What New Year’s Resolutions Should Chief Security Officers Be Making?

The best-laid plans of mice and men often go awry, but what plans should CSOs be making this year? Here are some great suggestions, along with top tips on how to see them through.

Check Point’s UK managing director, Keith Bird

“Chief Security Officers should be making two New Year resolutions for 2015: deploy threat emulation and treat mobile as a matter of utmost importance.

“Check Point’s global network of threat sensors revealed that over a third of organisations have downloaded at least one file infected with unknown malware over the past year. Malware authors are increasingly using obfuscation tools so their attacks can bypass detection by anti-malware products and infiltrate networks. Threat Emulation, also known as sandboxing, is a critical layer of defence against this explosion in unknown infectious agents.

“The issue of securing mobile devices will continue in 2015 to grow faster than organisations can control it. We surveyed over 700 businesses globally in 2014, and 42 percent had suffered mobile security incidents which cost more than $250,000 to remediate, and 82 percent expected incidents to rise during 2015. Worryingly, 44 percent of organisations do not manage corporate data on employee-owned devices. As an attack vector, mobile probably provides direct access to more varied and valuable assets than any other individual attack vector. It’s also the weakest link in the security chain, giving attackers access to personally identifiable information, passwords, business and personal email, corporate documents, and access to corporate networks and applications.”

Dan Power, EMEA sales director at OneLogin

“I think one of the big resolutions for CSOs is to get use of cloud computing and services back under control. This does not mean stopping use of cloud – that is a futile exercise, line of business need to have access to the best tools available to do their jobs to the best of their ability. Instead, it should be around making sure that the right rules around access, identity and management are in place.

“Cloud apps can be accessed from anywhere, and from any device. Using cloud services like single sign-on to manage cloud apps can help the IT department get these back under their control, while users’ experience is improved because they now only need one password. In fact, when properly implemented it is a double whammy, the company is more secure and the users are happier. How often does that happen?!

“The IT security team can quickly be seen as an enabler, rather than an obstacle to doing business. It’s possible to do more around management and deprovisioning, which is a key process for the CSO.”

Pulsant’s CTO, Matt Lovell

“Minimising the concerns, risks and exposure of business systems, the business brand and customer data is paramount to both roles. We have observed an increasing sophistication of attacks and breaches throughout 2014 and any compromise impacts both the company brand and customer confidence.

“Security has moved beyond a set of solutions or considerations as a part of IT and is now all encompassing involving the entire business. It is embedded in employee interactions, transactions, exchanges, as well as the platforms and systems which enable the business to operate. As a resolution, the IT manager will be working towards ensuring the security ethos is understood and refreshed across the organisation, by continually evaluating current and potential areas of security improvements.

“For the CSO and larger businesses, one New Year’s resolution will be to enable a greater culture of security processes embedded within the business, from application code development to operational management and monitoring. Where security is considered at every stage, particularly in application development, CSOs are far better placed to understand and protect the business against the risks now and in the future. There will be vulnerabilities, but what matters is how these are more effectively managed.

“The resolution has to be to embed security as a primary thought at every stage in each business process to optimise security.”

Craig D’Abreo, Masergy VP Security Operations

“Chief Security Officers and Chief Information Security Officers are under more scrutiny than ever before by CIOs, CEOs and the board of directors thanks to the growing number of public security breaches that have occurred over the past year.

“In 2015 CSOs and CISOs should make a well-reasoned case to corporate executives about the value in managed security services and the latest advanced security technologies. Corporate executives are so threatened by the harm cyber criminals pose they are allocating new resources to attack this growing menace. Now is the time to shore up IT’s defences.

“Advanced security offerings incorporate machine learning and advanced analytics to sift through the mountain of big data that various networks, data centres and security point solutions generate. Most cyber security breaches occur because IT systems and security staff lack the resources to analyse this data and spot anomalies that accompany breaches, cyber thefts and other nefarious activities.

“A third-party managed security provider can develop technology, incorporate global threat intelligence and detect potential and actual cyber security breaches quicker than an internal security staff who may not have the time, expertise or inclination to analyse. There has never been such a critical time for companies to get their security operations in order.”

Jack Marsal, director of marketing at ForeScout

“Over the past year, the term ‘data breach’ has become almost synonymous with business. From major retail hacks including Target and Home Depot, to attacks on financial institutions all the way up to major government entities, no business that conducts electronic operations is immune to the threat of breaches.

