Criminals: Motivated Primarily by Profit
It is a different day and age today than it was 20 years ago. The advent of big data has given rise to the big data criminal whose only goal is to disrupt for personal or ideological gain. The threat is comprised of three major threat actor groups: criminal, hacktivist and nation-state. The criminal is motivated primarily by profit. The hacktivist desires to make some political or social statement or to create a negative impact due to some social or political cause. Nation-state actors are generally motivated by espionage or a covert political statement and want to inflict damage, cause cyberwar or serve some other selfish interest. Some would include a category for corporate espionage, but that can fall under a criminal profit motive.
The most consistent threat for most companies is the criminal threat. The bad guys want money, and if you have something they can monetize, you can bet some opportunist is thinking about how to get to you. Criminals have also become more efficient. As an example, ransomware is an attack that can be launched indiscriminately, with the criminal not needing to do anything until contacted by the victim. This type of attack has grown from a nuisance to a serious threat to enterprise file systems.
Need to Build a Resilient Organization
In the face of increasing threats to IT, OT and IoT, security and risk leaders need to build resilient organizations that can withstand attacks and continue to attain enterprise objectives. What is your take on managing risk and delivering security in a digital world?
As long as there is technology and information, threats will emerge and morph. The criminal will continue to find ways around our defenses, and we must be in a continuous improvement mode. But it is important that we stick to the fundamentals of the security profession. We must conduct or refresh our enterprise risk assessment, define risk tolerance and tune our programs accordingly. A proper and mature security program is built to be resilient and to weather the storms of the “risk du jour.” If an organization has not built in that resiliency, it should be the first priority. Otherwise, it is not a program, but more a game of whack-a-mole.
Strategic Realization in a Safe and Secure Manner
With the advancement of technology, how would you describe the way your own role as CIO/CXO has changed in the past couple of years?
Change is not the word I would use; it is more of an evolution. The CISO has continued to evolve from a technical security person to a business risk executive as the profession and the need have shifted. In a mature organization, security is at the table during the development of the business strategy so it can enable strategic realization in a safe and secure manner. In the old days and in less mature organizations, security is on the tail end of strategy or initiatives and is forced to try to secure already-deployed or near-deployed technology. This is a no-win scenario because security is forced into a position of potentially making recommendations that go against potential business solutions, turning security into a department of “no.” Another potential challenge is that security goes along to get along, accepting a risk that could have been avoided.
Cloud Computing: Imperative for the Enterprise
Cloud computing is now a mission-critical part of the enterprise. Please share some lessons learned in securing your cloud and achieving compliance objectives.
A company’s cloud strategy must address the company’s risk tolerance and regulatory requirements. These factors may affect the type of cloud services used. For instance, a highly regulated company holding client personally identifiable information may not be able to use a public cloud or shared infrastructure. It may find that only a private cloud with heavy contractual language will fit its need. Of course, a private cloud arrangement could prove to be more expensive than internal hosting. The best arrangement in cloud service is where the data is encrypted and the key is held by the company rather than the provider. This arrangement provides much more flexibility to the company in meeting its regulatory requirements.
What are some of the other technologies you think should be adopted in the near future?
We need to continue to automate threat intelligence and the resultant automated protections. As mentioned previously, we need to broaden the ability of companies to use public cloud infrastructure but protect the data through encryption and key management, where the key is not with the provider.
• IoT: What are the barriers to using IoT in enterprise security vulnerability management? In the broadest sense, we do that now with vulnerability management appliances embedded in the network. While not generally thought of as IoT, both are single-purpose computing devices. The devices that are generally thought of as IoT devices are lightweight, small devices that serve a single purpose, such as DVRs, reverberators, etc. These generally have not been designed to be secured and in their present state are not securable; they just do not have the computing capacity. The National Institute of Standards and Technology (NIST) is working to publish standards to make IoT more secure. Until that issue is solved, they will not serve a security purpose.
• Big Data: Tech-savvy agents are buying data subscriptions and teaming up with firms that identify potential buyers using increasingly precise metrics to target prospective clients in competitive markets. So, how is real estate using big data to track clients? Industries are using data to profile customers and potential customers. This opens up a new level of privacy concerns that will continue to evolve.
Adopting a Recognized Framework
Companies must build an effective and defensible security practice. One reason that so many companies have adopted the NIST Cybersecurity Framework is that it is as near to a federally prescribed standard as anything. Although built with critical infrastructure in mind, it is a very adoptable and measurable framework. So, first it is important to adopt a recognized framework. Next, the maturity of the program should be independently assessed and then the recommended measures for maturity implemented.
The reality is that anyone can be breached, but if you have taken the appropriate and reasonable measures to defend based on your risk profile, you most likely have a defensible program.