As threats mount, CISOs must rethink information security programs
Date: Apr 25, 2014
Malware. Zero-day threats. Viruses. Most "modern" data security threats aren't really all that new. The problem is the expanding scope of potential threats as companies have to protect endless amounts of data on numerous devices, said Information Systems Security Association founder Sandra M. Lambert.
As a result, company CISOs must re-examine their information security programs, said Lambert, now CEO of consulting firm Lambert & Associates LLC. At the RSA 2014 Conference in San Francisco in February, Lambert sat down with SearchCompliance Editorial Director Christina Torode to discuss how CISOs should adapt information security programs to face mounting threats, and why doing so could provide a big competitive advantage.
What would be your advice for a newly minted CISO put in charge of developing an information security program?
Sandra M. Lambert: First of all, I'd say make sure that they're a member of ISSA, because you can learn so much from your colleagues and gain from their experience. In order for them to have become a CISO, I'm sure they've had quite a bit of experience as it is. Another thing that I would tell them is to hire the best people that they can use to fill in the gaps wherever their experience might be lacking. If their experience is in a very technical field -- maybe they started out as a firewall administrator -- then make sure you fill in your staff with people who have other nontechnical skills that might have come from auditing or from other backgrounds so that you have a well-rounded staff. Everyone has an expertise that they can lend to make your information security program successful.
I would also say that you need to make sure that you evangelize to the upper management in the company. We all know that we need to manage up for security awareness to make a really good, effective information security program. When you do that, it helps guarantee the success of your program because upper management is the one that's going to approve your budget. The closer the relationship you have with those folks, the better chance you have of them understanding your budget needs and understanding the rationale of why they should approve your budget.
Do you think that a strong information security program can give companies a competitive advantage?
Lambert: Most definitely. That was one of the main things that I did at Citibank to make my program successful. Most companies view information security as a cost of doing business, one of the things you just have to have. If you can prove that you are bringing business to the company, then you've got a visibility segment there that nobody else has. For instance, when I was at Citibank, I had a good presentation of our security program. We had a potential customer who was, in essence, looking at two or three banks to try to decide which bank they wanted to do their corporate business with, and they had each of those banks talk about security. I had an awesome presentation that portrayed what a great security program we had.
We did get that client, and I was told afterwards that the security presentation and the things we were doing to help security controls was one of the major factors in us getting that client. In essence, information security brought revenue to the bank.
What emerging cyber threats and technologies are you keeping your eye on?
Lambert: A lot of the threats for corporations, and now for governments and nation states, are similar threats to what we had before. We used to have viruses on our PCs, so we had antivirus programs. That was the technology for that threat. Malware is still being sent to devices, but at this point there are so many more devices than we used to have. The threat is a similar source in that it's still malware, but it is now proliferated across your cell phone, your iPad, your servers, etc.
We've already seen specific nations creating denial-of-service attacks using malware that's sent via a vehicle whose origin is difficult to trace. That's one of the emerging threats. It's a pretty hot topic these days.
How do you prevent that? I think a lot is going back to the basics. You have to have defense in depth. You can't have just a firewall. How do you put a firewall on a cell phone? You don't. You have to have a number of techniques. You have to have your firewalls, you still have to have the antivirus programs even though people critique that because they say you can only find software that has a signature. True, but it has a signature, so you're still getting part of the problem.
The zero-day threats won't be caught by antivirus software, but you catch those by watching and monitoring. You log and monitor all of your devices and are just aware of what is going on in your environment. You can only do that by using a variety of tools, not just one. I think that cryptography is key to the success of any information security professional in the future, so you need to really be familiar with that.
You don't have to be a cryptographer, but you need to understand it because the intricacies of key management are a crucial part of succeeding. Cryptography is used in so many things. It's used in digital signatures. It's used in encryption and decryption, of course. I think that's a key tool that everyone will be using more. Luckily, the vendors are starting to build those tools into products. That's why you don't have to be a cryptographer to understand it now, but you have to be familiar with it.
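The two detection layers Lambert describes, signature matching for known malware and monitoring for behaviour that has no signature, as an added illustration that is not part of the interview or of any product Lambert mentions. The log format, the host names, the hashes and the "known bad" signature list are all constructed for the example; a real deployment would read endpoint telemetry rather than inline strings.

```python
"""Signature matching beside behavioural baselining over endpoint logs.

Added example, not code from the interview. Log lines, hashes and the
signature list below are constructed; the line format is an assumption:
    <day> host=<name> proc=<child> parent=<parent> sha256=<hash> dst=<ip>:<port>|-
"""
import re
from collections import defaultdict

# Constructed "day 1" telemetry used to learn what is normal per host.
BASELINE_LOGS = [
    "d1 host=ws01 proc=chrome.exe parent=explorer.exe sha256=aaa1 dst=203.0.113.10:443",
    "d1 host=ws01 proc=outlook.exe parent=explorer.exe sha256=bbb2 dst=203.0.113.20:443",
    "d1 host=ws01 proc=winword.exe parent=outlook.exe sha256=ccc3 dst=-",
    "d1 host=ws02 proc=chrome.exe parent=explorer.exe sha256=aaa1 dst=203.0.113.10:443",
    "d1 host=ws02 proc=powershell.exe parent=explorer.exe sha256=ddd4 dst=-",
]

# Constructed "day 2" telemetry to run detection over.
DETECTION_LOGS = [
    "d2 host=ws01 proc=chrome.exe parent=explorer.exe sha256=aaa1 dst=203.0.113.10:443",
    # Known dropper: its hash is on the signature list, so the AV layer catches it.
    "d2 host=ws02 proc=update.exe parent=chrome.exe sha256=bad9 dst=198.51.100.5:443",
    # No signature, but winword.exe has never spawned powershell.exe on ws01
    # and ws01 has never talked to port 4444: only monitoring catches this.
    "d2 host=ws01 proc=powershell.exe parent=winword.exe sha256=eee5 dst=198.51.100.7:4444",
    # Benign: ws02 already ran powershell.exe from explorer.exe during baseline.
    "d2 host=ws02 proc=powershell.exe parent=explorer.exe sha256=ddd4 dst=-",
]

KNOWN_BAD_SHA256 = {"bad9"}  # hypothetical signature list

LINE_RE = re.compile(
    r"^(?P<day>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) parent=(?P<parent>\S+) "
    r"sha256=(?P<sha>\S+) dst=(?P<dst>\S+)$"
)


def parse(line):
    """Parse one log line into a dict; reject anything off-format loudly."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def dst_port(dst):
    """Return the destination port, or None when there was no connection."""
    return None if dst == "-" else dst.rsplit(":", 1)[1]


def signature_hits(lines):
    """Layer 1: events whose binary hash matches a known-bad signature."""
    return [e for e in map(parse, lines) if e["sha"] in KNOWN_BAD_SHA256]


def build_baseline(lines):
    """Learn, per host, which parent->child pairs and outbound ports are normal."""
    baseline = defaultdict(lambda: {"spawns": set(), "ports": set()})
    for e in map(parse, lines):
        b = baseline[e["host"]]
        b["spawns"].add((e["parent"], e["proc"]))
        port = dst_port(e["dst"])
        if port is not None:
            b["ports"].add(port)
    return baseline


def behavioural_hits(lines, baseline):
    """Layer 2: events that deviate from the host's baseline, with reasons."""
    hits = []
    for e in map(parse, lines):
        b = baseline.get(e["host"])  # .get() avoids creating an empty baseline
        reasons = []
        if b is None:
            reasons.append("host never seen in baseline")
        else:
            pair = (e["parent"], e["proc"])
            if pair not in b["spawns"]:
                reasons.append(f"new parent/child pair {pair[0]}->{pair[1]}")
            port = dst_port(e["dst"])
            if port is not None and port not in b["ports"]:
                reasons.append(f"new outbound port {port}")
        if reasons:
            hits.append((e["host"], e["proc"], reasons))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    for e in signature_hits(DETECTION_LOGS):
        print(f"SIGNATURE  {e['host']} {e['proc']} sha256={e['sha']}")
    for host, proc, reasons in behavioural_hits(DETECTION_LOGS, baseline):
        print(f"BEHAVIOUR  {host} {proc}: {'; '.join(reasons)}")
```

The dropper on ws02 is flagged by both layers, which is the normal case for known malware. The PowerShell launched from Word on ws01 has no signature and is flagged only because the baseline says that host never does that; a signature-only program would have missed it, which is the point of running more than one tool.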