IT security: a top five priority for the CIO

If you had polled an average CIO five or six years ago, IT security would not have been in their list of top five priorities. 

Their only experience of IT security issues would probably have been reading about hacking or perhaps detecting an attempt to access the enterprise PABX from a third world country. But by and large these would have been isolated events.

How things have changed. It wasn’t so long ago that a large Australian retailer suffered from a huge number of credit card fraud incidents. More recently in the USA, a large data breach at Target has had a severe impact on the organisation and cost both the CEO and CIO their jobs.

The internet age has allowed fraudsters to target way beyond their own borders. The enterprise has not evolved to meet the most sophisticated of these challenges.

Instead we have seen the perimeter become more porous via policies like BYOD and guest wi-fi access. Yes, it is true that these can be handled on physically separated networks with appropriate security measures. My point is that the network is being extended beyond traditional boundaries, which brings about new risks to manage.

And as we propel towards building an internet of things and assign an IP address to just about any physical or virtual object, we are again talking about larger and larger networks to both monitor and manage.

Your own home as mental model

In trying to process this information, I like to apply a mental model around the old adage that ‘my house is my castle’.

Let’s think about the home being part of a neighbourhood, with a street outside. Not all of the traffic of cars and people going past is threatening; in fact most of it is not going to cause any concern. However, if there is a sudden flood of traffic that spills over onto the sidewalk, it turns the street into a car park. At that point we can think about the threats that emerge at our front gate.

In the case of IT security, the front gate has long been the enterprise firewall. And an attack on my castle would be akin to a distributed denial of service (DDoS) attack. Once there is a siege, no more business traffic can enter my house.

My home has a front door with locks and an alarm system. The alarm covers both the perimeter and intrusion detection (again, think movement sensors for your house). In large corporations we have SIEM monitoring and intrusion detection systems that watch for changes in normal patterns to help keep the bad guys out. We also use zones to segregate the network, and we lock down physical rooms with biometrics and secured doors using the same paradigm.

Every castle has a King and Queen trying to protect the crown jewels; ours are precious information, usually in the form of documents. And just as jewels might be kept in a safe, our most critical information assets are classified and we apply encryption to ensure they remain protected.

And because I’m concerned about security, I have engaged security guards that patrol the neighbourhood and check that the gates are locked. In IT terms, we are talking about white hat penetration test services and Data Loss Prevention tools that validate that no valuable assets are being lost.

Why this will get worse

This fortress mentality is a model that has worked OK in the past. However, in a world where more openness is being advocated, the task is far more complex.

Systems struggle to keep up with a shifting threat landscape. And that’s made worse when the people that work in an organisation are either not educated in the threats or they are not sufficiently disciplined.

A great example is server patching, which is the bane of any infrastructure group. It is a thankless task that is also endless. There is always a backlog of patching that is required, and it always gets de-prioritised in favour of other project activity.

Further to that: in any organisation, how many default or easily guessable passwords are in place for access to servers? If your answer is ‘none’, then I both congratulate you and ask: “and how do you know?”

Staring into the abyss

It was interesting to hear the commentary at a recent IT security event I attended. Things are getting complex, and questions are being asked about how to maintain stability in a volatile world of threats. The conversation even got philosophical. People quoted Friedrich Nietzsche.

The question that kept coming up: how do you protect a perimeter that has no walls?

As the CIO, you are accountable for securing the organisation. It is a complex task, but it will never be your number one priority.

You don’t want to be alarmist, and you also don’t want to be the sacrificial lamb. As Nietzsche said:

"Battle not with monsters lest ye become a monster; and if you gaze into the abyss the abyss gazes into you."

That is a warning against becoming the very thing that we fight. As security columnist Juha Saarinen noted a few weeks back, it’s a difficult assignment to play by the rules when your opponent has none.

How to manage it

It can seem a little overwhelming when multiple compliance efforts and security programs are being brought to your attention at once.

What I’ve learned to do is to view the broader security and compliance issue as a portfolio of change that needs to be addressed.

When you look at the issue from a 10,000 foot view, it is surprising how much commonality exists.

I’ve seen this in my past life, where I asked the risk and compliance teams in a biotech firm to bundle SOX compliance + FDA + external audit + internal audit requirements into one body of work. This allowed my team to consume these initiatives as a single program of work and address them once.

In a more recent role, we used the same approach to bundle together IT security + PCI DSS compliance + privacy legislation compliance and a few other required compliance needs.

There was clear overlap in the work that was required, and in the end it is more or less the same team that has to take on these efforts.

Our role as CIO is to be able to take this broader view and address the gaps holistically. We can’t hand over accountability, but we can delegate in a way that ensures we aren’t going over the same ground for every project.

David Gee
David Gee is an accomplished consulting and technology executive who has held CIO roles in Australia, China, Japan and the US. He explores the role of the CIO and the transformation journey. Other favourite topics include digital innovation, analytics and big data and the financial tech ecosystem.
Read more from this blog: G Note