Last month CIO Talk Radio celebrated Cyber Security month, and if there’s one thing we realized after all the shows and space we devoted to a discussion of security, it’s that security is not the issue of “best practices” and proper policies that it was just a few years ago.
The last time we participated in Cyber Security Month, our shows simply focused on strengthening defenses for education, healthcare, financial services and government, but now the CISO’s job has gotten significantly harder as more sophisticated attacks by Advanced Persistent Threats have made security a continually unchecked issue and as the CISO’s role has become enhanced to have a seat at the business table in dictating priorities.
We’ve gathered here and summed up the main points we’ve learned throughout the month. While some explore how security challenges remain tougher than ever while others are ready to move beyond perceived vulnerabilities, all amount to essential listening and reading for the curious CISO.
Cyber Espionage, APTs and Enterprises
The complexity of APTs has raised a red flag in the enterprise CISO community. Because all companies stand to be at risk and no amount of security may be enough to defend against these attacks, our guest Michael Wilson, the VP and CISO of McKesson, said that this is a corporate social awareness issue pertaining to all organizations. “We all survive or fail together,” he said. “Sharing information to understand what is happening in the context of the moment; they have to happen at the same time,” Wilson said. “How as a group of companies across borders can we share information to combat threats?”
Baby Proofing Enterprise Security
As an analysis and addendum to “Cyber Espionage, APTs and Enterprises,” it became clear that security is something of an unchecked issue. The CIO can throw plenty of money at the problem and APTs and espionage tactics make it an ever growing issue. It’s as though we’ve been “baby proofing” enterprise security, banking on ultra sophisticated defenses in the hopes that no one ever gets a scratch.
But it’s simply not realistic, and the key now for CISOs is to determine how best to respond when faced with a crisis or how to detect a breach quickly and mitigate damage. The shift has to move away from technical security to risk management, and it signals a shifting in priorities for the CISO.
Combating Retail Security Challenges
The challenging trade-off in retail regards the speed of the point of sale transaction and the time it takes to make that sale secure. Retailers are now experimenting with tools that can accelerate the POS transaction, and our guest Richard Hollinger, a Professor at the University of Florida in Gainesville, said that retailers may soon be paying for it. Very simply, if the customer doesn’t feel secure, they likely won’t return.
“My worry is that we’re not doing baby steps,” Hollinger said. “We’re doing giant leaps and we’ll leap back when there’s a giant public relations issue, and it won’t take much to get to that point.”
Is Cloud Security Still an Issue?
Cloud security has finally surpassed clichéd expectations about its vulnerability, so says Michael Nance, a CISO for Lockheed Martin. He says that while cloud may not be as equipped to handle highly sensitive data, clouds show great promise with collaboration interaction and streamed and transactions data.
But there is more potential to strengthen cloud security as the technology continues to develop, and Nance claims visualization is the key, “I would love to have a comprehensive and a private data tapestry that adequately visualizes those data threads across petabytes of data so that I can readily detect pattern disturbances based upon visualization,” Nance said.
Getting past BYOD Security Fears
BYOD may just be the new WiFi. There was a lot of fuss over its security when it was introduced, but given the right policies, it’s becoming less of a security issue. Our guest Elayne Starkey, the CSO of the State of Delaware, said it’s crucial to find the “sweet spot” of access and security, explaining that the stingy CSO will pay the price when the users themselves find creative ways to get past policies and to avoid carrying three separate devices on their hips.
“We need to find a way to support employees in the way they want to do their work and make it secure,” Starkey said.
Still on the horizon in the coming weeks
“Government’s Ongoing Battle with Cyber Warfare”, a show that explores how nation states are utilizing cyber attacks as a form of national defense and what those tactics mean for the public’s privacy. A blog post by OXFAM CIO Peter Ransom on “The Security Money Pit”, responding to the point made in the “Cyber Espionage, APT and Enterprises” show that the CIO will continually throw money at this unchecked problem.
“Cloud Enabled Security,” a Viewpoint in our Cloud Reimagined series that asks the question, “Could we use cloud to actually make our enterprise security stronger?”