For those in the cyber security space, the idea of an “agenda” is both integral to the inner-workings of the enterprise and exceedingly tough to flesh out, seeing as the space moves so quickly.
Nevertheless, in corporate and agency settings, these plans – business continuity, incident response, etc. – cannot be ignored, as they are typically communicated to other members of the C-Suite, as well as the board of directors.
Chief Information Security Officers (CISO) and the like are charged with carrying out these endeavors, and oftentimes they must defend allocated funds and translate return on investment (ROI).
Background
Suffice to say, many CISOs are thinking about more laborious shifts and resource-heavy decisions well in advance. So, it helps to take the industry’s temperature, and get a feel for urgent issues. That requires an objective lens, and navigating through media sensationalism and an abundance of “buzzwords.”
Commenting on the process of gathering this data and becoming prescriptive, Enterprise Strategy Group (ESG) Analyst, Jack Poller, said: “The good news is that organizations are now much more security aware. CISOs, CIOs and IT management realize that the new kids on the block – DevOps, blockchain, IoT, cloud, automation and orchestration – need as much or more security as the existing infrastructure stacks. Being so new, we don’t yet have the depth of experience necessary to completely understand their security strengths and weaknesses.”
Here, we aim to help light the path, providing security practitioners a look at some of the most sweeping initiatives (five) in play right now, they include:
- Cloud Computing
- DevSecOps
- IoT
- Automation
- Mobile Security
-
Cloud Computing
Migrating to the cloud has been a gradual process for many enterprises, as they weigh pros and cons of moving their workloads offsite.
There is certainly an upside to cloud migration, including cost efficiencies. For example, enterprises would no longer have to pay exorbitant costs to store data onsite. Instead, cloud service providers (CSP), which carry additional security measures by default, would store the information – while not forsaking ease of access and third party risk controls.
See Related: Could The Cyber Sec. Talent Crisis Come Down To Perception, Biases?
Commenting on cloud initiatives, Denver Health CISO and Privacy Officer, Randall Frietzsche, said: “We have to better understand how the cloud works, the various configurations and security concerns based on the type of cloud… This understanding…allows us to better vet the solutions… This also drives the contracting process – any downstream vendors, what does that connectivity look like, are any of those downstreams offshore? What different provisions do we need in our contracts to address those concerns for a cloud solution…?
“From soup to nuts,” he continued, “we can then better vet those incoming third-party solutions from a risk perspective, and also understand what the risk is (because it’s often very different in a cloud/web portal versus a client/server, on-prem, etc.)…”
-
DevSecOps
Attention in the space is being doled out to informative campaigns, too, meaning not so much “shiny-box” solutions, but research into new vectors, vulnerabilities and technologies. One concept that has taken the cyber world by storm is DevSecOps, or the integration of security with development and operations from the outset.
Poller, said: “A lot of focus and attention is being paid to how we can integrate security into DevOps with the goal of improving the security of the application. However, there is not nearly as much focus on how bad actors can directly attack the DevOps toolchain.”
-
IoT
The Cyber Security Hub has reported quite extensively on the widening of the attack surface with the embrace of the Internet of Things (IoT). Newly connected devices pose serious security risks – seeing as not all of them carry built-in security principles.
Frietzsche said, “Many IoT vendors are building for convenience and not security, which is why we are headed towards a crisis caused by insecure IoT. We need to have the folks with the technical/security chops looking at these things, vetting out how they connect, how you update them, how you change passwords, what their data flows look like, what ports (inbound and out) are needed, wireless versus wired, etc.”
He added: “We have to get legal and operational buy-in so that if we find this IoT thing is not really able to be secured, we can throw the high-risk flag and they’ll try to find a different vendor. Until these IoT vendors start losing a lot of business, they are not going to change their basic growth methodology. Security needs to be the value-add."
The Denver Health CISO said that one heartburn-inducer is how IoT and biomedical devices are intersecting. He said that if you turn IV pumps into bots, that’s fairly low risk. But if more risk is felt down the line, that surpasses data breach and enters the territory of patient safety.
[inlinead-1]
-
Automation
Here is a buzzword that’s been consistently tossed around, with vendors pitching artificial intelligence (AI) & machine learning (ML) tools and end users claiming to be domain experts.
The truth is that there is no true AI just yet, but ML algorithms, scaled to enterprise function (in threat intelligence, for example), are improving and seeing higher adoption rates.
See Related: 'Demonstrating Business Value': Communicating Cyber Security ROI
In fact, Frietzsche called automation the “Holy Grail.” He said today’s teams are not big enough and the amount of content they need to stay apprised of is growing exponentially.
“I can pay an MSSP a couple of million dollars for the warm bodies with eyes on a screen, but do I really need that?” he said. “If my tools can all talk, and I have some sort of automation engine in place, I can remove a lot of needed headcount or MSSP spend, and use those resources in other areas. And I might just get more effectiveness and not just efficiencies.”
-
Mobile Security
In a recent Cyber Security Hub audience survey, 44% of respondents stated that mobile security is a prime industry topic for them.
Like IoT, new endpoints on a network pose immense security challenges. Each additional endpoint connecting to the web expands the attack surface. There are also very specific threats to both iOS and Android phones, including jailbreaking and malware specific to the device(s).
That said, CISOs must deal with corporate or BYOD device security while also being tasked with wider network defense (the customary duties of firewall, antivirus, threat intelligence, user and entity behavior analytics (UEBA) and other access controls, etc.).
Vulnerabilities embedded in mobile devices could expose other offsite or on-prem data sets, or even the keys to the kingdom. Threat actors can also maintain access on the network, oftentimes through faulty mobile security controls.
Altogether, while some of the focal points look familiar, there is more and more research and collaboration being factored in. By 2019, it seems that security practitioners will begin to further integrate AI and ML tools, as well as mobile and IoT security controls. But threat vectors always emerge, and CISOs need to account for that ambiguity.
Be Sure To Check Out: Industrial IoT Concerns Worsen As More Devices Connect To The Web