Top Ten CISO Challenges: What to Watch in EMEA

It’s that time of year again, we are building up the conference season. A time where we look left-and-right across the security challenges that organisations are facing. Around this time last year, I gave my view of the EMEA CISO Landscape and given all that has happened in our industry over the past 12 months, I wanted to provide an updated set of challenges.

No matter which vertical they’re in, the EMEA CISO is facing some common challenges in the coming year. GDPR fuels several of them, as does the continuing shift to the cloud and the march towards encryption. Here’s a list of challenges that should be on your radar in 2018 – better to get ahead of the issues than trying to play catch-up later!

Challenge 1: Do you need all that technology?

In most cases in life and in business, we buy products because we have problems to solve. But “need” doesn’t seem to be driving today’s security technology purchases. We don’t seem to be sure what we need to protect ourselves from.

Ten years ago, companies could purchase easy-to-implement defence mechanisms for a traditional end-to-end architecture, including several forms of IPS; a DMZ for third-party access; a firewall in front of the web server; and antivirus on endpoints. Most technology addresses only one type of threat, resulting in a patchwork of tools in most enterprises.

Today, the technology landscape is crowded and confusing. The CISOs we talk to don’t know if they need antivirus, or enterprise protection platforms, or enterprise detection response. They hear about solutions for malware sandboxing and threat access, and they wonder if these tools will help create a secure work environment. They wonder if they have the right controls for devices like mobile phones. Vendors aren’t helping; they’re busy trying to one-up each other and make too many promises.

The short answer: no single solution is going to keep you safe if you don’t understand why you have the solution. You need a layered set of service and an ability to tie technology investments to risk reduction measures.

In 2018, start with the problems instead of the products. Don’t buy a machine learning platform because you read about it online. Identify problems and find safeguards to mitigate those risks.

Challenge 2. Applying strategic processes and workflows to digital transformation.

Cloud technologies, continuous integration (CI), and DevOps are no longer the new guys in the room. Organisations are experiencing tangible cost savings, quality improvement and time to market with tools like CI. Unfortunately, the security team can often be left behind in this DevOps whirlwind. In a world of two-week sprints and ‘failing fast’, it’s no longer suitable for infosec to be engaged at the end of a project. Most CISOs I deal with are trying to work in a much more cross-functional fashion, embedding themselves into project teams and offering guidance much earlier in the development lifecycle.

To make progress on the cloud journey, organizations need to gather all the business units involved in the cloud around a single table – including network architects and security – to create joint processes and workflows. In this way, you’ll make progress right from the start. You’ll also, inevitably save money and improve the organisational perception of the security function.

Challenge 3: Responding to the monetisation of malevolence and mischief.

The mechanisms that bad actors use to drive revenue are changing. For example, we’re seeing JavaScript in web pages being used to mine cryptocurrency on end-user machines. In other cases, it’s payloads sent via social engineering campaigns. In fact, we can expect to see more malware that will use the resources of your machine to generate revenue, rather than stealing your data. The bad actors would prefer making the money themselves, using idle clock cycles to generate cash!

Personal information is big business for the bad guys but invariably, it has a shelf life. The theft of credentials is only valuable until such a time as the user resets their details or closes down the service. Through leveraging idle resources on a client endpoint, there is a perception that no one is losing out, although these mining services are often delivered as part of a malware campaign and once a client is infected with a Trojan, the opportunities for nefarious activity are endless.

Challenge 4: GDPR, and everything that goes with it.

I would say that, roughly, eighty percent of data is outside the CISO’s control. That’s worrisome, as many CISOs I know say they’ve inherited their data privacy programme. Thirty years ago, many organizational departments used notepads and calculators to manage their data. They certainly wouldn’t have handed the notepads over to the CISO and said, “Here, this is your responsibility now.” But now it’s common for many departments to tell CISOs that they have to manage all business data. The EMEA CISO is taking on responsibility for data they haven’t had a hand in creating.

Unfortunately, technology is the only delivery mechanism for storing personal information. GDPR is focused on businesses understanding why they have certain information, where the information came from, whether consent to store information was obtained, and how you ensure that information stays accurate and up to date. By default, these burdens are falling on CISOs. IT has inherited the requirement to decide how to control the information.

The challenge is not exclusively a technical one: organisations have to learn to differentiate between why and where that information was obtained, as opposed to simply managing technical controls. Processes and workflows must be established in order to sort out responsibility for data.

Challenge 5: Third-party management is more complex.

Digital, mobile businesses are not static within the confines of a datacenter. The need to be agile and “fail fast” means that companies are increasingly leveraging partnerships to deliver on customer demands. We have a hard-enough time assessing our own risk: the risks posed by third parties that we choose to work with is even more onerous.

In fact, we’re moving beyond simply assessing third-party risk; now, as Gartner notes, we must worry about fourth-party and fifth-party risk farther along the technology supply chain. As use of public cloud solutions grows, we’re creating many new partner relationships.

An adjacent challenge to third-party management is that we aren’t assessing risk quickly enough. Penetration testing that takes five days is too slow, in a world where attackers can gain the upper hand in just a few minutes. The security industry needs better tools and techniques for assessing third-party resources. The need for security assurance has never been higher but CISOs are a pragmatic bunch; insisting that a provider instantaneously allows a full infrastructure penetration test, simply isn’t working for reasons of change control and service availability for other customers. Many CISOs are now shifting from a model of testing to one of contractual agreements, SLAs and Cyber Security Ratings.

Challenge 6: Addressing the skills shortage with automation and orchestration.

