Earlier this year, CISOs and CSOs who are members of Wisegate, an invitation-only, business-social-networking group comprised of CSOs and CISOs, took part in a webinar predicting the top IT security threats. Called Hype or Reality, the webinar looked at topics including security and cloud computing, BYOD/BYOx, security awareness and counter-attacking hackers.
Recently, Wisegate asked some member CISOs and CSOs the following questions to get their observations about how these trends and concerns are panning out. Wisegate shared the answers from several CISOs.
Of all the “Most-Hyped” 2013 IT security threats discussed in the Wisegate webinar (Security/Cloud Computing, BYOD/BYOx, Security Awareness and Counter-Attacking Hackers), going into August, which topic do you believe has turned out to be the most legitimate issue/concern for CISOs and why?
Tim McCreight, Chief Information Security Officer, Government of Alberta:
I believe cloud computing has moved from hype to reality for some organizations. Cloud computing appears to have gained traction over the other topics we discussed during the seminar. Part of the reason may be the perceived economic benefits, or the amount of information that’s presented to business executives on the benefits of cloud computing. I’ve also seen a number of the “big players” in IT begin investing in cloud strategies. There have been some significant announcements by major players about their cloud offerings, or their soon-to-be-launched initiatives. It makes for compelling reading for business teams, because the value proposition is compelling.
David Sherry, CSO, Brown University:
While I think that all of the “most-hyped” security threats have legitimate concerns for CISOs, the security and privacy issues relative to cloud computing continue to be in the forefront, and for several reasons. When you consider the loss of control through click-through agreements, exposure of sensitive information through inappropriate sharing decisions, middleware or app agreements that allow control, and orphaned accounts and data, the cloud continues to be something that needs to be focused on. While policies, contracts, awareness, alternatives, and other solutions should all be part of your toolkit, the continued evolution and adoption of cloud technologies requires diligent focus and constant assessment.
Candy Alexander, longtime CISO at several industry leading companies, including Long Term Healthcare Partners:
The whole trick with Cloud Computing is to really look at where the “real” control is – the service provider – and to know their level of security, their processes and abilities to mitigate risks; then ensure that the Service Level Agreements and Statements of Work are appropriate to the contract. I know many will think I am oversimplifying it, but that’s what it comes down to.
As for Security Awareness, that’s been an issue and concern since the beginning of computer use. It is a constant and something that we need to address (and should have addressed) all along.
Counter-Attacking Hackers is a sticky issue and I really don’t think it is something that most organizations should get into; from an ethical, legal and skillset perspective. Let’s face it, there are a lot of them and few of us in comparison. Besides, they share knowledge, skills and resources better than any technical group I know of. It crosses technological, geographical, cultural and age barriers.
So, I’m pulling away from many of my colleagues on this one. I would have to say that it is BYOD/BYOx and the complexity that is brought into the environment with the use of BYOD/BYOx. The challenge is how to identify and manage all the pieces of the environment, all the while ensuring that access to the data and use of the data is appropriate and intended.
With the use of BYOD/BYOx, there is no standardization of hardware and applications, which leads to complications in managing the environment, controlling the environment and protecting the environment. With the introduction of the mobile environment, each mobile device owner is now able to control what apps they will use, how data can/will be moved around, etc. I have run across situations where users were running rogue applications to get their jobs done without IT or Security knowing about it. For the organizational and corporate environments, there needs to be some level of having the ability to understand what is being used, how it is being used and where it is being used. Many organizations believe that they simply need to use an MDM and it’s done, which is not true. There are too many variables in this environment that are constantly needing monitoring and determination of risk.
Of all the “Most Hyped” 2013 IT security threats discussed in the Wisegate webinar, which one has had the least impact on IT Security and CISOs industry-wide?
Tim McCreight: I haven’t seen BYOx materialize as quickly as I thought it was going to in 2013. Perhaps it’s the logistics behind the initiative – technically, I believe we can address a number of the key issues that concern security executives (data separation, encryption, network segmentation) but I think some of the stumbling blocks may still be the lack of policy, or dealing with other issues like onsite support for personal devices and questions about stipends or compensation.
