It's almost a given that Redden, chief security officer at Brazos Higher Education Service, a Waco, Texas-based company that services billions of dollars in student loans, will be summoned to brief his worried board of directors.
Redden says he lays the groundwork for such command performances by proactively communicating with the board on an ongoing basis to keep them up to date on everything that IT is doing to protect the enterprise and how his team is preparing for the inevitable.
Even then, "I wouldn't be foolish enough to say I stay ahead of the bad guys," says Redden. "The bad guys stay ahead of everybody."
That observation is likely the reason why 50% of the 182 IT professionals who participated in Computerworld's Forecast 2016 survey said they plan to increase spending on security technologies in the next 12 months.
What's more, when respondents were asked to name the most important technology project currently underway at their organizations, security came in second -- chosen by 12% of those polled -- trailing cloud computing by just two percentage points.
"When you look at the amount of money big organizations [spend] to prevent breaches and they still get breached, you've got to assume you'll be attacked too," says Dale Denham, CIO at Lewiston, Maine-based Geiger, a $150 million distributor of promotional products. "You have to have a plan in place."
Attackers are getting more numerous, better organized and more powerful. And the number of entry points they can use to access vulnerable networks is rising exponentially as televisions, printers, cameras and even cars are IP-enabled. Gartner estimates that the number of connected things in use will hit 4.9 billion by the end of this year, up 30% from 2014, and will reach 25 billion by 2020.
One recent example of the ever-evolving kinds of security threats enterprises are facing is a piece of persistent malware dubbed SYNful Knock that was discovered last September on Cisco routers.
"It's the first time anything has been publicly disclosed about an exploit of Cisco routing and switching equipment," says Darren Van Booven, cybersecurity officer for the Idaho National Laboratory in Idaho Falls. "It's a great example of the kind of threats organizations now have to mitigate. They require constant changes in our strategy."
John Nai, CISO at PayPal, says in 2016 he'll pay close attention to "infrastructure hygiene," which, he says, "is super important to us." Beyond that, Nai says he believes in keeping a firm eye on the basics. "A lot of companies focus on advanced capabilities," he notes, "but you really need to be brilliant at the basics: Make sure you're patching your infrastructure, patching your desktops and have the right operational capabilities to see what's going on in your network."
Slim pickings in the labor pool is another management concern: There simply aren't enough security professionals to go around, and those who are in the job market can command sky-high compensation packages that are out of reach for many companies.
Those are just a few of the security-related issues that IT leaders lose sleep over. But most of them say they're not staying up late worrying; they're up making plans to take action. They're preparing to fine-tune anti-intrusion strategies, train -- and retrain -- employees, and create disaster plans for the breaches and attacks they say they know lie ahead.
Bigger budgets, better-trained users
Security execs may be getting called to board meetings more frequently for explanations, but they're often leaving those meetings with more resources to spend on protecting enterprise systems and data. The high-profile breaches have helped raise awareness among even the least technical board members about the critical importance of security. (See The board will see you now for more on the changing relationship between security and the C-suite.)
"Instead of going to the board or CIO and struggling with justifying every security expense, I have the board and CIO coming to me," says a CISO from a midsize manufacturing company who declined to be further identified.
"In some ways, the high-profile breaches have done the selling for me. It's almost an open checkbook," he says. But make no mistake, he adds: "The threats are still there and they are certainly scary."
Across the board, security managers say they'll spend at least some of the money being added to their security budgets on further investments in awareness and training programs. "One of the biggest challenges is with employees. Most of the problems we've had come from emails they've opened that could have Trojans or malware," says Redden.
"It all goes back to user training," he adds. At Brazos Higher Education Service, he says, "we've pulled most remote users back in for additional training. We talk about not letting anyone access their laptop. It's not a personal device. We stress that very highly. Endpoint protection is the No. 1 issue."
Training is also on the docket at Loyola University Maryland in Baltimore. "Our largest challenge is our end users, so we're really ramping up our cyber awareness training," says Louise Finn, CIO and associate vice president of technology services.
In 2016, the university's recently hired security operations director, Patricia Malek, will be conducting face-to-face scenario-based training with employees in all business units. "And we're not just training on the university's policy, but providing training on the personal side, emphasizing personal control over and protection of data," Finn says.
The Bank of Labor in Kansas City requires employees to take part in a security awareness training program annually. But Shaun Miller, the bank's information security officer, says that schedule renders the program "worthless" because threats change so quickly.
To help people remain vigilant, Miller sends out phishing emails "the same way the bad guys do." If users click on the links in these messages, they're sent to a landing page and get immediate feedback about what they should have done differently. "I'm not doing this to get employees in trouble," Miller says. "I'm doing the same thing audit firms would do. People learn [best] from their mistakes."
Hire in or contract out?
Among respondents to the Forecast survey who said they expect to add staff in 2016, 25% named security initiatives as the factor driving that decision. And 33% said security was the skill they expect will be the most difficult to hire for in 2016.
In interviews, executives at small and midsize organizations say they will hire people with broad IT and security skills, rather than highly experienced experts in specific security areas, such as intrusion detection or firewalls.
Many companies are adding expertise not by hiring, but by contracting with the growing number of security services providers. As one CISO put it, one of the advantages of contracting is that it's a way of sidestepping the threat of having sought-after security employees poached by other organizations.
Frankie Duenas, CTO at Cabrillo Credit Union in San Diego, heads a small department of six IT professionals whose duties range from security and networking to programming and daily operations, and he also outsources for security assistance when necessary. "We have a budget in place to throw at security" -- either to respond to emerging threats or to respond to a need for more sophisticated security software and/or services, Duenas explains. "We're going to double that [contingency] budget next year because hacks evolve quickly, and we need to have that pot to pull from."
At Geiger, Denham says he hires third parties to handle both intrusion detection and intrusion prevention services. The company also works with outside auditors on compliance with the PCI Data Security Standard.
"I don't expect we'll hire more [security professionals into IT]," he says. Instead, Geiger will continue to turn to service providers as new needs arise.
"You're never finished with security. You can't do it all, and you can never do it fast enough," Denham says. "There's always more to do than IT can handle."
The bottom line is that security is a critical enterprise issue that never goes away. It never ends because hackers always find new ways to do damage.
For example, the industry has made great progress in fighting phishing attacks, according to PayPal's Nai, but as it has done so, the bad guys have refocused their efforts elsewhere -- on disseminating malware, for example.
"As we continue to improve in certain areas, the bad actors don't go away," Nai says. "They don't go out and get legitimate jobs. They simply move to another attack vector."
This story, "Forecast 2016: Security takes center stage" was originally published by Computerworld.