After a challenging day at the office, many CSOs and CISOs spend their harried nights wishing for a better and easier way to accomplish the tough tasks they face at work. I know I have. I've spoken with a lot of my peers this year and thought I'd compile a list of these wishes and pain points—and provide an opportunity for us to share recommendations on how to tackle these tough tasks.
Here are the top eight wishes I've heard in the last year:
1. We need simplicity, not complexity.
There's simply too much going on in our IT worlds. New cloud computing, mobile, and social networking technologies and innovations are flooding our infrastructure. There are so many technologies in our businesses—at best soldered together—but definitely not talking to each other.
Unfortunately it is only getting worse. Declining operational efficiency and effectiveness affects the whole organization. Too many security solutions offer 1,000 features, but most people only leverage 100. To be effective, we need solutions that actually talk, share intelligence, and learn from each other.
2. We don't want to be overwhelmed by too much data and information
Firewalls, AV, IDS/IPS, load balancers, routers, switches, DLP, web security gateways, MDM, email gateways, Active Directory, thousands of applications, thousands of databases, etc. We are overwhelmed with data that we aren't necessarily looking at on a regular basis. I've asked many CISOs: "What value are you getting from your IDS or firewall logs?"
Most responded that they have little to no value because there is just too much data. And it isn't going to scale for the future. Even items like SIEMs are not intelligent. They are complicated to run and they simply turn data into information. But information isn't what we need. You still need to collate and analyze the information to understand what actions to take. Even then, it's going to take more than action lists. CSOs need a guiding compass that provides an effective overall risk management strategy.
3. We need to turn data into wisdom.
CSOs need data, so they can use their wisdom to make the best security decisions. To get there, data needs to be translated into information. And that information needs to provide intelligence. Intelligence will help CSOs build their security wisdom. The more intelligence CSOs receive, the bigger the benefit. Unfortunately, many of the solutions I list above aren't translating information to intelligence. They are simply providing information, which leads to reactive actions vs. proactive actions.
4. We need a predictive risk posture view.
I'm talking about a pressing need for a risk-based approach that is simple to implement. Most of today's buying decisions are gut-based on old experience and yesterday's threat landscape. And while governance, risk management, and compliance (GRC) solutions exist, usually these solutions are rule-based and are not intelligent, are overly complex, and don't take a data-centric view. [See What's next for GRC?]
Many of the good risk and compliance solutions are also very expensive and few companies can afford them. We need a GRC solution that easier to deploy and manage. As more CSOs partner with others and continue cloud adoption, GRC will be the tool of the future to help manage risk because they will have less and less direct infrastructure control.
5. We need visibility, control and protection for our data at all times.
This is about the DATA, not the device or outlet. So whether it is on a handheld, a tablet or in the cloud, we need to know where our data is, who is using it, when it is accessed—even if it was just created. We also need control of the data. This includes enabling data collaboration, knowing when it leaves our partners, and having a kill switch if our data is not in the right place. We should be thinking about our security program from the ground up.
6. We want to allow BYOD.
We want to enable the business by allowing BYOD, but most CIOs are not fans of mobile device management (MDM). They want security and data protection, but not necessarily to lock down or control the device. It makes it even harder when we get pressure from our executives to allow personal devices on the network. We need to be able to easily allow any device to access our network and data, but have full visibility and control of the data.
I believe the future is a hybrid of DLP and DRM mixed with virtual sessions. And for certain applications, data is then routed back into the data center. I do not believe the future is MDM. It just applies all the old ways of endpoint security to a new paradigm of mobile devices. It doesn't solve the real problem.
7. We NEED to stop spear phishing.
This is the number one way that most targeted attacks compromise users. Phishing may be an old method, but a researched, well-orchestrated socially engineered lure is very effective. I have asked 200 CISOs "How many of you feel confident you can stop a spearphish attack on your CEO?" And not one said they could. We have to think out of the box to solve this problem. The most successful way to solve this is by mixing science and humanities together.
One great example is PhishMe.com. [Disclosure - I recently joined the executive board for phishme.] I've found that, depending on the technology and awareness, up to 70 percent of employees will click on a spear phish lure. Your security technology needs to be mixed with your awareness program because 15 percent will still click.
You need an email security solution that uses cloud-based spear phishing protection, which catches and inspects any never-before-seen URLs, before they hit your network. Your standard spam filters cannot do this. Lastly, many spear phishing emails avoid your company email system and target your CEO's Gmail account. So you need a web security gateway that can protect your user when they click on a spear phish link. There are very few web security gateways that are spear phish-aware. This is key.
8. We want an easy way to measure and market our success.
This is a big one. Security is a board room problem, but we have to be able to convince the board that it is a BOD problem, while measuring the trend to impart success. We have to address so many new security challenges and emerging threats. How can we possibly demonstrate our value to our CEO and Board of Directors? I've addressed a few of my best practices here, but would also love to hear your suggestions.
Did I miss your main pain points? If I did, leave me a comment below and let's discuss. If you've got suggestions on how to address some of these challenges, please feel free to post them as well. In addition, send me a message on LinkedIn and I'll try to help you through some of the best practices I've seen to address these challenges.