Security experts weigh in on what they would like to see in 2015 to make their jobs wrangling users, infrastructure, and data easier.
The new year ahead is a good time to reflect on what infosec professionals need to keep users and data safe—before the inevitable race to stay ahead of the crises and firefighting begins in earnest. In previous years, SecurityWeek asked experts to talk about their security resolutions. This year, security experts weigh in on their 2015 wish list—things they would like to see happen in their organization and the security industry as a whole.
Information security is a tough job. There is an element of fortune telling to figure out where the next threats will come from, as well as continuous gate keeping to monitor everything that comes in and out of the organization.
Intent and motives matter, since the same action can be malicious, negligent, or benign based on the circumstances. Locking things down annoys users, so there has to be controls in place to let users do what they want while still maintaining a certain level of protection. When something goes wrong, such as the case of a failed compliance audit, regulatory investigation, data breach, cyber-attack, or data theft, there is always finger pointing and recriminations.
Faced with these challenges, what do CSOs/CISOs, information security practitioners, and other experts wish for? The gamut of responses ranged from the serious (implementing new controls) to humorous (a time machine). At the heart of all the responses was the recognition that security is visible and their jobs are on the line when things go wrong.
“If I was a practicing CISO right now, the very first thing on my wish list would be a 'keep me from getting fired' gift card,” said Eric Cowperthwaite, vice-president of advanced security and strategy at Core Security and the former CISO of Provident Health and Services. The card would be something CISOs can hand to the CEO after the inevitable attack, breach and theft of critical assets and say, “can't fire me this time,” he said.
CISOs should demand access to the CEO and support of the senior executives in the company to define and protect the crown jewels, said Renee Guttmann, vice president of information risk management and member of the Accuvant Office of the CISO. Most CISOs want more attention and funding from the executive team—and a seat at the executive table to provide updates periodicall, said Guttmann, who formerly served as CISO at Coca-Cola. CISOs also want to be recognized as playing as critical a role within the organization as the CFO or COO.
“In 2015, CISOs will be asking for a corner office, with a view,” said Michael Daly, the CTO of Cybersecurity & Special Missions at Raytheon.
Talking to a Board Which 'Gets' Security
Most CISOs would love to switch the conversation with the board of directors from the whys of security to the hows. Even after the past year of almost non-stop breaches, it's clear that the need to proactively implement good security is poorly understood—or simply ignored—at the highest levels of business, said Geoff Webb, senior director of solution strategy at NetIQ.
“If I could give every CISO on the planet a New Year's wish, it would be to have that conversation changed from 'Why should I invest in security' to 'How do we get the job done,'” said Webb.
CISOs want the support of their executive management to put in place the level of security consistent with the amount of risk the organization is willing to accept, said Marc Maiffret, CTO of BeyondTrust.
Having the Industry Step Up
Several of the experts expressed their frustration on the state of the information security industry. “It's clear that after Target, JPMC, Sony and many other highly publicized, massive attacks perpetuated in 2014, the industry needs new tools to find these attackers before they are able to successfully complete their damage,” said Mike Mumcuoglu, CTO and co-founder of LightCyber.
For years, CISO have been promised more effective security technology was on the way, and that they just needed to spend “just a little bit more” to significantly improve their security. “It hasn't quite worked out the way it's been promised,” said Ken Levine, CEO of Digital Guardian. CISOs should be asking for technology that works better than what's been delivered to date for a price that reflects its actual value, he said. And that doesn't mean yet another piece of technology blasting millions of alerts since it's not possible to process them all.
“Memo to the security industry, giving me hundreds of thousands, if not millions of alerts is about as effective as giving me none,” Levine said. “Will you please tell me which alerts I need to worry most about!”
There is a lot of conversation about security analytics, but it's still just a lot of promises and not enough reality. “This is all vendor hype as none of the technologies integrate enough of the products in my environment to make the data useful without me having to put asterisks next to the data in my presentations,” said Mike Davis, CTO of CounterTack.
It would be nice to have security reports that show the state of the organization that “don't put people to sleep,” said Gil Zimmermann, CEO and co-founder of CloudLock.
It's not just technology that needs to change—the way the industry treats standards also need to change as well, so that standards are actually treated as something that works across platforms and organizations. “Too many standards that aren't interoperable between products prevents me from deploying different tools,” Davis said.
Along with standards, the industry needs to define security and risk metrics for making informed decisions and managing a security program. Other c-level executives have a set of metrics they can use to explain what they are doing and what the effects to the business are. At the moment, there is no consensus on key performance indicators or a widely adopted set of quantifiable metrics, so cyber-security decisions are “perceived as mere guess work by boards of directors and other corporate executives,” said Jonathan Trull, CISO of Qualys and former CISO of Colorado. The lack of trust in CSOs and security community as a whole is a major barrier to obtaining additional funding and resources.
“CISOs must be able to answer the question: For x amount of money spent on cyber security, what will be the return?” Trull said.
Cool Tools That Need to Exist
Along with asking for better security technology to make the day-to-day operations as well as overall risk management possible, security professionals have their own list of products that would make their jobs easier—and more fun.
Zimmerman said a “one-year paid membership to tech gadgets of the month club” would be a good thing for a CISO to have.
