The results of a recent CXO study that were released by (ISC)2 have painted a picture of just how paradoxical cybersecurity can be from the point of view of CSOs, aptly outlining the challenges that these industry leaders face.
The report broke down these challenges into five primary points, the paradoxical nature of which was often supported by additional statistics. For one, though the amount of data that needs to be protected is ever increasing, security professionals have the obligation to remain flexible; allowing data to be fluid — and subsequently allowing the security perimeter to be fluid — is a typical expectation for most organizations.
Similarly, organizations are constantly trying to upgrade and improve the features and functionalities of their electronic operations. This not only raises the risk of disruption, but also leads to an approach in which security is often an afterthought of application development. While the obvious solution here would be to put security at the forefront of application development, the heavy amount of resources necessary to do so often makes it an implausible approach.
In fact, the study results indicated that of the 12,396 information security professionals, 72 percent said that application vulnerabilities were their highest concern. However, only 7 percent said that significant time was spent on software development, demonstrating that the squeaky wheel doesn't always get the grease.
Mike Suby, vice president of research at Frost and Sullivan and the author of the report, said that examples of innovation trumping security include a lack of secure code assessment. Most companies simply don't do it.
"It may be too difficult or too time consuming. Companies need to run through it with security personnel and say, 'This is the objective, these are the data sets we're going to access.'"
Without that discussion, exposures could inadvertently be created. "I'm punching a hole into a data set that shouldn't be there," he said.
Suby also pointed out that security patchwork is built over time. Creating a non-vulnerable system is both cumbersome and difficult, while also impeding progress towards other goals. Instead, many companies opt to pursue other business objectives. Getting to those business objectives, he said, slows down app and software development.
"The idea is usually, 'I want to do more, I can do more, but in the meantime let me build up fences,'" said Suby.
Equally unhelpful is the fact that a very small percentage of InfoSec professionals even have the certification for secure software development. The scarcity of people with the skill set for app security "is also a problem," explained Julie Peeler, foundation director of (ISC)2.
In fact, that particular skill set often isn't the primary focus when searching for InfoSec professionals to hire. The study's results showed that security executives that were responsible for hiring prioritized a potential new-hire's communication skills over his or her understanding of the security field. This is because security isn't just the responsibility of the security organization, said Suby.
Rather, security requires attention and awareness from the entire employee base. CSOs need to communicate with peers, to influence them and incorporate best practices in data handling, system access, and engagement with third parties.
"These people need good communication skills because security is a community activity," said Suby.
Peeler added that the top commodity in the industry is security analysts. Analysts, she maintained, are important because they are able to take information, cull it down, and communicate it to the rest of the company in a way that makes sense.
"It's not just about tech stuff. It's more about understanding how the pieces work together in a way that's best for the organization," said Peeler.
Unfortunately, even if they do find the ideal candidate, organizations often find that they can't hire more security personnel, which is yet another contributing factor to the paradoxical challenges faced by CSOs: locating and hiring skilled and experienced InfoSec personnel is difficult.
According to the report, while the education system has contributed to students' ability to leverage new information technology, such as systems, devices, and applications, the focus on security has been limited.
As such, it falls on employers to build a more security-conscious workforce, and they often cannot afford to do so. The report showed that 61 percent of respondents cited "business conditions" as the number one restraint in hiring additional security personnel for their organization.
Companies have business priorities, said Suby, and only X amount of money. Oftentimes that means that hiring more security personnel — even if the company would like to — gets the boot in favor of spending the money on other company priorities.
"There are business versus risk management decisions to be made. I could hire more security personnel, or I could spend the same money on another marketing plan," said Suby.
A moving target
Meanwhile, another paradoxical concern that the study exposed is that with attackers continuously evolving and becoming smarter, the largest looming threat to a company is always that which it does not know or cannot detect. Suby maintained that a major part of these threats is the manipulation of human nature and offered up the use of DDoS attacks as an example.
"[DDoS attacks] are advancing in not just what, but how they do it," said Suby.
"What's changing is that perpetrators understand that their victims can't cover all their bases all the time. So DDoS attacks can be used to divert attention from other defenses."
This way, attackers can subsequently move to sectors that are more vulnerable, he said, with Peeler likening the process to a cybersecurity version of Whack-A-Mole.
But coming up with a standardized means of defending against these attacks presents one final, paradoxical challenge: while the ever-expanding risk footprints and evolving foes call for more regulation in security, increased regulation effectively provides cybercriminals with a handbook on how to circumvent an organization's security.
There is usually a lockstep approach taken to regulation and compliance, said Peeler, and the study's results showed that 74 percent of respondents spent the majority of their time on governance, risk management, and compliance (GRC). But companies are being faced with these flexible, clever attackers, and that flies right in the face of such a regimented approach.
"Regulation and flexibility don't go in the same sentence," she said.
Suby agreed that while having strict, clear-cut regulations could, in theory, help increase security, it's also a dangerous approach.
"If you were building a house and had blueprints that indicated its security capabilities, if that info is shared with burglars, it's valuable to them. It's the same with regulations. Attackers know you're subjected to them. The real question is, do you really want to make your blueprints available?" Suby asked.
Not all hope is lost, though, as the report suggests that an effective way for CSOs to confront these challenges is to look beyond the walls of their own companies. Collaboration with others, be it in the form of outsourcing or inter-company data sharing, analysis, and best practice strategies, could help combat threats.
That said, some may have concerns over, once again, sharing the "blueprint" of their security measures with others. Internal threats, for example, such as employees within companies that are looking to target competitors with attacks, could undermine the potential benefits of inter-company sharing.
But according to Suby, there are some levels of protection that organizations can still enjoy while working with others.
"For those organizations that have built-in information sharing, they have also constructed means to anonymize their data. These are industries that are designed to work together and compete. They have some level of existing engagement and migrate it into the threat sharing. It's in their communal best interest," he said.
He went on to use the example of security standards within PCI and financial services, saying that all companies involved have a vested interest in establishing a relationship of trust with cardholders. As such, there are PCI security standards to which everyone contributes by helping build and mold them.
"If we don't maintain trust, our businesses are damaged," he said.