By Gil Press
Cybersecurity is in the news almost daily, with much-publicized breaches affecting enterprises worldwide. It’s no surprise, then, that improving cybersecurity is a top-of-mind priority for business and technology executives. A global survey of IT and cybersecurity professionals by the Enterprise Strategy Group (ESG) found that, for 39% of organizations, cybersecurity is the most important business initiative driving IT spending in 2017. Sixty-nine percent said they were increasing their cybersecurity budgets this year, more than any other IT area.
Given this sense of urgency, CIO Straight Talk assembled a virtual focus group of Chief Information Security Officers, or CISOs, and other cybersecurity executives to find out what is on their minds and their agendas (see box).
One serious problem they describe is a persistent skills shortage. This is driving CISOs and others responsible for cybersecurity to increasingly look for help in the form of automated tools and improved data analysis. Another problem facing many organizations is that business leaders continue to think of cyber-risk in terms of internal network penetration, specific technologies, and defensive measures.
Our panelists made clear that cybersecurity requires a broader view, a more comprehensive and proactive strategy that includes all digital assets and all the points of enterprise contact and access that have shifted from the physical to the virtual. In their organizations, they said, top management has recognized the importance of cybersecurity and the potential impact of cyber incidents on reputation, trust, and the bottom line.
To spread that message, our panelists are increasing their investment in educating employees throughout the enterprise about cybersecurity and risk choices. In response to the skills shortage, they are working to cultivate and motivate cyber professionals. They are collecting and analyzing more data to support a more proactive cybersecurity posture. And they have redefined the role of the CISO as the executive in charge of linking business strategy to digital risk management.
“More of everything”
With more than 150 years of cybersecurity, IT, and business experience among them, these cybersecurity practitioners have seen a lot. But the attacks continue to come with greater frequency, intensity, and business impact. “We’ve encountered more targeted attacks that are more social in nature,” says Paul Reyes. Through social networks and other means, hackers are gathering data and harvesting credentials of Vistra Energy’s employees, using the information to target specific groups.
There is another new type of threat, very different in nature. “The game has changed with what I would call drive-by’s, where the attacks are not targeted specifically at us as a company,” says John Graham. “We are seeing more of everything,” adds Andy Ellis, highlighting the increasing sophistication of recent attacks. He attributes this to the fact that hackers also benefit from open-source and from what he calls “the democratization of tools.”
Ellis also points out the increasing visibility of cybersecurity breaches. “The Sony attack was a wake-up call to most of us practitioners,” Graham agrees, referring to the 2014 breach of Sony Pictures computer systems when hackers stole a rich trove of confidential documents and posted them online.
Such security breaches can result in much more than a direct and quantifiable hit to the bottom line. “A cyber event can do serious damage to your reputation,” says Entergy’s Zeeshan Sheikh. Adds Ellis: “Having greater visibility carries with it the risk that your failures, which used to be minimized, are now greatly magnified.”
Redefining the CISO
The increase in the visibility, frequency and sophistication of cybersecurity incidents has brought about a rapid heightening of the visibility of the chief information security officer. Today, 31% of public company boards receive reports directly from the CISO, according to the 2016-2017 NACD Public Company Governance Survey; Gartner predicts this figure will rise to 100% by 2020. Correspondingly, the boards and executive teams of many enterprises have taken a fresh look at the responsibilities of the chief security officer, redefining the role in broader business terms.
“If you view yourself as a defender or traffic cop or protector,” says Cisco’s Steve Martino, “you are in the old world.” While the role was traditionally focused on technology, now “you have to be a translator, using a language the business can understand to explain what the technology means in terms of business risks and processes to manage that risk.”
“Operational risk management” is how ADP’s Roland Cloutier labels the new requirements. “I’m not just putting firewalls around the data center,” he says, “I’m looking at the entirety of the business process, providing a risk view so we can make good business decisions.”
