What security pros want for the new year

15.12.2015
It’s that time of year when we ask security executives in a variety of industries what they would like to include on their holiday wish lists.

Some of the responses we received were in the realm of pure fantasy. For example, one security chief asked for technology tools that address all of the major security threats, don’t cost anything and have top-notch 7x24x365 support with response times inside 15 minutes!

Most of the wishes submitted are a bit closer to reality, and some might even come true if factors align the right way. So, with the completion of another year approaching, once again we present a listing of what security executives say they are hoping for, as they continue in their mission to protect their organizations’ systems and data.

David Barton, CISO, Websense

“Integrated security tools. CISOs face increasingly complex security tools that don't communicate and play well together. For 2016, I want more security products that will talk and communicate together using standards-based sharing such as STIX and TAXI.

“Security in the boardroom. Too many CISOs are relegated to being relevant only when there is a crisis. Security belongs in the boardroom, in senior executive strategy meetings, in the many business planning processes, and in the operations of the business. My wish for 2016 is more visibility at the board level for CISOs, where we can provide advice/guidance to enable the business to succeed in a secure fashion.

“Emphasis on the sciences. There is a worldwide shortage for information security professionals. This problem is going to grow until we are able to engage young people in the pursuit of the sciences in high school and college. If this trend is not reversed, we will not have enough security professionals to protect the data that is important to us. For 2016, my wish is for more interest in the sciences in all levels of education, more graduates from college in technical disciplines, and more people with technical degrees pursuing information security as a career.”

Mary Chaney, director of worldwide information security, Johnson & Johnson

“My biggest wish is for my magic wand to work and make all applications and databases secure!

“There needs to be a shift in thought regarding how companies deal [with] and manage vulnerabilities at the network, application and database levels. Vulnerabilities speak to the actual risk exposure an organization has, which is, by the way, the single most important factor for any business.

“Information security has grown up as a child of IT and for year’s professionals believed that a hardened network was the answer. We have built entire information security programs around traditional cyber network defense. That doesn’t work anymore. As professionals we need to shift our thoughts and focus on the connection between technology and risk.

“Everyone, from the L1 analyst to the board of directors needs to understand that attackers have moved out of the brute force type of network attack to the application and database level, where the true data resides.

[ ALSO ON CSO: Top security stories of 2015 ]

“A big huge spotlight needs to shine on the actual risk in your environment, meaning unpatched and insecure applications and/or databases. Once you find those answers you will be able to build a security program that strategically places its time, energy, and money into protecting the business through a conscious effort and understanding around risk.”

Erkan Kahraman, CSO, Planview

“Last year I had wished for compliance and I’m wrapping up the quarter with the content feeling of having achieved just that. For next year, I’m wishing to find qualified information security specialists to join my growing team. They are hard to come by nowadays!”

Jason Taule, CSO, FEI Systems

Robert J. Schadey, CISO and director of infrastructure services, 1901 Group

“As I sit in the Kansas City Airport nearing a 12-hour delay prior to departure, I wish for teleportation! 

“Applied focus on security engineering. How important is it to prevent exploitation of critical functions Why does security still begin as a bolt-on after system implementation occurs or even worse, after an exploitation is discovered and determined In supporting federal, retail and Department of Defense in security, the same repetitive mistakes seem to continue to happen in the system engineering process.

“While the product selection and acquisition processes should naturally begin with products that are security tested and proven to vendor claims, considerations for secure methods in monitoring, management and support must equally be proven. The application of security engineering in the design must drive toward checks and balances in handling malicious threats and survivability. Identification of system and security requirements must be part of a sound process, aiding security baseline development and requirements documentation that ensures the overall implementation can be mapped technically against requirements, risks, and consideration for any residual risks.

“More often we want to keep pace and generally move too quickly toward solutions, without examining requirements. Looking at the bottom dollar [while] not considering security engineering will generally eat up costs in bolting on security with technical modification and figuring out methods to address compliance requirements. It’s much easier to work through sound selection and driving the security features and capabilities that should be enabled with sound security engineering.

Dave Dalva, vice president at Stroz Friedberg, who acts in the role of CISO for several clients

“I would like to see boards of directors and leadership teams better appreciate that information security risk management should be treated as an enterprise risk equivalent to financial, reputational, and legal risk. Too often these stakeholders gain an appreciation of security risk only after a breach to themselves or others. I would like to see them increasingly take the initiative to understand how security risk impacts the business, and why culture is so important to good security risk management program.”

Jason Taule, CSO, FEI Systems

“I suspect I’m like every other CSO who made wishes last year in that few if any of our requests came true. I don’t think this is because we were bad and found ourselves on Santa’s naughty list, but rather that the items we were after are beyond the creative abilities of the elves in his workshop. Consequently, much like the child who wishes for the same thing year after year, I’d still very much like a ‘pause’ button to allow me time to catch up with the business and a magical balancing scale that helps me strike the exact right compromise between the needs of the business and our risk exposure.

“Beyond that however, there really is only one additional item on my wish list. What I’d really like is the new G.I. Joe style military action figure known as Actionable Intelligence. The art and practice of our industry has advanced to the point where we have an abundance of tools and technologies to capture and evaluate threat data. But we’re victims of our own success. It’s impractical to try to react to everything, and never before has it been more important to be able to detect things early, deter unauthorized east-west traffic, and respond in a timely manner. Forget hay, now it’s all about finding the needle in the needle stack.”

Curtis Dalton, senior vice president, chief information risk and security officer, Pactera US

“Stronger behavioral analysis capabilities across enterprise system resources to spot misuse [or] abuse early. Clear support from the board on down to the CISO about their level of commitment to reduce risk and alignment on a budget to match that risk expectation.”

Roland Cloutier, vice president and CSO, Automatic Data Processing

“I'm hoping that the architects, engineers and product design specialists for Santa’s security technologies division are considering the development of an automated controls efficacy platform. From a decision support to control validation [perspective] and even as a component of audit management, the ability to have valid transparency and measurability of the efficacy of the existing controls which I am responsible for would be a huge resource lever. Imagine the ability to look at an active console or report that indicates the current levels at which all my controls are operating and enables me to understand their need, their effectiveness, and opportunities for distribution, consolidation, or removal. Yep, I know what I want for Christmas.”

(www.csoonline.com)

Bob Violino