There’s no need for me to re-hash all the reasons why information security within enterprises has greater exposure in 2015 than at any time in the industry’s short history. CISOs will face the double-edged sword of increased exposure and importance within the executive ranks together with increased accountability to the CEO and Board of Directors.
Noise from the information security technology industry is also at an all-time high. Every vendor blasts a variant of the same message: "We can help protect you."
Information security budgets may increase in 2015, but challenges are still manifold. How exactly does a CISO cut through all the noise and set appropriate priorities?
1. Increase visibility into what is actually happening in your enterprise
There are two parts to this story: too much data and too little data.
Too little data - On the other hand, many have very limited security data about what is happening within fully deployed applications that run our businesses. Few (if any) applications generate alerts about security threats at runtime, when they materialize. Does your application tell you if there is an attempt at data exfiltration via SQL injection while it is running?
Information security leaders are investing in technologies that provide actionable intelligence derived from the "big data" surrounding network incidents and that also shine a light onto what's actually happening at runtime.
2. Raise the bar on hackers (and your competition)
Everyone has to prioritize their time and resources - even hackers. No enterprise can ever be 100% secure, but you will have the edge if you make it much more difficult for hackers to get to your data than it is for them to get to your competitors'. Hackers will gravitate towards the easier target.
Let’s face it -- information security is not unlike other competitive aspects of a business. Early adopters of new, effective technologies and processes will have the competitive advantage. It’s an exercise in Darwinism: the survival of the fittest.
3. Prioritize protection of your most critical assets
While attacks like brand defacement and temporary paralysis of websites via DDoS attacks are still on the list of concerns, the gravest danger to a CISO’s livelihood is the fact that the hacker community has evolved into a business. A business about making money.
Cash is king. Hackers can make a lot of money by successfully exfiltrating an enterprise’s crown jewels: customer data, intellectual property, and competitive intelligence.
So, when prioritizing, invest time and resources into processes and technologies that will genuinely protect critical data. This could mean ensuring strong, consistent encryption in all your applications, stripping out data that is extraneous to your core business but valuable for others, and investing in Secure Software Development Lifecycle (SSDLC) programs (to name a few).
The CISOs I've met also frequently mention their openness to outsourcing data storage and processing to organizations that make a business of protecting it. Now is the time to evaluate whether the cloud is already safer than your own infrastructure.
4. Prepare for life post-breach
Of course you hope it will never happen, but no security strategy is foolproof. A sound recovery plan in the event of a breach has become a major priority for CISOs. A good response will include answers to the following questions that your stakeholders (management, Board, customers, partners, etc.) will undoubtedly ask:
- What were they after?
- Did they get what they were after?
- How much of it did they get?
- Who is going to be impacted by this?
- Have we plugged the hole(s)?
Hackers use old-school guerrilla tactics to divert attention and introduce confusion in order to give themselves time to cover their tracks and, more importantly, monetize exfiltrated data. You are even more vulnerable when you are busy cleaning up the mess -- and hackers know this. When your resources are focused on digging through logs and answering questions from authorities, the time you spend on remediation and forensic analysis is time lost in mitigating the consequences of the attack.
Therefore, not only do you need to monitor what is happening at runtime, but you should also be able to instantly replay what just happened. Every hour saved in promptly answering the questions above can be the difference between incurring minimal operational and customer impact versus becoming the punchline of some not-so-funny jokes.
5. Match your talent to your risk
Security teams are typically made up of a diverse set of individuals with experience and expertise in multiple functional areas. Given finite budgets, it's critical to ensure that the aggregation of your security team's capabilities matches the risk profile for the business.
Today, the vast majority of security teams are staffed with network, infrastructure, endpoint and IAM professionals. However, with the increasing understanding that applications are the soft underbelly of an enterprise’s security, it is encouraging to hear CISOs discuss the necessity to increase investment in disciplines related to application security: security architecture, vulnerability management, secure software development processes, penetration testing and security analytics.
This list is not meant to be exhaustive. Each CISO has his or her own version that's probably several pages long. However, we expect the thought leaders in the space to have most (if not all) of these on the top half of page one.