Back to work, people! It's time for CISOs to dust the holiday cookie crumbs from their lips and stop rubbernecking the proverbial car crash that was the Sony incident. As 2015 kicks off, it's the perfect time to reevaluate plans and priorities, and maybe even engage in a bit of wishful thinking. As security and risk management professionals start the year, the following items are most likely to hit their wish list for the coming 12 months.
Not being a scapegoat
One particularly startling statistic to come out of 2014 is the number of C-suite and board-level executives who view the CISO as nothing more than the ceremonial scapegoat when the fecal matter hits the fan. A recent survey of CEOs, CIOs, COOs, CFOs and legal counsel at enterprises showed that about 44 percent said CISOs should shoulder nearly all of the blame for a breach. But only about half of those leaders thought the CISO should have a say in security purchases. All of the blame and none of the say-so? Sounds like a scapegoat.
True, sometimes there's no avoiding security incidents. But the best security leaders recognize that the important thing is to limit the risk incurred by incidents. If CISOs can take the teeth out of breaches, limiting the number of records stolen or the type of data exposed by making it very difficult to get to the most sensitive data stores, they can greatly reduce the chances they'll be the sacrificial executive. While advanced detection techniques are important, true risk reduction also requires more attention paid to incident response. As Forrester analyst Stephanie Balaouras explained in a recent 2015 prediction blog, only 21 percent of organizations report improving incident response is a critical priority. Consequently, most can't respond to breaches in a way that doesn't "drag their corporate reputation through the deep, dirty mud one finds at a monster truck show."
From the same survey of C-suite leaders mentioned above, nearly three quarters of them believe CISOs deserve a seat at the table and should be a part of the leadership team. While there are no easy fixes to grant this wish, one of the big problems that CEOs and boards have with CISOs is their perceived inability to communicate up the food chain. As professional development expert Michael Santarcangelo explains in a piece for CSO last year, this means being able to understand corporate politics, measure what matters to senior leadership, and communicate the salient points to effectively and succinctly demonstrate the value driven by the security program. Perhaps one of the first steps toward making this wish for respect a reality is a 2015 push from security leaders to spend more of their continuing education time on public speaking and written communication skills, rather than technical ones.
Easier ways to prioritize problems
According to the PWC Global State of Information Security Survey 2015, the percentage of security incidents detected by enterprises increased by over 43 percent in 2014. As incidents and threats continue to pile up, security teams are seeking better ways to prioritize. It's probably why Gartner has named risk-based security as one of the top 10 strategic trends for all of IT, not just security. For CISOs who have primarily focused on operational matters and depended on vendors' definitions of threat priorities, one big place to start that transformation into a risk-based security practice is through a solid risk assessment and gap analysis. This process is a fundamental part of lining up security goals with business priorities, rather than simply chasing the newest threats because CERT or ISC Storm Center warned about them.
Better cloud and virtualization security
According to the recent 2014 IBM CISO Assessment survey, only about half of respondents said that their cloud and virtualization security practices are mature. And almost a third of CISOs today see the need for a dramatic transformation or improvement in security for cloud and virtualized environments. As CISOs ramp up for 2015, cloud and virtualization will remain high on their radar. Some of the tough problems to tackle include access control and IAM integration, data governance, and stemming the propagation of advanced malware across increasingly complex, hybrid environments.
A working security analytics program
According to the Ernst & Young Global Information Security Survey 2014, 37 percent of organizations say they have no real-time insight into their cyber risks. More startling, only 13 percent of enterprises report that their information security function fully meets their needs. As environments grow more complex, threats multiply and the number of security solutions also balloons, CISOs need a way to actually gain intelligence from all the security data that streams through the enterprise. In conjunction with a movement toward risk-based intelligence, a working analytics program can also improve the way security teams prioritize their actions. Analytics programs take a lot of moving parts: they can include the integration of the right threat intelligence feeds, team members versed in data science, and a big data platform that can store the right information and be quickly queried for it.
As the big hacks of 2014 hit the rearview mirror, CISOs understand there are plenty more potential incidents waiting for them in the coming year. While it probably isn't possible for them to have all of these wishes granted in 2015, focusing on even one or two of them has the potential to help manage the risk inherent when incidents strike in the months to come.