CSOs demanding more from cybersecurity tech

CSOs and CISOs are becoming more powerful, and their wielding that power to demand more from their technology vendors, to throw out underperforming tech, and to take more risks on new and innovative approaches

CSOs and CISOs are becoming more powerful, and their wielding that power to demand more from their technology vendors, to throw out underperforming tech, and to take more risks on new and innovative approaches.

Boards are genuinely more concerned about cybersecurity issues, said Larry Ponemon, chairman and founder at Ponemon Institute. And budgets have been rising to match.

Over the past 10 years, cybersecurity budgets have increased by 593 percent, he said, adjusted for inflation, though 493 percent of the increase is a result of a shift of spending from other areas of technology.

That has emboldened CSOs and CISOs, he said. "It's really changing the nature of IT security spending."

Shorter product lifecycles

For example, companies are less likely to make long-term bets on any one security technology.

"CISOs are more focused on measuring results and replacing technology that's not delivering," said Todd Inskeep, advisory board member at the RSA Conference. "The most mature companies have realized the pace of technology means three-year cycles are becoming standard."

In fact, he said, some technologies have even shorter lifecycles.

For example, this summer Gartner recommended that companies re-evaluate and potentially replace their mobile device management capability every 18 to 24 months.

[ ALSO ON CSO:  Why security leaders must seize the opportunity to implement cloud and improve security ]

"We don't do five-year contracts anymore," said Alissa Johnson, CISO at Kalamazoo, Michigan-based Stryker, a Fortune 500 medical technology firm. She is also a former deputy CIO to the White House. "We've got to be agile, we've got to be flexible, so that if something happens, we have the ability to bring someone else in or look at new products."

Senior management is behind her, she said, with a heightened awareness of cybersecurity from both senior executives and board members.

"The board members are sitting on multiple boards, so they come to a board meeting already prepared for a discussion of cybersecurity because they've heard it on other boards," she said. "At least one of those companies have been affected by some type of cyberbreach or incident."

Ready to switch

Houston-based healthcare provider Kelsey-Seybold Clinic still has five-year technology cycles for some types of technology, such as storage and infrastructure. But when it comes to security, three-year horizons are more the norm.

And the organization, which serves about half a million patients in 19 locations in the Houston area, is more willing to pull the plug on underperforming systems.

"We've demonstrated willingness to push one piece of technology out and bring another piece of technology in," said Martin Littmann, the company's CTO and CISO. "If I look at the antivirus space, the McAfee suite has served us pretty well but I think they're behind in terms of their practice, so we look at doing a three-year maintenance renewal or a one-year maintenance renewal."

Littmann reports to the executive staff, and the board, all of whom are practicing physicians. But even though they may not have a technology background, they are becoming more and more educated on cybersecurity, he said, both as a result of his own efforts and because of the recent space of high-profile data breaches in the healthcare space.

[ ALSO ON CSO: Millions of records compromised in these data breaches ]

This has made the clinic's leadership savvier about implementing security technologies, both within and outside the budget cycle, he said.

"As the threat actors evolve in their methods and capabilities, we have to evolve the technology to keep up," he said. "It's an arms race."

Ironically, although budgets are growing, companies are also becoming less tolerant of waste, said Ponemon.

Take, for example, shelfware, he said. That's what happens when a company buys a technology product that might be best of breed but does not integrate well with existing systems, or that a company doesn't have the in-house expertise to deploy correctly.

"Organizations are thinking about who's going to implement it, who's going to monitor it," he said. "Security technologies are very complex tools and if they're not implemented well it's not going to do what you think it's doing and you may miss some catastrophic type of attacks. We're seeing more and more organizations saying, 'If we're going to buy a specific technology, we're also going to hire people to run that technology or buy a managed service.'"

Looking for new approaches

To stay ahead of new threats, cybersecurity leaders are also more willing to take a chance on new technologies, new approaches, and startups.

"We always have to be proactive and be ready and anticipate," said Stryker's Johnson. "That's what the boards want -- they want us to move before anyone else moves, be ready, be agile. The ecosystem is changing constantly."

For example, Stryker has found that its users have been switching to cloud services at a fast pace.

"This is a problem that you will hear from most CISOs," she said. "We not only have to secure our endpoints, but we've got to keep hold of the data, and it's hard to contain, hard to keep within a certain scope. I remember back when you were defining your security perimeter. There is no security perimeter any more!"

In November, Stryker is deploying technology from Skyhigh Networks to warn users about unapproved cloud services and suggest corporate-approved alternatives.

For example, the company has decided on Office 365, and users will get a few months to move all their documents from other platforms to Office 365.

Other cloud services will have a shorter transition period.

"If it's a URL shortener, the cooling off period might be a bit shorter, because there is no good business case to continue it longer than a month or two," Johnson said.

After that, employees will no longer be allowed to use unsafe cloud providers, she said.

"Cloud technology is a technology that is here, has proven to be helpful," she said. "But it has to be done securely."

Other new technologies that companies are starting to look at involve threat-sharing and intelligence tools, according to Ponemon.

"When you have a budget, you can do more things," he said. "And one of the beneficiaries of the new budgets are some of the smaller emerging companies that have a great tool."

Copyright © 2015 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)