How the Year of the Security Breach is Affecting the Evolving Role of the CISO
Bryan Casey (BFCASEY@US.IBM.COM) | Tags: breach report, CISO, X-Force, 2011 trend, IBM security
When it comes to security, the challenges we face today are, in many ways, familiar business and IT challenges. Based on the events of the last year, two really significant questions have come to the forefront of the security conversation. The first is around the level of investment and how to more strategically prioritize both spend and skills. The second is around the nature of the technology conversation. Today, we need to focus more on not just buying the latest and greatest, but making sure the latest and greatest is properly deployed, configured and, as networks and IT environments change and grow, that the corresponding security technology is updated appropriately. In other words, security needs to be managed more effectively.
In the IBM X-Force Trend and Risk Report published today, we wrote extensively on what we're calling the "year of the security breach." Over the course of the last year it seems like every week has brought with it a new headline, and the landscape of attackers has become as diverse as the organizations they target. We are seeing everything from targeted state-sponsored attacks, to organized crime, to politically and socially motivated attackers, to those motivated by notoriety. While each of these groups has a different set of skills, tolerance for risk and ultimate objectives, the impact they have had on businesses has been significant across the board. You might expect that the most sophisticated attackers have been responsible for the most damaging attacks, but that isn't necessarily the case. Many inexperienced attackers who use automated tools (which often come complete with help and support) have been extremely successful at stealing information and damaging organizations, both financially and otherwise.
For a long time, many circles came to view security as a technical challenge. How good is my IPS? Is it vulnerability or exploit based? How effective is my patch management strategy? How am I successfully on-boarding and off-boarding users? What techniques am I using during application development to ensure I'm not introducing new security vulnerabilities?
Since then the world has changed a lot, and it did so without changing much at all.
We've seen an incredible number of breaches over the course of the last year, but oftentimes at the hands of attacks that are anything but new. In the vast majority of these cases, the technology to prevent these incidents is commercially available. This reality is forcing us to ask the question: if the technology isn't the problem, then what is? At this point, what we are really left with are questions of investment and process, and these are not technical challenges, but rather business and risk management challenges. The ability to manage risk effectively is important because in today's world there is no such thing as complete security. If there were, and you could buy it, we wouldn't be having any of these conversations. The reality is that because you can't achieve perfect security (much less buy it), you need someone to make strategic business decisions about where to focus your spend and skills. In this way the job description of today's CISO is becoming less technical, and more focused on strategic business objectives and outcomes.
Additionally, many new technologies today are making it easier to connect and compute, and that general trend of connectivity and shared resources is also introducing new risks. How can we effectively balance openness with security? Cloud and mobile are transformational platforms, but to adopt these technologies in the workplace we need to be confident in their security capabilities. As the promise and value of these technologies is so significant, instead of saying "no," it is becoming the responsibility of the CISO to figure out the "how?"
The events of the last year have shown us that changes need to be made in the way many organizations manage security. Security needs to be handled as a strategic business challenge requiring ongoing evaluation and management, not as a one-time assessment or investment. As security becomes a more ingrained element of business and IT transformation, we expect the role of the CISO to evolve accordingly.
Download the Trend Report here.
Read more about our thoughts on the Evolving Role of the CISO here.