What Should Chief Security Officers Ask Santa For This Christmas? (Part 2)

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.

We asked the tech industry what CSOs should ask Santa for, and we had so many great suggestions we needed a second article….

Jason Hart, VP and CTO for Data Protection at Gemalto

“CISOs should ask Santa for a security framework capable of fending off Grinch-like cyber hackers trying to steal companies’ data. The latest Breach Level Index report shows there were 888 data breaches in the first half of 2015 alone, compromising 246 million data records of customers’ personal and financial information worldwide. This is because today’s security strategies are dominated by a singular focus on breach prevention that includes firewalls, antivirus, threat detection and monitoring. But if history – and the Grinch – have taught us anything, it’s that where there is a will there’s a way. Walls will eventually be breached and made obsolete.

“The best presents would be better access control techniques and stronger authentication and encryption measures, including secure encryption key management. By placing security controls as close as possible to the data, CISOs can ensure that even after the perimeter is breached, sensitive information remains secure. What better gift than the peace of mind that results from maintaining control over data, even when it is deployed in the cloud or in their data centre?”

Rob Norris, director enterprise & cyber security, UK & Ireland at Fujitsu

“This year we have seen a huge amount of cyber-attacks in the media. This puts cybercrime at the top of the corporate agenda and, as such, CISOs should be reviewing their security procedures and ensuring the right security is in place to deal with hackers this Christmas. What’s becoming essential, especially for larger organisations with high amounts of sensitive data, is having the ability to detect and contain threats quickly. So at the top of their wish list, CISOs need to be asking for a better Security Incident Response process.

“This is a procedure to tell them what to do in the event of a hack, who to contact, how to protect customers and how to remedy the situation before it escalates. Rapid response is key and having this process in place is invaluable when faced with a real-life security incident. As well as a quick response, businesses need to be able to spot a breach quickly and understand the level of impact. If they are able to do this, when breaches go public organisations are better prepared to answer questions. It is key for CISOs to make sure their brand is prominent in the media for the right reasons – no one wants to see their CEO on TV talking about a data breach while everyone is tucking into their turkey!”

Kevin Epstein, VP, Advanced Security and Governance at Proofpoint

“Data breaches have dominated the headlines in the information security world in 2015, with multiple high-profile incidents exposing highly sensitive personal information. Such breaches are often caused by employees succumbing to basic human instinct – curiosity or momentary lapses in attention or judgment. The human factor continues to be the point of greatest exposure in cybersecurity.

“Given the continuing increase in socially engineered threats across email, mobile, and social media – and associated proclivity of users to click – the number one request CISOs should make from Santa is a modern Targeted Attack Protection and Threat Response solution; one that anticipates and compensates for the human factor.”

Isaac George, SVP and regional head, Happiest Minds

Don’t Hackers Know It’s Christmas Time? (sung to the tune of Do They Know It’s Christmas Time by Band Aid)

It’s Christmas time, there’s hackers to be safe from
At Christmas time, it’s defence time with the DMZ
And in our world of Security, we have Compliance smiles of joy

Throw your SOC around the Cloud at Christmas time

But say a prayer, pray for the CISOs now
Threat Intell-igence won’t let you have some fun
There’s a Threat outside your Firewall, and it’s a world of dread and fear
Where the only LOGS collecting, is the bitter string of codes

And the server lights are flashing with the clanging chimes of SIEM

Well tonight thank God it’s some other CISO, instead of you

And there will be Events and Audits this Christmas time
The greatest gift the CISO has is GRC
Where Governance never grows
And vulnerability never slows
Don’t hackers know it’s Christmas time at all?

Here’s to you, raise a glass for everyone
Spare a thought for CISOs everywhere
Don’t hackers know it’s Christmas time at all?

Free the worms, let the hackers know it’s Christmas time
Free the logs, let the CISOs be at peace this time
No Malware, let the hackers know it’s Christmas time
No access, let CISOs be at peace this time

Let the hackers know it’s Christmas time!!

Dawid Czagan, CISO at Future Processing

“Giving money for ‘next generation’ firewall is not enough. The Board needs to understand that security is as strong as its weakest link. We do need to invest in educating people. Let’s invest in two factor authentication. This is standard nowadays. If we want to think seriously about security, we can’t just rely on passwords.

