Eddie Schwartz, Vice President and Chief Information Security Officer, RSA
The Security for Business Innovation Council (SBIC) just released a new special trend report titled, “Information Security Shake-Up” containing predictions for continued cyber security turmoil in 2013. The report assesses how innovations such as big data analytics, cloud computing, enterprise mobility, and social media are rapidly transforming the way enterprises conduct business, will change the face of IT, and will greatly impact the foundation of information security strategies. With the accelerated adoption of cloud, social media and mobile capabilities in the enterprise, it is clear that every organization’s attack surface will continue to become broader and more complex, and the enterprise security perimeter will completely dissolve.
This SBIC trend report offers high-level, actionable strategies to help inform key decision makers and assist enterprises in addressing the challenges these megatrends pose to information security programs. From my perspective, there are five key issues in the report on which security professionals should focus.
BIG DATA AS A WAY OF LIFE
If you do nothing else in 2013, stop thinking of “big data” as a buzzword and start treating it as a way of life for you as a security professional. First and foremost, information security programs must get into the information business in a very big way. In 2013, security programs must evolve from traditional, reactive, perimeter- and signature-based approaches to malware management, network threat detection, and security controls management toward an agile approach that draws on big data and intelligence-driven analytics. The goal is to understand, at all times, the risks to the most important business assets in whatever context they exist, whether cloud, mobile, or the traditional data center, and to protect them accordingly. To succeed, security leaders must invest in intelligence-driven strategies that harness big data analytics and agile decision support.
CONSULTANT TO THE BUSINESS
We security professionals have worked for years to have our voices heard regarding the threats facing IT and the business from many directions. Now that the enterprise is listening, we must be seen by the business and by IT as BOTH protectors of the realm and enablers of innovation, rather than inhibitors. As information security evolves from an IT-focused to a business-focused problem, security teams must develop the consultative skillset required to “speak the language of business.” I know you may groan when you hear that phrase, but it is not necessarily about an ROI model; it is about the ability of infosec pros to discuss the importance of a business initiative with a business leader in clear, concrete, and decisive terms, and to reach a shared view of the value of information security investments. More and more, the performance of security teams should be measured on their ability to tie security programs to business outcomes.
TOP DOWN SUPPORT? HOW ABOUT FROM THE MIDDLE OUT?
As we begin 2013, a growing number of C-suites and Boards understand the importance of information security. Many CISOs have the ear of their executive leadership, and in many cases information security gets support from the top. The members of the SBIC report that the current resistance to information security efforts sits two levels down from the top: middle managers who are not immediately convinced that they want to allocate scarce resources to security. They are incentivized on timelines and budgets, and integrating security can run counter to those objectives. To be successful in 2013, building on the Consultant to the Business theme, security teams need to build relationships with middle managers, help them understand the value of information security, and assemble a coalition of support within that layer of management. The Council thinks this may be a harder nut to crack than the C-suite.
SUPPLY CHAIN SECURITY CHALLENGES
Most organizations are both a supplier to someone and supplied by someone, and in most cases by many. Where are the weak security links in that chain? In our interconnected world, organizations must be able to demonstrate that they are a trustworthy supplier, whether they deliver commercial services such as banking or electronic systems that become part of a manufactured good. We are seeing heightened interest in organizations developing multi-tiered programs to evaluate and demonstrate the integrity of the entire IT supply chain, both upstream and downstream of the organization.
CLOUD, MOBILE AND SOCIAL MEDIA …OH MY!
Enterprise use of cloud, social media, and mobile technologies will only increase, and it is up to security leaders either to find a way to innovate and transform their security programs or to fall behind their organizations, opening up dangerous security gaps. This train left the station a long time ago. If you are waiting for a silver bullet to resolve BYOD, cloud security, or social media nightmares, you might as well wait for AV to start working again. The point is: start breaking these problems into bite-size pieces. None of these areas is monolithic. Each has sub-problems that can be tackled now while you work on innovations in the others. Work on the GRC problem, or the network visibility angle, or find a way to gain intelligence about your social media attack surface.
Have a great 2013!