It’s not easy being a CISO (chief information security officer). On one hand, there’s the ever-present challenge of facing the board – struggling for extra budget that doesn’t exist and trying to articulate security threats in business terms to a non-“techie” audience. Then there’s the threat landscape itself: ever-changing and ever-advancing while the CISO’s resources remain static, and driven by an increasingly agile, resilient, well-funded and sophisticated enemy. Viewed in these terms, CISO is probably one of the most challenging roles in modern business.
Growing threats, soaring risk
Ask any CISO in 2014 what their key ongoing challenges are, and most will mention skills shortages. Some 56 percent of respondents to the ISC2’s annual Global Information Security Workforce Study last year said they thought there was a workforce shortage in the industry. Skills gaps also remain a perennial issue, especially in new areas such as BYOD and cloud computing. Even if there were a surplus of skilled professionals from which to choose, CISOs regularly complain that they aren’t being given the resources to attract them.
Then there’s governance. CISOs often find themselves at odds with their CIO, who’s pushing for wider access to data, greater efficiency, resiliency and financial accounting. Yet all of these contribute to IT risk. Being able to satisfy these demands while keeping a lid on that risk is a constant battle and one that can undermine the CISO’s wider efforts to ensure the organization does business securely.
The problem security chiefs have found time and again is that, unlike with other areas of IT, there simply is no ROI to what they do. On the one hand this makes it difficult to convince the board that extra resources are needed. But it also marks a significant contrast to the bad guys, who can benefit from an enormous return on investment in terms of the proceeds of cybercrime. They only need to be right once – the CISO must be right 100 percent of the time. Let one attack slip through, and your organization could be all over the media landscape the next day.
Added to this is the extra risk that comes from cloud computing and mobility. That same ISC2 survey of over 12,000 security professionals worldwide found BYOD and cloud highlighted as major causes of concern for respondents. The use of employee-owned devices and cloud-based services in the workplace not only increases an organization’s attack surface manifold, but also limits the CISO’s capacity to develop an in-depth defense strategy. Mobile apps are particularly high-risk. Whether purchased or developed in-house, they are often coded carelessly and can be rushed out without adequate testing against the OWASP Top 20 to remove vulnerabilities.
Another factor increasing the attack surface is the proliferation of third-party partners like managed service providers and law firms. Their communications are essential to the business, but so often they are the weakest link in the chain and therefore the one targeted by attackers as a stepping stone into the larger organization.
Then there are the threats themselves. Targeted attacks are no longer the preserve of nation-state actors. Toolkits readily available on the cybercriminal underground have democratized the means to launch covert operations designed to lie hidden inside your network, exfiltrating customer data or sensitive IP. Many CISOs will not become aware of a breach until months or even years later.
Answering the Call
Challenging times call for a trusted security provider who can offer CISOs the right set of tools to lower IT risk. Industry innovators, such as Trend Micro, offer a wide range of security solutions for physical, virtual, cloud and mobile environments, underpinned by the Smart Protection Network. This cloud-based threat prevention system has been engineered to deal with the 3Vs of big data: volume, variety and velocity.
It collects huge amounts of data – over 15TB each day – from a wide variety of sources including URLs, domains, files, exploits, network traffic, command & control servers, mobile apps and threat toolkits. It then uses various resources to identify even previously unseen threats, employing big data analytics to mine threat intelligence for the best results.
The final step is to rapidly block those threats in the cloud, before they’ve even had a chance to infiltrate targeted networks or devices. Advanced protection like this is essential to lighten the burden for under-fire CISOs everywhere.