Training, 3rd Party Risk and Prioritization are Top Security Issues for the Enterprise, Says Panel

Security has become one of the most important issues facing CIOs today. The number of places an attacker can use to get at an organization’s valuable assets is exploding. Cloud, mobile, social media, the data being created by analytics applications and the apps that touch that data, are creating more touch points for potential adversaries to try to get access to that data, according to Rob Sadowski, Director of Marketing at RSA, the security division of EMC, during a panel I moderated on security in the enterprise at a recent Softtek conference.

Some sobering statistics I shared with the crowd:

  • It takes an average of 223 days to discover a data breach.
  • The average cost per breach record is $201.
  • 67% of total cost per breach record is spent in remediation.
  • 78% of cyber espionage attacks come from email vectors.
  • 35% of attacks come from web apps, even though security software has existed for decades now.
  • And according to Gartner, by 2018 25% of corporate data traffic will bypass the security perimeter flowing between the cloud and mobile devices. That’s 4% more than we have today.

During the panel discussion, four security experts from the technology, financial services and healthcare industries discussed some of the top security concerns for the enterprise today, and why security is becoming a mission-critical function.

The Four Trends Making Security One of the Most Important Trends In The Enterprise

Rob Sadowski, Marketing Director at RSA, listed four reasons why security is such a big concern today:

  1. The number of places an attacker can use to get access to a firm’s valuable data assets is exploding. Cloud, mobile, social media, analytics and the apps that touch that data. There are more touch points for potential adversaries to try to get access to that data.
  2. Attackers themselves are getting much more sophisticated. Attacks are more sophisticated; more tools are available and more sophisticated. The bad guys are better at sharing info on what works and what doesn’t than the good guys. And the methods are different than before. Our defense strategies don’t match up.
  3. There is a big skills gap: to prevent the very big attacks and to defend today’s environments requires a new set of skills. Many traditional security departments and security practitioners haven’t quite developed those skills.
  4. There’s a great deal of budget inertia (we see that as a vendor) towards tools. Yesterday’s tools are old, signature-based tools and very backwards looking. In this very dynamic environment with a much more challenging adversary those tools don’t stand up.

Sadowski said that not long ago security breaches could cause some financial damage. But today: “…a [security] breach can at this point put companies out of business, or affect the tenure of a CIO or CEO.”

Balancing Business Agility with Security Needs

Nicole Gray, Senior Director of Technology Program Management at Inovalon, said that security professionals should partner with business executives and show that they can be strategic and not a roadblock.

“We need executives who are supportive of security and the work we do need to do, and who will provide the investments in the right tools and the right people,” said Gray. She explained that this partnership was necessary “…to protect and defend the organization’s assets, which are core to the business.”

Security Training Needed for All Employees

Bernard Truong, Chief Advisor, Third Party Risk at the National Bank of Canada, addressed the crowd during the panel discussion: “A show of hands in the room, how many of you have formal information security training for your staff?” As more than half of the hands shot up, Truong explained this is an issue for most organizations.

He said that for the first time in his organization’s history the more than 20,000 employees working for the bank had to go through formal security training.

“It’s mandatory for all managers…from the CEO level down, that everybody goes through the web-based formal training…every single manager in the organization is held accountable so that everybody knows what the risks are,” added Truong.

Gray added, “The department of homeland security says that if you see something, say something…it’s so true even for companies, everybody is part of the security strategy, not just the security and compliance team.”

Gray said training was important, not just for front line folks but everybody in the organization.

The Inevitability of Security Breaches

Shouvik Ray, VP and Head of Technology Vendor Management for Bank of the West, made a chilling observation:

“I remember reading that there are two kinds of companies out there, one that has been hacked, and another that doesn’t know they have been hacked or are being hacked.”

Ray said CIOs now agree on the inevitability of attacks, which drives a tendency to build more firewalls, to build castles. But the wholesale movement of data now going to the cloud brings a whole new set of problems.

“We’re always trying to balance between the two,” said Ray.

Focus Turning to 3rd Party Risk

Ray brought up the issue of 3rd party business partners as an important source of data breaches.

“You surround and parameterize everything, but what we have learned is that…I don’t know what’s out there, and I’m doing business with everyone out there [because] as a bank we have between 100,000 and 200,000 vendors,” said Ray. “If you look at [recent] breaches, the Targets or Home Depots, it was either an employee or an employee of a 3rd party…if you look at the last 4 months of breaches, 70% were from 3rd parties.”

But Sadowski was optimistic about recent advances in PCI security measures that protect organizations from 3rd party risk.

“The most recent version of the [PCI security] standard we put out there has a very specific section on 3rd party risk clearly delineating the responsibilities for the 3rd parties you’re interacting with, what are their specific responsibilities as concerns the custody and handling of that valuable payment card data so that the responsibilities are well known and well delineated,” said Sadowski.

Information Security Risk Management to Prioritize Risks

So are there ways to prevent the types of damaging data breaches that can bring down your company? That’s where the use of Information Security Risk Management comes into play.

Sadowski, stating that the role of security is going to get progressively bigger, said risk management allows organizations to effectively prioritize information security investments and security activity.

“It’s a simple notion, it’s what’s valuable to the organization, its information assets and the things around that: how vulnerable is it, how well are we protecting it, who might seek to get at it, how might they seek to do that and how well do those things intersect,” said Sadowski.

He explained that once these are understood organizations can deploy people and budget resources, which are scarce even for the largest organizations, to the right things that are going to make the biggest impact on the security posture of the organization.

The Future of Information Security

To close the panel discussion, I asked the panelists how they envision information security evolving to the year 2020.

Inovalon’s Gray said security is going to become like any other department in the organization. “There was a time when my CEO didn’t understand a lot about what work we did. Now he’s well into the work we do, the importance of it. Our executives understand… today it’s…critical.”

Truong of the National Bank of Canada added that constant monitoring and real-time detection would become essential. “Make sure you monitor all the movement within your database…[to enhance] the ability to catch a leakage when it’s happening.”

Sadowski, agreeing with Truong, added: “That becomes the core function of the security organization, the ability to shrink that 200 days down to 1 day or down to hours.”

Ray concluded that security will have to become part of the fabric of each extended organization for it to become effective. “[You must] slowly create a DNA in the organization….it doesn’t just mean your people, it means the whole supply chain and your whole customer base.”

For a complimentary copy of my latest white paper, check out 6 Proven Practices for Organizations to Avoid a Security Breach