Let’s examine 5 top trends that are causing CSOs to re-assess their existing priorities for mitigating risk in the enterprise.
1. Consumerization of IT
Few trends have been so surprising to traditional IT teams as consumerization of IT. Remember back when the IT department could make a careful assessment of needs and support requirements and then dictate what devices and platforms the employees would use? Those were the good old days in terms of risk management. Oh, there were always a few exceptions, but exceptions are defined by the norm, which was policies for supported devices. Now, the exception is becoming the new norm.
According to a recent IDC study, 95 percent of information workers use self-purchased technology for work. The survey is filled with interesting findings, including some disconnects between official policy and assumed policy. (67 percent of employees said it was permissible to access non-work-related websites, while only 44 percent of the employers said it was.) Telling, though, is that the top barriers to enabling employee use of their own PCs and devices are security concerns.
The value that these new technologies provide goes beyond the traditional arguments about boosting personal productivity and fostering collaboration; they facilitate a new way of communicating inside the organization, and with the customer community beyond. CIO.com, in the article 5 Reasons Why CIOs Can’t Ignore Consumerization of IT, notes: “According to McKinsey and Company, ‘word of mouth is the primary factor behind 20 to 50 percent of all purchasing decisions.’ As the control of corporate brands shifts to online conversations outside of the company's purview, organizations will increasingly value employees who can navigate the ecosystem and are influencers in their social networks.”
Without the ability to say “no”, it is left to IT to try to accommodate these new consumer devices. In terms of security impact and risk, this means no more platform “standards”, a reduced ability to enforce policy or do traditional monitoring, a frequent lack of enterprise management tools, and a growing percentage of “unmanaged” devices within the enterprise.
2. Cloud Computing
Cloud computing is another significant game changer. The economic case for cloud computing can be persuasive: deploying solutions while avoiding the classic hurdles of capital expenditures and operational expenditures that go with deploying and managing your own resources. The CSO has the ability to seamlessly scale up or down according to need. The cloud represents a major change in how computing resources will be utilized for large companies with existing data centers, processes and people who manage them.
From the CSO perspective, an enterprise needs to know that resources placed in the cloud have the proper level of security, yet moving to the cloud limits an organization’s ability to control systems and data. Ironically, this means that the organizations whose data centers are best controlled and managed today may take a slower approach to adopting cloud computing benefits – which could ultimately place them at a disadvantage.
For a perspective on this topic, the risks and rewards of cloud computing are examined in the white paper Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, a collaboration between ISACA and the Cloud Security Alliance. Further guidance documents on the research page of the Cloud Security Alliance site can help CSOs do a cost-benefit analysis to determine whether cloud computing is the right move now or in the future.
3. Advanced Persistent Threat
Over the years computer viruses have evolved from sometimes amusing nuisances to more sophisticated hacking attacks that have become technically advanced, persistent, well-funded, and motivated by profit or strategic advantage.
Today the CSO must contend with the Advanced Persistent Threat (APT), sometimes referred to as a “low and slow” approach because the APT is usually intended to serve as a long-term monitor of systems rather than as a direct, one-time attack. Unlike the highly visible infections of the past, such as the ILOVEYOU virus, an APT is designed to elude detection, making the job of detection and protection all the more difficult.
Wikipedia (see their page for source references) states that definitions of APT can vary, but an understanding can be summarized by their expansion of the acronym:
- Advanced – Operators behind the threat have a full spectrum of intelligence gathering techniques at their disposal. These may include computer intrusion technologies and techniques, but also extend to conventional intelligence gathering techniques such as telephone interception technologies and satellite imaging. While individual components of the attack may not be classed as particularly “advanced” (e.g. malware components generated from commonly available do-it-yourself malware construction kits, or the use of easily procured exploit materials), their operators can typically access and develop more advanced tools as required. They often combine multiple targeting methods, tools and techniques in order to reach and compromise their target and maintain access to it.
- Persistent – Operators give priority to a specific task, rather than opportunistically seeking information for financial or other gain. This distinction implies that the attackers are guided by external entities. The targeting is conducted through continuous monitoring and interaction in order to achieve the defined objectives. It does not mean a barrage of constant attacks and malware updates. In fact, a “low-and-slow” approach is usually more successful. If the operator loses access to their target they usually will reattempt access, and most often, successfully.
