2016 has been a tough year for IT security and the trend seems to be continuing into 2017. We have now become accustomed to groups such as Anonymous that have wreaked havoc on a number of large government and corporate organisations. A new frontier in cyber threats has opened. The driver for cyber intrusion is no longer fame, but theft of intellectual property, financial information, blueprints and other classified information for financial gain.
Within this article, I will cover five challenges that are currently facing CSOs and suggest some solutions to these.
The Ever Increasing Threat Landscape
Problem: The threat landscape seems to be growing exponentially. The rise of Advanced Persistent Threats and cyber espionage, as well as new and emerging technologies such as IoT, has opened up a new frontier in cyber threats where the driver for cyber intrusion is no longer fame, but is more geared towards the theft of Intellectual Property and similar assets for financial gain. We have all heard about Stuxnet, Duqu and Flame. These changed the face of modern warfare and propelled it into the cyber age. Considering these new threats begs the question – what do we do?
Solution: The game may have gotten tougher, but it is still the same game. In order to mitigate these threats, organisations need to take a methodical approach to IT security. A simple security framework, such as one described here, along with intelligence-led security would help. Start off by referring to and using a globally accepted standard such as the ISO 27000 series or CoBit. Using the guidance and controls contained within these bodies of knowledge, perform a risk analysis to assess how strong your organisation’s security controls are compared to how strong they should be as described by these standards.
Taking a risk-based approach is critical to IT security as it is often hard to justify IT security spend. IT security is like insurance – we seldom see the benefits as we are spending money to avoid ‘something’. That is why it is important to understand what it is that we are avoiding and, if this event occurred, what the cost to the business would be. Also ensure that you understand what you are protecting and why. Classify your information, at least at a high level. Understand what this information is and how critical it is to your organisation. Without this understanding a risk analysis becomes very difficult to conduct as you do not know what you are protecting and why. The why is important as well, as this is what you use to determine the controls that you need to apply to protect the information. There is no point spending more money to protect the information than it is worth.
Once you have identified the control gaps in your organisation, put a security roadmap in place to address these. Treat this activity like a program of works with the appropriate discipline applied. Link each initiative and project to clearly defined business outcomes and measure and demonstrate Return on Investment in terms of the risks that are being mitigated relative to the value of the information being protected. The project is likely to span 18-24 months and should cover people, process and technology.
Once you have remediated the gaps, then the real work begins. There is a famous saying that the wise look for the next highest mountain to climb once they have conquered one and the next process is not too dissimilar! Once you have addressed the gaps then the maintenance phase begins. Ensure that you have a plan in place to monitor your security environment for threats 24x7 so that you can activate the relevant countermeasures.
It is also important at this stage to engage in what is called intelligence-led security. Simply put, it is about having relevant intelligence about threats and vulnerabilities related to your environment and protecting yourself against them. There are many organisations that provide very useful threat information, including from sources such as the open, deep and dark web. Importing this information along with your vulnerability information into your Security Information and Event Management (SIEM) tool will allow you to detect threats faster and much more accurately. This process will greatly enhance your capability to pick up Indicators of Compromise, the investigation of which can prevent or minimise damage. In addition to this, it is important to have a robust response plan in place as breaches can and will occur!
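To make the SIEM point concrete, here is an added example (not code from the article or from Unisys) of the correlation logic a SIEM rule performs: it matches outbound firewall log lines against a threat-intelligence feed and raises the alert priority when the source host is also carrying a vulnerability that the matched threat is known to exploit. The feed, the scanner output and the log lines are all constructed here, and the vulnerability tags are placeholders rather than real CVE identifiers.

```python
import re
from dataclasses import dataclass

# Constructed threat-intelligence feed: indicator -> threat name and the
# (placeholder) vulnerability tags that threat is known to exploit.
THREAT_INTEL = {
    "203.0.113.45": {"threat": "example-banking-trojan", "exploits": {"VULN-PLACEHOLDER-A"}},
    "198.51.100.7": {"threat": "example-ransomware-c2", "exploits": {"VULN-PLACEHOLDER-B"}},
}

# Constructed vulnerability-scanner output: host -> unpatched weaknesses.
VULN_INVENTORY = {
    "10.0.1.15": {"VULN-PLACEHOLDER-A"},
    "10.0.1.22": set(),
    "10.0.2.9": {"VULN-PLACEHOLDER-B", "VULN-PLACEHOLDER-C"},
}

# Constructed outbound firewall log in a simple key=value format.
FIREWALL_LOG = """\
2017-01-12T10:01:02Z src=10.0.1.15 dst=203.0.113.45 dport=443 action=allow
2017-01-12T10:01:05Z src=10.0.1.22 dst=192.0.2.10 dport=80 action=allow
2017-01-12T10:02:11Z src=10.0.1.22 dst=203.0.113.45 dport=443 action=allow
2017-01-12T10:03:40Z src=10.0.2.9 dst=198.51.100.7 dport=8443 action=deny
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+ action=\w+$")

@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    indicator: str
    threat: str
    priority: str  # "high": host is exposed to the threat's vuln; "medium": contact only

def correlate(log_text, intel, inventory):
    """Match each log line against the intel feed; raise priority when the
    source host carries a vulnerability the matching threat exploits."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than stall the pipeline
        hit = intel.get(m["dst"])
        if hit is None:
            continue
        # Even a denied connection to a known C2 is an Indicator of Compromise
        exposed = bool(inventory.get(m["src"], set()) & hit["exploits"])
        alerts.append(Alert(m["ts"], m["src"], m["dst"], hit["threat"],
                            "high" if exposed else "medium"))
    return sorted(alerts, key=lambda a: (a.priority != "high", a.timestamp))

if __name__ == "__main__":
    for a in correlate(FIREWALL_LOG, THREAT_INTEL, VULN_INVENTORY):
        print(f"{a.priority.upper():6} {a.timestamp} {a.host} -> {a.indicator} ({a.threat})")
```

Running it yields two high-priority alerts (hosts that both contacted a known indicator and are exposed to that threat's vulnerability) ahead of one medium-priority alert, which is the ordering an analyst queue should present.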
An important part of the maintenance phase is to review your environment regularly through activities such as a risk analysis, vulnerability analysis and penetration testing at least every six months to ensure that nothing has deteriorated. Pay particular attention to user education, as users can usually be the weakest link in the chain (think ransomware attacks!), and to disaster recovery considerations, as if the worst were to happen you will need a plan to bring things back up again. Only with this methodical approach can you thwart the ever increasing risk of cyber threats.
More Compliance Burden
Problem: PCI DSS (Global), Mandatory Data Breach Disclosure Laws (Australia), Cybersecurity Fortification Initiative (CFI) (Hong Kong) – the list goes on. With so many compliance requirements now being heaped on organisations, how does one stay on top of these? The questions that arise include:
- What do all of these mean?
- Do they apply to me?
- What do I need to do to comply?
- How should I budget for these?
- Where can I get resources to achieve compliance?
- How do I keep the rest of the IT function going?
Solution: The reason why I have spent a bit of time on the previous section is that all of the above can largely be covered by the process described above. Compliance only becomes a burden if it is treated as a ‘tick box’ exercise and not integrated within the overall security framework. A robust security framework will more than cover any compliance requirement. Compliance requirements typically only specify minimum standards whereas a security framework should be geared to achieve more than this. And if you are failing to meet your compliance requirements, then you are not protecting your IT environment adequately and a security framework is either not in place or implemented incorrectly. So the trick here is to integrate your compliance requirements into your overall security framework. Satisfaction of these requirements, including resourcing and budgeting for them, will be achieved as a by-product of your security framework.
Having to do more with less
Problem: The GFC saw a worldwide squeeze on IT budgets and this trend just never went away! Unfortunately this has become a double-edged sword as, while budgets are being constantly squeezed, security threats are ever increasing. Interestingly enough, there is a correlation between a weak global economy, high unemployment and cybercrime. All of a sudden you have a whole bunch of talented people with no source of income, with some of them turning to crime as a means of supporting themselves. So the question arises – how do we balance IT and IT security needs, and the books, at the same time?
Solution: This particular issue requires an innovative approach. I have seen some companies leverage a combination of onshore and offshore resources to support the entire employee base. Today CIOs and CSOs can explore a structured global sourcing approach. With a combination of onshore and offshore resources, balance in terms of cost and security can be achieved. Specify relevant performance and security standards and outsource the ‘rudimentary’ components. Maintain some onshore resources to perform governance over the work performed offshore to ensure quality and security. Remember – the key to a good outsourcing methodology is to outsource the work, not the accountability so that you stay in control. A similar model lends itself well to managing and monitoring security logs and events. It is often cheaper to use a specialist provider of managed security services who can lower costs by providing a cost leveraged model as opposed to having these costly resources in house and having to retain them.
Lack of Skilled Resources and Staff Retention
Problem: IT security resources tend to be quite scarce in the market and costly. Furthermore, due to this scarcity, these resources move about in the market quite a bit. Finding scarce resources and then having to replace them can be quite a costly and time consuming exercise.
Solution: Implement a talent recognition program and an employee development program that recognise and reward performance above market standards. Remember, monetary rewards alone will not retain staff. Providing an interesting environment to work in and other non-monetary benefits such as flexible working hours, gym memberships, etc. will go a long way towards retaining key talent. Security staff tend to be hungry for knowledge, so having a good staff training and development program is essential. Having well engaged staff has its benefits as they tend to stay and spread the word, which in turn helps attract more talent into the organisation.
Consumerisation of IT and New Technologies bringing New Challenges
Problem: The last 12-24 months have seen a number of consumer IT devices creep into the organisation. Many of us have staff walking around with personal iPhones, iPads, etc. that are connected to the corporate environment. Furthermore, related to the above point, it is almost mandatory to allow staff to bring their own devices into work in order to retain them! Add to this the cloud phenomenon along with IoT and you have a paradigm shift in IT security that requires a completely new approach, as outlined below.
Solution: Bring Your Own Device (BYOD) requires a layered approach to security. Having robust policies in place that are clearly communicated to staff is key to ensuring that staff know their obligations and do not put corporate information at risk. Providing some level of security on the end devices is required as well. Technology in this space is maturing and there are a variety of Mobile Device Management (MDM) solutions in the market that can help. And finally, secure your internal network and corporate assets. Treat all user devices as untrusted machines and segregate your corporate information accordingly using technologies such as microsegmentation.
IoT devices require security built into them by design. It is important to ensure that the devices are built with appropriate authentication, authorisation, accounting and encryption controls in place. As you can see, the same basic controls as before are applicable here. It’s just a matter of applying them! The complexity arises from the fact that IoT devices tend to be made and managed by non-IT personnel who may not understand the IT security controls that need to be applied. The convergence of IT and OT has led to its own set of issues, and these can only be resolved by IT and OT teams working together and implementing the required IT security disciplines at the design as well as the maintenance phases.
The other item I touched on earlier was cloud. It is important to take a business and risk driven approach to cloud adoption. Understand the value of your information. Understand the controls you need to apply to protect it (as dictated by the security framework discussed earlier) and only put information in the cloud that can be secured to the standards that you dictate. Without a doubt there are cost savings to be had, but make sure you have considered the following risks:
- Non-compliance with Privacy and other relevant laws
- Loss of Intellectual Property
- You will be subject to local laws where data resides – data protection laws, redress issues
- Ambiguity surrounding data ownership esp. upon sale or bankruptcy of provider
- Lack of a robust infrastructure and/or DR provisioning
- Complexity and lack of control when logging and monitoring data
- Adequacy of security over data
- Separation from the cloud provider’s other customers
Within this brief article I have tried to cover what I believe are the top five key challenges facing CSOs today. With considered and careful effort, these issues can be overcome and could be turned into an opportunity for the organisation if managed well.
Ashwin Pal is the Unisys Director of Security Services responsible for Unisys’s security business in the Asia Pacific region.