Similarly, Graham spends a fair amount of time on “educating the executive team and our board, trying to ensure they understand the risk decisions we are making relative to the funding and our maturity curve.” Ellis agrees: “Our job is not to eliminate risk; our job is to enable our companies to make wiser risk choices.”
Redefining the responsibilities of the CISO in terms of risk choices is still not a common practice. When Reyes goes to security conferences, he says, he hears many of his peers speaking only about specific products and technologies. “If we don’t marry the business strategy with what we actually protect, we lose half the battle,” adds Reyes, whose CISO role was expanded last year to include risk and compliance.
As Cloutier sees it, cybersecurity today is an important component of any business’s critical success factors. And taking this broader view of cybersecurity’s business impact may extend beyond the confines of a single enterprise, further elevating the visibility and influence of the CISO.
DNB’s Berit Børset serves as chairman of the board of FinansCERT Norge AS, which was established in 2012 to facilitate cybersecurity information sharing among financial institutions in Norway. Five years later, as Nordic Financial CERT, the collaboration has expanded to include banks in Sweden, Denmark and Finland. The banks “share information and assist in handling security incidents when they occur,” says Børset. Leading and participating in regional and industry cybersecurity collaboration means that the CISOs in these financial institutions are now seen by business executives “much more as partners” who take part in boardroom discussions on security, Børset adds.
Successfully presenting to the board, says Gartner, means connecting the cybersecurity program goals to business risks. While many organizations continue to think of cyber-risk solely in terms of internal network penetration and defense, others are developing a more comprehensive risk management strategy that includes all digital assets—websites, social networks, VIP and third-party partner exposure, branding and reputation management, and compliance.
Not a moment too soon, according to the National Association of Corporate Directors, which points out in its 2017 Cyber-Risk Oversight report that over the past 25 years, the nature of corporate asset value has changed significantly, shifting from physical to virtual. The NACD estimates that close to 90% of the value of the Fortune 500 now consists of intellectual property and other intangibles.
Embedding security throughout the enterprise
Given the wide-ranging business impact of cyber-risks, members of our panel are developing and implementing specific processes and policies to ensure security guidelines are followed by the rest of their organizations.
First and foremost, security must be integral to the work of the IT team and the development of software applications. “Security considerations and standards are embedded in the IT process and there is a joint sign-off at the end,” says Cloutier. Similarly, Børset and her team “ensure that security requirements are followed by software developers,” via close coordination.
Martino has established a program he calls “service security primes,” in which manager-level staff in different IT groups are chosen to be the single point of contact for security escalations. “What I get are people embedded throughout the organization that the IT leader cares about because they report up to” that leader, Martino says. This results in a “stronger partnership to make informed decisions.”
Embedding security throughout the business also means going beyond the IT group. At DNB, each business area has its own special security coordinator, says Børset. At Entergy, Sheikh is using a number of governance and compliance committees to keep “stakeholders informed about our cyber maturity level and where we need to continue to invest.”
At Cisco, security is embedded in all business processes, whether it’s HR’s handling of employee data, Marketing’s handling of customer data, or Engineering’s handling of intellectual property. This makes “everyone accountable in some way for the overall security experience,” says Martino. “If as CISO I’m the only one responsible for security, I’m going to fail because I can’t scale to all those different processes.”
It’s imperative to make cybersecurity integral to all business processes. But for cybersecurity to be truly embedded in the daily life of the organization and in all activities, cybersecurity education has to touch all employees.
Raising employees’ cyber proficiency
“Our top impacted areas are people, people, people,” Reyes states flatly. “The top challenge comes down to human performance,” Sheikh agrees. “The user community is the weakest link. Most breaches come from phishing. Once access is provided, it’s just a matter of time. I can keep spending thousands on tools, but how do you train?” Joe Kirk puts it another way: “All the technology in the world won’t prevent a user from clicking on the wrong link.”
So what’s to be done about the people problem?