“Therefore, it really shouldn’t be a big surprise that protecting against those data breaches is top-of-mind with security professionals. To that end, CSOs looking to the next 12 months and beyond have a wide range of New Year’s resolutions to make, but at the top of that list sits finding new approaches to keeping company and customer data secure. More specifically, CSOs should focus on obtaining executive management buy-in on allocating significant security infrastructure budgets, and ensuring that there is a strategic and holistic approach to security posture in place that provides a tangible improvement in security, rather than focusing on the minimum acceptable levels that enable a company to comply with relevant mandates.”

Bob West, chief trust officer at CipherCloud

1) Spend time with the business. As the new year begins, they need to make sure they are aligned with the priorities the business has so they can help deliver secure business solutions. Emerging technologies such as cloud and mobility can not only help the business be more agile but also fundamentally disrupt existing technology and security architecture. It makes it that much more important to be engaged as the business moves forward.

2) The cloud is unavoidable for technology and security practitioners and should be embraced. While many of the top cloud providers build in some security controls for their environments, there are usually protection gaps inside and across the different clouds enterprises use to run their businesses. A couple items to add to the 2015 agenda:

– Cloud discovery tools to detect shadow IT and risk score all applications in use at the enterprise. Visibility into what the current state is allows the organisation to make decisions about what applications should be the targets, determine what security controls should complement those of the cloud providers and then create a roadmap to get to a desired state.

– Data protection tools to complement the existing security measures native to cloud applications. Tools like strong encryption with that allow enterprises management and tokenisation respectively encrypts or masks sensitive information to protect the real data in the event of a security breach. As a complement, data loss prevention (DLP) tools allow enterprises to set policies for who can access information and how it should be protected.

– Continuous monitoring to detect and flag unusual activity. For example, an employee who normally logs in from San Francisco is suddenly requesting access from Russia. This could be normal if that person travels to Russia regularly, or could be unusual behaviour. The enterprise can now make a decision on what action to take (if any) to address the situation.

Kurt Mueffelmann, president and CEO of Cryptzone

“Going into 2015, CSOs and security departments need to resolve to focus less on hunting for zero-day malware on their network, and more on how they can limit the power of human end users to wreak havoc. As Sony painfully learned, it’s not even necessary for users to authenticate themselves once they’ve set foot inside the perimeter – they have free rein to act without accountability. To prepare itself for the next wave of malware-driven cyber attacks, IT departments must resolve to cut back on the access privileges of users whose credentials might conceivably be compromised.

“Imagine a network where an authenticated individual can’t dig around for information, open ports or install malware: instead, they just see the services they’re authorised to see, nothing more. With cyber security now at the top of the agenda for enterprises, presumably they understand that the human element is their biggest vulnerability. By more tightly controlling individual access, a stolen password can be turned from a master key into something much weaker, limiting the amount of damage that can be done and ultimately keeping enterprise’s most valuable assets – be they customer data, intellectual property, or internal emails, secure in 2015.”

Sam Liu, VP of marketing for Soonr, a leading provider of secure file sharing and collaboration services for business

“This new year, chief security officers should make the following resolution: give employees the secure file sharing service they need to become more productive, collaborative and secure – when on the road or in the office. According to the recent Soonr 2014 Mobility in the Workplace Study, only 22 percent of employees say they have an approved file sharing solution and yet four-in-five (83 percent) workers are concerned about the security and privacy of their files. By giving today’s mobile worker a secure file sharing solution, security officers will not only eliminate the costly risk of data leaks or exposure, they will also make work more productive by delivering anytime, anywhere access for employees on any device they choose to use.”

Dan Beazer, senior consulting analyst at Peer 1

“CSOs will want to make sure that next year doesn’t see the organisation become a victim of high profile data leaks, such as the Sony hack or the iCloud breach. Social engineering attacks are becoming more sophisticated. In the iCloud leak, attackers monitored celebrities’ interviews and social media channels, and found the answers to password reset questions, enabling access to the account. A large amount of information used to identify individuals is now out in the public domain and readily available on sites like LinkedIn and Facebook, which creates major problems for corporate security and identity management. CSOs will need to keep a closer eye on the information their company distributes and employ more sophisticated verification where possible.

“CSOs will also resolve to assess risk in the right way. Businesses spend millions on sophisticated DDoS software yet commonly neglect the basics. Infrastructure is often single threaded, meaning that all of a business’ vital data is stored on the same server, while others may leave valuable password information on the CMS. It’s important therefore to make sure that storage is diversified. These types of simple practices are all that’s required to avoid the common mistakes of the past year, so should appear on every CSO’s list of New Year’s resolutions.”

