The pressure continues to increase for enterprise organizations to stay ahead of cyber attackers and new threat vectors. Security leaders need trusted guidance from peers and the InfoSec community to reinforce their decisions and priorities.
Cyber Security Hub took the industry pulse of cyber leaders at the end of 2018 and again in the middle of 2019. Changes in priority and concern highlighted in the CShub Mid-Year 2019 CISO Priorities market report were further discussed with a pair of experienced CISOs during a recorded webinar in August. Here are the key findings from that market report and the CISO perspective on how enterprise security leaders can interpret them.
The Cyber Security Sentiment
The overall cyber security landscape sentiment remains positive for nearly 80% of respondents in the mid-year market check. Bob Turner, CISO, University of Wisconsin-Madison, said, “Awareness from leadership and users is growing. As a CISO, you need to have the countermeasures in place before the attack happens, otherwise it becomes a learning event for the security team and the enterprise.”
In addition, 75% say that hacker sophistication also continues to grow. Dennis Leber, CISO, Cabinet for Health and Family Services (CHFS) in the Office of Administrative & Technology Services (OATS) for the Commonwealth of Kentucky remarked, “Attack sophistication is continuing, and we all have limits on budgets and goals. Attackers do not have those limits. The battle will be a constant struggle. We’re fighting criminals and con people and there’s always a con or scam going on over time. The threat will always adapt and it definitely creates a sense of job security for cyber professionals. We’ll never eliminate the need to commit a crime, or fulfill a greed, or scam someone.”
Cyber-attacks affect businesses and industries greatly. The CISOs called for building cyber security risk into the business model. “We can reduce risk, but we cannot ever be ‘safe’,” said Leber. The speakers noted that security teams should be trying to get into the mind of the adversary.
“In the military, we didn’t make a move without an understanding of what the adversary was doing,” said Leber. “Threat hunting and threat intelligence are examples of this.” CISO Turner added, “We’re not keeping up if we’re only listening to intel. We have to turn it into actionable defenses.”
Respondents in the past two surveys were asked to rank cyber needs (programs, tools, and resources) related to allocation of their cyber budget. In the mid-year update, “new solution sets in the next 12-24 months” was the only cyber allocation topic that increased in the percentage of responses compared to 6 months ago. All other cyber dollar allocations went down.
Bob Turner noted that he got exactly what he asked for and has put those budget allocations to use. As a public entity, it takes time to on-board new staff and to complete the purchasing process. “Agility is not something that you can buy off-the-shelf, but you have built-in to the organization before you go for the big ask or the routine ask,” said Turner. “You have to know how fast you can execute it.”
What’s the top priority for a university security leader? Visibility, says Turner. “What can I see and what can I not see? Once you can ‘see’ it, there are tools to be able to deal with it.”
The chart is an accurate reflection of where CISO Dennis Leber stands on cyber allocations, where a lot of the programs supported are federally funded. “You have to be good stewards of taxpayer money, but it’s provided to protect citizens.” A lot of initial investments were already in place when he joined the team in the Commonwealth of Kentucky. “Spending on some areas has gone down because of that. Staffing changes occur due to turn-over. Cloud is also relatively new and looking at who can help with cloud security.” Both CISOs agree that the security industry is getting smarter. As it continues to mature, fewer resources and less effort will be spent picking solutions.
Data Privacy Legislation And GDPR
GDPR legislation has been in place for a full year and many enterprises received answers to their questions about compliance along the journey. “We’re still not sure if we’re a target for GDPR,” remarked Turner. “Do the industry verticals have any fears about litigation? They need to understand that it’s a threat and a vector needing attention, but what is the action?”
According to Leber, industries are struggling with GDPR because humans are uncomfortable in the midst of change and the unknown. “After time and implementation, there’s been time to ingest it and realize maybe it’s not so scary. If you have a mature security and privacy program in place, you may have found that it wasn’t much different than what the organization was already doing.” CISO Turner agrees. “We’re a lot more comfortable and the feeling of risk has diminished.”
Many organizations have expressed a lack of interest in privacy legislation because it didn’t impact their business. GDPR should be used as an opportunity to have a broader enterprise conversation to understand the privacy roles within the organization. If GDPR is not impacting your organization, there is likely new legislation being drafted that the enterprise can start preparing for.
A lot of growth and understanding still needs to occur on the cloud; however, respondents have been quite clear that there is a bifurcated view on cloud security: 1) the cloud is not safe; 2) breaches are due to a lack of expertise or process.
“As an employer, you wouldn’t vendor out your payroll without due diligence on security,” said Dennis Leber. The cloud works in a similar manner and the lack of expertise is a major security gap. “There is a feeling of safety when using the cloud, but the cloud is not safe because computers are not safe. I am not afraid of going to the cloud, but we must focus on mitigating and understanding the risk associated with it. Just because I have a cloud provider, my responsibilities for security do not go away.”
“It’s just somebody else’s server,” said Bob Turner. “By accepting their SaaS or building your own platform, there must be documented, functional, and effective security controls. I don’t think the cloud is safe, but it can be safer.”
The Security Talent Crisis
No enterprise will be so bold as to claim that finding the right cyber talent is not a challenge. In our mid-year security trends and priorities study, about 70% said cyber talent is a crisis for their organization.
University of Wisconsin at Madison CISO Bob Turner just went through a wave of hiring and grew the team significantly. “The challenges for me are finding both the right talent and the cultural fit. That said, getting the right person on the first shot and the right skills and knowledge is easier today because there are people transitioning from IT careers to security careers. The cultural fit is the going challenge and it will be that way for a long time given statistics on job openings, paying the going rate, etc.”
How do security leaders talk about the value of themselves and their skills? CISO Dennis Leber also sees an opportunity to incorporate the value of security into business education. “CEOs can tell you the characteristics to be a good CFO; however, some MBA programs lack any awareness and need for security within the business.” The industry can better educate on what the skills are and how to find them. Our experts agree about the imperative to teach the next generation to replace current security leaders.