In an IT world ridden with a wide variety of security threats, how does a CISO properly plan for the future? We decided to find out by asking three IT security pros at the 2013 ISSA International Conference in Nashville, Tenn., to share their information security plan and best security advice for 2014.
As an information security manager, what is one of your big objectives or project priorities for 2014?
Elliott Franklin, information security manager, Whataburger Restaurants LLC: Looking forward to next year's roadmap, we haven't provided a cloud storage option for our customers, so they're going to be using whatever cloud product they want. Really, we need to come up with an enterprise-wide cloud solution that we can embrace, that will provide the same functionality they're getting with whatever solution they're using today -- something that is very easy to use, but yet we can use enterprise credentials so that we can control that data when they leave the organization.
What should the primary focus be for CISOs in the coming year? What should be on their agenda?
Evan Davison, security architect, Barling Bay LLC: For me, it's data protection. Even Gartner was reporting it this year, in their trending and future analysis, that organizations will have to adopt a state of what they're calling continuous compromise. The concept that we can build a tower and that we can keep the enemy out -- those days are long over. Whether anyone's in agreement with me or not, the reality is that history has proven this to be true already. We've seen great big breaches at great security companies -- people that are considered very secure and practice great security posture getting breached because of very advanced and sophisticated attacks.
The way that we prevent that from happening is not by building a better mousetrap; it's by protecting the things that are most important to us. If data we are generating is our most key asset, then mechanisms need to be put in place to monitor and protect that important information. Whether that looks like encryption, hardening of devices, solid networks or whatever, all those would need to be handled in individual use cases. The reality is, in my opinion, the focus next year should be on data protection and controlling data generation in your organization -- not trying to build a better mousetrap.
What is, or seems to be, a top-of-mind concern for security?
Robert Bigman, president, 2BSecure LLC: No. 1, they run to the CIO every year and tell them, 'We need to [buy] this bell-and-whistle shiny toy that just came out from RSA.' I'm not necessarily picking on RSA, but also McAfee or any one of the vendors.
These are expensive toys. Number-priced licenses in a large corporation cost big, big dollars. It's hard to buy that toy, install it, get it working, then come back a year later and say, 'Well, I need another one to do data loss protection.' Then next year, 'I need another one to do digital rights management,' and 'I need another one to do cloud security.' Eventually, the CEOs are going to wise up to this and say, 'Wait a second. Why are we not fixing this problem?'
A lot of CISOs are coming to the realization that, unlike things like storage where you just buy more, unlike compute where you just buy more compute, unlike network where you buy bigger, thicker pipes, you can't buy your way out of the computer security problem.