Geoff Webb, senior director, solution strategy, NetIQ

“The challenge of the Internet of Things (IoT) is that its sheer scale will overwhelm attempts to keep it under control. The number of IoT devices in the workplace is growing so quickly that IT will find it incredibly difficult to manage traffic, let alone understand the risks or how to secure the data. Attackers are already starting to see the opportunities that lie in unsecured IoT devices. While they are designed to be simple and easy to use, there is a risk that they will be user-friendly but not secure. In order that we keep the data from these devices as secure as possible, CSOs will need to look away from the devices themselves in 2015 and into the data itself.”

Vormetric VP EMEA Paul Ayers

“Up until now, organisations only encrypted what they were forced to protect by compliance requirements, or when they were in an industry area where secrets were important (some government sectors, aerospace and defence). Businesses in 2015 will increasingly have to face up to the fact that networks and systems are “porous” and can and will be penetrated by malicious parties. As such, topping the CSO New Year’s resolution list is that security-spend needs to shift to the data itself – rather than just adhering to the compliance rule book. Ultimately it is data-centric security tools – including encryption, access controls, tokenisation, data-masking and data access monitoring combined with access pattern analysis from security intelligence implementations – that serve to dramatically reduce the attack surface available and will be in high demand over the next 12 months.”

Paul Kenyon, EVP of Avecto

“This year we saw many businesses buckle under the pressure of a cyber attack. Malware, malicious bugs and rogue insiders affected a number of big name organisations. But the vast majority can be avoided if IT leaders prepare to be proactive.

“Relying on reactive measures simply doesn’t work. For 2015, businesses should ensure they incorporate multiple layers of protection into their security strategy with a defence in depth approach, using a number of different technologies to make it increasingly difficult for hackers to enter in the first place.

“Many organisations are tentative to implement security projects for fear of introducing productivity barriers, but this needn’t be the case. There needs to be a shift in mindset where security is seen as an enabler not a restrictor. The technology behind the scenes should be almost invisible to the average employee, with a positive user experience crucial to the success of any security rollout.

“If IT managers can change their outlook on security to be more proactive in 2015 and strike a balance between security and user freedom, they will reap the benefits of a more efficient and profitable business.”

Andrew Fox, director of Managed Networks & Connectivity at Timico

“Protect all of your devices – Traditionally, implementing and running some kind of anti-virus on staff PCs was protection enough, but with users now working on smartphones, tablets and a number of other devices, it’s vital that everything is controlled and protected. It’s no longer adequate to just protect a business from data coming in to the network; the data moving within it has to be considered too.

“Get your head around mobile – There are not many intrusion apps available from leading vendors specifically for mobile devices, although there is no denying the importance of mobile devices when assessing security strategies. Network Access Control (NAC) is a relatively recent buzzword within the industry – a way of enabling businesses to identify and authenticate any device on their network by identifying the NAC address. Understanding this will be key.

“Keep learning – Being part of a rapidly evolving profession means that resting on your laurels when it comes to industry knowledge really isn’t an option. ISO, PCI, Data Leak Prevention – they are all absolute ‘must knows’ for today’s CSO. Data is now a company’s most valuable currency – and it needs to be protected both inside and outside of the organisation.”

Guillermo Lafuente, security consultant at MWR InfoSecurity

“The news of data breaches involving advanced attacks in 2014 has been astonishing. The latest one, affecting Sony, clearly demonstrates that defending your perimeter is not enough. CSOs will need a strategy in place that will help in detecting and reacting against such advanced attacks when they happen.

“At the same time, reliance on cloud technology is increasing. CSOs need to have a clear understanding of the threats that cloud technology is facing and make adequate investment where needed in order to mitigate those threats.

“If your organisation is using, or planning to use, big data, then it will be time to create security policies for the big data solution.

“In summary, CSOs’ New Year’s resolutions should be:

– Invest in attack detection and incident response: make sure your organisation has the capability to detect and react against advanced attacks.

– Protect your internal network: perimeter defences can be bypassed and are usually inadequate against internal attackers. Make sure sufficient investment is made in having your internal network as secure as your perimeter.

– Cloud Security: make sure your organisation has adequate security policies when dealing with cloud technology. Your company should remember security when selecting a provider.

– Big Data: if you are using or planning to use big data technologies, make sure that security risks are understood and mitigated, and security policies are in place.”
