Today’s security landscape feels more like a James Bond movie than normal life. International intrigue is now a standard equation for any large-scale cyber-attack, as we’ve seen recently with the Sony breach and the potential for North Korea being behind it all. Events like this are great fodder for politicos and make for glib and gossipy water cooler talk about the latest celebrity leaks, but they obscure the real dangers just beneath the surface. What if skilled, persistent attackers targeted critical infrastructure like the water supply or electric grid, rather than a Hollywood studio pushing a silly movie? What if they targeted your business?
With many calling 2014 the year of the data breach, corporate security teams are on notice. They face a wide range of threat actors, from nation-state cyber espionage to highly skilled patient attackers for hire, down to home gamers and nuisance attackers.
Corporate IT and security teams are feeling the pressure of this dynamic threat landscape. They know they’re being targeted and that they are vulnerable. A CISOs challenge today is incredibly difficult. Two monumental structural changes, mobility and cloud computing, have transformed their networks from well-defined and protected “walled gardens” to distributed collections of third party partners, with varying degrees of security capabilities. Today, essentially, the Internet is the corporate network.
According to recent research by PwC, the number of reported security incidents around the globe has risen 48 per cent in the last year. However, what is more worrying is that less than 17 per cent of businesses globally are fully prepared for an online security incident according to research by the Economist Intelligence Unit (EIU) sponsored by Arbor Networks.
This comes at a time when executive and board-level awareness of these threats is already pronounced. If the CISO is unable to communicate in terms the executive team and board understand then they don’t get the appropriate level of support that is needed. This executive and board-level awareness of the threat landscape means CISOs have an opportunity to champion their own role as risk managers and defenders of the business. If CISOs are to deliver an understandable call to action and gain the credibility to push their strategic plans, they need to deploy a range of tactics to make their voices heard including:
Make security relevant for management: The CISO must communicate threats in a way that the leadership team understands. This is a tremendous opportunity for the CISO to position his/her role as beyond technology, but to the broader role of corporate risk management.
Know your audience: If you get time with the CFO and talk botnets, you’re likely to see their eyes glaze over faster than you can say Distributed Denial of Service (DDoS). The primary message a CISO needs to convey is the threat that attacks of any kind pose in terms of lost revenue, reduced productivity and damage to the brand. A Chief Legal Officer will be interested in the regulatory and compliance aspects of a breach. Know your audience and tailor the message accordingly.
Specific examples: As the kids say these days, keep it real. Make the key points relevant to your specific organization. Senior executives have little interest in theories or hypothesis. They are very interested in case studies, examinations of their business, and understanding the potential impact that these attacks can have on their business plans, financial goals or standing with regulators.
Without the proper level of understanding and buy in from the executives and Board, this is a recipe for disaster for the CISO, and the organization. Today’s effective CISO is a business-person first, a communicator second and technologist third. This is a fundamental transformation that is taking place in organizations around the world. Those that succeed will be able to work with the executives and Board in a way that is meaningful and that ensures support and funding required to protect the business.
Dan Holden is the Director of ASERT, Arbor Networks’ Security Engineering and Response Team.
No comments:
Post a Comment