The modern-day CIO, CISO and senior management team members engaged in information security are faced with a daunting task. Chris Roberts (@Sidragon1) posted a description of the CISO role which seems accurate for many organizations:
“Being a Chief Information Security Officer is easy. It’s like riding a bike. Except the bike is on fire, you’re on fire, everything is on fire and you’re in Hell.”
WHY IS THE ROLE OF CISO SO CHALLENGING?
Being compliant with a myriad of state, federal and international regulations, passing the next information security audit and fending off the ever-present threat from cybercriminals pull the team in any number of directions. Perhaps the most difficult issue is reconciling the work of running a secure business with the work of passing a compliance audit: the two overlap, but they are not the same thing.
ONE OF THE BIGGEST MISCONCEPTIONS
One of the biggest misconceptions about achieving compliance is that certified companies are secure. Any number of organizations have been certified “PCI DSS compliant” only to fall victim to cybercriminal attacks and data breaches. It is not for a lack of security technologies, or even of diligence on the part of the IT security staff. A certification attests that a defined set of controls was in place, within a defined scope, on the day of the assessment; it says nothing about systems outside that scope or about the day after the assessor leaves. The adversary in cyberspace does not care whether your business is compliant. If you have something of value behind your firewall, it is as attractive to a thief as a jewelry case, and in both cases a smash-and-grab is frequently successful.
In the fall of 2015, the New York Cyber Task Force was formed to address the problem of cyber defense. Its conclusion is that defense is possible, but only if the right approach identifies and prioritizes the right innovations. On the issue of compliance, the analysis was quite blunt:
‘While perhaps satisfying regulators, [compliance requirements] often force defenders to expend far more effort than it costs attackers to circumvent them. This was not always the case. Two decades ago, cybersecurity architectures were less complex and threats less varied, so defenses built on static checklists were more effective at keeping adversaries out. Check-the-box compliance has, in short, gone from essential to albatross. Once a game changer, it has over time become a drain on the resources of defenders.’
Sadly, for many businesses, spending on the operational security tool-set has increased at a compounding rate as they attempt (some would say unsuccessfully) to stay ahead of the growing volume and sophistication of cybercriminal attacks. The 2017 “Internet Organised Crime Threat Assessment (IOCTA)” from Europol succinctly outlined the security challenge when it comes to ransomware:
‘Ransomware attacks have eclipsed most other global cybercrime threats, with the first half of 2017 witnessing ransomware attacks on a scale previously unseen…Ransomware has widened the range of potential malware victims, impacting victims indiscriminately across multiple industries in both the private and public sectors, and highlighting how connectivity and poor digital hygiene and security practices can allow such a threat to quickly spread and expand the attack vector.’
FedEx (through its TNT Express subsidiary) and Maersk each reported losses on the order of $300 million from a single ransomware outbreak in 2017. That is not a line item any chief executive wants to explain to shareholders.
THE DOLLAR OF DEFENSE
The situation the IOCTA executive summary describes is precisely what the New York Cyber Task Force's recommended change in defenders' tactics is meant to address: “Any innovation by defenders must impose far greater costs on attackers. A ‘dollar of defense’ (or hour or other measure of input) should not yield just a ‘dollar of attack,’ but should force attackers to spend considerably more to defeat it.”
Near the top of the list of ways to leverage a dollar of defense is this conclusion:
‘Faster patching is one of the most critical ways enterprises can protect themselves. Software that automatically updates itself is of no use if the process is delayed by enterprise IT staff that needs to exhaustively test every new change. The WannaCry attack of May 2017 would have been stopped in its tracks if only enterprises had applied the existing Microsoft patch. Yet on average organizations take 12 weeks to patch, far longer than hackers need to turn vulnerabilities into exploits.’
RAPIDLY DEPLOY PATCHES
So, if you are looking for a security investment that both meets compliance requirements and raises the cost to cybercriminals, rapidly deploying patches is one of the strategic priorities. Rapid does not have to mean untested: a staged rollout, with a small canary ring for a day or two, a defined rollback path and a hard deadline for the remaining rings, gets most of the fleet patched in days rather than weeks while still catching a bad update before it reaches everything. Patch latency, measured from vendor release to installation and including the hosts still missing the fix, is a metric worth tracking against that 12-week average. The consensus opinion of the Task Force, whose members included representatives from Microsoft, Time Warner and PricewaterhouseCoopers, in its report “Building a Defensible Cyberspace” is advice well worth considering.
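As an added example (not code from the article or from the Task Force report), the following Python turns the “12 weeks to patch” benchmark into a metric a security team can actually track: for every host it computes the exposure window between a vendor fix shipping and that fix landing, counts hosts that are still unpatched as exposed up to the report date so they cannot hide behind a good median, and lists the hosts that breached a patching SLA. The hosts, dates and patch identifier are constructed, and the 14-day SLA is an assumed target, not one the report specifies.

```python
"""Patch-latency report for a host inventory.

Turns "how fast do we patch?" into numbers a CISO can track: for each host,
the exposure window between a vendor fix shipping and that fix landing on
the host. Hosts still missing the fix are counted as exposed up to the
report date, so forgotten machines drag the statistics down as they should.
"""
from dataclasses import dataclass
from datetime import date
from math import ceil
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class PatchRecord:
    host: str
    patch_id: str              # vendor fix identifier (constructed below)
    released: date             # day the vendor published the fix
    installed: Optional[date]  # day the fix landed on this host; None = still missing


def exposure_days(rec: PatchRecord, as_of: date) -> int:
    """Days the host was (or, if unpatched, still is) exposed to the fixed flaw."""
    end = rec.installed if rec.installed is not None else as_of
    return (end - rec.released).days


def nearest_rank_percentile(values, pct: float) -> int:
    """Percentile by the nearest-rank method (no interpolation)."""
    ordered = sorted(values)
    rank = max(1, ceil(pct * len(ordered)))
    return ordered[rank - 1]


def patch_latency_report(records, as_of: date, sla_days: int = 14) -> dict:
    """Summarise time-to-patch and list hosts that breached the SLA, worst first."""
    if not records:
        raise ValueError("no patch records")
    exposures = {r.host: exposure_days(r, as_of) for r in records}
    breaches = sorted(
        (r for r in records if exposures[r.host] > sla_days),
        key=lambda r: exposures[r.host],
        reverse=True,
    )
    return {
        "hosts": len(records),
        "unpatched": sum(1 for r in records if r.installed is None),
        "median_days": median(exposures.values()),
        "p90_days": nearest_rank_percentile(exposures.values(), 0.90),
        "within_sla": sum(1 for d in exposures.values() if d <= sla_days) / len(records),
        # (host, days exposed, still unpatched?)
        "sla_breaches": [(r.host, exposures[r.host], r.installed is None) for r in breaches],
    }


# Constructed sample inventory: hosts, dates and the patch identifier are
# illustrative, not data from the article or from any vendor.
RELEASE = date(2017, 3, 14)
SAMPLE_INVENTORY = [
    PatchRecord("srv-01", "VENDOR-2017-001", RELEASE, date(2017, 3, 20)),
    PatchRecord("srv-02", "VENDOR-2017-001", RELEASE, date(2017, 3, 28)),
    PatchRecord("srv-03", "VENDOR-2017-001", RELEASE, date(2017, 4, 30)),
    PatchRecord("srv-04", "VENDOR-2017-001", RELEASE, None),  # never patched
    PatchRecord("ws-10", "VENDOR-2017-001", RELEASE, date(2017, 3, 16)),
    PatchRecord("ws-11", "VENDOR-2017-001", RELEASE, date(2017, 5, 10)),
]
REPORT_DATE = date(2017, 6, 1)


def sample_report() -> dict:
    """Run the report over the constructed inventory with an assumed 14-day SLA."""
    return patch_latency_report(SAMPLE_INVENTORY, REPORT_DATE, sla_days=14)


if __name__ == "__main__":
    rep = sample_report()
    print(f"{rep['hosts']} hosts, {rep['unpatched']} still unpatched")
    print(f"median {rep['median_days']} days, p90 {rep['p90_days']} days, "
          f"{rep['within_sla']:.0%} within SLA")
    for host, days, still_open in rep["sla_breaches"]:
        print(f"  SLA breach: {host} exposed {days} days{' (still open)' if still_open else ''}")
```

Fed from a real inventory (an endpoint-management export, or a vulnerability scanner's “missing patch” findings joined against the vendor's release date), the same report gives a per-patch time-to-remediate and a list of hosts to chase, which is the evidence an auditor asks for and the number the dollar-of-defense argument depends on.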