2015 CISO Wish List

Jonathan Trull, Chief Information Security Officer


As 2014 comes to an end, it is important to take stock of past accomplishments and failures, evaluate current and future threats, and begin planning for the new year. 2014 proved to be yet another sobering year for cyber security professionals, as several companies experienced massive data breaches, including Target, Home Depot, JP Morgan and, most recently, Sony Entertainment. These breaches should give all of us pause about what the future holds for our industry: the Sony attack in particular did not merely steal data but destroyed networks, computers, and data on the very systems needed to run the business. Could you defend against such attacks? How would you detect an attack, and how quickly could you recover your systems and data?

In light of the events of 2014, and in the spirit of the holiday season, it is a good time to ask ourselves two questions: first, what should chief information security officers be asking Santa for this Christmas, and second, what should their New Year's resolutions be?

What should chief information security officers be asking Santa for this Christmas?

  • Continuous, Real-Time Visibility into Corporate Assets and Systems. Monitoring and analytics should be at the heart of any security program and will take on greater importance in 2015. To make informed, risk-based decisions, a CISO must know the current status of every asset in real time, including its configuration, its vulnerabilities, the defenses protecting it, and the threats and attacks directed at it. This visibility is becoming harder to obtain as corporate perimeters continue to erode and enterprise assets become further dispersed. Security decisions can no longer be made on a "gut feeling"; they must be informed by accurate data that is continuously collected, updated, and analyzed. Real-time visibility is also what allows an organization to identify an attack quickly and stop it before much greater damage is inflicted: once attackers have established a foothold inside an organization's systems, they become progressively harder to identify and remove. And now that networks and systems have grown far too complex for humans to comprehend unaided, data analytics and machine learning are needed to identify and report on attacks and risks as they happen.
  • A More Secure Alternative to Passwords. Most of the major data breaches this year can be tied back to compromised credentials. Although passwords have served the security community for several decades, the time has come to implement a more robust form of authentication. CISOs need a strong authentication system that is difficult to compromise, works across multiple platforms and protocols, is easy to administer, and is not overly burdensome to end users or help desk staff.
  • Security/Risk Metrics that Actually Mean Something. Unlike other C-level executives, CISOs lack an agreed-upon set of security and risk metrics for making informed decisions and managing a security program. Without a widely adopted set of quantifiable metrics or key performance indicators, cyber security decisions will continue to be perceived as guesswork by boards of directors and other corporate executives. Over time this erodes trust in CISOs and in the security community as a whole, and it is a major barrier to obtaining additional funding and resources. CISOs must be able to answer the question: for x dollars spent on cyber security, what will the return be?
  • Self-Healing Computers and Networks. Much like the human body, CISOs need computers, software, and networks that can automatically restore themselves to a known good state, or quarantine machines that have become infected. Unfortunately, the pace at which attackers act often far exceeds that of defenders. Self-healing systems are needed to close the Observe-Orient-Decide-Act (OODA) loop that is essential to winning, not only in combat but in cyber security as well.

What should chief information security officers' New Year's resolutions be?

  • Become a Corporate Business Leader. After the large-scale data breaches we saw this year, CISOs in 2015 need to continue to evolve and become more integrated into C-suite conversations and key business strategy. As enterprises look to their CISOs for enhanced security under limited budgets, we will need to focus on closer integration between DevOps and security teams so that security is embedded into products and technology from the earliest stages of the development process. CISOs must also resolve to be more than technical security professionals and to take responsibility for the difficult risk-benefit decisions that drive the business forward. This will require CISOs to learn the business, speak the language of other executives, understand the financials, and be able to calculate and genuinely demonstrate a return on investment for the dollars spent on cyber security.