“Don’t think only about prevention. Security is a process. Prevention, detection, response – this is what we need.”

Stephen Love, Security Architect at Insight UK

“This Christmas CISOs are likely to be asking Santa for a crystal ball, enabling full visibility of their IT infrastructure, allowing them to know and understand what is in use and who is on their networks. This crystal ball is likely to take the form of Security Information and Event Management (SIEM) that allows them to gather and assimilate information generated from their network infrastructure. This will help them identify threats and attempted breaches across their network from firewalls and wireless to web applications.”

Jeremiah Grossman, founder of WhiteHat Security

“Insecure websites continue to cause havoc for organisations large and small. Most recently it was TalkTalk which had at least 11 separate serious vulnerabilities in its website, the results of which have been widely reported. Furthermore our 2015 security statistics report found that 86 percent of all websites tested had at least one serious vulnerability, and most of the time, far more than one – 56 percent to be precise. Applications are a leading threat vector for attackers and the focus on securing those applications has never been greater. There is no question that the safety and security of the web, the more than one billion people using it, must be protected. What CISOs should be asking for is a simple way to secure software from development to production – no matter how much code, how many websites or how often they change.”

Rickey Gevers, CIO at RedSocks

“As cyber security threats become more sophisticated, measures to detect intrusions that we know will inevitably make their way onto a company’s network are as important as those designed to prevent them. Top of every CISO’s 2015 Christmas list should be a tool that monitors traffic from an additional vantage point – as it leaves the network. This will enable suspicious behaviours and destinations to be identified and will help ensure that any incidents can be assessed and remediated in as timely a manner as possible.”

Wieland Alge, VP & GM EMEA, Barracuda Networks

“CISOs will have a voucher for talk time and bandwidth from the business line managers at the top of their Christmas lists this year. Many business lines are likely to receive new equipment with IP connectivity (the corporate equivalent of wearables) this Christmas. Therefore, CISOs will need to know the intentions to put the correct security in place for when they return in the New Year, as they face an influx in devices entering the corporate network. The actual IT guys will have a number of NG firewalls on the top of their lists to be able to assess the threat of any device wanting to join the network, including wearables.

“Wearables aside, the threat landscape is as dangerous as ever and the right tools need to be in place to protect the corporate network. Organisations’ networks are now more dispersed than ever before and modern firewalls provide the best way to protect against attacks. But you have to know where to put them.”

Ken Jones, VP of Engineering & Product Management, IronKey by Imation

“Dear Santa, I’ve locked down my corporate network so only password protected, encrypted USB flash drives can be used. But what happens when my employees take these out of the building? I want a way to monitor when and where they are plugged in and what files have been copied onto or off the device. Can you get your clever little elves working on that right away? BTW, I’ve been (pretty) good this year!”

Chris Pogue, SVP, Cyber Threat Analysis at Nuix

“Dear Santa,

“How are you? How is Mrs. Claus? How are the elves? Thank you for my Red Rider BB gun, with the compass in the stock and the thing that tells time. I still have yet to shoot my eye out, so all the haters can put that in their egg nog and drink it.

“So, down to business, this year my world has become a whole lot more complex. Now the rest of the executive staff and even the board of directors are asking me questions about the security of our systems, how likely we are to experience a breach, and what the potential impact would be. So, for Christmas this year I would like an easy to understand matrix that outlines what security controls I have in place and the effectiveness of those controls. That way, I can create a logical plan for next year and I can maximize the allocation of my budget rather than just spending money for the sake of making it look like I’m doing something effective.

“Please say ‘Hi’ to Rudolph and the rest of the reindeer for me. P.S. There is a bottle of Jameson 18 next to the cookies.”

Mat Ludlam, regional VP EMEA at Courion

“Time poor and budget stretched, CISOs might welcome an influx of Santa’s elves to do serious housework on uncovering access and identity anomalies that can lie hidden the rest of the year. But don’t forget the access onboarding and de-provisioning challenges from employing seasonal workforce from the North Pole.

“Access to Rudolph and his nose’s capabilities of guiding Santa through the thickest gloom would be handy for CISOs who must navigate through a dense thicket of information access governance. Give them the gift of a sharp light that picks out the needles in the haystack of access risk and gets them to understanding the most pressing access risks fastest.

