Given the constantly evolving threat landscape, the emergence of new technology tools and skills and the growing importance of data protection, there's always likely to be something executives need to help improve their organization's security program.
[ Raising awareness quickly: Holiday tips and tricks ]
With the end of another year approaching, we thought it would be a good time to ask security executives what they'd like to include on their holiday wish lists. Here's what they're hoping to receive:
James Beeson, CISO and IT risk leader, GE Capital Americas
"Primary wish: no significant incidents. I would like to keep my job! Seriously, simplification, innovative thinking, moving information security processes to the left are the strategic game changers I'm pushing. These are all on my Christmas wish list.
"Every big organization struggles with simplification in my opinion. Security practitioners need to constantly push to simplify technology and process. This makes our lives easier, and drives efficiency and cost savings across the business.
"Innovative thinking--bold ideas--are a must in our space and I think too many of us are stuck in our old ways. The bad guys are extremely innovative and creative! We need to become much more innovative and think 10 times improvement, not 10%. We are working to leverage things like big data analytics and automation to quickly detect, alert and respond to anomalies in our environment. This also gives us improved intelligence to strengthen prevention.
"Finally, moving security processes to the left, in other words, driving ownership of delivering secure software and infrastructure to the teams that deliver it, versus fixing things once they're further along in the process. This improves our security posture, improves delivery cycle-time, lowers the cost to deliver, and helps to bake the security mindset into all technology employees."
Brian Joyce, director of IT and security at Joseph Decosimo and Co.
"Tools for total transparency on the network; a product suite that is top tier competent in all the areas it seeks to address, that doesn't take an entire department to configure, run, review. On a lighter note, the technology to self destruct computers that belong to users who click the 'unsubscribe' links found in spam and phishing emails. Get them out of the computing gene pool!"
Erkan Kahraman, chief trust officer, Projectplace International AB
"My wish list for 2015 is quite long, but the two most important ones are regarding compliance. For starters, we are renewing our ISO [International Standards Organization] certification using the new version of the standard (ISO27001:2013), so I'd really like to see that certificate on my wall" before the end of the first quarter of 2015.
"We are also expanding in the U.S., and to give our American users a bit more assurance, we plan to go through a SOC2 Type II audit. A clean audit report is another thing I'm hoping for 2015.
"We trust our existing security controls and the information security management system is in good shape to be awarded these certifications. However, it may not always be the case for our contractors. We work with data center service providers that own state-of-the-art facilities with physical and environmental controls that go above and beyond the industry standards. But that does not mean they are certified by an independent third party. And when they are not, it's up to us to make sure they play by the rules. It would be so much easier if they carried certifications for the services they offer, saving us the time and audit money. So my biggest wish for 2015 is that our data center service provider gets an ISO 27001 certification and a SOC2 Type II Audit report!"
Richard Greenberg, information security officer at Los Angeles County Public Health
"My first wish is for companies to thoroughly test software releases before release to customers, reducing the need for patching and fixes, processes that bring all sorts of problems. Clearly this is a wish, but one where we, I am sure, can all join in together. Oh, and what about 'secure' software development by these same companies Wouldn't that be an amazing wish come true We engage in a very varied security awareness program, but I am closing my eyes every day and wishing that no one clicks on those darn pesky links! Phishing is becoming more rampant than ever, and a large problem for all companies and organizations. As long as I am wishing, how about an office with a huge bay window"
Roland Cloutier, CSO, Automatic Data Processing Inc.
"Complex analytics in a box. Security intelligence and analytics are big components of our program here at ADP. As we get smarter on how and where to use our significant capabilities with regards to data collection, we are seeing an increasing need for specified analytics to support multiple portions of our converged security program. When considering scaling independent point solutions for command-and-control identification, malware identification or fraud detection, driving critical outcomes become less cost-effective. Under the tree this year, it would be great to find a partner that provides modular pre-canned analytics that can scale to line speed across billions of events and with vendor supported artificial intelligence, coupled with machine learning algorithms designed specifically for my environment.
"Line speed cross-platform encryption for data access and data use. As we redefined the way we deliver data, content and services to our clients, we are driving an agenda that demands total end-to-end encryption with tokenized access management even at the service & support level. I can only hope that the man in the red suit sees my name on the 'good list' this year and helps [deliver] an automated encryption technology platform that can support client transactions, service bus platform management, security interrogation, and other functions across multiple product sets under one globally managed and redundant encryption provider. Will that fit in a stocking"
Bob Blakley, global head of information security innovation at Citigroup
"I want to save my wishes for things which are truly out of my control; most things aren't worth wasting a wish on because we can just do work and accomplish them. But we have to have the people to do the work. And the most important thing that's out of my control is how many security people exist in the workforce. So here's my wish: I wish for enough skillful security professionals to meet not just my program's hiring needs, but every program's hiring needs. Why the generosity Because as we're learning from recent breaches, a successful attack on one organization can also hurt other organizations."
Jason Taule, CSO, FEI Systems
"Pause button. I'd like to trade in my 'easy button' for a 'pause button.' Having supportive leadership and ample technology budget might seem like the be-all end-all, but it's only the beginning. Change is not constant as many believe. Yes, it is ever-present, but its rate is actually increasing. I'd like a pause button to keep industry drivers and technology stable long enough to get things implemented. And generating a meaningful return on investment would be a bonus.
"A magical balancing scale. Success demands striking the exact right balance between security controls and the needs of the business. Too strict and we hinder operations and results. Too slack and we yield too much to our adversaries. This magic scale would always indicate the exact right balance without undue impact or the need for constant tuning."
"Uniform standards. As the adage goes, the beautiful thing about standards is that there are so many from which to choose. Unfortunately as a governance standard to guide investments in security, privacy and risk management, 'reasonable and appropriate' is neither reasonable nor appropriate. Legislators and rule makers mistakenly believed they were helping by not dictating terms [and allowing] us instead to each decide for ourselves what is proper. However, until we set a minimum compliment, on a per-industry basis of course, allowing everyone to do their own thing puts us all at risk, especially given how interconnected and interdependent we've become. Singling out individual organizations for fines and penalties for failures may make affected customers feel better. But I humbly suggest we might all be better served knowing that our competitors and partners alike all had to incur the expense of meeting the same set of basic requirements."