We all know that the role of the CISO is changing; we’re expected to have the professional toolkit of an astute business leader, technical guru and possess a PhD in PowerPoint. That’s all adding to the less well-documented challenges we face daily, irrespective of industry.
Challenge #1: Information overload
In the world of IoT, cloud, mobile and SaaS, the first challenge is we’re generating too much information.
The issue with detect and respond is that we’re now logging everything. To detect and respond, we need to know what we’re looking for. Loosely-coupled systems and point solutions exacerbate the issue. Logging in isolation does not fix the problem.
When discussing the use of threat intelligence in the context of terrorism, Bruce Schneier once wrote that we were in danger of having the same needle, just with a much bigger haystack. The same could be said for cyber-security. CISOs need reliable indicators of compromise and threat intelligence if they’re to find the needle in this ever-growing haystack.
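The needle-and-haystack point above is, in practice, a matching problem: a reliable indicator of compromise (IoC) is only useful if it can be run over the logs you already collect and turned into a short list of hosts worth looking at. The Python below is an added example, not code from the article or any product it mentions; the IoC feed, host names and log lines are constructed placeholders (RFC 5737 test addresses, example.* domains, an all-zero hash), and the log format is an assumed simplified proxy/EDR/DNS layout.

```python
"""Added example: match an IoC feed against collected log lines and rank hosts.

All feed values, host names and log lines are constructed for illustration;
none correspond to a real campaign or organisation.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed IoC feed (placeholder values only).
PLACEHOLDER_SHA256 = "0" * 63 + "1"
IOC_FEED: Dict[str, Set[str]] = {
    "ip": {"203.0.113.45", "198.51.100.7"},                 # RFC 5737 test ranges
    "domain": {"update-check.example.net", "cdn.example.org"},
    "sha256": {PLACEHOLDER_SHA256},
}

# Constructed log lines in an assumed "source host=<name> ..." layout.
SAMPLE_LOGS = [
    "2016-07-01T08:12:03Z proxy host=ws-114 dst=198.51.100.7 url=http://cdn.example.org/a.js status=200",
    "2016-07-01T08:12:09Z proxy host=ws-114 dst=93.184.216.34 url=http://www.example.com/ status=200",
    "2016-07-01T08:13:44Z edr host=ws-114 event=process_create "
    f"image=C:\\Users\\a\\AppData\\tmp\\setup.exe sha256={PLACEHOLDER_SHA256}",
    "2016-07-01T08:14:00Z dns host=ws-020 query=update-check.example.net type=A",
]

# Extractors for each indicator type; findall returns every candidate in a line.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
}
HOST_RE = re.compile(r"\bhost=(\S+)")


class Hit(NamedTuple):
    line_no: int
    host: str
    ioc_type: str
    value: str


def scan_logs(lines: List[str], feed: Dict[str, Set[str]] = IOC_FEED) -> List[Hit]:
    """Return one Hit per (line, indicator) pair where the value is in the feed.

    Only feed matches are kept; every other IP, domain or hash in the line is
    ignored, which is what keeps the output small when logging everything.
    """
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        host_match = HOST_RE.search(line)
        host = host_match.group(1) if host_match else "unknown"
        for ioc_type, pattern in PATTERNS.items():
            for value in pattern.findall(line):
                if value.lower() in feed[ioc_type]:
                    hits.append(Hit(line_no, host, ioc_type, value.lower()))
    return hits


def hosts_by_ioc_types(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Group hits by host, recording which indicator types fired on each."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for hit in hits:
        grouped[hit.host].add(hit.ioc_type)
    return dict(grouped)


def prioritised_hosts(hits: List[Hit], min_types: int = 2) -> List[str]:
    """Hosts where at least `min_types` distinct indicator types matched.

    Corroboration across network and endpoint indicators is a stronger signal
    than any single match, so these go to the top of the analyst queue.
    """
    return sorted(
        host for host, types in hosts_by_ioc_types(hits).items() if len(types) >= min_types
    )


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: {hit.host} matched {hit.ioc_type} {hit.value}")
    print("hosts to triage first:", prioritised_hosts(found))
```

On the constructed input the scan yields four hits out of four lines, but the ranking step reduces that to a single host (ws-114) where network, DNS-free proxy and endpoint indicators all corroborate; the DNS-only match on ws-020 stays visible but lower in the queue. Feed quality is the limiting factor: a stale or over-broad feed turns this into a second haystack, so feed provenance and expiry deserve as much attention as the matching logic.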
Challenge #2: Attacks are being sensationalised and regulations are forcing us to disclose
It seems that every cyber-attack these days is immediately attributed to a sophisticated state-sponsored campaign. This rhetoric feels like a means to placate the public; the view being that the attack was so complex that no organisation could have defended itself. We need to think about the tools, techniques and procedures that the actor is adopting. But in a world of cloaking and anonymisation, can we ever be truly sure who is attacking us?
Another consideration is the GDPR. A 72-hour window for the reporting of breaches will mean that companies will need to better understand their data-flows and have a more comprehensive view of the threat landscape. It is likely that such stringent regulation will force organisations to implement structured cyber-incident response plans with the goal of replicating attacks, understanding responsibilities and returning information promptly and accurately.
Challenge #3: Ransomware – the threat of 2016
Ransomware has become a profitable business for the bad guys. We’re seeing numerous affiliate schemes where criminals are leasing ransomware infrastructure to other criminals and taking a percentage of the profits. This evidences the same service-based model we see in all industries. With this framework, the barriers to entry are lowered, and more criminals are turning to ransomware.
A challenge for the organisation is ‘to pay or not to pay’? The cost to organisations could be high, although when compared to the costs of data loss, it is still a price they’re willing to pay. CISOs might adopt the moral high ground and call out that payment is supporting extortion, but at the end of the day, downtime costs money. In some cases, people’s lives are on the line. CISOs are starting to look at ransomware 2.0 – the logical evolution of ransomware is to target the myriad of network-connected appliances we’re calling the ‘Internet of Things’.
Challenge #4: Internet of Things – the ‘other’ threat of 2016
With the definition of ‘computer’ becoming more opaque every day, the race to secure corporate assets is on. It’s not just traditional office equipment such as printers and projectors we need to consider; it’s less obvious devices like the refrigerator and coffee maker.
All these devices create access points through which hackers can infiltrate a company’s network, and it’s for CISOs to implement a consistent set of security controls. The question is, if we’re not providing security assurance for all devices under our control, are we negligent if these devices start attacking other machines? Security used to be about protecting the confidentiality, integrity and availability of our data; have the tides turned? Does the CISO now need to worry about the protection of our critical internet infrastructure? If so, a significant paradigm shift will be needed in the way we approach cyber-security.
Challenge #5: I’m worried about DDoS-ing myself!
All employees now have phones, tablets and laptops connecting to the outside world and software-as-a-service applications. This is increasing the network demands of organisations.
The problem for CISOs is that their pipe to the web was not specified for such sustained volumes of traffic, and they are concerned that without bandwidth optimisation and packet-shaping technologies, the increased amount of traffic will prevent access to legitimate business applications.
For the security controls, this adds another burden. Can our security gateways cope with the increased throughput? If they can now, what about with the exponential growth of encrypted traffic? Often concessions around security controls have to be made just to keep the lights on.
Challenge #6: My board wants meaningful metrics
Central to these challenges and concerns is managing the expectations of boards that generally are not comprised of security professionals. Increasingly they are funding new cyber-security programmes and initiatives without understanding that, while these mitigate the risk of a breach, no framework is infallible.
Quite often, they don’t know what information they want or need. What they don’t need to know about are the 350,000 anti-malware alerts that demonstrate the tool they paid for is working. They simply need assurance that they have playbooks which are rehearsed and understood by all stakeholders.
Convincing the board of security credibility means being able to pinpoint what indicators of compromise look like, shorten the time from infection to identification, and reassure them that recovery from attacks will be swift.