Aside from GDPR, my LinkedIn feed is bombarded with two topics: the cyber skills shortage and automation. In fact, in some ways, the two are intrinsically linked.

CISOs that I speak with are looking for more expedient methods of identifying malware and applying controls. Sources suggest that north of 200,000 new malware samples are discovered every day and it’s impossible for cyber analysts to effectively process such a volume of data. If the average lifetime of a malware hash is less than a minute, why are we chasing our tails with this deluge of data? We need a better way to differentiate between malware which can be prevented with signature-based AV and that which requires a fresh approach.

CISOs are turning to machine learning and malware sandboxing technologies for the identification of malware. Both technologies focus (albeit via different means) the behavior and construction of malicious binaries to identify the truly novel and sophisticated.

In discussions I have with CISOs, orchestration is being used to shorten the time to detect and time to remediate. Companies are devising playbooks which document the steps that a malware campaign will take to achieve its objectives. These steps are then translated into machine-readable language and uploaded to an orchestration platform, such as Phantom Cyber. These platforms can maximise investments in existing security solutions by triggering specific events (create tickets, change firewall rules, query DNS information, patch systems, etc) upon discovering a specific indicator of compromise; but automation and orchestration are not silver bullets for the talent gap problem. You still need a “conductor” of the orchestration.

Challenge 7: Boards are engaged – but they need metrics.

A few years ago, CISOs might have had to go into board meetings armed with a stack of news stories about recent cyber attacks. Today, attacks are in the news every day, and boards know full well what kind of damage can be unleashed in the aftermath of security breaches. So, boards are receptive to discussions of threats – but they also need more meaningful metrics that highlight the impact on the business, and how CISO solutions will mitigate the damage.

We need to work harder on delivering metrics that boards understand. Too often, our industry relies on numbers like “300,000 malware alerts” to explain risks. These quantitative terms offer little context for the listener. We also often use qualitative statements, like “medium risk of a cyber attack,” that, in isolation, are too vague to be useful. We must work harder on meaningful metrics, but the good news is that we have board engagement like never before.

Check out my series on board metrics for further information.

Challenge 8: Encryption – the snowball that doesn’t stop rolling.

As recent reports confirm, encrypted traffic is on the rise. We will soon be living in a world where almost all websites are delivered via HTTPs. The ‘blind spot’ keeps growing for organisations who are not inspecting encrypted communication. A security controls framework is ineffective without visibility. CISO increasingly appreciate the need to inspect all content traversing their internet gateways.

Though encryption remains only part of the security puzzle. Front loading the internet with the ‘silver bullet’ of encryption only serves to protect information in transit between two parties and does not maintain security hygiene overall – something that is essential moving forward.

First, we must get encryption right. For years, issues have occurred around implementation and the way organisations are deploying and consuming cryptographic services. For example, not verifying certificates, revocation lists or allowing self-signing certificates can all cause a break in security.

In addition, encryption is only valid against those who shouldn’t have access to data. The encrypted information is still accessible if a hack is undertaken via legit means e.g. phishing to access an admin account.

When it comes to security on the web today, we must continue to look at the basics alongside encryption. Patching, application upgrades, sufficient IAM solutions are all strong security principles that must be applied without fail. If any one of these is missing or compromised the security chain will be broken.

Google plans to identify unencrypted websites as “not secure” in the Chrome browser. This is most certainly a commendable step although we must not confuse security with privacy. As encryption does become the norm and it undoubtedly will, it is crucial that we clarify and separate ‘security’ from ‘confidentiality’ to determine what technologies are most suited in each instance.

Challenge 9: Sharing threat intelligence, inside and outside the organization.

Bad actors only have to be right once. We have to be right all the time. To do this, we need to learn from peers and start treating security as non-competitive.

No organisation can protect itself without a holistic enough view of the threat landscape. This is true within organisations as well: security can no longer run as a stand-alone vertical. No one can rely on a security function that is not embedded in the business.

Many campaigns that we see are focused on a particular industry vertical. CISOs I meet with are sharing insights and experiences with their peers in other organisations to better protect themselves. Through projects such as Structured Threat Information Expression (STIX), companies are benefitting from a common language structure for information sharing which is also machine-readable. When everyone is speaking in the same terms, identification and remediate of issues becomes faster and more effective.

Challenge 10: The perception that the cloud itself is insecure.

Perceptions are bubbling up that the cloud is introducing new threats. But is this perception based in reality?

When Amazon Web Service was down for several hours in February 2017, it caused massive follow-on problems across the internet. The reason for the outage was incorrect command line argument(s) and human error. We are never going to have a foolproof control for genuine mistakes but I assert that it’s unfair to call this a vulnerability introduced through cloud computing.

Cloud adoption continues to grow, as it does, such an explicit delineation of cloud and on-premise will not be necessary. Is the world of commodity computing displacing traditional datacentre models to such an extent that soon all computing will be elastic, distributed and based on virtualisation? Will all computer access be service-based and ubiquitous?

Cloud computing requires an institution to apply the concept of trust, allowing a third-party to manage data on their behalf. At first glance, this unfamiliar approach sounds radical and dangerous although pragmatism and context suggest otherwise. Companies have been relying on third parties to manage information for centuries; the difference with cloud computing is that the information is in digital form.

An organisation is idiomatically only as strong as its weakest link. Whilst it is prudent to acknowledge the threats and vulnerabilities associated with public cloud computing, there are a myriad of risks to the confidentiality, integrity and availability which exist across enterprise environments and I assert that these are significantly more easily exploited.