One of the biggest challenges in addressing cyber security issues is bridging the disconnect between the different departments within an enterprise. Securing PCs, phones, tablets and network endpoints may have once been the exclusive province of IT, but over the years the rising stakes – both financial and reputational – of data breaches have made cyber security a priority for the C-suite and the rest of line-of-business, too.
For example, PricewaterhouseCoopers’ 18th Annual CEO Survey found that 90 percent of U.S. CEOs regard cyber security as strategically important, and that a similar percentage of them was concerned about the evolution of cyber attacks. These outlooks are justified in the wake of the high-profile incidents adversely affecting Sony Pictures, Home Depot, Target and others in the last year plus.
Acknowledging such risk is only part of the struggle. Today’s threat environment is complex and rapidly changing. Malware is no longer just an issue for PCs (e.g., it can also infect mobile devices through third-party app stores); cyber criminals have upped the ante with creations like CryptoLocker (ransomware plus strong encryption); and IT and the business side alike have to be vigilant about compromised appliances, as demonstrated by recent revelations like the Superfish adware that breaks HTTPS on some Lenovo PCs.
Securing data and other assets requires the entire organization to go all-in on cyber security. Many firms still have a long way to go on this front and perhaps could take a cue from current cultural movements in tech such as DevOps, which emphasizes collaboration between the previously siloed departments of development/testing and operations. Obviously, DevOps was formulated with goals other than cybersecurity in mind, but its cross-collaborative design provides a good idea of what’s needed to tackle overarching business and technical challenges.
Gaps in the cyber security apparatus: Where enterprises can address their vulnerabilities
Indeed, a recent survey of 1,006 CIOs, CISOs and other IT leaders, conducted by the Ponemon Institute on behalf of Raytheon, discovered that entire cyber security efforts may require this higher level of coordination across teams. The challenge is clear: Nearly 80 percent of respondents confirmed that their organizations’ respective boards of directors had not been briefed on company-wide cyber security strategy in the last year.
Some of the more specific concerns aired by these executives included:
- Difficulty hiring and retaining capable cyber security staff.
- Containing employee-driven risks such as data leakage or bring-your-own-device misuse.
- Lacking actionable intelligence about threats to their networks.
- Uncertainty about budgets, leading to a potential lack of suitable security technology.
- Challenges in securing the vast, emerging Internet of Things (or Internet of Everything).
- Almost half of IT stakeholders were concerned about the rise of zero-day threats and 35 percent believed that attacks against critical infrastructure could become more common.
The first three items were cited together by 43 percent of the survey’s subjects, while budgetary and technological issues came in at 33 percent. At the same time, the study’s coordinators highlighted how growing uptake of cloud computing and IoE infrastructure could create new attack surfaces, with many IP-enabled devices not yet hardened against hijacking and malware. The simplicity of so many of the IoE’s parts – e.g., sensors may have IP connectivity but very little in the way of an OS, user interface or patching mechanism – ironically makes security even more complicated.
Anxiety about the IoE nicely encapsulates the underlying issues facing fragmented enterprises. With its considerable scope and wide variety of weaknesses across software and hardware, the IoE will test the capabilities of any organization that does not have well thought-out security processes and technical solutions in place.
“Securing an entire IT infrastructure is hard enough but the Internet of Everything demands an even bigger security approach to keep endpoints and networks protected against more sophisticated cybercrime techniques and tools such as sniffer attacks, denial of service attacks, compromised-key attacks, password-based attacks and man-in-the-middle attacks,” stated a 2014 Trend Micro primer on IoE operations and security.
Toward broader cyber security coordination: What the White House’s recent actions tell us
The use of multiple intelligence sources, whether a combination of new and old network security tools or the aggregation of data analytics from many, is essential to plugging the gaps in corporate networks. Forrester Research has estimated that most companies utilize only about 12 percent of the data generated by their infrastructure, a finding that underscores how much opportunity there is for CIOs et al. to shore up their companies’ positions by using tools like deep discovery solutions to find and share actionable information.
In securing the IoE in particular and IT infrastructure in general, there’s both a technical and a procedural component. Organizations need tools that can comb through mounds of data, and they also need processes for sharing the findings and adjusting processes accordingly.
Emphasizing the latter aspect of cyber security, the White House recently announced the formation of the Cyber Threat and Intelligence Integration Center. This body arrives at a pivotal time, when government agencies need to coordinate cyber security activities to thwart risks such as advanced persistent threats developed by sophisticated hackers and states.
The White House has positioned the CTIIC as the point agency when it comes to formulating coordinated cyber security assessments and responses. It gives the U.S. government an equivalent of the National Counterterrorism Center, for dealing with everything from APTs to threats to critical infrastructure such as electric grids and water supplies.
The public sector is setting a good example here for creating a “funnel” into which lots of disparate information can be poured and processed into something that is understandable and actionable. Private sector approaches to today’s cyber threats will necessarily be different, taking the form of better intra-organizational collaboration (here’s where DevOps could again be a useful general blueprint) rather than the formation of a standalone body. But the goals will be the same across both sectors: With more data being generated and more threats coming to light than ever before, CIOs need a sensible way to make sense of the risks they face and take appropriate action.