CISOs and their nightmares

Clive Longbottom, Service Director

Quocirca Comment
Recently, I gave a series of presentations for Check Point Software on What keeps CISOs awake at night? The content was based on Quocircas discussions with a number of CISOs (chief information security officers) and other research carried out across a range of security issues. The following main themes resonated with the audiences. The workload of audit. External requirements for audit are seen as being onerous by CISOs, with some dedicating up to 30% of their time in dealing with tasks associated with gathering the correct information together. However, very few are using automated means to gather the information and many also see the audit team as foes, rather than as a team of people with distinct skills that can be used to help smooth the workload through using their insights to ensure the right information is prepared. Data leakage. As universal connectivity has become more of a reality, the risk of information getting out into the wrong hands is a major concern. For many, this is not something where they see a need to be heavy handed in tracking down the malicious person sending information to competitors, but more the accidental leakage as someone types in John Smith in the To: field of an email, expecting it to then pick up the email address of john.smith@myowncompany.com, and not noticing that it has actually picked up john.smith@ourbiggestcompetitor.com. As social networking usage has increased as well, leakage of information out into these uncontrolled environments has also become a focus. Yet data leak prevention (DLP) tools are now capable of dealing with multiple different information streams, and can ensure that information is not only kept within the organisation itself, but is also kept within the right department or group within the organisation. Consumerisation of IT. As employees increasingly bring their own laptops, tablets and smartphones into the business and demand that IT enable them to be used for business purposes, the CISO is struggling with understanding how best to manage the security of such devices. Quocirca has seen the King Cnut approach of putting in place a policy of not allowing the use of personal devices which is universally disregarded by users. Far better to apply a base policy of what the device must be capable of supporting (for example, encryption, Java, whatever), and use end point device management software to ensure that the device does meet these requirements or to quarantine it if it doesnt. Combine this with the use of suitable virtualisation techniques, and the access device becomes just that no data can be stored, printed or cut and paste from the business environment into the personal environment and no malicious software can cross the boundaries either. Better to assume that all access devices are compromised and act accordingly, than to hope that everything is OK and then find the corporate network infected with something nasty. Use of cloud. As part of the consumerisation of IT, CISOs are also worried about the use of consumer application in the cloud not just social networking, but functions such as DropBox that end users see as making their life easier. Just blocking these will not endear the employee to the organisation, but offering similar, secure capabilities for storing files in an environment that can be controlled should be considered as an alternative. Similarly, other functions that a user could source themselves through either free usage or through small payments by credit card should be captured and looked at maybe the user has come up with a better way of doing something than the systems the organisation already uses? Data on remote devices. Sometimes, it is preferable to store some data locally on access devices particularly on advanced devices such as laptops and tablets. However, even a base level smart phone can now hold many gigabytes of data, and CISOs are struggling to manage how data is being secured. Quocirca believes that all data should be encrypted both on the move and at rest. By

CISOs and their nightmares

http://www.quocirca.com

2011 Quocirca Ltd

doing this, a 500 access device should pretty much remain that at all times just a 500 device. Data stored in the clear can very rapidly make that 500 device a 500,000 device, should the data being stored in the clear be corporate intellectual property or customer information that could lead to the need for legal disclosure and fines from the Information Commissioners Office (ICO) The rise of the professional blackhat. Back in the good ol days, your average hacker was someone doing it for the glory, not wanting to cause any real malicious damage, with malware payloads often just being something that caused minor disruption. Now, however, professional hackers are well provisioned often with headquarters in countries hard for western authorities to get to. They have one of two

motives, financial gain or political/commercial disruption (hacktivism). Indeed, it is possible to go onto the web and find professionally designed sites that offer botnets rentable by the hour with specific attack workloads available to be bought with a credit card. CISOs need to be able to identify unusual patterns of network usage rapidly and to respond as required, by either throttling or blocking usage, or by failing over to alternative systems while the threat is dealt with. The world is a harsh place for todays CISO and the businesses they work for, and keeping up with the dynamics within the security space is not easy. However, covering the areas above through some simple steps can help to allow a more restful nights sleep.

This article first appeared on Voyager Networks Blog page at http://www.voyager.net.uk

CISOs and their nightmares

http://www.quocirca.com

2011 Quocirca Ltd

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of realworld practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption the personal and political aspects of an organisations environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to advise on the realities of technology adoption, not the promises. Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocircas mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocircas clients include Oracle, Microsoft, IBM, O2, T-Mobile, HP, Xerox, EMC, Symantec and Cisco, along with other large and medium sized vendors, service providers and more specialist firms.

Full access to all of Quocircas public output (reports, articles, presentations, blogs and videos) can be made at http://www.quocirca.com

CISOs and their nightmares

http://www.quocirca.com

2011 Quocirca Ltd