The increasingly complex landscape created by society's mass digitization, driven by mobility and permanent connectivity, together with the proliferation of ever more sophisticated risks and threats, has created new challenges for the Chief Information Security Officer (CISO). Let's look at what they are.
The technological scenario is diversifying… and becoming more complicated
Hard as it may be to believe, not long ago people worked only on personal computers and networks tightly controlled by the IT manager, so that protecting the organization's perimeter was enough to keep the company reasonably safe from attack. The technology landscape today is very different: on-premises systems (both personal devices and those located at the company) have in many cases given way to systems delivered under a service model, known as cloud computing.
At the same time, data is no longer generated and stored only in the data center but, to a large extent, on the mobile devices that proliferate among employees; in many cases these are not even provided by the company but are personal devices, used for work without the access controls that previously governed corporate equipment. Even the intelligence of the corporate network has moved from the data center to the professionals' devices. Furthermore, the network now connects an ever wider variety of devices, a trend that will only grow with the so-called Internet of Things.
This scenario requires CISOs to adopt a new approach that responds to these new models (cloud) and practices (the well-known BYOD, or use of personal devices in the work environment). It is essential to have specific policies in this respect and, above all, to communicate them to employees, explaining what they must do to avoid putting the company's information at risk. It is also essential to protect both the mobile device and the data center with the new software tools offered by security vendors (many of them delivered as a service or cloud model), including those that manage mobile devices, without forgetting to shield the internal network and corporate assets.
As for cloud adoption, it is necessary to agree with the cloud providers which security controls will be applied and, of course, to move core assets and systems to the cloud only if the security standards are the highest and comply with the relevant data protection and other regulations.
Threats are getting more dangerous
The second, but no less important, challenge for CISOs is the change in the nature of attacks and threats in recent years. Cyberattacks that in the past were conceived by hackers as a way of overcoming an IT barrier have given way to persistent, targeted threats from criminal groups whose purpose is information theft, espionage or economic profit.
CISOs should be aware of this new reality and know that, although it is difficult to prevent such attacks, it is possible to mitigate their effect if the organization is prepared and reacts quickly. Experts recommend adopting a methodology-based security approach, relying on standards already recognized in the industry such as COBIT or the ISO/IEC 27000 series, and conducting frequent audits to measure how prepared the organization is to face an incident of this type.
Risk management can also be improved through continuous monitoring of the increasingly sophisticated threats that appear on endpoints and on the network. Many tools are already available on the market, and their implementation and deployment (many are offered as a service) is straightforward.
Budgets still tight
Recent years have been characterized by a fall, or at least a significant adjustment, in IT budgets, which many companies are still suffering even though the economic situation is beginning to improve. Fortunately, senior management in all kinds of companies is increasingly aware that spending on information security is absolutely necessary. So while justifying expenditure in the IT area remains a challenge, for security managers the task is easier, especially after some notorious attacks in the industry such as the one suffered by Sony Pictures, among others.
Proof of this is that spending on security has continued to grow in recent years (even in times of crisis) and, according to Gartner, will reach 76 billion dollars globally in 2015, an increase of more than 8% over the previous year. The growing adoption of the mobility and cloud computing technologies mentioned above, as well as social networks, will drive the uptake of new security technologies and services through 2016, according to the consultancy.
Scarcity of qualified personnel
Information security professionals are scarce and expensive, which is another major challenge for the person in charge of this area. Even harder is retaining these professionals in a market where every company is bidding for them. What can be done? It will not hurt if the CISO, among other roles, takes the time to promote talent and career development programs for the employees in the area, programs that go beyond pay to offer further benefits (a flexible working environment, a high level of training, etc.) in order to keep these highly sought-after and, at the same time, necessary employees.
Awareness and alignment with the business
It is not only the Chief Information Officer (CIO) who must be aligned with the business; the Chief Information Security Officer must be too. Beyond solid knowledge of information and communications technology and of how to secure applications and systems, the CISO will need to know how to guide the company as it enters new markets and geographic areas and embraces new technologies, so that the business risks are mitigated as much as possible.
Being able to build bridges between the business team and the systems engineers and application developers will also be an essential task for the new Chief Information Security Officers.
Make security invisible to the user
As with IT in general, work is needed to make information security invisible and transparent to the organization and its users (employees, partners, suppliers, customers). The work involved behind the scenes (linking security to the business's information) is hard but necessary.