Modern cyber security threats are pervasive
For Equifax, it was the failure to remedy a known cyber security flaw. A vulnerability in a web application whose patch was available in March, resulted in a hack just two months later which seized 147M customer records and cost the company $575M in damages.
For Yahoo, one click resulted in $85M dollars in damages and nearly two years for the full extent of the breach to be detected. The reality is that for enterprises it’s no longer “if” your organization will be breached, but rather “when” and to what extent and cost. In the first three quarters of 2019, 100+ major security breaches have occurred, according to identityforce.com.
Leading US enterprises are projected to spend nearly $124B on information security assets in 2019 (Gartner). But spend alone can’t prevent the inevitable. With a cyber security attack every 39 seconds, the onus rests on Information Security teams to mitigate the risks of aging IT architectures, application vulnerabilities and removing long-held budgetary ceilings to ensure that their organizations are committing the appropriate resources and attention to the security of its data.
With such insurmountable odds, the metrics for success by an enterprise will be measured not by whether or not a hacker’s target hits its mark, as the numbers are in their favor. Rather it will be by how the information security program is funded and can evidence process and methodologies to protect its data, underscored by sound technology decisions.
Like a quantum computer, successful information security teams should operate simultaneously in two different states, one on the defensive and the other on the offensive. The teams that will protect the enterprise successfully position their organizations to mitigate risk and create processes to remediate the threat. It is these teams that will withstand the impact of an event and the downstream fiscal and reputational effects of an incident.
What leading enterprises are doing
It is widely accepted that a breach will affect more than just the customer and shareholder. Within 45 days of Equifax’s information security team isolating suspicious activity in their network, the organization announced the resignations of both its CISO and CIO.
Historically, it has been the CISO that has been the sacrificial lamb as evidenced by their short tenures which represent half the duration of the CIO (2 years vs. 4 years respectively).
But enterprises are learning that heavy turnover at the CISO level creates organizational instability which can jeopardize their programs and potentially turn away talent. Many firms are revisiting their relationship to the CISO. More forward-thinking organizations are restructuring to place the CISO in direct reporting line to the CEO, COO and Board.
This elevation of the CISO from beneath the technology hub and into the executive layer allows the CISO greater freedoms to air any issues with technology and without retribution, or at least one hopes. This is a clear benefit to organizations and will perhaps become the norm across the board.
Organizational structures aside, there are other factors which stand to threaten IS teams within the enterprise. 42% of CISO’s leave an organization because of budgetary concerns or when the IT organization does not incorporate cyber security in strategic planning discussions.
How you can prepare your enterprise for handling the security threat landscape
Successful teams build strong partnerships with not only their legal and compliance arms, but also with their finance teams. Given the technical nature of much of the tooling required to safeguard an organization’s data, it’s critical that finance become familiar, not just with the cost associated with the technologies and consultancies, but also with the team’s end game.
In order to best prepare your enterprise for the threat landscape budgetary impacts include your IS leadership teams. This should be for roadmap and planning sessions throughout the project lifecycle, to insure the application of adequate security controls.
Working to educate your finance arm or at the very least building a bridge to finance is as important to your information security protocols as hiring the right perimeter security professional. If your finance arm can’t communicate the importance of your request up the ladder, your funding could be at risk and your projects jeopardized.
The importance of having the right security monitoring platform
Equally integral to safeguarding enterprise level IS programs is the adoption of a monitoring platform. Many strong IT teams within enterprises have fallen into the trap of tinkering. Just because your team can build a solution, doesn’t mean they should. Your homegrown solution isn’t necessarily king. If there’s one area, beyond firewalls, where teams should consider significant investment, it’s in their monitoring platform.
The art of monitoring distributed systems should best be left to the professionals. While there is a plethora of solutions out there, Splunk is a leader in the space. A newer entrant to the market, with equally strong capabilities is Accedian.
When selecting a monitoring vendor, be sure to confirm that they can support both on-premises and cloud-based infrastructure. Few vendors can do both, even fewer can do it effectively. The ones listed here can and are that rare breed.
77% of enterprises now have at least one application or some component of their enterprise computing infrastructure in the cloud (2018 Cloud Computing Survey). By 2020, nearly 83% of enterprise workloads will be in the cloud. If your organization hasn’t yet made the transition, expect that it will be coming and you will need to prepare.