Like many companies, Entergy has implemented fake phishing programs, followed by awareness training “for anyone who clicks on it,” Sheikh says. Other members of the panel report similar programs in their organizations. At Vistra Energy, different types of phishing campaigns are targeted periodically at 15 different types of groups—executives, privileged access users, compliance officers, admins, etc.
At Cisco, employees receive fake phishing campaigns every quarter. They can go to an internal web site (the “phish pond”) to learn more about phishing and validate any test phish. This exercise has reduced clicks on fake phish by two-thirds, says Martino. Those employees that do click get immediate training and a month later, they receive another fake phish.
Another common practice involves on-going training programs and annual certification for all employees. At ADP, for example, short animated videos and interactive gamification (e.g., quizzes, video games) work well to engage employees and help with content retention, Cloutier says. Key to such training is measurement, he adds, including how many people take it, how much time it takes them, and the nature of their feedback.
In addition to broad-based training programs, the CISOs on our panel have developed customized training to raise security awareness of employees in specific types of jobs. At Cisco, the “security ninja” program is targeted at software developers building products and services for Cisco’s customers. They work their way up various levels until they get the coveted black belt. For business-related roles, special training programs cover topics such as designing secure business processes, regulatory issues, and the employees’ responsibilities as data stewards. At DNB, the security coordinators mentioned above customize a general training program to fit their specific business area.
“When I talk to employees,” says Martino, “I communicate to them that the internet is great but it’s like being in the middle of a large city rather than a small town’s main street.” Just making them aware of the importance of backing up their personal files is important, he says, as 18% of people never back them up and 39% only do so when reminded.
All employees are foot soldiers in the battle with hackers, but a team of security professionals helps the CISO lead the charge. The trouble is that it’s hard to find people with the right experience and expertise to fill the increasing number of open cybersecurity positions.
Hiring and motivating scarce talent
The demand for experienced professionals and those with new skills and experiences is rising. Forty-five percent of organizations responding to the ESG survey said they currently have a problematic shortage of cybersecurity skills. By 2022, there will be 1.8 million unfilled cybersecurity positions in the U.S., according to the Center for Cyber Safety and Education.
Finding and hiring cybersecurity professionals “has been difficult and will continue to be,” says Sheikh. In Norway as elsewhere, “many companies are increasing their security staff so there is a lot of competition” for knowledgeable people, says Børset. “It’s tough to find them and tough to keep them happy and challenged,” adds Graham.
Sometimes this requires creative recruitment, focusing on your actual needs rather than on a candidate’s credentials. For example, when Akamai sought someone to manage its compliance documentation, Ellis says, the best candidate for the job actually turned out to be a reference librarian with no security experience.
Another way to deal with the talent shortage of security professionals is to develop people from within the organization. “If you are only seeking top-tier experienced security professionals, you are going to fail,” says Martino.
When it comes to developing security talent from within the organization, “in some ways you have to ‘grow’ them within your company so they can understand how business processes are managed within technology systems,” Sheikh notes. “They need good run time. Another good source is from the field like recent graduates.”
Cloutier suggests a multi-prong approach to finding and hiring security professionals: “You have to have a good pipeline program; you have to operate in a location that has security resources; and you have to develop a culture where people actually want to join your organization.”
The ADP security team regularly invites students from 8th grade through high school to visit the company, educating them on why cybersecurity is a great career. They work with large universities in locations where ADP has a strong presence, supporting specific programs in cybersecurity, risk management, and compliance, and using these university relations to recruit interns and top graduates.
Once you get the right people to join the security team, you need to work hard to keep them motivated and at the top of their profession. Security is constantly changing, says Martino, so he is always looking for inquisitive people who are “self-motivated to learn.”
Cisco provides individualized learning opportunities for members of the security team based on their planned career path. At Vistra, Reyes makes sure members of his team have opportunities to present their work to internal and external audiences. Several companies make an effort to rotate their people through various security assignments.