David Sherry: It is still my opinion that counter-attacking is over-hyped, and not in the best interest of the CISO mission. I have not heard success stories where the necessary effort and achieved results of a counter-attack would be of value to the role of the CISO. I would much rather have the technology, systems and staff in place to identify and thwart an attack, and not get into a battle.
Candy Alexander: I would say that the “Most Hyped” threat discussed in the webinar would be Security Awareness. It’s the same threat we had 20 years ago. The only difference is that we still haven’t figured out how to articulate the success of a good Security Awareness program and, for those programs that are lacking, how to get people to pay attention to what they are doing, to start thinking about the potential harm that they could cause by certain actions, to believe that “it could happen to you”.
I think that this is one instance of vendors trying to push products when perhaps methodologies would prevail. It all comes down to changing people’s computing behavior – which is a very difficult thing to do – always was, always will be.
Has there been an issue not discussed in the webinar that has become a “thorn in the flesh” for CISOs?
Tim McCreight: We’re always concerned about some issue! I think we’re seeing another rise in malicious software trying to access our environments that could lead to APT investigations. I think as an industry we’re re-assessing data leakage and data protection schemes – the recent media coverage about how damning this can be for an organization is top of mind for many IT security professionals.
David Sherry: Certainly legal and regulatory compliance concerns continue to impact the role of a CISO, and there is some validity to the hype I have witnessed in this area. This leads me to think that the next wave of hype is to build a regulatory compliant data center or file storage system, which could satisfy the requirements of FISMA, HIPAA, and others. This is an area where a CISO can create great value for an organization.
Candy Alexander: The “thorn in the flesh” for many CISOs, myself included, is learning how to take the very technical issues and threats and translate them into a business risk. It sounds a lot easier than it actually is. A simple example would be: when you say to someone from IT, we need to monitor and lock down the outbound ports in our gateway to ensure we are protecting the environment from things such as bots and rogue applications, they get it.
Taking that same example and putting it into business terms that non-technical people can understand is tricky. Even more tricky is making it relevant to the business. CISOs must understand the business objectives, drivers and processes before they can even begin to perform the translation of technical risk into business risk in addition to it not being compliant to many regulations and compliance requirements.
Any other thoughts?
Tim McCreight: I’m still on the awareness bandwagon. I think we still have to engage our employees with meaningful and timely information on security threats, and what organizations can do to protect themselves from some attacks. I know others have stated that user education may not work, or target the wrong behaviour. Maybe we need to look at how we’re trying to educate our users, and the programs we’ve created. If they’re not seeing the participation we hoped for, why? Is it too dry, too technical, too boring? How can we get our message across and engage our stakeholders? I personally feel we, as a profession, need to reassess what we’re doing and where we need to go.
We also need to continue assessing risks facing our organizations, and bring this information to senior management for their decision making process. I’m seeing more organizations look at how they currently “do” information security, and realize that enterprise risk management principles are part of a new approach to InfoSec. I’m really glad to see this movement away from saying “no” to projects, and becoming a collaborative member of project teams.
Candy Alexander: I would say that “what’s old is new again” and we need to stay on top of the new – while using our lessons from the old.
The analogy is back in the ’80s, when we had terminals that had some local computing power – but all of the data was held in the data center. There was control of the data with access controls, backup and recovery. Over time, the data was moved out of the data center into the user’s control with the personal computer. We are just going in reverse now, taking the data from the local device back into a central location with Cloud Computing.
Let me explain how I think this works today. I believe we are on the verge of another technological change; a continuation of the mobile environment. Computing devices are getting smaller and more mobile, with some “desktop” computers being built that are the size of a deck of cards with a cost of $100. With reduced size and cost, information or data will be even more at risk due to its ability to be used or processed anywhere. Data is what everyone is looking to exploit, be it social security numbers, credit card numbers, health insurance/care information, etc.
Which means that we will need to look at how we can protect the data. That is where Cloud computing comes into play, whether it is public, private, or hybrid – we need to store it somewhere and protect it at the same time, and there is no better place to do it than a central location.