5 fixes to help CSOs stay ahead of risks

Enterprises are having a challenging time getting ahead of their security risks, but experts say a handful of long-term improvements could help do the trick

No matter how valiant the efforts of chief security officers, or how much businesses say they focus on securing their systems, or the amount of money spent on IT defenses — many of the same IT security challenges persist.


Enterprises lag in their ability to swiftly detect breaches — an important measure of security maturity. According to the 2013 Verizon Data Breach Investigations Report, 62 percent of organizations didn't detect breaches for months, or longer — and partners, customers, or other outside parties identified about 70 percent of those breaches.

There's clearly much room for improvement, but as the number, duration, and costs of attacks reveal, and as our interviews in recent weeks confirmed, there certainly won't be any quick fixes. However, according to the experts we've spoken with, there are a handful of areas that, if dramatically improved, would significantly narrow today's chasm between defender and attacker.

1. Close the skills gap

One of the challenges cited repeatedly during our interviews is the difficulty organizations have finding the security talent they need. Earlier this year the International Information Systems Security Certification Consortium conducted a study that found more than half – 56 percent – of organizations believe their security departments are understaffed.

The challenge here is that technology and attack methods are moving swiftly, and so are adversaries, but formal education and corporate training aren't keeping pace in producing the security skills needed to cope with constant change in mobility, cloud architectures, virtualization, and other areas.

"We are always seeing conversations about staffing concerns," says Daniel Kennedy, research director for information security and networking at 451 Research. "And it's not just small and mid-sized companies that are having trouble finding and retaining talent, it's a problem even at the top," he says.

2. Shifting away from a regulatory compliance mindset

One of the most necessary shifts is that from a focus on regulatory audits and compliance to security risk management. Many enterprises have spent years – justifiably – with a focus on regulatory compliance. However, many say, the focus remained too intently on compliance and not enough on the essential security of their data, applications, and infrastructure.

And despite this focus on regulatory compliance, there's little in the way of improved outcomes to show for the effort. Our eleventh annual Global Information Security Survey, conducted by PricewaterhouseCoopers, CSO, and CIO magazine, found that the loss or damage of internal records more than doubled in one year.


"This focus on regulatory compliance, rather than security, has been underway for many years," says Candy Alexander, former CISO at Long Term Care Partners, LLC, and currently a member of the board of directors at the Information Systems Security Association.

"When the focus is on compliance, you are not talking about people who are proactive about going out and making themselves more secure. They're just focused on baseline controls," says Kennedy. "Compliance is generally a lagging indicator [of risk]," he says.


The result of that "baseline control" approach is "checkbox security," say Kennedy and Alexander. "It's not pie-in-the-sky to say that compliance should be an output of a security program, not a primary input," says Kennedy.

We looked at this issue in our feature, Thinking outside the IT audit (check)box.

3. Improve incident response

As we covered previously in Beyond breach prevention: The need for adequate response, the security industry is disproportionately vested in preventative security defenses — with precious little spent on the ability to detect and respond to breaches when they (and they always do) occur.

"We need a fundamental shift from so much focus on preventative controls to detection and response," says Jay Leek, SVP and CISO at the Blackstone Group. In a recent evaluation of the industry, Leek says, the vast majority of investments, 70 to 80 percent, are made to block attacks. "That should shift down to 50 percent," he says, with the other half going to investments that provide visibility into the activities on systems and data, as well as tools to help make a swift and intelligent response.

Why is the industry so heavily geared toward blocking, rather than responding to the inevitable? Most agree that it's part human nature (believing one can block danger), part the vendor community selling the message that attacks can be blocked, and part the fact that prevention is an easier sell to business executives. Most regulatory compliance mandates also call for a heavy focus on preventive controls over detection and response. "The ability to respond is absolutely necessary, but it's just not as easy to sell across the board," says Kennedy.

4. Communicating to the business, not at the business

This communication chasm still persists at too many organizations, most agree. Many security professionals still have a challenging time elevating the IT security discussion to a level that is relevant to business executives. That's largely because they continue to view themselves as security practitioners, rather than as security professionals participating in the industry their organization operates in, contends Eric Cowperthwaite, VP of advanced security and strategy at Core Security Inc. and former CISO at Providence Health and Services.


Alexander agrees. "Communication is still a very common problem. There is a challenge for many to explain complex and technical risks in a way that makes sense to a business executive. But that's what we need to do. We need to talk in their terms in order to be persuasive and reach them," she says.

What executives need to make educated IT risk decisions are security pros who understand both the technology and the nature of the business and industry they're in.

"Executives want you to gear yourself as being as responsible for the business just as much as they are. And they want you to sit down and in a collaborative way figure out how to get better security without interfering with business objectives," he says.

5. Shift increasingly to data-based decision making

The final fix is moving from making gut decisions, working off of checklists, and blindly following best practices to more data-driven decisions. "What we are doing is playing whack-a-mole. We find the things that we are bad at (or cause breaches) and we fix it," says Jay Jacobs, vice president at the Society of Information Risk Analysts.

"The problem is that there's always something else that comes next. And the adversary is intelligent and can adapt, so they just move on [to the next vulnerability]," Jacobs says. "I think what really would be a dramatic improvement is if we start using the home field advantage that we have and start to collect the data in our environment and make sense of it," Jacobs adds.

That means better log analysis, more spending on big data security analytics, and better anomaly detection. This can give researchers speedier insight into things that need to be investigated. "I think adopting that technology would be a dramatic improvement. Unfortunately it's a pretty steep hill to climb for most organizations," he says.

George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.

Copyright © 2013 IDG Communications, Inc.
