CISOs Frustrated by External ThreatsHow Can They Turn the Tide in the Escalating War?
According to two recent reports, Indian security leaders are most concerned about external attacks, and many already believe they are losing the battle against their attackers.
IBM's annual chief information security officer study of 138 security practitioners among top enterprises finds 60 percent of respondents saying that the sophistication of attackers is outstripping the sophistication of their own organization's defences. The study indicates that more than 80 percent of security leaders have seen external threats increase in the past three years, and they are viewed as the top current challenge.
Vaidyanathan R Iyer, Head-IBM Security Solutions, IBM India, says, "External threats are indeed a primary concern for CISOs given the increased adoption of BYOD and cloud trends by enterprises, which need an appropriate security approach."
Meanwhile, a report from security vendor Fortinet finds that 79 percent of all Indian security practitioners surveyed have slowed down or cancelled a new application, service or other initiative because of cybersecurity fears and external threats.
Rajesh Maurya, Fortinet's country manager for India & SAARC, discusses the evolution of external threat and why they arrest progress in organizations.
"As crime services extend their research and coverage, hackers will utilize the same type of processes for determining the best ways to bypass security systems," Maurya says. "For example, current crime services scan malware against vendors' capabilities to stop it, and give them a score result. As vendors expand from malware detection to threat intelligence correlation, criminals will work to counter this movement with the same type of approaches to find out if their botnet infrastructure is flagged in other intelligence systems as well, and work to hide their tracks."
The Impact on CISOs
With increasing challenges from , criminal enterprises, state-sponsored hackers, hacktivists and other cyber criminals, CISOs clearly believe that they are losing the battle. But the external threats are not the only factor.
CISOs are also affected by the demands of enterprise leaders who continue to outline business priorities, adopting new technologies like mobile and cloud. Security leaders are required to handle increased risk owing to the inherent threats brought about by increased interactions and connections with customers, suppliers and partners.
Another reason, as experts indicate, is because government regulations and standards lack clarity and transparency, putting CISOs at risk in implementing these elements within enterprises.
The CISO's Strategy
In response to these reports, some security critics argue that CISOs need to take the lead in educating the business on security risks. They also need to work closely with the industry groups and share relevant information and best practices.
To be effective, the observers say, CISOs need to keep themselves updated with the latest threats and technology available to mitigate risks. They need to be more involved in the business strategy and projects, so that security can be integrated into processes at the design stage.
However, Parag Deodhar, chief risk officer, CISO, senior vice president- Process Excellence & Program at Bharti AXA General Insurance Co Ltd, emphasizes the need for companies to add more focus on assessing risk and putting in place enhanced controls, processes and skilled resources to mitigate it.
"Many companies still do not have a full-time CISO role, which is a concern," he says. "And while the government has acknowledged the fact that cybersecurity is an area of concern, we also need robust laws and investments to tackle rising threats."
Deodhar agrees that there needs to be more public-private partnership, with regulators and industry groups working together with security leaders.
Fortinet's Maurya recommends the use of a proactive response system instead of traditional incident response , which has generally been reactive. "CISOs should encourage having secure development through Product Security Incident Response teams, as well as deep threat research that will limit breach scenarios before they occur," says Maurya.
IBM's Iyer points out that security needs to be "built-in" rather than "bolt -on."
"CISOs should seriously move from the network perimeter-centric approach to a holisitic view on information security with the realization that cloud and BYOD are pushing the perimeter to new realms," Iyer says.
The Need for New Tools
One of the best ways to tackle increasing external threats, as some practitioners maintain, is to use data analytics to correlate the disparate incidents and detect breaches faster. Deodhar finds the need to have the right talent and run mentoring programs within enterprises to create next-generation security professionals who can counter emerging threats.
There needs to be a balanced approach, says Iyer, as large enterprises would need to re-invent their risk profile in the changing global business scenario, and smaller ones have a chance of developing "built-in" information security into their business approach.
To help manage the rising external threat, experts say, CISOs need to advance their approach to real-time security intelligence and analytics and focus on bolstering mobile security capabilities.
"An actionable threat intelligence tool with proactive services is necessary to filter data that matters and alert clients to their potential vulnerabilities and protection measures, prior to an attack," says Maurya.