What keeps CISOs awake at night? What would they love to have in a perfect world? What do they need to make their job easier and more effective?
The best way to find out is to gather a dozen CISOs from some of the UK’s biggest organisations and put them in front of a group of leading security vendors and industry analysts – which is exactly what happened with the 9th IT Security Analyst & CISO Forum, an event that’s organised by Eskenzi PR.
The event, which took place in June in London, consisted of a morning debate with the vendors and analysts firing questions at the CISOs and getting them to talk freely about the challenges they face on a daily basis.
The discussion was wide-ranging, covering all aspects of the CISO’s task, from technology to the recruitment of good staff.
Here is a taste of some of the subjects covered.
Denial of service attacks
Although distributed denial-of-service (DDoS) attacks have received a lot of attention in the past, most of the CISOs from our group felt the issue is generally one that they can keep under control.
“DDoS is a bit like the weather,” said one of them. “It is always there, and most of the time you don’t notice it, unless it turns into a storm.”
The general feeling is that it is something organisations have to live with and manage, both from the point of view of being on the receiving end of an attack, and also having systems hijacked for an attack on other organisations.
Another CISO admitted that her systems had been hijacked a couple of times for attacks, but this had been solved by informing the ISP as soon as it was discovered, and the outgoing messages were choked off.
Others using managed services just informed their providers and left them to solve the problem, although as one pointed out: “We make it the service provider’s problem, but the CISO still needs to have situational awareness. We need to know what’s happening.”
The CISO for one very large public organisation said he had the bandwidth to withstand most DDoS attacks, but said his main concern was that any such attack might be used “as a shield for other activities that could be more serious.”
The future of the data centre
The CISOs in the group were all agreed that the days of the old monolithic data centre are over, as more companies outsource services and make greater use of the cloud.
One CISO working in the pharmaceutical sector said: “Data centres are very expensive so I think there will be a steady move to managed data centres, provided they can abide by our standards.”
Another was more brutal: “If you were starting from scratch, why would you ever build your own data centre?” He said his company owns no IT kit and outsources all its services, allowing it to scale resources according to current business requirements and without any capital investment.
But all agreed that outsourcing, especially moving systems out to the cloud, inevitably entailed some loss of control – but not an abdication of responsibility. “The data centre provider is never accountable. It will still be your neck on the line if anything goes wrong,” said one CISO from the finance sector. “Outsourced data centres may be cheaper, faster and more flexible, but you have to accept that the quality will be lower.”
And from a security point of view, there are also concessions to be made. One CISO from the manufacturing sector complained that the big cloud providers are very inflexible. “They have a dreadful attitude. They won’t even let you scan your systems unless you book ahead,” he said. “They just won’t negotiate.”
On a lighter note, a CISO working in financial services told of how his outsourced data centre had suddenly run out of power. It turned out that the operator had opted to use a biomass electricity generator, but had failed to appreciate that biomass needs to be stirred regularly in order to produce the necessary output. “Any farmer could have told them that. It’s a well known fact,” he said.
Bring your own device
The move towards users bringing, and using, their own devices is well established, and most of the CISOs agreed that there was little point in trying to resist – especially when the greatest demand comes from senior management.
Some technical solutions can help with security but the general consensus was that user training is essential. The risks of carrying corporate data around on a personal device need to be spelled out to users so that they understand the power of the phones and tablets they are using.
One CISO was pinning his hopes on the emergence of a data-centric model where the data itself would carry its own properties and security as it travelled from system to system. However, he wasn’t holding his breath for a solution any time soon. “We were promised this five years ago, but I’ve not seen it working anywhere yet,” he said.
Other factors are also making the whole process more difficult for many organisations. For example, under pressure from the Financial Conduct Authority, banks are being urged to take responsibility for helping users to access their systems, regardless of how experienced or careful those users are.
And one CISO with a large international mobile workforce bemoaned the complexity of trying to comply with the specific local laws of different countries, many of which restrict the movement of some data outside their borders.
Shadow IT
One consequence of the ready availability of cloud services, apps and mobile devices is that non-IT specialists are often tempted to build their own system rather than ask the IT department to build it for them.
All the assembled CISOs recognised the phenomenon of so-called “shadow IT” and most acknowledged that it was hard to stop. Indeed, some positively encouraged it, within reason.
“Shadow IT supports revenue growth in our organisation. It needs to grow and thrive, but it also needs to understand it’s not real IT,” said one CISO.
Another CISO from the finance sector agreed, but insisted that shadow projects should be carried out in secret. “We have moved from No to Know,” he said. “We can’t stop them doing what they do, but they do need to be aware and understand the implications of what they are doing throughout its whole lifecycle. And we do retain the right to hold something back if we think it carries too high a risk.”
The head of security in a large telecoms company took a similar approach. “You need to put your arms around them and explain what is negotiable and what is not,” he said. “Big organisations move pretty slowly, so you need to roll with it when these projects arise. You just need to support them with guidance and counsel.”
Patch management
Patch management, all agreed, is an endless task that can never be tackled completely, because the number of new patches coming in is overwhelming. Organisations therefore need to focus on the most serious risks and prioritise their most critical servers.
As one CISO put it: “You can never get on top of patching, as new patches come out every day. You need to select your most important servers, accept the risk on the others and apply compensation controls to mitigate any risk.”
He also identified Java as being one of the biggest drains on patching resources. “It’s the cause of a lot of failures because of all the versions of Java. You can’t patch everything,” he said.
Privileged users and insider threats
This was one of the most worrying and contentious issues in the whole discussion, as most of the assembled CISOs conceded they had not found a truly secure way of managing privileged users.
As one of them put it: “The goal of most external attackers is to become a trusted internal user. Then they can carry out their work more easily.” His approach was to focus on red-teaming to expose weaknesses in the systems, and to restrict the freedom of internal users to prevent them moving sideways from one system to another.
But managing privileges in dynamic organisations is very difficult. “Companies can grow very quickly and you get lots of changes, and we have to live with it,” said a CISO from the banking sector. “We try to conduct regular privileged access account reviews, but I have to admit it is one of the biggest problems we have not yet solved.”
The challenge is also magnified when managed service providers need to have access to your systems and databases, said a CISO from the insurance sector. Such an arrangement requires a high level of trust in the MSP and its own procedures and staff.
“I wish we had better tools for detecting suspicious or anomalous activity on our systems. But we don’t have them yet,” he said.
As with so many aspects of security, the real solution tends to lie in training and understanding the users. One CISO advised: “Walk towards the problem. Don’t ignore people who are having problems. Let them vent their grievances and understand what their problem is.” Otherwise, insiders can build up grudges and become a danger.
In other words, this is a management problem, not a technical one. “Managers need to understand their people, understand what is normal behaviour and learn how to spot odd or abnormal behaviour,” he said.
On a more proactive front, it was suggested that if departments take more responsibility for the ownership of their data, then they will be more willing to consult and collaborate with information security. For example, one large public body carried out a data asset review that took 18 months to complete, looking at a) how critical each asset was, and b) who owned and was responsible for it.
The review, according to the CISO who led it, produced real benefits: “Now people talk about risks and backups. We now get requests for audits of who has access to their data. Before we had a typical accretion of rights as people moved around the organisation. Now we have that under control.”
Ron Condon is Managing Editor at IT security guru.