CSOs need to be more introspective about their business

The CSO of identity management vendor Okta says that security professionals need to do a better job of understanding their organisation’s wider business before presenting their risk assessment to upper management or at board level.

In an interview at the company’s annual Oktane conference in Las Vegas, David Baker argued that the board is unlikely to take the CSO “seriously” if they are not prepared to say why their security recommendations are more important than other priorities within the business.

“CSOs need to be very introspective about the business and ask themselves, if they make their organisation spend a certain amount of money to fix a particular security risk, how is it going to impact the business as a whole? Why is it more important than not hiring this person, or why is it more important than not doing this product feature, and so on? That’s where oftentimes the CSO is lacking,” Baker says.

“If the CSO can’t answer that then the board will simply assume that they don’t really know what the risks are because the risks are inherent to the business and the business includes many facets.”

Baker noted that the secret to security success for large companies comes from simplifying operations, outsourcing as much as possible and keeping applications password-free.

“Keep operations simple by automating how things are built, which might be public cloud or building your own private cloud. Regardless of the cloud model, you now have a means by which you can buy a thousand hardware servers and just plug them in and then go operate them all as if there were just one machine. Having automation is very good because it requires fewer people, which means you have fewer decision-makers that can make the wrong decision.”

“Secondly, outsource as many operational tasks as possible.

“You don’t necessarily need to configure and run an Exchange server or run an Active Directory server, both of which can be accident-prone, and it is hard to find people who know how to do it really well. So you might go to Office 365 or Google and have them run your backend business, which includes email, documents, file sharing and so on. These are things that, if you’re running them in-house, become an attack vector. So going to the cloud for those commodity types of applications is a big advantage.”

Slack’s CSO, Geoff Belknap, echoed a similar sentiment, stating that there is “no inherent risk with using public cloud” so long as it is approached with a non-traditional mindset.

“If you approach public cloud as if it’s the same as your data centre, you will make mistakes. If you approach it thoughtfully and think about authentication, about how you manage change and how it’s different, I think you will find a lot of the simple mistakes you can make can be addressed by automation.”

Rapid7’s CSO, Josh Feinblum, however, urged organisations to “demand better” from vendors by talking to them directly on the phone or in person instead of relying solely on spreadsheets and questionnaires.

“Get the vendor to explain their security organisation to you, how their two-factor authentication is set up in the backend, what their network segmentation looks like,” says Feinblum. “Tell them, I’m not signing on the dotted line till you provide a commitment to me that you have two-factor authentication everywhere and jump hosts, because, if not, it means basically anybody that wants to target you can steal my data.”

David Baker agreed with Feinblum on the importance of using an SSO (single sign-on) product in conjunction with two-factor authentication to keep the user environment password-free.

“Those are really easy things that you can do to increase your security posture,” Baker concluded.