Each year brings a new set of challenges for CISOs. Whether they’re in retail, manufacturing, financial services or public sector, a lot of CISOs are facing the same challenges. GDPR fuels several of them, as does the continuing shift to the cloud and the march towards encryption. Here from from Chris Hodson, EMEA CISO at Zscaler, a cloud security product company, are six key challenges that should be on everyone’s radar throughout the year.
Challenge 1: Do you need all that technology?
In most cases in life and in business, we buy products because we have problems to solve. But “need” doesn’t seem to be driving today’s security technology purchases. Organisations don’t seem to be sure what they truly need to protect themselves.
Ten years ago, companies could purchase easy-to-implement defence mechanisms for a traditional end-to-end architecture, including several forms of Intrusion Prevention Systems (IPS); a Demilitarised Zone (DMZ) for third-party access; a firewall in front of the web server; and antivirus on end points. Most technology addresses only one type of threat, resulting in a patchwork of tools in most enterprises.
Today, the technology landscape is crowded and confusing. Many CISOs don’t know if they need antivirus, enterprise protection platforms, or enterprise detection response. They hear about solutions for malware sandboxing and threat access, and they wonder if these tools will help create a secure work environment and if they have the right controls for devices like mobile phones.
The short answer: no single solution is going to keep an organisation safe if they don’t understand why they have the solution. Businesses need a layered set of solutions and an ability to tie technology investments to risk reduction measures. They need to start with the problems instead of the products. CISOs shouldn’t buy a machine learning platform because they have read about it online. It’s important to identify problems and find safeguards to mitigate those risks.
Challenge 2: Being strategic when taking the digital transformation step.
Cloud technologies, continuous integration (CI), and DevOps are no longer the new guys in the room. Organisations are experiencing tangible cost savings, quality improvement and time to market with tools like CI.
Unfortunately, the security team can often be left behind in this DevOps whirlwind. In a world of two-week sprints and ‘failing fast’, it’s no longer suitable for infosec to be engaged at the end of a project. Many CISOs are trying to work in a much more cross-functional fashion, embedding themselves into project teams and offering guidance much earlier in the development lifecycle.
To make progress on the cloud journey, organisations need to gather all the business units involved in the cloud around a single table – including network architects and security – to create joint processes and workflows. In this way, they will make progress right from the start and inevitably save money and improve the organisational perception of the security function.
Challenge 3: GDPR, and everything that goes with it.
It could be said that roughly 80 percent of data is outside a CISO’s control. That’s worrisome, as many CISOs say they’ve inherited their data privacy programme. Thirty years ago, many organisational departments used notepads and calculators to manage their data. They certainly wouldn’t have handed the notepads over to the CISO and said, “Here, this is your responsibility now.” But it’s becoming increasingly common for departments to tell CISOs that they have to manage all business data.
Unfortunately, technology is the only delivery mechanism for storing personally identifiable information (PII). GDPR is focused on businesses understanding why they have certain information, where the information came from, whether consent to store information was obtained, and how they ensure that information stays accurate and up-to -date. By default, these burdens are falling on CISOs. IT has inherited the requirement to decide how to control the information.
The challenge is not exclusively a technical one: organisations have to learn to differentiate between why and where that information was obtained, as opposed to simply managing technical controls. Processes and workflows must be established in order to sort out responsibility for data.
Challenge 4: Third-party management is more complex.
Digital, mobile businesses are not static within the confines of a data centre. The need to be agile and “fail fast”, which means that companies are increasingly leveraging partnerships to deliver on customer demands. Organisations have a hard-enough time assessing their own risk: the risks posed by third parties that they choose to work with are even more onerous.
In fact, we’re moving beyond simply assessing third-party risk; now, as Gartner notes, businesses must worry about fourth-party and fifth-party risk farther along the technology supply chain. As use of public cloud solutions grows, we’re creating many new partner relationships.
An adjacent challenge to third-party management is that we aren’t assessing risk quickly enough. Penetration testing that takes five days is too slow in a world where attackers can gain the upper hand in just a few minutes. The security industry needs better tools and techniques for assessing third-party resources. The need for security assurance has never been higher, but CISOs are a pragmatic bunch; insisting that a provider instantaneously allows a full infrastructure penetration test simply isn’t working, for reasons of change control and service availability for other customers. Many CISOs are now shifting from a model of testing to one of contractual agreements, SLAs and Cyber Security Ratings.
Challenge 5: Encryption – the snowball that doesn’t stop rolling.
As recent reports confirm, encrypted traffic is on the rise. We will soon be living in a world where almost all websites are delivered via HTTPs. The ‘blind spot’ keeps growing for organisations who are not inspecting encrypted communication. A security controls framework is ineffective without visibility. CISOs therefore increasingly appreciate the need to inspect all content traversing their internet gateways.
Though encryption remains only part of the security puzzle. Front loading the internet with the ‘silver bullet’ of encryption only serves to protect information in transit between two parties and does not maintain security hygiene overall – something that is essential moving forward.
First, we must get encryption right. For years, issues have occurred around implementation and the way organisations are deploying and consuming cryptographic services. For example, not verifying certificates, revocation lists or allowing self-signing certificates can all cause a break in security. In addition, encryption is only valid against those who shouldn’t have access to data. Encrypted information is still accessible if a hack is undertaken via legitimate means e.g. phishing to access an admin account.
When it comes to security on the web today, we must continue to look at the basics alongside encryption. Patching, application upgrades, sufficient IAM solutions are all strong security principles that must be applied without fail. If any one of these is missing or compromised the security chain will be broken. Indeed, we also must not confuse security with privacy. As encryption does become the norm – and it undoubtedly will – it is crucial that we clarify and separate ‘security’ from ‘confidentiality’ to determine what technologies are most suited in each instance.
Challenge 6: The perception that the cloud itself is insecure.
Perceptions are coming to the fore that the cloud is introducing new threats, but whether this is based on reality is yet to be determined. When Amazon Web Service was down for several hours in February 2017, it caused massive follow-on problems across the internet. The reason for the outage was incorrect command line argument(s) and human error. There is never going to be a foolproof control for genuine mistakes but it’s unfair to call this a vulnerability introduced through cloud computing.
Cloud adoption continues to grow, and as it does, such an explicit delineation of cloud and on-premise will not be necessary. Is the world of commodity computing displacing traditional data centre models to such an extent that soon all computing will be elastic, distributed, and based on virtualisation? Will all computer access be service-based and ubiquitous?
Cloud computing requires an institution to apply the concept of trust, allowing a third-party to manage data on their behalf. At first glance, this unfamiliar approach sounds radical and dangerous although pragmatism and context suggest otherwise. Companies have been relying on third parties to manage information for centuries; the difference with cloud computing is that the information is in digital form.
An organisation is idiomatically only as strong as its weakest link. Whilst it is prudent to acknowledge the threats and vulnerabilities associated with public cloud computing, there are myriad risks to the confidentiality, integrity and availability which exist across enterprise environments and these are significantly more easily exploited.
