Many chief information security officers view their responsibilities through the National Institute of Standards and Technology's (NIST) model of Identify, Protect, Detect, Respond, and Recover. There's been a focus on detecting and responding to endpoint threats over the past few years, yet new priorities are arising: migration to the cloud, new heterogeneous devices, and custom applications, all of which have greatly expanded attack surfaces.
I recently spoke with seven CISOs. Many are from the Fortune 500, and several are influential in the startup community, advising for YL Ventures. What follows is a recap of their top five concerns and two-year spending priorities:
1. Identity Management in a Multicloud World
The old days of breaching a network's perimeter technologies and slowly hacking laterally across systems is less of an emphasis thanks to the cloud. With stolen credentials, a device is often one hop from accessing the crown jewels of privileged data in the cloud. Microsoft Corporation CISO Bret Arsenault strikes at the heart of the matter. Today, he says, "hackers don't break in, they log in." In line with that thinking, Microsoft's security organization believes that "identity is our new perimeter."
What makes managing identity complex is that it spans many personas. As Juniper Networks CISO Sherry Ryan explains: Security teams must "know who is accessing your network, whether it be a customer accessing your portals, or a partner, a supplier, or your own employees."
Cloud apps often require authenticating with single sign-on and Microsoft Active Directory. Yet most CISOs in this discussion say they also attempt to reduce the "blast radius" with additional identity and authorization silos. They're still working out architectural best practices but are investing in password-less, biometric, and behavioral-based authentication.
To that end, identity and access management (IAM) is a product category CISOs continue to purchase despite the challenges involving the multiple vendors needed to cover employees, the supply chain, and customer identities. Piecemeal IAM adoption is now easier, yet some of the CISOs believe that a one-size-fits-all solution doesn't yet exist.
2. Protecting Assets with Encryption and Zero Trust
The cloud transformation is enabling CISOs to ditch on-premises legacy systems. Many are enthusiastic about building cloud security right from day one, and zero trust is a big part of this. Zero trust limits role-based access by default. It ensures users are who they say they are, and that their devices meet reasonable security standards before connecting.
Besides locking down configurations, CISOs are building zero trust with multiple technologies. They mention leveraging things such as multifactor authentication (MFA), mobile device management (MDM), and vulnerability management. But ensuring that data is only seen by trusted users is an ongoing issue.
At the same time, as the industry finally confronts the dynamic nature of data, encryption is being deployed by many of these CISOs: "It's really a hard problem to get to the point where you're identifying every communication trying to access a piece of data" observes F5 Networks CISO Mary Gardner, noting how valuable information is copied, moved, and accessed by numerous applications and people. Granular controls and encryption must protect data across its life cycle, she says.
Markel Corporation CISO Patti Titus explains the complexity in this context: "As an organization, we have to determine when to encrypt, obfuscate data" and ensure "encryption in transit and at rest." And then there's "the challenge of encrypting data that has to be usable for the data scientist."
3. The Rise of DevSecOps
Even the most analog company is developing software to run its business. This includes customer web portals, mobile apps, and APIs exposed to customers, partners, and hackers alike. Organizations are increasingly automating manual activities and relying on analytics and artificial intelligence. Educating software developers into better practices is key, and a strategic initiative is securing applications with DevSecOps.
Many CISOs are also "moving left" and purchasing static analysis tools that operate on code and flag issues before runtime. In keeping with a common theme, the CISOs prefer seamless approaches that are easy on humans. This means integrating DevSecOps technologies into the daily routine of developers. "Continuous integration is where we've spent a lot of time and focus so that developers are securing their own code, they're testing their own code," says Fannie Mae CISO Chris Porter.
While further along with static analysis tools, many of the CISOs in the discussion also indicate a desire for dynamic analysis. Dynamic tools operate during runtime, monitor applications, and log information for incident response.
4. Responding to "Alert Fatigue"
A CISO's operation involves spotting security breaches through the noise of false positives and low-priority alerts. It's an endless challenge. Antivirus, firewalls, and other security technologies often produce millions of daily events.
To move beyond manual processes, almost every CISO interviewed for this article bought security orchestration automation, and response (SOAR) products. They are generally happy with them. Some want more help getting started. Many feel SOAR performs only as well as the quantity and quality of alerts fed into it.
CISOs are also on the lookout for new approaches to alert fatigue but find the number of technologies coming out each year "overwhelming." These security leaders are hopeful that the new tech they deploy will increase coverage yet are skeptical of the efficacy of more alerts.
"Our philosophy has been to flip the model," explains Blue Cross Blue Shield CISO Yaron Levi. "We are actually looking at alert fatigue from a threat modeling and risk management perspective. [We] model vectors for that potentially harmful attack and then develop our defenses."
Levi is employing attack emulation as a new approach to alert fatigue. The starting point is emulating attacks from recent industry breaches safely within Blue Cross Blue Shield's network. This verifies if common real-world attacks are even seen, after which these alerts receive the top priority for building response plans and automation.
5. Educating Employees to Think Like a CISO
Noting that security focuses on people, processes, and technology, LogMeIn CISO Gerald Beuchelt strongly believes that it really has to be in that order. "We have to get people on board with what security needs to do.... No security team can grow big enough to protect such a complex and large organization by itself."
Many of these CISOs agree that it's important to take advantage of Cyber Awareness Month using educational tools such as games, humor, and shorter training sessions to motivate their user base.
- 8 Trends in Vulnerability and Patch Management
- The Uphill Battle of Triaging Alerts
- Raising Security Awareness: Why Tools Can't Replace People
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Account Fraud Harder to Detect as Criminals Move from Bots to 'Sweat Shops'"