What Should CSOs’ New Year’s Resolutions Be in 2019?
Forget the gym and ditch the diets. They won’t keep your business safe. What New Year’s Resolutions should chief security officers be making in 2019?
Dr Cade Wells, business development manager at CENSIS
“Identify, review and manage your Internet of Things (IoT) devices. We saw another increase in the number of IoT cyber security issues in 2018. These ranged from enterprise devices, such as IP cameras, launching DDoS attacks to a casino’s IT system being breached through an aquarium thermometer. We’re likely to see another increase in the number and diversity of attacks on IoT next year.
“To help protect your organisation, first identify and inventory all of the IoT devices attached to its networks. Then, review and assess each type of device for risks, such as their attack surface size. Finally, manage your IoT devices through better configuration of passwords, network infrastructure, ports and services, and monitor your devices for unusual behaviour. As an extra half-resolution for 2019, let next year pass without your organisation being hacked via the latest ‘bring your own device’ IoT gadget, bought online on the spur of the moment!”
Chris Hodson, CISO, EMEA, Tanium
“Security teams currently obsess over either the left or the right side of the cyber-risk equation, focusing on threat actors who could invoke an event or the vulnerabilities which could be exploited. In 2019, we will see an increasing emphasis on business resilience, specifically a greater consideration of how the actions taken to balance the equation could disrupt the operations most important to a business. Right now, lots of cybersecurity tools are being thrown at vulnerabilities, without understanding how the knock-on effect could play havoc with existing infrastructure dependencies.
“To solve this issue, we will see a rise in ‘selective defence’, with companies preparing for the breaches that will impact the areas of the business that they care about most. Business executives will have responsibility for defining the applications, systems and data that are important to them, allowing security teams to apply the appropriate controls. This is because it’s almost impossible to protect every system with the same level of rigour and control and attempting to do so can create security friction and hamper employee productivity.
“Looking to regulation, the introduction of GDPR has made data security more complex this year, and it won’t get any easier in 2019. It’s been over six months since the regulation was passed and pressures for expedient reporting will further exacerbate the issue of providing high veracity incident data following a disruption. Furthermore, our recent research showed that almost a quarter (23%) of business decision-makers say they are not – or don’t know if they are – able to calculate the impacts of loss or exposure of protected data.
“Despite the prominence of data breaches this year, it is concerning that businesses are still struggling to take action. Our research shows that less than two thirds (61%) of business decision-makers believe that resilience to business disruptions, such as cyber-threats, is part of their companies’ wider business strategy. Next year, more than ever before, security incidents will be discussed at the highest level within businesses. Alongside this senior focus, businesses will have to foster a culture of openness with all employees and create an awareness that everyone has a responsibility for cybersecurity. IT teams will become in-house technical consultants for employees.”
Javvad Malik, security advocate at AlienVault, an AT&T company
“Spend 2019 focusing on security outcomes. To expand on this slightly, what I mean is that sometimes a CISO will do things because of drivers such as compliance, regulation, or the board. It’s not to say that those things shouldn’t be done, but one should examine every action that is being taken and ask what value it is adding.
“Similarly, CISOs should spend less time trying to define or implement various security technologies – rather, they should ask what the desired outcome is, then work backwards to acquire the fewest technologies that can achieve that goal.
“When it comes to third parties and partners, it can be easy to throw a long questionnaire in their direction and ask them all manner of questions relating to their security policies and procedures. But that maybe doesn’t always achieve the desired goal of security. Rather, a simpler, more pragmatic approach could be taken (in addition to a questionnaire) and help partners, especially smaller ones who may not have mature security processes, to build up relevant capabilities and appreciate what is expected of them.
“Finally, as part of this process, CISOs should bear in mind the risk management aspect of it all – not all risk needs to be eliminated, rather it just needs to be brought to within tolerances. Sometimes this can mean doing nothing, or it can mean insuring certain assets or business units. If the focus is put on the outcomes – this all becomes a lot easier to define.”
Jon Wrennall, CTO at Advanced
“CSOs should pledge to work with technology companies that focus more on security platforms and layers from the start. The evolution of intelligent digital mesh, digital technology platforms and application architectures, combined with the addition of the Internet of Things frontier, means the threat landscape is expanding exponentially. Consequently, multi-layered security and the use of user and entity behaviour analytics will become a requirement for virtually every enterprise. Security teams will need to work with application, solution and enterprise architects to be more fluid, agile and adaptive, and consider security early in the design of every facet of the business.”
Simon Sharp, international VP, ObserveIT
“Given that the Ponemon Institute Research estimates that insider incidents cost the average business £6.9 million per year, hiring a dedicated Insider Threat Manager to join their cybersecurity team should be at the top of every CSO’s list of resolutions. While insider-led breaches can come from anywhere in the company, a considerable 77% of incidents are caused unintentionally.
“Coordinating security processes across multiple departments can be challenging. For instance, an HR professional may know that an employee has just been demoted but fail to notify IT, and worrying behaviour goes undetected — before you know it, a breach that could have been stopped is missed entirely.
“For CSOs, having the right people, processes, and technology in place, with leadership that knows the whole story of the insider threat, is key. Crucially, they need to choose solutions that can provide both visibility into user activity and alert when employees have stepped out of line with company policy – not only does this reduce risk of a breach, it empowers employees to make the right decisions and contribute to keeping the organisation secure.
“In 2019, CSOs must take affirmative steps to detect, investigate and stop the insider threat or risk playing catch up after a serious breach has already occurred. With the ways in which data can leave an organisation growing year-on-year — from freelance contractors with access to company systems to more employees working remotely and the proliferation of cloud applications — having a dedicated insider threat leader or department, supported by the right technology and policies, can go a long way to stopping incidents escalating.”
Bharat Mistry, principal security strategist at Trend Micro
“The CSO’s New Year’s resolution should be to find their voice in the board room and communicate the value of having security expertise embedded across the breadth of the organisation. They could also strive to learn more from other business leaders about how they can better communicate risk, so they can make sure cybersecurity is front of mind in every department.
“2019 should be the year CSOs raise the profile and status of all security professionals in the workplace. They should come out of the CIO’s shadow and take their well-deserved place in the boardroom, helping shift the mindset from cybersecurity being a part of the IT function to a business priority – a cultural shift that CSOs are at the helm of.”
John Morrison, VP EMEA sales and services, Extreme Networks
“Everyone is hoping for the same thing here: no data breaches! Throughout 2018 even the biggest players were caught out by hackers, Apple in particular were outwitted by a student. Cybersecurity Ventures has also predicted that the cybercrime damages worldwide will cost $6 trillion per year by 2021. As segmentation of applications and the network is increasingly critical for security, Chief Security Officers should look to implement a robust and well-segmented network for their businesses in order to reduce the risk of a breach in 2019. Properly implemented, end-to-end segmentation is proven to contain breaches, protect critical data, and prevent lateral movement. In addition, coupled with the use of machine learning, the efficiency in anticipating and blocking threats can be further increased.”
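Segmentation only contains lateral movement if the declared zone-to-zone policy is actually what the network enforces, which is something that can be checked against observed traffic. The following is an added example, not code from the original article or from Extreme Networks: it declares a small set of zones and an allow-list of permitted cross-zone flows, parses constructed flow-log lines, and reports every flow that crosses a zone boundary the policy does not permit. The zone ranges, policy, log format and sample lines are all assumptions constructed for the example.

```python
"""Added example (not part of the original article): checking observed network
flows against a declared segmentation policy, so that east-west traffic between
zones the policy does not allow is surfaced as a possible lateral-movement
indicator. Zones, policy, log format and log lines are all constructed."""
import ipaddress
import re

# Constructed zone map: zone name -> network range.
ZONES = {
    "user-lan":   ipaddress.ip_network("10.10.0.0/16"),
    "app-tier":   ipaddress.ip_network("10.20.0.0/16"),
    "db-tier":    ipaddress.ip_network("10.30.0.0/16"),
    "iot":        ipaddress.ip_network("10.40.0.0/16"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# Constructed allow-list: (src_zone, dst_zone) -> permitted destination ports.
# Cross-zone flows not listed here are treated as violations; traffic that
# stays inside one zone is left alone by this check.
POLICY = {
    ("user-lan", "app-tier"): {443},
    ("app-tier", "db-tier"): {5432},
    ("management", "app-tier"): {22},
    ("management", "db-tier"): {22},
    ("management", "iot"): {22, 443},
}

# Constructed flow-record format, one record per line.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def zone_of(ip: str):
    """Return the zone containing ip, or None if it is in no declared zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate_flow(line: str) -> dict:
    """Parse one flow record and decide whether the segmentation policy permits it."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return {"line": line, "verdict": "unparsed"}
    src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
    dport = int(m["dport"])
    result = {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": dport,
              "src_zone": src_zone, "dst_zone": dst_zone}
    if src_zone is None or dst_zone is None:
        result["verdict"] = "unknown-zone"      # an address outside the zone map is itself a finding
    elif src_zone == dst_zone:
        result["verdict"] = "allowed-intra-zone"
    elif dport in POLICY.get((src_zone, dst_zone), set()):
        result["verdict"] = "allowed"
    else:
        result["verdict"] = "violation"
    return result


def violations(lines) -> list:
    """Flows that cross a zone boundary the policy does not permit."""
    return [r for r in (evaluate_flow(line) for line in lines) if r["verdict"] == "violation"]


# Constructed flow log: a workstation reaching the database tier directly, and
# an IoT device reaching a workstation on tcp/445, are the two policy breaches.
SAMPLE_LOG = """\
2019-01-07T09:12:03Z src=10.10.1.5 dst=10.20.3.9 dport=443 proto=tcp
2019-01-07T09:12:04Z src=10.20.3.9 dst=10.30.0.12 dport=5432 proto=tcp
2019-01-07T09:12:09Z src=10.10.1.5 dst=10.30.0.12 dport=5432 proto=tcp
2019-01-07T09:12:15Z src=10.40.7.21 dst=10.10.1.5 dport=445 proto=tcp
2019-01-07T09:12:20Z src=10.99.0.4 dst=10.40.7.21 dport=22 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for v in violations(SAMPLE_LOG):
        print(f"{v['ts']} {v['src_zone']}->{v['dst_zone']} tcp/{v['dport']} {v['src']} -> {v['dst']}")
```

Run continuously over real flow records, the same logic gives two useful outputs: violations, which are either misconfigured enforcement points or activity worth investigating, and unknown-zone flows, which show where the inventory behind the zone map is incomplete.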