"We need to advance the security agenda to the boardroom," said MacDonnell Ulsch, CEO and chief analyst of ZeroPoint Risk Research. That means turning to managing risk, according to Ulsch. "I know there are those who disagree with this, and who believe that technical security is the answer. To me, it is only part of the solution of managing risk.
"It is interesting, too, that so many in the industry are focusing on data protection of regulated data, but that intellectual property [IP] and trade secrets seem less critical, even though these secrets may be the lifeblood of the company," added Ulsch. "If I lose PII and PHI, it's a bad day, and there are consequences. If I lose IP, it may be the end of the company. So managing risk is what security professionals are doing. They know it, now we need the rest of the organization to know it."
Ulsch, who joined the Information Security magazine editorial advisory board last month, is among the experts who shared tips and strategies in my article on global risk assessment and security. Analysts at Gartner, and elsewhere, advise senior security management that by 2020, companies can expect cybersecurity spending outside of compliance to drive global risk assessments and strategy assumptions at Global 2000 companies.
"The answer to [the spending question] is not immediately obvious," said Ernie Hayden, CISSP, global managing principal, RISK, Verizon Enterprise Solutions.
"Right now the drivers are still based on compliance to certain security standards," he said. "Additionally, the threat intelligence and how it can be useful to a company is not immediately obvious to the executives, who approve security expenditures. And, with the new threat intelligence, it is quite common that the CISO may need to ask for more technology or staff to help react to the intel more effectively."
As Hayden pointed out, the amount of information and data that CISOs need to plow through -- and protect -- is bursting beyond the "four walls" as mobile devices and high-memory portable media proliferate. And it shows no sign of tapering off. The format of the threat intel -- which is likely coming in bursts instead of a continuous stream -- may open the door for arguments about its real value to the company.
All of this "makes the CISO's job that much more difficult and expensive to execute," said Hayden. "The CISO, executive leadership team and board of directors need to realize that they should assume that the organization will be breached in the future. This is the sad truth that many leaders have difficulty accepting," he acknowledged. "The bad guys only need one way into your network to steal and vandalize. However, the CISO and their team need to cover every single entry point into the network, applications and databases," he said. "Again, this is a tough task."
We also tackle the ongoing issues that CISOs and their teams face as the security skills shortage shows few, if any, signs of improvement. Author Rob Lemos writes about the innovative ways that security firms and other companies are trying to keep their pipelines flowing, especially as universities and colleges continue to fall short, and entry-level security specialists offer little more than "frequent flyer" skills.
On a positive note, help is on the way as vendors continue to improve their next-generation firewalls, fine-tuning application awareness and other user controls. Longtime tech journalist and technology expert David Strom interviewed IT security managers and CISOs to find out how their migrations were going and what advice they could pass on to other organizations that are thinking about replacement strategies. Enjoy the issue, and let us know what you think.