Why the CISO needs security analytics
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM | | Tags:  analytics 2012 pulse security data ciso
0 Comments | 4,747 Visits
Much has been made about the topic of security intelligence over the course of the last few weeks, especially in light of IBM's recent announcements around the integration of the QRadar Security Intelligence Platform with our other core security competencies such as endpoint management, threat mitigation, database activity monitoring, identity and access management and application vulnerability scanning. We've talked a lot about the technology that surrounds the security intelligence world, but to me one of the most interesting elements of this discussion is around the people who actually deploy and use the technology every day.
Yesterday I was listening to John Kindevag of Forrester research talking about the things we need to do to "get off the reactionary hamster wheel of security." What does this mean? Well, at a high level, it means what any security professional would expect it to mean, which is that we need to stop fighting the losing battle of reactionary security. Now, that doesn't mean there won't be incidents you need to react to, because that will always be the case. Rather, he provided a set of ideas around how to more proactively and comprehensively address security, and an incident response plan was certainly an element of this. While incident response is certainly about reaction to events, it can still be a part of a pre-established plan around security.
There were five main discussion points that John had:
1) That the security leader will need to evolve from a technical leader to a more strategic player in organizations
2) That we should embrace a 0 trust model
3) The need to better understand, control and even "kill" your data
4) Embrace security analytics
5) Plan for failure
What stuck out to me was the relationship between the topics of security intelligence/analytics and the way we see the job role of the CISO changing. To begin with the CISO, John started a lot of this discussion by talking about how the security team, basically by necessity, has to be some of the smartest people in your entire organization. The amount of complexity they need to deal with, using limited resources, is at best a daunting task. However, John also said that the CISO can no longer be just the technical leader, they need to be a strategic business leader, and in doing so, open up new opportunities, and maybe even budget for their organizations.
What struck me most though was the sense that the security team will also need to be among the most tenacious groups in order for them to be successful. On the one hand that does mean fighting for budget and resources, on the other it means an attitude change to "we sweep nothing under the rug." John mentioned a few discussions he had where organizations didn't have the mechanisms in place to understand if they had been breached, and in some cases, the lack of insight was driven by a sentiment around "what we don't see, we don't have to spend time and money fixing." Two things jump to mind here, one is the need for measurements around security success that go beyond the breach (and as John would also add, are not about cost savings) but also the need for organizations to embrace the idea that they need to see everything that potentially impacts their security posture. This is where security analytics come into play.
Earlier in the day yesterday, before John spoke, Brendan Hannigan, the GM of IBM Security Systems, also delivered a talk around security intelligence and he joked with the audience about how they were logging more then they knew what to do with, and IBM was going to ask them to bring in more. Like John, Brendan was arguing for the need to see more. However, both men also realize that we reach a point very quickly where the volume of data we have is not possible for a human to analyze and then do something with. For that reason, organizations need security technology, such as the QRadar Security Intelligence platform, so that we can distill, using analytics, vast amounts of data into a smaller, more manageable number of security events that require investigation.
John closed with some thoughts around how important the profession is in general. This is something that I think anyone would agree with, especially as more and more of our lives are lived through various digital channels. Today's security leaders are responsible not only to their own business, but also for the sensitive personal information of their clients/customers, or in other words, when taken as whole, basically everyone in the world.
To read more, IBM is doing a series of papers on Security Essentials for CIOs over the coming months, and that series can be viewed here.