We attended the CISO Executive Network Leadership Summit in DC last week, which attracted chief information security officers from leading organizations such as the CIA, The Ohio State University and State Street Bank. The Summit provides a good platform for CISOs to share security areas of greatest interest/concern.
Topics of high CISO focus these days include: advanced persistent threats (APTs), the bring your own device (BYOD) challenge, employee awareness (the social threat), and the future of compliance, which is moving toward a focus on continuous threat and risk management.
Val Rahmani, CEO of Damballa, gave the opening keynote and highlighted that APT may be a misnomer, as many so-called advanced persistent threats don’t use “advanced” technologies or methodologies but rely on DIY kits off the web and basic techniques such as phishing. APTs become advanced when cybercriminals develop custom malware tools, utilize multiple techniques, exploit zero-day vulnerabilities, etc. Advanced hackers deploying APTs also often follow a stealthy, “low and slow” approach; Val suggested that 35% of these threats sit on a network for months before they are discovered and 9% go undetected for years.
The discussion surrounding BYOD and its security implications was the source of heavy debate among the CISOs present; issues included financial advantages/disadvantages, legal responsibilities and privacy rights. Those in attendance conceded that any cost savings created by employees bringing their own smartphones/tablets to work are presently outweighed by the costs of providing security and support for these devices; however, BYOD is an inevitable IT transformation, and solutions that manage it will be in high demand.
Increasingly, CISOs are focusing on honing their skills to address board-level concerns regarding security. The CISO role has evolved beyond merely identifying and implementing policies and technologies to secure the organization’s IT assets; it now also includes educating executives and employees on how to use these technologies effectively and monitoring their compliance.
CISO Executive Network is the leading peer-to-peer organization for information security, privacy, and risk management executives. It includes chapters in ten cities across the US, bringing CISOs and industry experts from top-level vendors together in intimate roundtable settings. The next events are the third Breakfast Roundtable Series of 2012, focusing on Virtualization and Cloud Computing Security – for more information on these events and the organization that arranges them, check out their website: http://cisoexecnet.com/.
