The biggest challenges faced by CIOs/CISOs heading into 2015

As the year winds to a close, CIOs and CISOs are faced with a number of challenges heading into 2015. CSO recently heard from several experts about the topic, each offering their opinion on what they feel would be the most important item in the security sandbox next year.

01 the year ahead
Credit: Shutterstock
The year ahead

As the year winds to a close, CIOs and CISOs are faced with a number of challenges heading into 2015. CSO recently heard from several experts about the topic, each offering their opinion on what they feel would be the most important item in the security sandbox next year.

Naturally, a list such as this won't be completely unique to those working in the security space. But keep in mind, the items in the list are only there because they are consistently something that causes worry or concern in some level of the organization.

 

02 rick howard paloalto
Credit: Palo Alto Networks
Rick Howard, CSO, Palo Alto Networks

"As I have traveled the world last year talking to CIOs and CISOs, one item that keeps pushing to the top is the challenge of ensuring that all of the security devices they have deployed in their enterprise is configured correctly and operating the way they thought it would operate when they purchased it. This is a key component to any organization’s threat prevention program," said Howard.

Avoiding shelfware often means that someone has to manage the device and develop some form of metrics that prove it is doing what it's supposed to do. That's the perfect scenario, but that isn't reality. Usually devices are purchased, deployed, and forgotten about while the IT/Security team moves to deal with another fire.

"Over time," Howard added, "Their Threat Prevention program develops holes that advanced adversaries can slip through."

"My recommendation is to spend the time to configure the device the way you want it to be configured and develop metrics that are regularly reviewed by senior leaders to make sure that the device continues to do that."

03 jeremiah grossman whitehat
Credit: WhiteHat Security
Jeremiah Grossman, CEO, WhiteHat Security

"One of the biggest challenges for CIOs is visibility. Data is everywhere and it is difficult for CIOs – and their teams – to know where all data is at all times," Grossman said.

"There may be parts of the company that are moving sensitive data to the cloud with systems like Salesforce or new devices being used by departments that could leave data vulnerable to breach.

"It makes controlling the data difficult, let alone trying to secure it. And because of this lack of visibility, when a breach occurs, the CIO may be the last to know because they did not have full visibility into where all of their critical data resides.Further complicating this is that they often times must also follow compliance regulations which often do not lead to real security.

"It is critical, therefore, that CIOs ensure that they are spending the right amount of time and money to around ensuring that the security measures that they have in place are really going to protect them from attack. If they are spending money in the wrong place, chances are they are leaving themselves wide open to a breach as well as significant costs to the organization."

04 geoff webb netiq
Credit: NetIQ
Geoff Webb, senior director of Solution Strategy at NetIQ

"The single biggest challenge - relevance. The business has moved so far towards the model of instant IT gratification, supplied by cloud service delivery models, that IT organizations are becoming secondary in the thinking of business users," Webb said.

"Unless they can demonstrate that they can move quickly enough and add sufficient value, the IT organization runs the risk of being marginalized to the point where they are relegated to managing the 'plumbing' of the infrastructure.

"This ultimately will harm the business as CIOs and their teams have decades of experience in implementing technology in a robust and scalable way, but they must successfully adapt that experience over the course of 2015 to the new models of consumerized technology, delivered over mobile platforms and supported by cloud services, or both the CIO and the business will see 2015 as a year of regrets."

05 jj thompson rooksecurity
Credit: Rook Security
J.J. Thompson, CEO, Rook Security

1. Board expectation setting

IT security programs need to demonstrate that they understand the board's expectations that investments made in IT (and in small print - security), are right-sized, measurable, and able to be scaled at a moment's notice to address emerging threats or to decrease investments in lower priority activities.

In the last few years, Boards pushed a virtualization and cloud initiative to realize reduction in G&A expenses. With all of the publicity around security incidents, Boards are more concerned than ever before that the IT organization has the IT security operations capabilities in place to protect the company's data both on premise and in the cloud.

2. Measurable security outcomes

Not only does security need to be scalable and cost effective, but thanks to the marketing messaging behind virtualization and cloud capabilities it has led to the expectation from Boards that security resources can be increased or decreased at a moment’s notice through a virtual dial that is constantly being adjusted to achieve perfect harmony.

So, what's the biggest challenge? Communication of security value vs. the spend. What’s the next big challenge? Demonstrating that security can manage KPIs like the rest of the business, and increase (or decrease) spend according to business risk.

Success has been achieved when resources (people, time, and money) utilized to run security operations can be re-deployed at a moment’s notice based on risks, threats, and policy decisions that take place between budgeting cycles. The re-deployment is easily documented and visualized to show the outcome of the adjustments of your security resource "dial".

06 kurt roemer citrix
Credit: Citrix
Kurt Roemer, Chief Security Strategist, Citrix

"CIOs in 2015 will need to think more like their attackers," Roemer said.

"The cyber-savvy governments of the world have relied on compartmentalization for years, combining the principles of 'need to know,' 'least privilege,' and 'breach containment' to reduce the attack surface by containing data and services to a minimal footprint. These principles assure that sensitive data is only provided to those who really need it, that they have just enough rights to appropriately use and disseminate data – and if something goes wrong and there’s a loss event, the loss is contained to protect from further damage.

"CIOs and IT leaders should continue to explore new techniques and defenses to match their evolving aggressors, but the standard of compartmentalization is essential for protecting networks, devices, sensitive applications, data, usage and privacy...It’s time for CIOs to focus on protecting data from multiple attack vectors, and include compartmentalization as a core tenet to deliver defensible security and privacy."

07 mark kraynak imperva
Credit: Imperva
Mark Kraynak, Chief Product Officer at Imperva

"This year, CIOs and IT leaders will face the greatest challenge when it comes to getting a handle on SaaS usage," Kraynak said.

"Shadow IT, aka business users going around IT to set up new business applications via SaaS vendors, is much more prevalent than most CIOs want to admit, and the risks are huge. In 2015, we anticipate that we will see the first major breaches from systems that CIOs did not know were in use.

"Also, in 2015, business owners are going to accept reasonable responsibility for the security of their data. A key element in stemming the tide of data breaches is to better understand where the data is, how it is being used, who is using it and who should be using it. Corporate IT can’t do this on their own - the business has to accept responsibility for data and usage to participate in this process."

08 marc maiffret beyondtrust
Credit: BeyondTrust
Marc Maiffret, CTO, BeyondTrust

"Quite possibly the biggest challenge facing CIOs and IT staff in the coming year will be the need to build a better bridge across security and IT operations from a cultural and tactical perspective," Maiffret said.

"In most organizations there is a major disconnect between the two, but security and IT ops go hand in hand. And the organizations that tend to be better at this are the ones not suffering major breaches, or at least are less susceptible to many of the tactics used today by hackers.

"Attackers are already bridging the gap on their end and CIOs need to get a solid handle on the major points of lateral movement once hackers are inside the network and are seeking to piggyback off of privileged accounts, or find passwords or mismanaged accounts to exploit."