LAS VEGAS – On any list of what is keeping chief security officers (CSOs) up at night, avoiding presiding over the next Ashley Madison debacle needs to be near the top.
After the dating web site focused on infidelity saw its user database hacked and leaked to the public, exposing not only the personal information of its subscribers but also the fact that nearly all of them were men, Noel Biderman, CEO of parent company Avid Life Media, walked the plank last week and resigned.
The bad news for the CSO hoping not to suffer a similar fate is that breaches are going to happen, Dell’s John McClurg told IT World Canada in an interview at the vendor’s Peak Performance conference. McClurg, vice-president and CSO for Dell’s global security organization, held a senior role in cyber-counterintelligence with the Federal Bureau of Investigation before joining the vendor community.
“You’re going to be compromised,” said McClurg. “It’s going to be how quickly you detect and react, and what information was encrypted; that’s the new standard for success.”
What catapults the CSO into the c-suite spotlight, McClurg said, are the headlines. Recent high-profile security breaches like Ashley Madison have gotten the attention of the c-suite, and a lack of preparation is something shareholders are increasingly extracting a price for.
Security is no longer seen as just a necessary cost of doing business; it’s creating opportunity for CSOs to get the support they need to be ready. But with opportunity, of course, comes risk.
“At Ashley Madison it wasn’t just the CEO to go, and more and more the message is being conveyed that an accounting (for such breaches) will be made at the highest levels,” said McClurg.
It begins with education. CSOs need to make clear to the c-suite that breaches are unavoidable, and that what matters is the measures the organization has put in place to mitigate the risk and limit the damage when one occurs.
“If you haven’t properly educated the c-suite and messaged the culture you may well get fired,” said McClurg. “It behooves all of us to make sure they’re properly educated.”
A key is bringing the business knowledge and expertise to the table that really earns the CSO a place in the c-suite. You have to bring both security and business expertise, and be able to articulate the importance of security in business terms.
That’s echoed by Timothy G. Brown, a Dell fellow and executive director for security at Dell’s software group. A successful CSO needs to have security expertise, yes, but married with a business mind if they’re going to earn their spot and be taken seriously.
“If they’re a good business leader with knowledge of the business they get a seat because they deserve one, but if they’re just about bits and bytes they won’t get the respect they need,” said Brown. “Of course, to understand what is needed on the business side you’ve got to get your foot in the door.”
As far as other things keeping CSOs up at night, McClurg said social engineering is one worry he hears often from his colleagues, as cybercriminals demonstrate their ability to use social media and social engineering to gather information on their targets.
“Employees put information out there so easily that can be melded into a spear phishing attack that you’re very likely to bite on. You’re a human, and bad guys will play on your humanity.”
Brown points to three primary worries for today’s CSOs. One is around skilled employees; they don’t have enough people to do what they need to do and find it difficult to retain staff. “That’s across the board right now,” said Brown.
Second is knowing what they should do first, and where their priorities should lie. A third is the new business models they are being forced to deal with and secure.
“They’re rushing forward into federated environments with multiple partners, into mobility and into big data,” said Brown. “The business is rushing forward to use these technologies without questioning how to use them securely.”