Since 2014, CIOs have flagged cyber security as either their first or second most important IT management issue in the venerable IT Trends Study from the Society for Information Management.
Yet in 2013, cyber security came in just seventh in that same survey. What happened in a year? The infamous Target data breach, which resulted in an $18.5 million fine and the ignominious departure of Target’s CEO.
The cascading series of disastrous, high-profile breaches since then makes the Target breach seem almost quaint. The message is clear: Year over year, the risk of career-ending breaches looms larger as threats continue to balloon in number and potency.
Pity the poor CSO in the hot seat. Understandably, some feel compelled to jump on every new threat with a point solution, which plays right into the security software industry’s marketing strategy.
But no organisation’s cyber security budget is infinite. How can CSOs possibly determine how to allocate their defensive resources most effectively?
The simple answer is twofold: Rationally prioritise risk and, at the same time, make the most of the useful defences you already have in place. Few dispute that unpatched software and social engineering (including phishing) represent the highest risk in most organisations, followed by password cracking and software misconfiguration.
Cut through the political and operational barriers to prompt patching, establish an effective security awareness program, train your ops folks to lock down configurations, and put two-factor authentication in place, and you’ll reduce your overall risk by an order of magnitude.
Sure, anyone can reel off other big risks and vulnerabilities. If you’re operating an electric utility, for example, you need to understand highly targeted threats to critical infrastructure and how to defend against them.
And when malicious hackers do inevitably breach your perimeter, the Zero Trust trend of instituting pervasive authentication among systems shows real promise in stopping attacks from moving laterally through organisations.
Managing risk as a way of life
Malware and hackers have plagued systems since the days of floppy disks. But in recent years, a different sort of threat has arisen: the relentless pressure to innovate. Bob Violino, frequent contributing writer to CIO, explores the dirty little secret of our digital transformation era in “Security vs. innovation: IT's trickiest balancing act.”
The point of his article is clear: If security or privacy is an afterthought, your transformative initiative will probably fail, potentially in spectacular fashion. Get the security architects in there early, however, and sensible security becomes integral to the successful outcome — and can add to the appeal of resulting applications.
InfoWorld contributing editor Isaac Sacolick explores that topic in detail from a software development perspective in “How to bring security into agile development and CI/CD.”
As you may have heard, developers have a tendency to feel security is not their problem, instead deferring to security teams that arrive late in the dev process — teams that may be unaware of vulnerabilities in the very business processes an application was built to embody.
An outgrowth of DevOps, DevSecOps makes security a central concern for both developers and operations, not just in avoiding coding flaws, but in automating security testing and monitoring applications for security issues after they go to production.
Integrating security into software is also the theme of “UEM to marry security – finally – after long courtship” by Computerworld senior reporter Lucas Mearian. In the past, managing mobile and/or desktop devices — using MDM (mobile device management), EMM (enterprise mobile management), or the latest iteration, UEM (unified endpoint management) — has overlapped with endpoint security management, but remained a separate process.
According to Lucas, vendors are now merging the two to “provide a centralised policy engine for managing and securing corporate laptops and mobile devices from a single console.”
In some instances, that evolution includes machine learning algorithms that automatically assign security policies to users based on such parameters as geographic location, the type of device being used, and whether the network connection is public or private.
Sometimes, though, new cyber security technology arrives with such little fanfare you don’t even know you already own it. In “5 firewall features IT pros should know about but probably don’t,” Network World contributor Zeus Kerravala pops the hood on the modern firewall to recommend powerful features you may not be aware of, from network segmentation to policy optimisation to DNS security.
Taking advantage of firewall features lying fallow is a kind of no-brainer windfall – and Zeus provides sound, detailed advice on how to make the most of it.
In the end, however, we must all prepare to defend against the biggest, baddest external threat of our time: ransomware. In “More targeted, sophisticated and costly: Why ransomware might be your biggest threat,” CSO senior writer Lucien Constantin alerts us that ransomware has become so stealthy and sophisticated that it rivals the advanced persistent threat in its pernicious subtlety.
Moreover, as recent incidents confirm, ransomware attackers have moved on from blackmailing consumers to targeting organisations that promise a much bigger bounty.
How big is the problem? The FBI says that while the number of incidents has remained relatively flat, the payouts are higher — but no one truly knows, due to organisations’ reluctance to report successful ransomware extortions.
Cyber security can be a dismal science. As threats multiply, and even democratic institutions are subject to attack, it can seem as if not just systems, but civilisation itself is under siege.
But that backdrop should only convince CSOs and their organisations to double down on developing smart, prioritised security defences. We hope this collection of articles from CIO, Computerworld, CSO, InfoWorld, and Network World helps you develop and refine your own successful cyber security strategy.