“Santa’s sleigh must fold time and space to make all those deliveries within one night globally. A similar ability to keep one step ahead of time would be a gift for CISOs dealing with a rapidly expanding data breach.”

Dan Lohrmann, CSO, Security Mentor

“Musicians Amy Grant and Kelly Clarkson offer their bold renditions of a ‘Grown-up Christmas List’ that is far-reaching. Santa’s list includes: ‘No more lives torn apart, that wars would never start, and time would heal all hearts, and everyone would have a friend, and right would always win, and love would never end…’

“So following in their tradition and going for broke…my CISO list for Santa certainly must start with no data breaches in 2016 (and beyond). Close behind is a seat on the top corporate executive board, a doubling of the security budget (for starters), and top cyber talent calling 24/7 to ask to join the team.

“But if the utopian list for Santa doesn’t pass muster, how about: A nice salary increase, a surge in the company stock price, increased security respect from business staff, less clicking on phishing links, more family time, and perhaps, a white Christmas.”

Amy Baker, VP of marketing, Wombat Security

“Statistic after statistic has proven that human error has led to some of the biggest breaches over the past few years, so CISOs need a security awareness training program that has proven results changing the behavior of their end users and reducing organizational risk. All security awareness programs are not created equally. When listing off the features they should ask for, their solution should allow them to continuously assess employee vulnerability to attack and knowledge of risky behaviors, educate employees with engaging content, reinforce the correct behaviors by encouraging cyber-attack reporting or providing articles and posters. Finally, no program is complete without measuring changes in behavior throughout the cycle so that they can measure improvement, and adjust education to target the problem areas.”

Luke Brown, VP & GM, Europe Middle East Africa India & Latam at Digital Guardian

“As 2015 comes to an end, it’s clear it hasn’t been the best year for corporations’ cyber-security. High profile data breaches such as TalkTalk, Ashley Madison and Experian have been extremely damaging for the companies involved and brought cyber-security to the forefront of every business-owner’s mind. Ultimately, unless they want to be the next victim, CISOs should be asking Santa for a security solution that covers both the network and the data contained within it. It is only through combining both security approaches that companies can create a ubiquitous layer of protection, ensuring data is protected regardless of its location at any given time.”

Quentyn Taylor, director of information security, Canon Europe

“Mariah Carey may have only wanted ‘you’ for Christmas but, like many CISOs, what I really want for Christmas is a new set of data protection regulations.

“For too long we have suffered under inconsistent and wildly different EU data protection legislations, and recently even the rough ‘protection’ of Safe Harbour has now been ruled non legal. My best Christmas present would be the upcoming EU General Data Protection Regulation – this would help us safely manage the wealth of data organisations are dealing with on a daily basis and give them a great platform to speak with government regulators, auditors and customers to ensure everyone understands the risks associated with collecting data, helping us to identify the best approach to keep all of us safe.”

David Gibson, VP of Strategy and Market Development at Varonis

“Dear Santa – I tried to be a good CISO this year, yet there are still so many things out of my control. When some employees left the company, about half stole corporate files. One employee deleted thousands of files he wasn’t even supposed to have access to. We had a ransomware attack that took down systems that stored our most sensitive data – and we were forced to take our servers offline for two days. What a mess.

“I know you can’t always give CISOs everything they want, but Varonis is on my risk management wish list because it uses User Behavior Analytics to watch how employees use data and can spot and stop insiders, outsiders that get in, and even ransomware. Varonis DatAdvantage with DatAlert are great for detecting ransomware, controlling employee access, and detecting/alerting us on unusual data access patterns on our file shares (from the inside and outside). Thank you, and Merry Christmas!”

Gerard Bauer, VP EMEA, Vectra Networks

“Today many SecOps teams have to try to understand their organisation’s threat landscape “immediate road ahead” by looking in the “rear view mirror” of post-event data. This takes time, effort and slows down the identification and response to the most salient security issues. CISOs can help their SecOps teams by asking Santa for real-time in-progress threat insights so that their teams can identify and respond to active attacks efficiently and effectively before they grow into service, reputation and customer damaging catastrophes. CISOs also need to ask Santa to look after their C-Suite peers and board to bring them to a level of recognition that cyber security is now a strategic issue for organisations, that defence alone is not enough and that there should be an integrated response plan in place for the organisation (not just IT and Security functions) to deal with a major cyber-attack.”

