it is that time of year when you start to put new security best practices in place and resolve not to repeat the mistakes of the previous year. Have we actually learnt from last year's lessons? Perhaps yes, perhaps no. As the saying goes, security is not an end product but a continuous process, one that CISOs must keep working at throughout the year. In that spirit, this featured article looks at the security challenges CISOs will encounter this year and the strategies that should be consolidated in response.
The retailer Target suffered a large data breach during the 2013 holiday season and has still not come to terms with the reputational damage, nor with the sales impact it may continue to feel this year. In general, companies that become the target of such breaches find it hard to recover, restore their reputation and rebuild their business.
According to the 2014 Cost of Data Breach Study (Ponemon Institute, sponsored by IBM), the average cost of a data breach for a US company is estimated at $201 per record. The average number of records compromised per breached US organization is over 29,000. Put the other way round, that is over 5.8 million USD per breach (29,000 records at $201 each is roughly $5.83 million). So from a CISO's perspective, reducing the number of security and privacy breaches, or the number of records compromised in each, by even a modest percentage saves the organization a large sum that would otherwise go to lost business, legal fees or, worse, lasting reputational damage.
On the Information security front, it is imperative for CISOs to consider the following aspects in 2015.
Validation of Open Source Tools
The Shellshock (bash) and Heartbleed (OpenSSL) vulnerabilities of 2014 showed how heavily organizations depend on open source projects, and how thinly resourced some of those projects are relative to the work they carry. In many cases, industry experts point out, there is no realistic alternative to open source components. Organizations that use them should therefore have specific procedures to vet open source tools before adoption and to make sure their maintenance is not neglected afterwards: an inventory of which components and versions are in use, a check of each against published advisories, and a watch on whether the project is still releasing fixes. The real challenge this year lies in instituting such procedures, which in practice means both working on these issues internally and engaging more effectively with the open source communities that build the tools.
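The following is an added example, not code from the original article, of what such a vetting check can look like in practice: a component inventory is compared against known-affected version ranges and against a maintenance-staleness threshold. The inventory, the release dates and the 365-day threshold are constructed for illustration; the only advisory encoded is Heartbleed (CVE-2014-0160), which affects OpenSSL 1.0.1 through 1.0.1f inclusive and was fixed in 1.0.1g.

```python
"""Vet an inventory of open source components against known-affected
version ranges and a maintenance-staleness threshold.

Added example, not part of the original article.  INVENTORY, its release
dates and MAX_AGE_DAYS are constructed for illustration."""
import re
from datetime import date

# Known-affected ranges, inclusive: (component, lowest, highest, advisory).
# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
AFFECTED = [
    ("openssl", "1.0.1", "1.0.1f", "CVE-2014-0160 Heartbleed"),
]

# Constructed inventory: (component, version, date of that release).
INVENTORY = [
    ("openssl", "1.0.1e", date(2013, 2, 11)),
    ("openssl", "1.0.1g", date(2014, 4, 7)),
    ("bash", "4.3", date(2014, 2, 26)),
    ("zlib", "1.2.8", date(2013, 4, 28)),
]

MAX_AGE_DAYS = 365  # illustrative threshold for "no release in a year"


def parse_version(text):
    """Turn '1.0.1f' into a comparable tuple (1, 0, 1, 0, 'f').

    Numeric parts are padded to four places so '1.0.1' and '1.0.1.0'
    compare equal; the optional trailing letter (OpenSSL style) sorts
    after the bare number because '' < 'a' in Python.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (m.group(2),)


def vet(inventory, as_of, max_age_days=MAX_AGE_DAYS, affected=AFFECTED):
    """Return a list of (component, version, reason) findings."""
    findings = []
    for name, version, last_release in inventory:
        v = parse_version(version)
        # 1. Is this exact version inside a published affected range?
        for comp, low, high, advisory in affected:
            if comp == name and parse_version(low) <= v <= parse_version(high):
                findings.append((name, version, "known-vulnerable: " + advisory))
        # 2. Has the project gone quiet?  Staleness is a maintenance signal,
        #    not proof of a vulnerability, so it is reported separately.
        age = (as_of - last_release).days
        if age > max_age_days:
            findings.append((name, version, f"unmaintained: last release {age} days ago"))
    return findings


if __name__ == "__main__":
    for finding in vet(INVENTORY, as_of=date(2015, 1, 1)):
        print("%-8s %-8s %s" % finding)
```

Two caveats a practitioner will recognise. First, a version comparison is only as good as the version string: distributions routinely backport fixes without bumping the upstream version, which is exactly why the Shellshock advisories told administrators to run the behavioural test (`env x='() { :;}; echo vulnerable' bash -c "echo test"`) rather than trust `bash --version`. Second, the staleness rule flags quiet projects for review, not for removal; a mature library with no releases may simply be finished, and the point of the check is to make someone look.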
Creating Awareness & Priority of Technology
Cyber attacks are now commonplace, and security breaches are often traced to unpatched vulnerabilities and individual negligence. Even though BYOD has been a success in some organizations, it is still far from mass adoption. Where BYOD is implemented, it is the CISO's responsibility to create awareness of security best practices and to make sure they are actually followed by enforcing compliance. Processes and tools that enforce compliance, such as two-factor authentication, are widely available and CISOs should make full use of them, and should make sure the relevant professionals in their organization know why those tools are in place.
Mandatory Updating of Cryptography Solutions
Google has announced that Chrome will phase out trust in website certificates signed with the weak and outdated SHA-1 hash algorithm, as it already did for MD5. Note that MD5 and SHA-1 are hash algorithms used in certificate signatures, not encryption algorithms, so the fix is to have certificates reissued with a SHA-2 signature (SHA-256 or stronger) and, at the same time, to review the other cryptography in use. It is time for CISOs to make updating their organization's cryptography a mandatory, scheduled activity rather than something done only when a browser forces the issue.
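As an added example, not code from the original article, the check below reads the signatureAlgorithm field of a DER-encoded X.509 certificate and classifies it as weak (MD5 or SHA-1 based) or acceptable. It uses only the standard library and a minimal DER walker rather than a full X.509 parser; the sample certificate it builds is a constructed stand-in with a real certificate's outer framing (an empty tbsCertificate and dummy signature bytes), enough to exercise the check offline. The OID table and the `make_synthetic_cert` helper are this example's own.

```python
"""Flag X.509 certificates whose signature uses MD5 or SHA-1.

Added example, not part of the original article.  Only the outer DER
framing of a Certificate is parsed:
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE,
                               signatureAlgorithm SEQUENCE { OID, params },
                               signatureValue BIT STRING }
Multi-byte tag numbers (first byte 0x1F) are not handled; they do not
occur at this level of a certificate."""
import base64

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> (name, verdict)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "ok"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "ok"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "ok"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "ok"),
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OID content octets into dotted form, e.g. '1.2.840.113549.1.1.5'."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear ends the sub-identifier
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def load_certificate(data):
    """Accept PEM or DER bytes and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def signature_algorithm_oid(der):
    tag, start, _ = _read_tlv(der, 0)       # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)   # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def assess(data):
    """Return (algorithm name or raw OID, 'weak' | 'ok' | 'unknown')."""
    oid = signature_algorithm_oid(load_certificate(data))
    return SIGNATURE_OIDS.get(oid, (oid, "unknown"))


# --- constructed test material (hypothetical helper, not a real certificate) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def make_synthetic_cert(sig_oid):
    """Outer framing of a certificate only: empty tbsCertificate, NULL params,
    dummy BIT STRING.  Constructed for the example; not a usable certificate."""
    tbs = _tlv(0x30, b"")
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\x00" * 16)
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", assess(make_synthetic_cert(oid)))
```

For a real inventory, feed `assess()` the PEM or DER files harvested from load balancers, web servers and internal CAs; `openssl x509 -in cert.pem -noout -text` shows the same field under "Signature Algorithm" if you would rather script around the CLI. One caveat: check every certificate in the chain below the root, because an intermediate signed with SHA-1 triggers the same browser warning as a leaf, whereas a SHA-1 signature on a self-signed root is not a problem in itself, since the root is trusted by identity rather than by verifying its signature.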
The CISO's role continues to gain acceptance, both in the authority it carries and in the reporting line through which the security picture reaches the board. Today's CISOs are responsible for building a strategy and implementing it from a risk-management perspective.
In the following brief section, let’s take a look at the role of the CISO in dealing with risk management.
Enhancing Risk Management
Improving risk management requires CISOs to quantify threats and vulnerabilities, prevent what can be prevented, and keep up a steady flow of reporting to top executives. One of the key challenges is that the network changes continuously while scans for threats are run on a schedule, so the detailed analysis always describes a state that has already moved on. Against that moving target, the threat landscape remains dangerous, sophisticated and opaque to the CISO.
To address these issues, Industry experts recommend organizations should embrace continuous monitoring through real-time situational awareness on network activity accompanied by data-driven decision making as a security initiative.
Balancing the Dual Role
Gone are the days when the CISO was simply in charge of information security, measured by firewalls, security devices and applications, monitoring and breach detection, all of them defensive in nature. In the new world of risk management, the CISO's role is slowly shifting from security expert to business strategist. Organizations are now judged by how quickly they respond, so CISOs are asked to help prioritize and align security with business strategy. They are therefore expected to keep their traditional responsibilities for information security and risk management while also acting as business leaders.
Apart from the technical challenges CISOs face, finding the money for upgrades or new projects remains a major concern. From an industry and organizational perspective, there is also a talent crisis in the skill sets CISOs need on their teams.
In this brief section, let’s know more about these issues from a wider perspective.
Usual Budget Constraints
As always, there is a disconnect between the CISO's strategy and the finance function's budget. The uncertain economy and a growing commitment to cyber-security have pushed budgets up, yet CISOs have often been unsuccessful in tapping supplemental resources from business leaders, and budgets remain insufficient to fully implement effective cyber-security projects. That remains one of the top challenges for CISOs in most organizations. Experts believe that budget requests are sometimes refused not because the money is unavailable but because the request itself is weak: a cyber-security strategy whose priorities are not well thought out and fully vetted gives top executives every reason to cut it back.
Inadequate Skill-sets & Talent Crisis
There is a shortage in the industry of CISOs capable of meeting today's and tomorrow's security challenges, and alongside it a shortage of professionals who understand the nuances of IT security. The skill sets needed for effective cyber-security protection and monitoring are in heavy demand across all sectors. Private-sector opportunities and salaries have traditionally been better than those offered by government, so it is no wonder that CISOs in the public sector struggle to recruit and retain people with the right skills; they will need to establish career paths and find creative ways to build their cyber-security teams.
THE ROAD AHEAD
New technologies and new security threats change the risk landscape daily. Today's CISOs need to communicate effectively with senior executives and business leaders on information security, risk management and compliance, and to take the lead in keeping escalating cyber threats under control with the security technologies available. They also need to proactively monitor and evaluate major IT trends and developments in the threat landscape. A CISO with a clear view of likely future security and privacy issues can engage confidently in setting the year's business strategy and ensure that security is no longer an afterthought when strategic initiatives are decided and implemented.
The new year will certainly bring new threats, so every CISO should prepare for vulnerabilities that cannot yet be foreseen. The new generation of CISOs has the potential to get ahead of the security and privacy concerns of 2015 and beyond.
Have a great security year – 2015!