Today’s modern CIOs face a set of expectations, opportunities, and challenges that have grown tremendously over the last decade. This fundamentally revolves around one question “How can IT provide value for the business?” This can include everything from modern DevOps with Docker or Kubernetes, Public Cloud, true Private Cloud, IoT (Internet of Things), Big Data, machine learning, and the list goes on. In conjunction with these emerging technologies is the challenge of managing people, process and compliance. Wrapped around all of this is the concept of security. What “security” means for an organisation has changed dramatically over the last several years.
Historically, security was viewed as an operational task. Companies had a firewall, anti-virus software, and maybe an IPS (Intrusion Prevention System). The application teams were fairly certain that firewalls only existed to make their lives more difficult and many times business expediency overruled security best practices. Patching was not always performance and most ERP and critical applications had no access from the Internet.
Things have changed tremendously since then. The role of the CSO (Chief Security Officer) or CISO (Chief Information Security Officer) has been created specifically to tackle these challenges. This role was responsible for protecting the organisation from the ever-increasing cyber threats and/or data breaches.
In addition to the many other responsibilities of CIOs, they also need to be part CSO. In the same way the CIO is responsible for their budget to the CFO, they must also learn and embrace mature security postures. While the CSO and security team are the experts in emerging threats, CIOs must now structure a general degree of awareness and competence across the organisation.
The threats businesses face today are unique in that they are fluid and ever-changing. Every week there is a new story of a data breach or compromise, and we know what is publicly disclosed is just the tip of the ice berg. Every organisation has had some type of virus outbreak and/or ransomware. The impact and degree this is disclosed, even internally to the business, varies greatly. The true concern is not the inconvenience or disruption a virus or exploit can cause, but what data does my business possess that must not be stolen.
Every business vertical has data that would be financially damaging if made public. Whether this is intellectual property for chemical manufacturing, to patient person information in healthcare, to client financial information in banking, to stolen credit card information in retail, security has become a board room conversation because of how it impacts the bottom line. While disrupting a business through DDoS or exploits can be painful, loss of sensitive data can be catastrophic.
Enforcing the basics
Modern CIOs have an important role in ensuring the private business data remains private. This happens in conjunction with the CSO/CISO and audit/compliance. Too many of today’s compromises happen opportunistically because basics are not enforced.
Ensure systems are patched in a timely manner. Too much malware exists for known and patched exploits.
- Proper identity management, no shared accounts, use good passwords.
- Ensure firewalls are truly least privilege. Don’t have Windows systems with RDP open from the Internet and lock down outgoing connections.
- Encrypt all endpoints, its free, use it. Too many data breaches have come from lost hard drives or devices.
While these seem like fundamentals, they can go a long way towards improving your organisation’s security posture.
The next level is generally driven more from the security team’s guidance, but requires a significant amount of operational support and integration. This is where things get much more interesting strictly from a technologist perspective.
- How do we deploy IPS (Intrusion Prevention System), WAF (Web Application Firewall), and other layer 7 type security in a way that is effective?
- How do I do this in a world where most traffic is encrypted?
- How do we put in place a SIEM (Security Information and Event Management) solution that will aggregate logs from every point of technology and be able to run real time threat intelligence and machine learning on this data?
- How do I enable two-factor authentications on every piece of my environment?
- I must assume that I am either already breached, or will be in the future. How do I lower my mean time to detection of a breach?
- If a malware was sending out stolen data hidden in DNS queries, would I know?
The challenge is two-fold. First, while technology exists to solve all the problems above, it also comes with a significant price tag. Second, if you have the resources to procure this technology, the operational human time to both deploy and manage all this technology can be overwhelming.
A solution that is becoming more and more relevant is comprehensive managed services. The idea being that you have a partner who focuses on the security, governance, and compliance. This holds true, and becomes even more important when combining true private cloud and public cloud environments. Leveraging a service provider can be a force multiplier for a CIO and/or CSO. Large projects such as rolling out endpoint management to thousands of devices can become much easier to absorb. CIOs and their teams can focus on the business and functional requirements. CSOs can define their requirements around encryption and endpoint security. The service provider can then, proverbially “take the hill” and do the heavy lifting.
The expectation for a mature service provider would also be that they are constantly evolving and delivering new solutions to their clients. As you need solutions such as WAF, your time to value should be significantly decreased. You no longer need to run multiple POCs distracting key resources or create deployment and management strategies. The expectation should be the provider has evaluated the industry and has a best of breed solution. Your time to value with deploying an impactful WAF on a production website could be decreased by as much as 12 months. These expectations should be the same regardless if it is Public or Private Cloud models.
Today’s modern CIOs have a plethora of new challenges to face around security, while still advancing business capabilities to generate revenue. Modern agile development cycles in conjunction with best of breed security. CIOs can make a big impact driving and enforcing security basics around patching, good firewall management, and training. Today’s security expectations require a strong relationship between CSOs and CIOs. In many cases, a professional service provider adds a significant amount of value in an organisation’s ability to deploy and get value from new technology that is continuously developed and released.
In summary, focus on the basics and do not be afraid to leverage experts for utilising emerging technologies.
Sean Donaldson is CTO at Secure-24
Image Credit: ESB Professional / Shutterstock