
Cyber-security and the Chief Information Security Officer (CISO)

March 3, 2013

Last week at RSA Conference 2013, I had the opportunity to attend some Chief Information Security Officer (CISO) round-table sessions (or the RSA version of it with ~100 people crammed in cramped seats staring at 4 CISOs on stage and praying that a fire alarm doesn’t set off a mad rush to the exits). Here is what I took away:

Image: Investing in CISO budget after a breach

What is a CISO’s job all about?

  • Predicting potential risk exposure to the firm and keeping the CEO’s name off the front page of the New York Times.
  • Responding to the Board’s concerns about enterprise risk management, and reducing the risk to your CEO of a “material weakness” finding in internal controls.
  • Building business relationships with the CFO so that CISO budgets can be linked to corporate goals like innovation.
  • Educating the C-suite on how to present the firm’s risk profile to shareholders and customers.
  • Determining the level of risk that is acceptable to the firm as a cost of doing business.
  • Dealing with shrinking budgets and intense scrutiny over new head-count in the CISO team.
  • Using “loss avoidance” rather than ROI to get approval for projects such as Advanced Persistent Threat (APT) detection, Distributed Denial of Service (DDoS) defense, and big data. This could involve explaining to the CFO how the cost of a project is far lower than the cost of a data breach.
  • Operationalizing cyber threat indicators to drive product selection, investments and training.
  • Addressing the Bring Your Own Device (BYOD) issue.
  • Working effectively with internal auditors who may often overstep their bounds in interpreting regulations like HIPAA or Sarbanes-Oxley (SOX).
  • Managing up so that the Chief Technology Officer (CTO) or Chief Information Officer (CIO) will go to the C-suite to get you the budget you need.
  • Tying CISO projects to network availability or uptime.
  • Using technologies like Data Loss Prevention (DLP) to detect data loss via email.
  • Building security into home-grown applications by adopting secure-coding guidelines at the start of an internal project rather than after the fact.
  • Sharing threat intelligence on topics like DDoS attacks across the organization and between like organizations.

What causes the most angst among CISOs?

  • Dealing with geographically dispersed sales people.
  • Having to effectively educate employees on proper security as opposed to relying solely on technologies like encryption.
  • Having to build high-performance teams of the best individuals with expertise in Virtual Desktop Infrastructure (VDI), application virtualization, data-flow mapping and business-flow mapping.
  • Lack of visibility into the pedigree and origin of internal hardware and software.
  • Creating contingency plans for legacy apps (especially in sectors like healthcare and education) that may not work with VDI and Citrix.
  • Projects like encryption and two-factor authentication (two of three factors: something you know, something you have, and something you are).
  • Developers who try to outsource bug management to the CISO and to technologies like a Web Application Firewall (WAF) instead of doing internal code reviews! Developers must understand that the WAF is for dealing with legacy code which cannot be rewritten in a cost-effective manner, not a substitute for fixing bugs in code they still own.
  • Identity and Access Management (IAM) projects which have seemingly no end in sight.

What causes the least angst?

  • Security for mobile devices – every vendor and his brother is offering a solution in this area.
  • Noise around newly minted marketing terms like “big data”. Vendors don’t seem to realize that it is not big data itself but big data analytics, and the resulting insights, that are of use.

What challenges do CISOs face today?

  • Fraud detection and IT security groups working in silos, with little or no interaction.
  • Info-sec and audit departments not always in lock-step.
  • Responding quickly to cyber-attacks and implementing damage control.
  • Moving big data systems into the cloud as the economics of the cloud become more compelling.

What is most interesting to a CISO?

  • Micro-virtualization capabilities where a micro virtual machine traps malware and analyzes it for the IT administrator.
  • Industry wide ways of dealing with cyber-threats.
  • The context around big data. For instance, while enterprise storage vendors would love to see you collect and archive petabytes of big data blindly, the CISO is more likely to use geo-location and HR data for correlation, and unlikely to see value in collecting and archiving such data for extended periods without a specific question in mind.