- Threat – APTs are a threat because they have both capability and intent. There is a level of coordinated human involvement in the attack, rather than a mindless and automated piece of code. The operators have a specific objective and are skilled, motivated, organized and well funded.
The cyber threat has changed, and the primary concern is no longer malware that incidentally impacts an organization, but rather the threat of very targeted attacks for purposes of industrial espionage, cyber crime or – if a company is part of critical infrastructure – cyber war.
4. Expanding Importance of Identity
Identity management has been a traditional concern for IT departments, but as perimeters fall away and applications migrate to the cloud, authenticated identity becomes even more important. As with the other trends discussed here, some companies managing their own data centers that have implemented best practices may face a trade-off of taking a step backward on this issue if new services and technologies aren’t compatible with their existing identity infrastructure.
At the same time, the consequences of a breach have become more serious. Rather than just causing disruption and potential data destruction as pranks, attackers may seek to plant malware aimed at extracting confidential data, ranging from keystroke capture to stealing funds from online banking to exfiltrating intellectual property. Identity is front and center in many of these attacks, and with sophisticated malware, a legitimate identity can be subsumed by a criminal.
Viewed from the perspective of a technology worker, it is hardly easier. Corporate identity credentials, passwords for many web sites, and different identity federation schemes (e.g. Facebook Connect) all make an individual's job of personal identity management very challenging. The reality is that individuals are probably reusing variations of the same passwords both inside the enterprise and with personal web and social networks, so corporate identity is only as strong as the protective mechanisms of those sites and social networks.
The fact that the White House has established a program office and strategy for identity (the National Strategy for Trusted Identities in Cyberspace, NSTIC) underscores how important this issue is. NSTIC is the White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies, and other organizations to improve the privacy, security, and convenience of sensitive online transactions. Identity management will continue to be a top concern for IT departments for the immediate future.
5. Increased Government Role in Cybersecurity
The role of government in cybersecurity is nothing new to the CSO, who is already working to ensure compliance with regulations from the Securities and Exchange Commission, Sarbanes-Oxley, HIPAA, the European Union Data Protection Act and others. Many countries have sought to improve critical information infrastructure policy, to build effective information sharing and collaboration capabilities that address threats and vulnerabilities, and to coordinate responses to increasingly complex cyber threats.
However, one could argue that these past examples of regulation have been relatively narrowly focused, and during the past few years there has been growing awareness of and support for increased international collaboration on cybersecurity. Governments in Australia, Brazil, Canada, China, Germany, India, Poland, the U.S. and the U.K. have all launched initiatives, offices, and programs to protect cyberspace. The European Union and the International Telecommunications Union have also been driving efforts to expand and enhance international cybersecurity efforts. While comprehensive legislation has not yet been enacted in most geographies, policy makers are deepening their commitments to improve cybersecurity and reduce risk at the national level.
In the US, President Obama directed a top-to-bottom review of the Federal Government's efforts to defend our information and communications infrastructure, which resulted in the White House report titled the Cyberspace Policy Review. The report provides a near term action plan for addressing cyber threats with a call for collaboration. The document highlights the gravity of the current situation:
“The architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations.” The report continues: “Information and communications networks are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing network security issues requires a public-private partnership as well as international cooperation and norms.”
As the executive responsible for the organization's entire security posture, the Chief Security Officer is seeing those responsibilities expand to cover the implementation of valuable technology trends that have the potential to change priorities across the entire organization.
Old problems seldom go away; instead, new and interesting challenges are incrementally added to the workloads of IT departments. With these trends, old best practices don’t necessarily apply in the new environment, and limits are imposed on the types of solutions that are acceptable for risk management.
If you haven’t done so recently, it may be a good time to step back and examine current initiatives with an eye towards how your enterprise has evolved. Keep an open mind and be prepared to assess and re-prioritize as necessary to continue managing risk for optimal results in your enterprise.
NOTE: This article is cross-posted to the Microsoft Security Blog.