Dangers of Security Intrusions
I believe the most important foundational thing CISOs and security professionals can do is to understand the expectations of the CEO, board, executive staff and peers or employees. These expectations are often vastly different and require a different approach to raising awareness.
From there it’s about consistently engaging and educating these groups about risk, trust and the impact to the business. For shaping the security R&D agenda for enterprises, it is important to have the right technologies, expertise and coordination.
People first – you’ve got to have the right people in place: well-trained experts in cyber security who know what to look for, and how to take things apart and put them back together.
Processes – it’s critical to define what the problem is and then establish and align your processes towards that goal. If you don’t know what you’re trying to solve it’s hard to know what processes need to be put in place.
Technologies – once you have the problem and processes defined, it’s about putting the right technologies in place to help achieve this.
There’s this notion that people who conduct security research are criminals, but in fact most of them are doing so for the opposite reason. They want to better understand the ins and outs of cyber security so they can improve security postures, not exploit them. Unfortunately, many researchers are being scrutinized by the government through ill-conceived laws which prevent them from doing their jobs.
That being said, I think the single most important thing that needs to happen in order to positively impact change in network security practices is educating lawmakers as they develop legislation. Lawmakers need to shift their perception of what the purpose of security research is, so they can truly understand the issues at hand and work with organizations to create legislation that helps improve security practices.
Cloud computing is now a mission-critical part of the enterprise. Cloud adoption is driving digital business growth and enabling companies to shift to processes and practices that let innovation continue. As with any paradigm shift, cloud computing requires different rules and a different way of thinking, particularly when dealing with security. While I realize there is still some trepidation about moving to the cloud, I firmly believe that the cloud actually provides a more secure approach to build secure and scalable systems and achieve continuous compliance.
Some of the best practices I live by and educate others on include:
Design Foundation Matters - As a result of this transformational new paradigm, we have to focus on the design of our security systems and leverage the reliability and automation that cloud providers afford us to operate securely in this new environment.
Defense in Depth Approach - A cloud-based service needs to be thought about holistically, as an integrated system. This system has layers, components, interfaces and interactions, which are all under your control and programmatically scaled to wherever you set the dial. Each of these factors needs to be carefully considered from a security perspective that flows from a central design.
All Things are Possible with Automation - Thinking of your entire infrastructure as part of your codebase changes the game in terms of what you are able to achieve. There is no longer a gap or disconnect between the operational physical layer and the software that runs on top of it. By simply changing your thinking, machine and network failures are now simply exceptions to be caught and handled by your system automatically.
Simplicity Leads to Better Security - Ultimately, simplicity leads to security. Simplicity of design, interfaces and data flow all help lead to a secure and scalable system.
Role of the CSO
As CISO of a technology company with a security offering, I am in the unique position to both witness and experience the latest CSO and CISO trends. While technology and the threat landscape continue to evolve, my role is still largely the same: to ensure the security of our customers’ data as well as our employee data and IP.
There’s no silver bullet in security, and CISOs shouldn’t put all of their money on one technology to do the trick. It’s critical to lock down security fundamentals, or a defense-in-depth approach as I previously mentioned. Moving to the cloud, abandoning your legacy infrastructure and centralizing your security design and enforcement within your code base will ultimately allow for greater security at lower human and capital cost.
As visibility of security has increased, the role of the CISO has become an executive role and less of a technology niche. The technical depth is something you still need to have, but that alone is not enough.