The chief information security officer (CISO) has one of the toughest and most thankless jobs in IT. Cyber attacks and data breaches are becoming larger, more damaging and more common with every passing year and the attacks the CISO successfully averts can often be invisible to the organization and public, while the failures are often all too visible.
Just two days ago, Morgan Stanley announced that it had fired an employee for stealing partial client information for 10 percent of its Wealth Management customers and posting the data on the Internet. Meanwhile Sony Pictures Entertainment is still reeling from its massive data breach in the closing days of 2014. In a year characterized by massive data breaches, the Sony breach topped the list.
Looking ahead to 2015, Todd Peterson, senior product marketing manager for Dell Security, says these four items should be on every CISO's wish list to make the job a little easier.
1. An End to Silos
Rationalization isn't just about business applications. Your security environment is probably complex and growing more so every day — perhaps to an unmanageable degree. To tame that complexity, the security silos need to go.
"Historically, the knee-jerk reaction to a new security threat is to scramble to plug that specific hole, leading to disjointed silos of security from different vendors, managed by different teams and with varying levels of actual value," Peterson says. "The utopia that should be on every CISO's list is a unified approach to security that preemptively closes holes by implementing a consistent, unified approach to those things that control security — policy, execution of access controls, audit, rights and the administrative actions that make all of those things happen."
2. Confidence Replaces Doubt
In the past year, it was hard to go more than a few weeks without hearing about another attack or data breach. That's the sort of thing that can give a CISO serious stress. But you can't hide your head in the sand. Confidence in your security posture is the only way to really get the doubt under control.
"Every week we hear of a new breach, leaving the security community wondering, 'Could this happen to me?' For many, their biggest wish for 2015 would be the confidence to know that they have the policy, controls and visibility in place to make the chances of a similar situation happening to them much lower," Peterson says. "That confidence comes from doing things right."
3. Security Becomes Everyone's Friend
Securing your organization's data would be much simpler if it weren't for end users. They are your greatest security weakness — but quite often it's because they're doing something they think they need to do to better do their jobs. You're not going to get rid of end users, so another approach is required.
"In the minds of end users, most security requirements are a nuisance that makes it harder for them to do their jobs," Peterson says. "But if every user had precisely the access they needed and that access was easily delivered, the only time they would be aware that security was being enforced would be when they tried to do something they shouldn't do. With intelligently planned and executed security, protection of data and access can become a business enabler instead of a productivity black hole."
4. "Peace on Earth," or at Least a Truce with Your Auditor
No one likes to be audited. Preparing for an audit can be one of the most time-consuming tasks your team can perform, and the anxiety is no fun either. But with the right security posture, audits can stop leading to a nail-biting frenzy and maybe even become just another opportunity to check that all your "i's" are dotted and "t's" are crossed.
"In far too many cases the relationship between an organization and its auditor is adversarial," Peterson says. "This is mostly due to the organization being in the dark as to what the auditor is looking for and the auditor asking for information that is difficult for the organization to gather and deliver. Imagine the peace of mind if an organization went into an audit knowing that they've done everything in their power to place themselves in control of the situation. If you know your systems are secure, know who can access what and why and know the right people had their hand in those things from day one, an audit moves from an apocalyptic cloud to a mile annoyance."
This story, "4 CISO wish list items for 2015" was originally published by CIO.