As a security professional who’s been a CISO for several years now, I often think about past accomplishments and failures, evaluate current and future threats, and think about the things that are really going to impact the role of the CISO. The past few years have proved to be sobering for cyber security professionals as several companies experienced massive data breaches including Target, Home Depot, JP Morgan, and Sony Entertainment. These breaches should give all of us pause for what the future holds in our industry.
As I write this blog post, I find myself reflecting on the following questions: Could I defend against such attacks? How could I detect similar attacks, and how quickly could I recover systems and data in the event of a Sony-type attack? I came up with a short list of things that keep me up at night and what I’d love to have in my toolbox in 2015.
Continuous, Real-Time Visibility into Corporate Assets and Systems
Monitoring and analytics should be at the heart of any security program and will take on greater importance in 2015. To make informed, risk-based decisions, a CISO must know the current status of their assets in real time, including information about an asset’s configuration status, vulnerabilities, defenses, threats, and attacks. This real-time visibility is becoming increasingly difficult to obtain as corporate perimeters continue to erode and enterprise assets become further dispersed. Security decisions can no longer be made on a “gut feeling” but must be informed by accurate, real-time data that is continuously updated and analyzed. In addition, real-time visibility is needed to quickly identify attacks and stop them before much greater damage can be inflicted. Once attackers become rooted within an organization’s systems, it becomes increasingly difficult to identify and remove them. And now that networks and systems have become far too complex for humans to comprehend on their own, data analytics and machine learning algorithms are needed to identify and report on attacks and risks in real time.
A More Secure Alternative to Passwords
Almost every data breach that occurred this year can be tied back to a password being compromised. Although passwords have served the security community well for several decades, the time has come to implement a more robust authentication system. CISOs need a strong authentication system that is difficult to compromise, works across multiple platforms and protocols, is easy to administer, and is not overly burdensome to end users and help desk staff. And don’t forget about the first item above: we need an authentication system that lends itself to continuous monitoring, so that security professionals can quickly identify in real time when credentials appear to have been compromised and are being used to pivot throughout their networks and systems.
Security/Risk Metrics that Actually Mean Something
Unlike other C-level executives, CISOs lack an agreed-upon set of security and risk metrics for making informed decisions and managing a security program. Without a widely adopted set of quantifiable metrics or key performance indicators, cyber security decisions will always be perceived as mere guesswork by boards of directors and other corporate executives. Over time this will erode trust in CISOs and the security community as a whole, and it is a major barrier to obtaining additional funding and resources. CISOs must be able to answer the question: For x amount of money spent on cyber security, what will be the return?
Self-Healing Computers and Networks
CISOs need computers, software, and networks that, much like the human body, can automatically restore themselves to a known good state or quarantine machines that have become infected. Unfortunately, the pace at which attackers can act often far exceeds that of cyber security defenders. Self-healing systems are needed to close the Observe-Orient-Decide-Act (OODA) loop that is essential for winning not only in combat but in cyber security as well.
Rock Solid Cyber Security Professionals
I’m not sure who first coined the phrase, but it’s true: “A fool with a tool is still a fool.” To be successful, CISOs need dedicated professionals who are technically competent, can think like an attacker, and have the drive to see that a task gets done. We need people with “fire in their bellies,” who are driven to defend our networks and systems and to root out those who have already compromised them. I’m looking for those who code for fun, build home labs so they have something legal to crack, read packet captures instead of novels, can recite PCI security standards from memory, and think programming in C is better left for those who can’t hack it with assembly. In addition, we need professionals who can see the bigger picture and understand that implementing additional controls comes with a cost, both in actual expenditures and, oftentimes more damaging, in reduced business agility and innovation.
With the large-scale data breaches and destructive attacks we saw this year, in 2015 CISOs need to continue to evolve and become more integrated into C-suite conversations and key business strategy. As enterprises look to their CISOs for enhanced security under limited budgets, we’ll need to focus on more integration between DevOps and security teams to embed security into products and technology from the earliest stages of the development process. CISOs must also resolve to be more than technical security professionals and to take responsibility for making difficult risk-benefit decisions that drive the business forward. This will require CISOs to learn the business, speak the language of other executives, understand the financials, and be able to calculate and truly demonstrate a return on investment for the dollars spent on cyber security.