The importance of security in enterprises has changed significantly over the last few years, largely due to high profile data breaches having serious financial impact on the bottom line.
In the mother and father of all breaches, Yahoo’s security was found woefully inadequate on not one but two occasions, as attackers stole the passwords and security questions and answers of some 1.5 billion customers.
The episode could cost Yahoo shareholders $1 billion or more and put its sale to Verizon Communications in jeopardy.
Yahoo is not alone, of course. The infamous case of North Korean hackers infiltrating Sony’s computers, wreaking havoc with company files and emails, set the company back an estimated $35 million. Then there was Target’s breach, which cost it a $39.4 million settlement and contributed to the exit of its CEO.
With focus comes clarity
A greater focus on the financial impact of a data breach means that, more than ever before, the CSOs of today have to understand the business – what drives it, what is of value to it – and from that point of view translate the value that their team and budget bring.
Without an understanding of what is driving the business and how the different divisions interact with and complement one another, and how the process is enabled by IT in general, the CSO is at a great disadvantage trying to communicate security value.
Beyond understanding the business, a CSO needs to understand how that organisation intends to grow.
So a defensive posture that merely works today is no longer enough. One has to be able to predict where the company is going in order to predict its security requirements for the future.
CSOs also have to be excellent communicators. They have to be able to communicate the value that they and their team bring to an enterprise.
Beyond that, of course, there’s an understanding of the tools and how they overlay to create a layered defence which plays into the technical skillset of a CSO.
With more CSOs leading bigger teams, and integrating with other business lines, they are becoming business-enablers above all else. This means they need to be able to explain what they’re buying and why, in the least confusing way possible.
All this means that CSOs are looking for more than just security from the tools that they purchase. So, how can the cyber security industry support their new set of priorities?
The transfer of compute, storage and networking functions to shared or “cloud” environments can be a game changer, and building security into the transformation and migration is key.
The more complex the solution is positioned to be, the harder it is for the CSO to explain to the rest of the board – who really do want to be involved in the process today.
Another benefit sought is ease of use, adoption and integration. There are many tools out there and many of them overlap. No one is going to add another tool to the toolbox if it requires more people to manage it and more time to integrate it.
What enterprises are looking for are tools that can replace existing defensive measures while providing transparency and ease of management.
At a very basic level, companies need to select tools that will allow them to employ a risk-based approach when it comes to enterprise security.
This means having the capability to categorise the most important assets and determine where they reside. From this foundation, the next step is the ability to dictate how they can be accessed, which makes the risk visible and thereby reduces it.
The final element is to tighten up this activity with processes that limit access to only what is truly necessary, in a secure manner, and only to those who absolutely need it.
Together these elements help to identify and prioritise the real risks that the enterprise and its valuable assets face, and to determine where attention needs to be focused.
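As an added illustration, not part of the original article and not a Cryptzone product, the three elements above can be modelled in a few lines of Python: an asset register with sensitivity tiers and locations, a default-deny allow-list policy that says who may do what to each asset, and a least-privilege review that flags grants never exercised in a constructed access log. All asset, role and location names below are made up.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Sensitivity tiers, most important first; used to prioritise attention.
TIERS = ("crown-jewel", "confidential", "internal")


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str       # one of TIERS
    location: str   # where the asset resides (hypothetical labels)


@dataclass
class Policy:
    """Allow-list of (role, asset) -> permitted operations.
    Anything not listed is denied, so the default posture is deny."""
    grants: dict = field(default_factory=lambda: defaultdict(set))

    def allow(self, role, asset, *ops):
        self.grants[(role, asset)].update(ops)

    def is_allowed(self, role, asset, op):
        # .get() rather than [] so a check never creates an empty grant.
        return op in self.grants.get((role, asset), set())


def prioritise(assets):
    """Order assets so the most sensitive ones come first."""
    return sorted(assets, key=lambda a: TIERS.index(a.tier))


def evaluate(policy, access_log):
    """Split an access log into allowed and denied attempts."""
    allowed, denied = [], []
    for role, asset, op in access_log:
        bucket = allowed if policy.is_allowed(role, asset, op) else denied
        bucket.append((role, asset, op))
    return allowed, denied


def unused_grants(policy, access_log):
    """Grants never exercised in the log: candidates for revocation
    under least privilege."""
    used = {(r, a, o) for r, a, o in access_log if policy.is_allowed(r, a, o)}
    return sorted(
        (r, a, o)
        for (r, a), ops in policy.grants.items()
        for o in ops
        if (r, a, o) not in used
    )


# Constructed sample data (hypothetical assets, roles and locations).
ASSETS = [
    Asset("hr-payroll-db", "crown-jewel", "dc1-rack-7"),
    Asset("wiki", "internal", "saas"),
    Asset("customer-crm", "confidential", "aws-eu-west-1"),
]


def build_policy():
    p = Policy()
    p.allow("payroll-clerk", "hr-payroll-db", "read")
    p.allow("dba", "hr-payroll-db", "read", "write", "dump")
    p.allow("sales", "customer-crm", "read", "write")
    p.allow("everyone", "wiki", "read")
    return p


# Constructed access log: (role, asset, operation).
ACCESS_LOG = [
    ("payroll-clerk", "hr-payroll-db", "read"),
    ("dba", "hr-payroll-db", "write"),
    ("sales", "customer-crm", "read"),
    ("sales", "hr-payroll-db", "read"),       # no grant: denied
    ("everyone", "wiki", "read"),
    ("contractor", "customer-crm", "read"),   # unknown role: denied
]

if __name__ == "__main__":
    policy = build_policy()
    print("Attention order:", [a.name for a in prioritise(ASSETS)])
    allowed, denied = evaluate(policy, ACCESS_LOG)
    print("Denied attempts:", denied)
    print("Grants to review (never used):", unused_grants(policy, ACCESS_LOG))
```

The review step is the part most teams skip: a grant that exists but is never used is pure risk, and revoking it narrows access to those who actually need it without affecting anyone's work.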
Now is the time for fresh thinking and a new approach in the information security industry.
By thinning the trees to focus on what’s important, what at first appears complex is simplified to strengthening defences where it matters most.
Sourced by Leo Taddeo, chief security officer, Cryptzone