Whichever cloud service provider (CSP) you choose, whether it’s AWS, Microsoft Azure, or Google Cloud, it is imperative to integrate security into the deployment pipeline to maintain a secure migration. Failure to do so will be costly and will expose your enterprise to unnecessary risk.
Container security continues to gain prominence
Equally important will be the need to develop a container security strategy. Since containers share a host kernel, a compromise of the host can give complete access to all running containers on that host as well as other hosts on the network. Both IS and Risk should have a seat at the table early on in the architecture scoping phase of your migrations. Both of these teams should be key stakeholders and can invariably help make your cloud migration a successful one.
A key burgeoning methodology employed to safeguard enterprises is the adoption of DevSecOps (Development Security Operations). DevSecOps describes the cultural shift of embedding information security within the goals and processes of application and infrastructure deployments.
By including security as an integral part of the entire application life cycle, security considerations can be introduced at the beginning of the development pipeline ensuring the implementation of proper controls. Not as an afterthought at the end of the process.
While implementing strong organizational methodologies is key to supporting continuous monitoring of the environment, without strong access and identity management (AIM) protocols in place, your enterprise is exposed. Key failures in the implementation of AIM are working to first gain sponsorship then alignment with key stakeholders.
Without enterprise-wide support information security initiatives cannot receive broad implementation. Since it takes just one employee targeted by a bad actor to expose the entire organization to both lateral and hybrid downstream attacks, AIM protocols continue to be a safeguard against cyber attacks.
While enterprises work to shore up their internal processes, the regulatory environment, long considered to be behind the curve in both technology and cyber security matters, is finally catching up to current trends.
The impact of regulations on security
In both the US with the (23 NYCRR 500) aka New York Part 500 and the EU with the (General Data Protection Regulation) aka GDPR, both laws stand to compel organizations to create greater transparency around their data assets. This will force greater standardization for their information security protocols.
These regulations are just the beginning of what many regard as a turning point in the application of policy and governance. It’s expected to create standardization in how enterprises employ their information security programs.
With all of the bases covered, even the most proactive and well-funded IS program can be compromised. As such, it’s important to practice your breach communication plan in advance. Your team shouldn’t be rehearsing their breach communication plan during an active breach. Remember, most companies don’t identify a breach for twelve months.
While the initial work will be to remediate the breach, the immediate subsequent and often simultaneous work will be the communication of the event. Top enterprises align their teams with Legal and Marketing in advance of any event and rehearse their communication execution plan.
A solid communication plan is a key tool in promoting IS goals across an organization. Equally important will be to create methodologies that scale. According to Gartner by 2020 there will be 20 billion devices connected to the internet.
This vast augmentation of data will require organizations to not only scale their information security platforms to monitor these assets (IoT attacks were up 600% in 2017). It will necessitate internal processes that enable data mining for performance opportunities and synthesize downstream marketing benefits.
From a technological vantage point any tooling that you currently have should have the capacity to scale to accommodate new nodes that result from any IoT implementations.
The importance of having the right enterprise security team
But all of these great tactics are irrelevant without the right team in place to execute. By 2021, it is estimated that there will be nearly 3.5 million unfilled information security jobs globally. In the fight for IS talent your enterprise needs to be positioned to find resources not just fiscally but also from a brand perspective.
Continue to revisit salary and compensation benchmarking to make sure that you are working to remain competitive amongst your peers in the industry. All things being equal, brand will win in the competition for new talent.
It’s important to keep your organization out in front and protected from digital brand risk to further ensure your ability to compete for new talent. Companies like ZeroFox offer digital brand/risk protection to automatically remediate any negative or hostile threats to your brand.
Given the ongoing threat represented by the talent gap in IS, some enterprises are adopting Security as a service (SECaaS) to prevent any resourcing gaps from impacting their organization.
This methodology allows a service provider to integrate their security services into a corporate infrastructure on a subscription basis. This solution may become more prevalent as the resource gap continues to grow in direct conjunction with the rising threat matrix.
While talent, tools and resources are king in the enterprise’s arsenal to protect against the continuous onslaught of cyber security attacks, equally important is the incorporation of Information Security at the onset of strategic roadmap development, cloud migration strategies and IT deployments.
While the threat landscape will continue to evolve there will be no shortcuts in the process to protect and secure the enterprise. The sooner enterprises involve the Information Security team in its strategic planning and meet its budgetary requirements the lower your enterprise risk.
To learn more, read our blog post “Infrastructure-based Security Solutions – What to Consider.”