“A time machine so I can go back in time and make a bunch of different investment choices,” said Core Security's Cowperthwaite.
“'X-Ray Data Goggles' to give me a deep look into the network to determine where my critical or sensitive data is, what assets support the data, and what controls keep the data safe,” said Arlie Hartman, a consultant at Rook Security.
“'Information Security Pocket Translator' to refine my message to the board, to speak their language, and enable the business to work within acceptable risks,” said Randy Wray, a consultant with Rook Security.
Having Necessary Tools on Hand
CISOs want to be able to proactively track specific adversaries as they “walk” their way through the network, said Rick Howard, CSO of Palo Alto Networks. By identifying indicators of compromise as part of an attack, CISOs will be able to determine their response. “In my perfect fantasy world, I would like to be able to track adversaries — criminals, spies, hacktivists, and ankle biters — by watching for sets of Indicators of Compromise at every link in the Kill Chain,” he said.
CISOs need the attacker profile, not the actual identity. If the attacker is a spy out to steal mergers and acquisitions documents, and those documents are on the organization's network, then the internal security team should be on high alert. Otherwise, the team can deal with the threat without turning this into an emergency firefighting situation, he said.
Failing that perfect scenario, CSOs and CISOs should have technology configured correctly—oftentimes organizations discover too late the settings they thought they were getting weren't turned on when the technology was initially turned on. “We spend gazillions of dollars to buy the latest and greatest, and yet fail to squeeze as much efficiency out of it as possible,” said Howard. While it may be more interesting to talk about nation-state attacks, CSOs need to focus on device configuration. “We should at least get that right before we move on to the sexy stuff.”
Target has set a very public precedent for financial liability in the case of a targeted attack on personal financial information. As a result, every major financial, retail, and online entity will be looking into cyber-insurance, said Mike Mumcuoglu, CTO and co-founder of LightCyber. Cost-effective data breach insurance will be on many CISO wish lists this year, he said.
Effective Collaboration With Others
Security is much more visible in that people are more aware and pay attention when something goes wrong, but it's not yet viewed as a joint effort. There is still the sense that users do their own thing while the security folks in the backroom keep things humming. There needs to be formal agreements between business, IT, and security teams to integrate information security into the process instead of treating it as an add-on commodity, said Chris Blow, a consultant with Rook Security.
“It would be nice to have an IT team and user base that cares about security as much as the security team,” Zimmermann said. “Or being included in conversations about new technology developments, purchases, or deployments before final decisions are made.”
It would also help the CSO to have “better clarity from legal on what a breach is, what an incident is, and what we can safely ignore,” Davis said.
IT should “actually follow the security guidelines we built instead of always getting a risk waiver,” added Davis. The waiver means IT essentially says it understands the risks and doesn't have to implement the proper controls or take specific tasks to resolve an issue. This doesn't help the organization's overall security. Vendors also need to think about security—whether it's in their software development cycle, the patching system, or even maintaining their cloud infrastructure. “Tired of getting vendor software that isn't secure and I can't make secure,” he said.
Speaking of software development, proper tools are critical. All developers should have security training so that they think about security right from the design phase, said Steven Lipner, chairman of SAFECode and partner director of program management at Microsoft's Trustworthy Computing group. Each developer in the organization should receive a full toolbox for static analysis, current compilers, and fuzzing tools to build code that contains even fewer vulnerabilities, and make it even harder to exploit any that remain, he said.
Legions of Experienced Folks
The biggest challenge for CISOs is not fighting for the ideal infosec budget, but finding and hiring employees with necessary skills and experience. CISOs want a “proper staff” of experienced and knowledgeable security professionals and are looking for the right people to handle the security fundamentals, Maiffret said.
CISOs want to hire staff who are focused on analytics and risk, not just running firewalls, Cowperthwaite said. This echoed CounterTack's Davis, who noted that universities tend to focus on network security, not realizing that network security is not the same as IT security.
“It is only one slice of the problem,” Davis said.
Turning Wishes into Reality
As the old saying goes, “If wishes were horses...” CISOs may have a long list for what they would like to see, but they can't just sit back and wait for their wishes to be granted. CISOs should make a New Year's resolution to become a corporate business leader, said Trull. CISOs need to become more integrated into c-suite conversations, focus on the integration between DevOps and security teams, learn the business and understand the financials, and learn to speak the language of other executives including the ability to calculate and demonstrate a return on investment for cybersecurity spending.
Security leaders must align themselves more closely to business strategy and “operationalize on the fundamentals of good IT,” said Rafal Los, director of solutions research and member of the Accuvant Office of the CISO. The goal is to get business leaders to see security as a strategic asset and not a drag on the budget.
CISOs must “resolve to be more than a technical security professional and to take responsibility for making difficult risk-benefit decisions that drive the business forward,” Trull said.
All of these wish list items sounded reasonable, but there was a sense of frustration among security experts about the obstacles in their way. The technology was not available, other C-suite executives and the board remained uninterested, or the integration with IT was too tense. Would 2015 be the year when information security professionals would get a seat at the table and be able to work with the organization to improve security?
If the wish list items were too much to ask for, “would you consider coming up with some sort of solution that would allow CISOs to take Sundays off?” Levine said.
Related Event: Request an Invitation to the 2015 CISO Forum