The number and variety of IT security threats organizations face these days is enough to make a CISO’s head spin. Yet buying the best technology is no guarantee intrusions will be prevented, says a Cisco Canada executive.
“We have seen many recent breaches where they had deployed the best technologies, the technology did what it was supposed to do, but the organization itself was not ready to process or act on the information the technology gave,” says Ahmed Etman, general manager of cybersecurity at Cisco Canada.
Interviewed during last week’s Cisco Connect customer conference in Toronto, Etman wouldn’t say which breach he was referring to. But one stands out in news stories: The infamous 2013 breach at Target Brands Inc., where at least two systems sent alerts of suspicious activity to IT security managers before they realized the company had been plundered.
Tens of millions of credit card numbers and customer names and addresses were stolen, and the company spent over $100 million to clean up the mess. Ultimately the CIO resigned.
Security has to be looked at as a package of technology, processes and people, Etman said. “We can have as many technologies as we want. If we don’t stitch together and integrate them together it’s going to be very difficult not only to manage but to be effective from a security perspective.”
One of the problems he sees is that some IT pros think because they have the best technology their organizations are safe.
Another, pulled out of Cisco [Nasdaq: CSCO] research, is a gap between how safe the C-suite believes their organization is from successful attacks and what the IT people who run security operations think — staff in the trenches believe security isn’t as good as those upstairs do. “This gap has to be bridged over time,” Etman said, because it could mask security holes.
Among the things he said CISOs ought to be doing to improve IT security is to cut down on the number of security products and vendors to (relatively) simplify their architectures.
“We’re seeing customers that have somewhere in the range of between 60 to 80 (security) technologies and vendors in their environment,” he said. Among other problems, that creates security gaps. A more “reasonable number,” he suggested, would be fewer than 20.
IT pros should see if they can leverage the solutions they have before buying a new technology, he added. Any new solutions will come with purchase, implementation and operation costs, so try to stick with vendors that have the capabilities to cover as many attack vectors as possible.
Finally, he offered three things CISOs can do to improve their organization’s security posture:
–Change perspective: The security conversation no longer sits exclusively with the IT department. “The idea of the CIO only taking care of things is an idea of the past. CISOs have to make sure that there’s a decent awareness of what cybersecurity means to the business, and there must be a decent level of awareness by the board.
“Make sure you speak the language of business, make sure you speak to the board to explain what security issues mean to the business.”
–Move closer to business: Have a better alignment with the business so you can deliver what business expects. Make sure the organization understands that security is a business enabler, not a business prevention.
–Change focus: The idea of the CSO is evolving into a technology risk manager rather than just looking at security. This is in part because of the so-called Internet of Things, where technology will be part of almost every device. That will mean security will be part of every decision that an enterprise makes around technology.