Willy Leichter, Global Director of Cloud Security at CipherCloud

“CISOs should be asking for 3 things from Santa:

“1. Clearer guidance from the European Commission (and the 28 EU Data Protection Authorities) on how to move beyond the defunct US Safe Harbour framework. Cross-border data transfers will continue to be suspect until this is resolved.

“2. A seat at the board table – which lets CISOs escalate situations where they are being asked by lines of business to put convenience ahead of security.

“3. Bigger budgets to manage the transition from on-premises to cloud infrastructure. While this move will provide cost savings in the long run, the investment in switching costs has been underestimated.”

Gert-Jan Schenk, VP of EMEA at Lookout

“2015 saw any number of major corporate breaches, so I would think that the top of CISOs’ wish list would be that they won’t be dealing with a hack for Christmas this year. Easier said than done. CISOs need to adopt smart technologies that take advantage of security advancements like big data and machine learning, tools which use intelligence to spot security issues before they become a problem. It’s not about implementation of solutions, it’s about efficacy of solutions.

“For 2016, CISOs will wish for better, smarter, more effective tools to protect their network, especially via mobile, which will be a big target for hackers. Mobile connects everything now, from corporate email and file servers, through to personal social networks. A hack in one part of the chain can lead to access to another, so the whole chain must be protected, especially corporate networks.”

Simon Persin, director at SAP GRC and security company, Turnkey Consulting

“Increased budget to spend on white hacker skills to keep would-be attackers at bay, along with additional technology implementations to protect company assets, would be widely welcomed.

“However, it’s not just about funds. Raised awareness is also important. Externally, more media reports on occasions when compliance has failed, and the implications of this happening, will paint a clear picture on its importance.

“Internally, the nature of the CISO’s role means that their successes often can’t be publicised. Operating in a world that most people do not need to be concerned with, there is often criticism at any failures – data breaches, denials of service, loss of reputation, etc – but little interest in how many attacks have been prevented.

“In fact, sharing that type of content can create fear and be counter-productive, so it is important therefore that there is recognition and trust that a CISO plays a business-critical role.”

Paul Dignan, global technical account manager at F5 Networks

“Protecting their organisation from cyber security threats is one of the CISO’s top priorities, and there’s no doubt that having skilled talent will be first on their Christmas list.

“Recent high-profile hackings have propelled the cybersecurity skills gap firmly into the public eye and prompted significant efforts to educate the next generation. Many claim that there is a direct correlation between a widening skills gap and an increase in data breaches, and so action must be taken to ensure that with an ever-evolving threat, global cyber-defences remain proactive rather than reactive.

“With hacking capabilities only getting more sophisticated, more focus needs to be placed on education initiatives around cyber security for the current workforce and the next generation of workers.”

Barry Scott, CTO, EMEA Centrify

“CISOs should be asking Santa for security-conscious employees and protection against insider threats. Unanticipated risks originating from insiders with privileged access to corporate data have raised threat exposure and the likelihood of a data breach.

“Too many employees have too many rights to too many things. With the necessary tools (from Santa) CISOs can keep tight control of privileged access, and avoid giving employees the ‘keys to the kingdom’. Users should only have access to what they need for their job. If they move from that job to another role, they should not take these privileges with them; these should be taken away and new privileges provided for their new role.

“Equally, when someone leaves a company, access to confidential data should be taken away to avoid potentially disgruntled employees using this information for wrongdoing.

“CISOs need to be monitoring access more efficiently. With the right tools, Santa can help CISOs prevent the naughty and protect the nice!”

Mark Deem, partner, Cooley LLP

“Beyond an ever increasing budget and a wider talent pool from which to create a market leading security team, I suspect that – from a legal perspective – most CISOs will be craving a greater degree of certainty as to their future legal duties and obligations concerning personal data and infrastructure security. With the General Data Protection Regulation and Network and Information Security Directive (not to mention the possibility of Safe Harbour 2.0) due to come into being in the next year or so, CISOs will be looking to their lawyers to help make sense of the new environment in which we will all be operating, so that they can hopefully achieve compliance ahead of the curve. Two percent or five percent fine (and of what)? Mandated breach notification (to whom and when)? After years in the making, surely some legal clarity in the stocking is not too much to hope for?”