The key is to give people plenty of opportunities to move throughout their careers, says Cloutier. ADP has 13 different disciplines under the security job family, so “you can be a cyber analyst one day and do a risk assessment the next day.” The result is less than 4% turnover in the security area, he says.
Another way to meet the talent shortage is to invest in automated security tools that can reduce the talent required while at the same time making security jobs more interesting and rewarding.
Automation and analytics
Machine learning and artificial intelligence are a fast-growing aspect of security teams’ work today, with automated tools using machine learning algorithms to find new patterns and insights in the increasingly huge amounts of data that companies collect. Only 6% of respondents in the ESG survey said they had no plans to deploy machine learning and artificial intelligence technologies in their cybersecurity operations.
Automation is “mandatory for all CISOs,” says Reyes. Cloutier asserts that “the only way to successfully protect an organization is to have automation and advanced analytics capabilities.” Kirk relies on automation because “the system has to be watching for you. It cannot be dependent on us to make all of the decisions.”
The increased use of automated tools is a corollary of the rapid growth of data collected and stored by enterprises worldwide. “It’s not possible to secure huge amounts of data manually—we automate whatever we can,” says Børset. Cloutier reports that his security team deals with on average 15 billion events a day for its security intelligence data warehouse; Reyes says that his team increased by 60% to 70% the amount of IT infrastructure log data they collect so they can generate more behavioral analytics.
Automating the collection, processing and analysis of the rising quantities of data, including security-related data, frees security professionals to concentrate on strategic, high value-added tasks. “You have to focus your people on actual incidents rather than common repeatable tasks,” says Reyes. Automation doesn’t necessarily change the number of people needed, according to Cloutier, but it means that those people need higher-level, advanced analytics skills.
Security teams need to take a more assertive posture—actively detecting threats and responding to them—in a rapidly digitizing world. More and more data means more hackers trying to exploit it. “Detecting patterns is key; recognizing if someone is or is trying to get in,” says Sheikh. Exploitation manifests itself in the most recent generator of new digital data—the Internet of Things—and in new regulatory requirements for protecting consumers’ data.
The promise and peril of the IoT
In 2017, there will be 8.4 billion connected things in use worldwide, according to Gartner, up 31% from last year. McKinsey estimates that the Internet of Things will generate $11.1 trillion a year in economic value by 2025. The rapid adoption of the IoT for both consumer and business applications adds one more challenge to security teams.
Universal security standards for connected devices are non-existent or just emerging. In October 2016, Internet service provider Dyn came under an attack that disrupted access to popular websites. The cybercriminals who initiated the attack managed to commandeer a large number of Internet-connected devices (mostly DVRs and cameras) to serve as their helpers. This attack “turned the Internet of Things into the Botnet of Things,” says Ellis. Others refer to the “Internet of Threats.”
The problem, as Ellis and others on our panel see it, is the millions of networked devices installed over the years that are not maintained and are not protected. Today we’re seeing the rapid adoption of unprotected or barely-protected consumer IoT devices, such as cameras and DVRs, that will continue to function for a long time—“consumer-quality devices with an industrial lifespan,” according to Ellis. “In 10 years,” he says, “we will have a long tail of these devices that we will have to deal with.”
The transportation infrastructure is also saturated with legacy devices that do not support current security models. To counter that challenge, “we are implementing technology that puts the security focus in the network rather than the end device,” says Kirk of the Tennessee Department of Transportation. This allows for the rapid isolation from the network of legacy devices that have been compromised.
But the cybersecurity challenges will multiply with the widespread adoption of connected, autonomous vehicles. And tactics such as increased employee education will do little to lessen the threat. “You are not going to educate a device that is on the side of the road,” says Kirk. “It is absolutely crucial for us to have an operating system for the Internet of Things that is not dependent on people doing the right thing.”
