We all know that the role of the CISO is changing; we’re expected to have a professional toolkit of astute business leader, technical guru and possess a Ph.D. in Powerpoint. What is less well documented are the pain points which are common across all industries. The differences often come to the fore - security execs tend to stay within a vertical, and for the majority of my career, I was no exception. I have taken the leap from the end-user or customer space, into the world of security platform vendor and in my new role, I get to speak with leaders in all industries and the similarities far outweigh any esoteric differences.
While regulation differs across industry, technology is pervasive in all fields. Everyone is handling customer data, all industries have a web presence, a breach has a catastrophic effect on stock price, shareholder confidence, and your board credibility. Granted, regulations in certain industries which require prescriptive controls but good security hygiene should not be reserved for those in government or financial services. The days of ‘we’re not a target of cyber criminals because we only sell ‘x’’ are long gone. Criminals vary from the state-sponsored looking for targeted intel through to the opportunistic seeking to make a few dollars.
I am six months into my role with Zscaler. I have had the opportunity to park any bias I may had had from personal experience and put together a collection of CISO challenges that I see in the field. These issues are not reserved for a particular vertical; they apply to all organisations with a digital presence and sensitive information.
Challenge #1: Information Overload
In the world of IoT, cloud, mobile and SaaS, the first challenge is we’re generating too much information. The issue with detect and respond is that we’re now logging everything. To detect and respond, we need to know what we’re looking for. Loosely-coupled systems and point solutions exacerbate the issue. Logging in isolation does not fix the problem.
When discussing the use of threat intelligence in the context of terrorism, Bruce Schneier once wrote that we were in danger of having the same needle, just with a much bigger haystack. The same could be said for cyber security. CISOs need reliable indicators of compromise and threat intelligence if they’re to find the needle in this ever-growing haystack.
Challenge #2: Attacks are being sensationalised & regulations are forcing us to disclose
It seems that every cyber-attack these days is immediately attributed to a sophisticated state-sponsored campaign. This rhetoric feels like a means to placate the public; the view being that the complexity of attack was such that no organisation could defend themselves. We need to think about the tools, techniques and procedures that the actor is adopting. But in a world of cloaking and anonymisation, can we ever be truly sure who is attacking us?
Another consideration is the GDPR. A 72-hour window for the reporting of breaches will mean that companies will need to better understand their data-flows and have a more comprehensive view of the threat landscape. It is likely that such stringent regulation will force organisations to implement structured cyber incident response plans with the goal of replicating attacks, understanding responsibilities and returning information promptly and accurately.
Challenge #3: Ransomware - the Threat of 2016
Ransomware has become a profitable business for the bad guys. We’re seeing numerous affiliate schemes where criminals are leasing ransomware infrastructure to other criminals and taking a percentage of the profits. This evidences the same service-based model we see in all industries. With this framework, the barriers to entry are lowered, and more criminals are turning to ransomware.
A challenge for the organisation is ‘to pay or not to pay’? The cost to organisations could be high although when compared to the costs of data loss, still a price they’re willing to pay. CISOs might adopt the moral high ground and call out that payment is supporting extortion but at the end of the day, downtime costs money. In some cases, peoples’ lives are on the line. CISOs are starting to look at ransomware 2.0 – the logical evolution of ransomware is to target the myriad of network connected appliances we’re calling the ‘internet of things’.
Challenge #4: Internet of Things - the next big target
With the definition of 'computer' becoming more opaque every day, the race to secure corporate assets is on. It’s not just traditional office equipment: printers and projectors we need to consider, it’s less obvious devices like the refrigerator and coffee maker.
All these devices create access points with which hackers can infiltrate a company’s network and it's for CISOs to implement a consistent set of security controls. The question is, if we’re not providing security assurance for all devices under our control, are we negligent if these devices start attacking other machines? Security used to be about protecting the confidentiality, integrity and availability of our data; have the tides turned? Does the CISO now need to worry about the protection of our critical internet infrastructure? If so, a significant paradigm shift will be needed in the way we approach cyber security.
Challenge #5: I’m worried about DDoS-ing myself!
All employees now have phones, tablets and laptops connecting to the outside world and software-as-a-service applications. This is increasing the network demands of organisations.
The problem for CISOs is that their pipe to the web was not specified for such sustained volumes of traffic and they are concerned that without bandwidth optimisation and packet shaping technologies, the increased amount of traffic will prevent access to legitimate business applications.
For the security controls, this adds another burden. Can our security gateways cope with the increased throughput? If they can now, what about with the exponential growth of encrypted traffic? Often concessions around security control have to be applied just to keep the lights on.
Challenge #6: My Board wants meaningful metrics
Central to these challenges and concerns is managing the expectations of Boards that generally are not comprised of security professionals. Increasingly they are funding new cyber security programmes and initiatives without understanding that while they mitigate the risks of a breach, no framework is infallible.
Quite often, they don’t know what information that want or need. What they don’t need to know about are the 350,000 anti-malware alerts that demonstrate the tool they paid for is working. They simply need assurance that they have playbooks which are rehearsed and understood by all stakeholders.
Convincing the Board of security credibility means being able to pinpoint what indicators of compromise look like, shorten the time from infection to identification and reassure them that recovery from attacks will be swift.