The Inside Story: What CISOs Know About Cybersecurity
In the wake of aggressive press coverage of recent major breaches at companies from Target to Neiman Marcus, cybersecurity has finally moved out of the shadows to become a top-of-mind issue at major enterprises. The new focus is dramatically changing the landscape for security leaders and business executives, who no longer struggle to convince their boards of the seriousness of the threat.
The sea change was one of the big takeaways from a session I moderated at the recent SINET Showcase 2013 in Washington, DC. The panel of leading Chief Information Security Officers from top companies made it clear that they no longer have to shout cybersecurity warnings from the ramparts. Their boards are now aware of the looming threats…and they are scared.
“Thanks to the New York Times and Wall Street Journal, now I don’t have to go and educate the board or the senior leadership team. They’re asking me questions,” agreed panelist Jay Leek, CISO of Blackstone, a diversified financial management company.
Security Is More Than Just IT
Just as important, the high-profile coverage means that cybersecurity is no longer seen just as an IT problem requiring an IT solution. The threat vector may be IT, but now there’s board-level awareness that actually this is a risk that affects the entire enterprise.
“It’s very, very sensitive data, and if that were to get lost, stolen, breached in some form or fashion, there’s a loss of trust that those patients may not come back and we’re out of business,” noted panelist Bill Dieringer, CISO for Ardent Health Services. “So it is very much a business problem, not just an IT problem.”
Education and Culture
The greater board-level awareness of cybersecurity is leading to a new emphasis on education and corporate culture, explaining the threats as a business-level issue and not a complex technical problem.
The challenge now is to stop sweeping security issues under the rug and change the business culture to get employees, contractors, and partners to take them seriously. At Blackstone, for example, “We make a big scene of it around the office,” Leek told the session audience. “If somebody’s machine gets compromised, we go and we yank it… People watch the help desk push it out on a trolley, and I think they really think twice.”
Visibility, Intelligence, and Analytics
Enterprise security leaders are also looking to better understand what’s happening on their networks and systems at all times, both internally and externally. That means visibility into how things are working, and using analytics to detect threats and develop effective protection. There’s still work to be done on that front, though. “Too many of us are…hiring statisticians that don’t know anything about security, pumping years and years of data into this big-ass database, not knowing what we’re going to get,” lamented Leek.
Progressive companies are also moving away from building taller walls for protection, instead investing in planned responses to minimize the impact of the most likely threats. “We can’t build a sarcophagus,” said panelist Jim Nelms, CISO for the Mayo Clinic, the world’s largest integrated medical practice, “so we’re actually tearing down the walls, because the data has to be where the patient is.”
The Decision Makers
So, what does that mean in the real world? Enterprises choose their security solutions according to a number of key principles:
- Rich APIs and open standards—Companies want to integrate their security solutions with the rest of their systems, and add on their own applications. “I won’t buy a company’s technology or invest in an organization that doesn’t have rich APIs,” noted Leek.
- Scalability—Too many off-the-shelf solutions don’t scale to the enterprise level.
- End-user convenience—Security solutions that put too many burdens on end users don’t get used, and can actually hurt employees.
- Innovation and speed—The threat landscape is always changing, and enterprise security vendors need to keep up. “60 percent of the canned solutions that we’re using are smaller, innovative companies rather than legacy systems,” said Nelms, “because they just move quicker and respond faster to what we need.”
If there’s any upside to the continuing barrage of high-profile hacks, it’s that they’ve moved cybersecurity out of IT’s back room and forced the executive team to invest in everything from better security technology to improved education.
Specifically, enterprises want real-time, 24/7 visibility into the state of their systems—as well as swift, effective responses to attacks and breaches. The security solutions they choose have to be open and scalable, but can’t slow down the speed of business.