Today, everyone is handling customer data, all industries have a web presence, and a breach has a catastrophic effect on stock price, shareholder confidence, and your board credibility. Granted, regulations in certain industries require prescriptive controls, but good security hygiene should not be reserved for those in government or financial services. The days of ‘we’re not a target of cyber criminals because we only sell x’ are long gone. Criminals vary from the state-sponsored looking for targeted intel through to the opportunistic seeking to make a few dollars.
As 2017 gets underway, here is a collection of CISO challenges that I see in the field. These issues are not reserved for a particular vertical; they apply to all organisations with a digital presence and sensitive information.
Challenge #1: Information Overload
In the world of IoT, cloud, mobile and SaaS, the first challenge is that we’re generating too much information. The issue with detect and respond is that we’re now logging everything. To detect and respond, we need to know what we’re looking for. Loosely coupled systems and point solutions exacerbate the issue. Logging in isolation does not fix the problem.
When discussing the use of threat intelligence in the context of terrorism, Bruce Schneier once wrote that we were in danger of having the same needle, just with a much bigger haystack. The same could be said for cyber security. CISOs need reliable indicators of compromise and threat intelligence if they’re to find the needle in this ever-growing haystack.
Challenge #2: Attacks are being sensationalised & regulations are forcing us to disclose
It seems that every cyber-attack these days is immediately attributed to a sophisticated state-sponsored campaign. This rhetoric feels like a means to placate the public, the view being that the complexity of the attack was such that no organisation could have defended itself. We need to think about the tools, techniques and procedures that the actor is adopting. But in a world of cloaking and anonymisation, can we ever be truly sure who is attacking us?
Another consideration is the planned breach notification legislation, likely to come into force later this year. This will require organisations to publicly admit when they have suffered a data breach. The impact this could have on their reputation and ongoing business operations could be very significant. Ensuring the best possible security protection mechanisms are in place is therefore vital.
Challenge #3: Ransomware - the Threat of 2016
Ransomware has become a profitable business for the bad guys. We’re seeing numerous affiliate schemes where criminals lease ransomware infrastructure to other criminals and take a percentage of the profits. This mirrors the same service-based model we see in all industries. With this framework, the barriers to entry are lowered, and more criminals are turning to ransomware.
A challenge for the organisation is ‘to pay or not to pay’. The cost to organisations can be high, although when compared to the cost of data loss it is still a price many are willing to pay. CISOs might adopt the moral high ground and call out that payment is supporting extortion, but at the end of the day, downtime costs money. In some cases, people’s lives are on the line. CISOs are starting to look at ransomware 2.0: the logical evolution of ransomware is to target the myriad of network-connected appliances we’re calling the ‘internet of things’.
Challenge #4: Internet of Things - the next big target
With the definition of ‘computer’ becoming blurrier every day, the race to secure corporate assets is on. It’s not just traditional office equipment such as printers and projectors that we need to consider, but less obvious devices like the refrigerator and the coffee maker.
All these devices create access points through which attackers can infiltrate a company’s network, and it falls to CISOs to implement a consistent set of security controls. The question is, if we’re not providing security assurance for all devices under our control, are we negligent if these devices start attacking other machines? Security used to be about protecting the confidentiality, integrity and availability of our data; have the tides turned? Does the CISO now need to worry about the protection of our critical internet infrastructure? If so, a significant paradigm shift will be needed in the way we approach cyber security.
Challenge #5: I’m worried about DDoS-ing myself!
All employees now have phones, tablets and laptops connecting to the outside world and software-as-a-service applications. This is increasing the network demands of organisations.
The problem for CISOs is that their pipe to the web was not specified for such sustained volumes of traffic, and they are concerned that without bandwidth optimisation and packet-shaping technologies, the increased traffic will prevent access to legitimate business applications.
For the security controls, this adds another burden. Can our security gateways cope with the increased throughput? If they can now, what about with the exponential growth of encrypted traffic? Often, concessions on security controls have to be made just to keep the lights on.
Challenge #6: My Board wants meaningful metrics
Central to these challenges and concerns is managing the expectations of Boards that are generally not composed of security professionals. Increasingly they are funding new cyber security programmes and initiatives without understanding that, while these mitigate the risk of a breach, no framework is infallible.
Quite often, they don’t know what information they want or need. What they don’t need to know about are the 350,000 anti-malware alerts that demonstrate the tool they paid for is working. They simply need assurance that there are playbooks which are rehearsed and understood by all stakeholders.
Convincing the Board of security credibility means being able to pinpoint what indicators of compromise look like, to shorten the time from infection to identification, and to reassure them that recovery from attacks will be swift.