Ensuring the security, availability and authenticity of the various data sets that a company creates or is entrusted with by its partners and customers should be top-of-mind for a chief information security officer (CISO) focused on cyber security risk. It’s a broad brush indeed, and for many smaller companies, a CISO is a luxury that they simply cannot afford. However, this does not obviate the need to have the CISO’s responsibility and accountability fall within the remit of a senior company executive.
Cyber Security Risk
That said, does the role of the CISO require technical or business acumen? In the recent keynote address at SC Magazine’s Toronto Congress, IBM’s Global CISO Joanne Martin highlighted the need for information technology professionals to be prepared to deliver actionable insights into threats to their respective company’s leadership and boards. According to Martin, the top cyber security risks identified by her team at IBM are those that accompany the continued use of machines running Windows XP, which remains embedded in parts of IBM’s systems. Microsoft ceased to provide support for Windows XP on April 8, 2014.
Crown Jewels
Couple the Windows XP migration effort with the continued avalanche of breaches affecting customers, patients and company internal data, and every CISO has his or her hands full. These issues aren’t the type that executives and boards of directors sit with quietly. Boards of directors have sat up and noticed as more and more companies have been pilloried following a breach or cyber security incident that puts customers, partners or the company itself at risk.
When the existence of a cyber security risk has been recognized by the board, the CISO is asked, “Do you know what constitutes the ‘crown jewels’ to the company and what the damage will be to the company should they be lost, stolen or otherwise compromised?” Crafting a cyber security risk mitigation strategy to protect data is a challenge, and it is important to know where the most valuable information lies. If you are a new (or established) CISO and don’t have this answer, you now have your task.
Malicious Code and Sustained Probes
For those who have followed the prognostications in the annual security reports issued in the first half of 2014, CISOs are facing two major types of incidents within the cyber attack continuum: malicious code and sustained probes. These are the same issues identified in IBM’s annual report issued in July 2013. The challenge for CISOs will be processing the extraordinary amount of data fed to them from the near-constant probing of their company’s infrastructure while also maintaining a level of service that lets their constituency conduct business unimpeded. The reality is that, once they have penetrated the perimeter, the more advanced entities will burrow deep into the infrastructure in hopes of a long-term engagement rather than a quick snatch-and-grab compromise. Therefore, the CISO’s challenge will be monitoring not only traffic coming in from the outside, but also traffic going out from the inside and any anomalous activity within the company’s intranet.
Overall, the role of CISOs is a mixed bag of skills. They need to earn their place at the leadership table, and they do so by articulating business risks and executing mitigation methodologies designed to address those risks. While CISOs may always be focused on creating solutions that assure the security, availability and authenticity of the company’s data and “crown jewels,” their measure of success will be evidenced by the continued trust of the company’s partners and customers.