There is a built-in tension here for companies—including utilities such as Vistra Energy and Entergy—that want to deploy connected devices to better serve their customers while realizing the new cybersecurity risks this entails. “In the past, we could control what plugs into the wall, and whether or not a laptop or desktop was managed by our IT group,” says Reyes, of Vistra Energy. Now there are mobile devices and sensors that connect to the company’s network, and his team needs to ensure that the devices can’t access critical assets.
Entergy’s Sheikh notes that, “over the next 5 to 10 years, the company will have several million devices out in the field, all connected. Why? It’s all about data to make better decisions and meet needs. I want the most devices out there as possible, at a good price for good value. The IoT operating at a better level and insight.”
Cyberattacks exploiting connected but unprotected consumer devices have prompted calls for a greater government role in improving security. Cybersecurity expert Bruce Schneier says we need government regulation of the IoT because neither IoT manufacturers nor their customers are showing they care enough about the security of the Internet-connected devices in current use.
That seems unlikely to happen anytime soon, at least in the U.S. But in Europe, heightened concern about the protection and security of personal data could have a similar effect.
The coming of the GDPR
The European Union’s General Data Protection Regulation, or GDPR, which goes into effect in May 2018, is designed to give individuals control over their personal data and strengthen and unify protection of that data. As the regulation applies to the export of personal data outside the EU, it will affect both European businesses and non-European businesses operating in the EU.
Not everyone is prepared. Less than half (45%) of organizations polled in a recent SAS survey have a structured plan in place for compliance with GDPR, and more than half (58%) indicate that their organizations are not fully aware of the consequences of noncompliance.
The consequences of this and similar legislation will be felt by all enterprises for years to come. GDPR “will drive a level of awareness that companies have the obligation to protect data,” says Martino. “Personal data is a great start, but we are also collecting more and more data on businesses and transactions.” Martino hopes that even without government encouragement, companies will step up their protection of all types of data.
Cloutier also sees GDPR as having a positive impact on the push for greater transparency. But he cautions that “from a pure work perspective there is a short window to prepare.” The required documentation and evidentiary material are a big regulatory burden placed on security professionals and will come at a cost.
“We are not yet at the point where we are addressing things at a global level,” says Graham, pointing to the rise in region-specific and country-specific regulation. That presents a challenge to global businesses where country-specific regulation may drive decisions for the entire company. Ellis sees CISOs as “uniquely charged with having a global view” and regulation such as GDPR as an opportunity for them to work with their company’s general counsel and country lawyers.
More—and more—of everything
The digital transformation of enterprises has made technology the key to innovation, growth, and profitability. As Entergy’s Sheikh puts it, “Our product is power, but we will be the preferred choice for energy solutions grounded in technology and data. We owe it to our customers to constantly find more value.” Indeed, nearly all enterprises are becoming technology-based or technology-driven, collecting and analyzing data that often takes them to completely new markets and new ways of generating revenues.
With that digital transformation come all kinds of new business risks, including those involving cybersecurity. So “more of everything” will continue to characterize the work of CISOs. In 2018, predicts Martino, all “digital companies”—companies that have a digital strategy at their core—“will recognize the importance of trust to their customers and markets. This will focus security strategies on solutions that are integrated, delivering efficacy, visibility and speed to respond.”
Rapid response will certainly continue to be on the mind of CISOs. “More enterprises will invest in the ability to detect and respond proactively, rather than just build walls,” predicts Sheikh. But speed—and data and analytics and machine learning—will also work on behalf of cyber criminals. Reyes envisions more attacks in 2018 from “people who have leveraged artificial intelligence to increase the speed in which your company can get breached.”
What “more of everything” means, not only for CISOs and employees but also society at large, is being constantly aware of cyber-threats and embracing the practice of being cyber vigilant.
Gil Press, a columnist (www.forbes.com/sites/gilpress) and blogger (whatsthebigdata.com) on technology, entrepreneurs, and innovation, is a Contributing Writer for CIO Straight Talk.