For CISO Evolution, the Three Cs Are Key | Veracode (2024)

Data breaches are on the rise. According to a recent Forbes article, more than 675 million records were compromised last year. What's more, these breaches weren't limited to a single sector: retail, financial and even post-secondary institutions were all victimized. That means IT security must evolve, and that evolution starts with the Chief Information Security Officer (CISO).

In a new Dark Reading webinar, Editor in Chief Tim Wilson sat down with CISOs Jim Nelms of the Mayo Clinic and Chris Wysopal of Veracode for their take on what makes this C-suite role effective in the new IT environment. Here's a quick look at the three Cs necessary for any CISO to succeed:

1. Control

According to Wysopal, companies must now deal with an "expansive new IT landscape" that includes mobile devices, ever-changing endpoints and soon the addition of wearable and other IoT-based technologies. Nelms, meanwhile, notes that technology isn't always the origin of a data breach — people are also a problem. In the financial sector, for example, just 3 percent of breaches happen because of end users. In government, this number climbs to 18 percent, and in healthcare it's a whopping 47 percent.

To succeed in this changing environment, CISOs need to reestablish control. This can be a difficult undertaking, however: many security officers believe the goal is to reestablish control over network endpoints, while Nelms argues that companies never had control of endpoints in the first place. In other words, gaining mastery of the situation requires understanding that the rules of "traditional" IT defense no longer apply.

Wysopal points out that part of this change stems from software; since most apps are now written by outsourcers rather than in-house teams, it's almost impossible to discover who wrote specific code. To gain control over this new tech landscape, he says CISOs need to view IT as part of the supply chain rather than an outlier. Managing business risk — and the ability to delegate responsibility, not liability — becomes the hallmark of control, while handling data, not devices, allows CISOs to master their own bailiwick.

2. Communication

The next takeaway for CISOs? Communication. These C-suite executives must now manage relationships across the organization to be successful — this includes IT professionals, front-line employees, the CIO and the C-suite at large. As noted by Tim Wilson, IT security is a board-level concern, but many C-suites simply don't understand the scope of the problem or its solution. It falls to the Chief Information Security Officer, therefore, to effectively communicate both risk and potential reward.

To get the message across, Wysopal recommends that CISOs steer clear of acronyms, meaningless metrics and technical jargon. Fear is also a poor motivator; while statistics about what made it past company defenses seem like they should spur action, they're often paralyzing when not coupled with a solution. Nelms calls the CISO "chief of things that don't happen," and he points to similarly ineffective metrics such as threats that never made it past corporate defenses or the speed at which IT processes handle security issues. For Wysopal, the evolving threat landscape means a greater threat surface, in turn requiring bigger security spend to keep networks safe. But information security budgets are naturally subjective, based on emerging events rather than easy predictions. Effective communication keeps security dollars flowing rather than kept under lock and key until an emergency occurs.

3. Connection

The last big "C" for CISOs? Connecting with reliable partners to outsource some of the security burden. This is especially relevant for smaller companies or enterprises that aren't in a position to spend on more full-time employees but still need to make sure every app they approve or piece of software they roll out is defensible. For Wysopal, the bottom line is that most companies need to outsource. This could mean tapping a cloud-based application security vendor to provide more robust app coverage, or hiring a part-time CISO to help fill the gap. Simply put, it's no longer possible for companies to manage security in isolation; some kind of connection is necessary to combat emerging threats.

IT security is changing, and CISOs must be prepared to evolve. This means effectively managing the three Cs: Control over existing IT resources, communication across the organization (and with C-suite members in particular) and connection with a trusted partner to maximize returns on security spending.


Given the complexities of cybersecurity and the evolving landscape of data breaches, the expertise required to navigate this field is multifaceted. I've had the opportunity to delve into various aspects of cybersecurity, including risk management, communication strategies, and the integration of security measures across diverse technological landscapes. Let's break down the concepts outlined in the article:

Data Breaches & Compromised Records

The escalating number of data breaches, as reported by Forbes, underscores the urgency for robust cybersecurity measures. Over 675 million records compromised in a year indicate the vulnerability of various sectors like retail, finance, and education. This substantiates the growing need for a proactive approach to cybersecurity.

Chief Information Security Officer (CISO)

The role of a CISO has become pivotal. To effectively combat the evolving threat landscape, CISOs need to focus on three essential aspects:

1. Control

  • Diversified IT Landscape: With the proliferation of mobile devices, IoT technologies, and changing endpoints, companies face challenges in maintaining control over their technological infrastructure.
  • People as a Vulnerability: Notably, human error contributes significantly to breaches across different sectors, emphasizing the need for comprehensive control measures.

2. Communication

  • Stakeholder Engagement: CISOs must effectively communicate risks and solutions across the organization, from IT professionals to the C-suite, using clear language devoid of technical jargon.
  • Budgeting and Risk Mitigation: Communication plays a pivotal role in justifying security budgets based on emerging threats rather than reactionary spending during crises.

3. Connection

  • Outsourcing Security: CISOs need to establish connections with reliable partners for outsourcing security measures. This is especially crucial for smaller companies that may lack the resources for an extensive in-house security team.
  • Collaboration for Enhanced Security: Whether through cloud-based security vendors or part-time CISOs, forging connections outside the company perimeter is essential for comprehensive security coverage.

Evolution of IT Security

The evolution of IT security necessitates an adaptive approach from CISOs. Mastery over control, effective communication, and strategic connections with external partners are pivotal to navigate the changing cybersecurity landscape.

Each of these concepts is interconnected and vital for a comprehensive cybersecurity strategy in today's dynamic threat environment.
