The new CIO in the new, interconnected world

Everything in this world, it seems, is becoming connected, from household appliances that “speak” to one another to drones that deliver groceries. These are part of the emerging world of disruptive technologies. Since businesses’ survival is more dependent on technology than ever before, today’s CIOs must act as technology leaders in addition to critical business partners who understand the nature and direction of their businesses.

A problem that continues to nag many CIOs, however, is that they are seen as technologists. This is exacerbated by the shrinking useful lifecycles of technology and by the increased awareness and empowerment of business units to directly procure IT-enabled business solutions. This leads to investments in capital equipment that holds little value to organizations, causing some to question the CIO’s business acumen.

In response, many CIOs are transitioning to a new, agile environment where speed is critical. To deliver, they need to integrate at the rate and pace of business (based on the risk appetite, of course). This is not always easy, as too many IT organizations still do not classify their information properly, often implementing a single security approach rather than an information approach, which spurs business frustration as there are too many controls guarding the critical information.

The CIOs that make this transition will be best equipped to deal with upcoming trends such as the Internet of Things and Big Data. Information related to these developments, when correctly leveraged, will provide a critical competitive advantage, but many CIOs are still coming to grips with the resources required to drive value.

As such, the role of data scientists is emerging. This role will require sound business knowledge paired with the skills to read these new types of information and make speedy decisions about them.

Robert E. Stroud, CGEIT, CRISC
Vice president of strategy and innovation at CA Technologies
Chair of ISACA’s ISO Liaison Subcommittee

CyberSecurity 2014 – Human Defences Hold the Key

The demand for skilled security professionals will only grow

The data breaches that took place in 2013 were game-changing in their size and scope. Adobe reported the compromise of over 38 million users, Chinese hackers cracked into the systems of media giants, while usernames of 22 million users of Yahoo Japan were stolen. Then there were revelations of surreptitious intelligence-gathering by national security agencies such as the NSA and GCHQ.

These events are evidence that security departments still have not mastered the basic “blocking and tackling” of data protection. Critically, they also expose the weaknesses of security that relies primarily on technology as the most important line of defence. For instance, the Adobe breach exposed the weaknesses of password authentication and the failures of current, outdated forms of authentication.

In 2014, the industry will begin to beef up security teams with more skilled personnel in conjunction with adoption of better technology. The C-suite will begin to invite the security department to the table to constructively discuss major business and organisational initiatives. Security will start to be truly seen as a fundamental building block of IT-driven programmes, and cyber security risks will begin to be factored into the business equation.

Driven by this C-suite approach, we will see a new wave of collaboration between IT and security. IT managers will integrate security into business-critical initiatives such as mobility, application development, and business intelligence. All this will culminate in more secure systems, and awareness of security in IT operations, software development, and endpoint management.

The overwhelming and sophisticated nature of social engineering and denial of service attacks exposes the shortage of manpower and skills in the security department, such as computer forensics and application security. Attacks on vertical markets have also uncovered the need for industry-specific skills, such as the support of healthcare and government systems. Given the well-publicised data losses in healthcare, we will find more recognition for the need for core level knowledge and expertise to address security and privacy concerns relating to health information, with estimates of up to 500,000 people in the sector responsible for data governance or security.

The new emphasis on security in the C-suite and in the IT department will drive growth in security’s ‘human capital.’ Spending on security staffing and training will increase. Salaries for skilled security professionals will grow. And there will be a stronger understanding of the value of security to the business, making this function an even more important part of future plans and budgets.

Fundamentally, the capabilities of technology are extremely limited unless they are supported by security professionals who are strong in numbers and honed in skills. I believe that the tide in the cyber security war will begin to turn in 2014; the side with the strongest skills will have the advantage.

W. Hord Tipton, CISSP, Executive Director (ISC)2

[Source: ComputerWorld UK]

Technological Setbacks In 2013 Will Pave The Way For A New, Human-Focused Defense Strategy In 2014

After many major breaches this year, it’s time to rethink 2014’s cyber defense with an eye on people, not products

By W. Hord Tipton, CISSP, Executive Director (ISC)2

As security professionals, we look back at 2013 with a sense of frustration that we are still losing ground to the bad guys. But while there were plenty of battles lost this year on the technical side, there is good reason to hope that the war can still be won in the long term – with promising developments on the human side.

There were many frustrations for the defense in 2013. Adobe reported the compromise of more than 38 million users’ personal data, and there were serious questions raised about the security of its source code. Chinese hackers cracked the systems at the New York Times and other major media, and an investigation later showed a calculated effort to crack U.S. government and commercial systems as well. And the face of privacy and cyber espionage changed with revelations of secret U.S. government documents that disclosed the details of NSA activities and intelligence-gathering practices.

These unprecedented data breaches were game-changing in their size and scope, but at a more fundamental level, they were reminders that today’s security departments still have not mastered the basic “blocking and tackling” of data protection. The Adobe breach exposed the weaknesses of the password system and the failures of current, outdated forms of authentication. China’s attacks on the media pointed out enterprises’ vulnerability to social engineering and the inability of current systems to detect sophisticated malware.

These fundamental failures exposed the weaknesses of defenses that rely primarily on technology as the most important line of defense. They were setbacks of epic proportions – but sometimes it takes such setbacks to force an industry to think differently. And there is good reason to believe that such a shift is beginning now, and that the wave of new thinking will continue to rise rapidly in the New Year.

At its heart, this sea change puts a bright spotlight on an issue that has long been overlooked: the need for skilled security professionals. For years, the industry has been skimming by with a small, undertrained security workforce, and the weaknesses have begun to show. The overwhelming nature of hacktivists’ social engineering and denial of service attacks exposes the shortage of manpower in the security department. The sophisticated nature of today’s targeted attacks exposes the need for more specialized skills, such as computer forensics and application security. Attacks on vertical markets have exposed the need for industry-specific skills, such as the support of healthcare and government systems.

In 2014, I predict that the industry will begin to meet its frustrating chain of breaches and failures not only with better technology, but with more skilled, and improved, security teams. Finally tired of compromises that put their organizations in the headlines, members of the C-suite will begin to invite the security department to the table during the discussion of major business and organizational initiatives. Security will begin to be seen as a fundamental building block of IT-driven programs, and cybersecurity risks will begin to be factored into the business equation as a business imperative.

Driven by awareness at the topmost levels of the executive suite, IT managers will also rely more heavily on their security teams, integrating security into business-critical initiatives such as mobility, application development, and business intelligence. Once seen as separate camps, IT and security will begin a new wave of collaboration, and the result will be secure systems, improvements and awareness of security in IT operations, software development, and endpoint management.

This new emphasis on security in the C-suite and in the IT department will drive growth in security’s “human capital.” Spending on security staffing and training will increase. Salaries for skilled security professionals will grow. And there will be a stronger understanding of the value of security to the business, making security an even more important part of tomorrow’s plans and budgets. The impacts of security breaches are now recognized as harming the global economy, and recovery from their effects may take several years.

And of course, our team at (ISC)2 will be there to support this growing emphasis on security skills and staffing. Already we are developing new methods for testing and certifying security professionals to make them more applicable to today’s changing threat environment. For example, you will see that our tests are evolving to now emphasize scenario-based and advanced format questions and detailed practical knowledge over traditional multiple-choice testing methods.

Technology lost many battles for the defenders in 2013, but those losses taught us a valuable lesson – that the capabilities of technology are extremely limited unless they are supported by an army of security professionals that is strong in numbers and honed in its skills. Armed with this lesson, I believe that the tide in the cybersecurity war could turn in 2014 – and the defenders with the strongest human skills will have the advantage.

[Source: (ISC)2 Blog]

2014: ‘The Year of Encryption?’

Will 2014 see a big uptick in the use of biometric technologies, strong encryption, a rash of new key technologies and more? Some say that the era of having unencrypted data traffic flowing freely inside enterprises will likely soon come to a crashing halt, helped along by the US government, the Apple iPhone and other drivers.

Security experts at Unisys said that they are gearing up for the broad-based adoption of encryption, against the backdrop of disclosures that the US government may have accessed data from the internal networks of major ISPs.

“Regardless of what you might think of Edward Snowden, the government contractor who leaked secrets about US government surveillance, there is no denying that his disclosures have heightened awareness of cybersecurity all over the world,” said Dave Frymier, Unisys chief information security officer, in a statement. “Before that, many enterprises were running unencrypted data on their internal networks, which they believed were secure. Now they are beginning to use encryption internally as well, so we expect 2014 to be the year of encryption.”

As a result of the Snowden disclosures, officials at the highest levels of organizations around the world will very likely increase their focus on data loss prevention, encryption and prioritizing investments in security.

Unisys experts also predicted that consumers will embrace the accuracy and ease-of-use of fingerprint readers on the new Apple iPhone, leading to a broader acceptance of biometrics in general. This could jump start a rapid growth in the use of biometrics – including fingerprint, iris scanning and facial recognition – on consumer devices as a way to protect the devices and data, as well as a method to confirm the identities of users for activities such as online retail transactions.

The acceptance of biometrics will begin the evolution away from the traditional user ID/password combination used most frequently to verify online identities. Among financial institutions especially, advances such as embedded biometrics in mobile devices will give rise to greater acceptance of consumer banking transactions and e-commerce on mobile devices, the firm said. Likewise, 2014 will see banks further exploring the use of self-service outlets and kiosks that require a combination of physical and digital security methods, including biometrics.

Unisys also said that security awareness and protection techniques related to enterprise bring your own device (BYOD) programs will be on the rise. For example, Steve Vinsik, Unisys’ vice president for global security solutions, predicted a rise in “bring your own security” scenarios, in which employees using their own mobile devices for work also employ their own security measures – often without the consent or awareness of enterprise security managers.

“That opens up a whole host of issues around how enterprises deal with people having their own security on their devices, and how that interacts with the enterprise’s ability to monitor and manage that device,” Vinsik said.

Also relating to BYOD, the ability to automatically pinpoint a user’s specific device as well as its geographical location will give security managers insight into the “context” of that user’s attempt to access the network. Contextual authentication solutions can alert managers when, for example, someone outside of a pre-determined geographical area attempts to access their networks.

In the same way, attribute-based access controls identify access requests that fall outside a user’s normal pattern, such as attempts to obtain information they don’t normally access or at unusual hours. By combining these insights with other identity management methods like biometrics, security professionals can make it much more difficult for those without permission to gain access to networks and applications.
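The contextual and attribute-based checks described in the two paragraphs above, as an added Python example (not Unisys’ code and not from the article): each access request is scored against a per-user baseline of allowed countries, usual working hours, normally accessed resources and known device IDs, and the outcome is allow, step-up (ask for an additional factor such as a biometric) or deny. The profiles, the one-line log format and the sample events are constructed assumptions; a real deployment would derive the baselines from historical access logs rather than hard-code them.

```python
"""Contextual / attribute-based access evaluation over constructed sample events."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class UserProfile:
    """Hypothetical per-user baseline of 'normal' access attributes."""
    user: str
    allowed_countries: set        # pre-determined geographical area
    usual_hours: tuple            # (start_hour, end_hour), end exclusive, local time
    usual_resources: set          # resources this user normally touches
    known_devices: set            # device identifiers previously seen for this user


@dataclass
class AccessEvent:
    user: str
    country: str
    device_id: str
    resource: str
    timestamp: datetime


# Constructed baselines (hypothetical values, not taken from the article).
PROFILES = {
    "alice": UserProfile("alice", {"GB", "IE"}, (8, 19), {"/crm", "/mail"}, {"laptop-01"}),
    "bob": UserProfile("bob", {"US"}, (7, 20), {"/mail"}, {"phone-07"}),
}

# Constructed access log: "<ISO timestamp> <user> <country> <device> <resource>".
SAMPLE_LOG = """\
2014-01-14T09:15:00 alice GB laptop-01 /crm
2014-01-14T23:40:00 alice GB laptop-01 /crm
2014-01-14T03:05:00 bob RU kiosk-99 /hr/payroll
2014-01-14T10:00:00 bob US phone-07 /finance/ledger
"""


def parse_event(line: str) -> AccessEvent:
    """Parse one constructed log line into an AccessEvent."""
    ts, user, country, device, resource = line.split()
    return AccessEvent(user, country, device, resource, datetime.fromisoformat(ts))


def evaluate_access(profile: UserProfile, event: AccessEvent) -> list:
    """Return the list of attributes on which the request deviates from the baseline."""
    flags = []
    if event.country not in profile.allowed_countries:
        flags.append(f"geo: {event.country} outside allowed area")
    start, end = profile.usual_hours
    if not (start <= event.timestamp.hour < end):
        flags.append(f"time: {event.timestamp.hour:02d}:00 outside usual hours")
    if event.resource not in profile.usual_resources:
        flags.append(f"resource: {event.resource} not normally accessed")
    if event.device_id not in profile.known_devices:
        flags.append(f"device: {event.device_id} not previously seen")
    return flags


def decide(flags: list, deny_threshold: int = 3) -> str:
    """Map the number of deviating attributes to an access decision.

    No deviation -> allow; one or two -> step-up (require an extra factor,
    e.g. a biometric); three or more -> deny and alert the security manager.
    """
    if not flags:
        return "allow"
    if len(flags) >= deny_threshold:
        return "deny"
    return "step-up"


def triage_log(log_text: str, profiles: dict) -> list:
    """Evaluate every event in the log; unknown users are denied outright."""
    results = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        profile = profiles.get(ev.user)
        if profile is None:
            results.append((ev.user, ev.timestamp.isoformat(), "deny", ["user: no baseline"]))
            continue
        flags = evaluate_access(profile, ev)
        results.append((ev.user, ev.timestamp.isoformat(), decide(flags), flags))
    return results


if __name__ == "__main__":
    for user, when, decision, flags in triage_log(SAMPLE_LOG, PROFILES):
        print(f"{when} {user:6s} {decision:8s} {'; '.join(flags) or '-'}")
```

The thresholds are deliberately simple so the logic is easy to audit; the point is that a single out-of-pattern attribute should trigger stronger authentication rather than an outright block, while several at once (foreign country, unusual hour, unknown device, sensitive resource) warrant a denial and an alert.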

Frymier said software sandbox models, in which enterprises deploy mobile apps in an environment that is totally isolated from other applications, will continue to gain acceptance too. By employing this model, organizations can stop, start, install and uninstall corporate mobile apps without affecting other parts of the mobile device.

He added that all of this increased use of encryption will both enable and encourage more companies to adopt other technologies as well, leading to ancillary growth in IT such as the use of infrastructure-as-a-service (IaaS) cloud solutions, where previously they might have had concerns about the safety of their data in the cloud.

[Source: InfoSecurity Magazine]

2014: The Year of Tough Questions

2014 is now upon us: the ball has dropped, the fireworks are over, and now it is time to see what the year brings.

Nobody can know the future, but if there is one thing that is clear, it is that 2014 is shaping up to be a year of exciting developments and rapid change. Things like delivery via automated drone and wearable computing devices, once the domain of only the most speculative sci-fi writers, are now not only possible but seemingly on the brink of becoming “serious business.”

For professionals in the ISACA community, periods of disruptive technology change can sometimes seem daunting; there are a lot of hard questions to answer. How does one secure an automated drone? How does one govern a technology ecosystem that—literally—extends to what corporate citizens wear to work? And how do we ensure users’ privacy rights as we do so?

Answering these questions fully will take time, research, diligence and industry consensus. But as we face these questions, it is useful to consider a few things. First, being in a position to ask these hard questions in the first place is a good thing. Questions that “push the envelope” mean the business is evolving: these questions are a byproduct of the business taking advantage of new markets, exploring more efficient ways of operating, or opening up new pathways to deliver value to the customer.

As such, it is important that we frame risk discussions with the business accordingly. By this I mean that it is important that risk discussions include both technical risks of adoption and business risks of non-adoption.

Obviously, it is important that we address the new technology risks that can arise (since many of them can and will introduce new security and governance challenges that we ignore at our own peril). However, it is also imperative that we counterbalance those with due consideration of the business risks associated with the “status quo,” since businesses that do not adapt alongside their competitors will incur market risk.

The faster the pace of change, the riskier running in place becomes. In the words of Starbucks CEO Howard Schultz, “Any business today that embraces the status quo as an operating principle is…on a death march.”

Additionally, it is important to remember that business leaders asking questions like these of security professionals, risk managers, governance professionals, or other practitioners is a good sign. It indicates trust in the practitioners’ ability to understand the issue and confidence that guidance received will be useful and actionable.

That kind of relationship takes time to build and requires the foundation of a successful and fruitful partnership. If that history is not there, effort is required on the part of the practitioner to build it. (And the faster the pace of change, the more effort required.)

The point is, there will be plenty of tough questions to answer in the weeks and months ahead, and while that is challenging, it is also an optimistic sign for 2014.

Ed Moyle
Director, Emerging Business and Technology Trends – ISACA/ITGI
