As the criminal infrastructure that supports cyber attacks grows more efficient, speeding up the development of new threats, CISOs need to constantly learn new skills to keep their businesses and their jobs safe, according to Cisco’s head of security solutions.
They have to have solid knowledge of network security, but also have to be able to communicate well, develop in-house security talent and stay on top of how the threat landscape is changing, says James Mobley, Cisco vice president of security solutions and former CEO of security consulting firm Neohapsis, which Cisco bought last year.
In his job Mobley routinely comes in contact with CISOs who talk about the challenges they face and the steps they are taking in order to avoid breaches and compromises that can hurt their businesses.
Mobley spoke recently to Network World Senior Editor Tim Greene about these challenges and how CISOs ought to respond to their changing roles. Here is an edited transcript of that interview.
NWW: If you were to give advice to a CISO, what are the top four or five things you would tell them to learn about in order to be successful and survive in this dynamic area?
Mobley: I would say first and foremost, just to the heart of what the role is, they still need to have a very good understanding of the tenets of security, understanding that security hits across three main areas: people, process and technology.
Secondly, getting as broad-based an understanding of threat actors as possible. Security is really about being threat-centric, and it’s about understanding how to build the platforms that give you the greatest flexibility regardless of what comes at you, because it’s no longer possible to move on the spur of the moment. You have to anticipate the moves and make sure that the things you build are capable of scaling very quickly and adjusting very quickly. I would just say keeping that in mind, that it’s threat-centric, and understanding the motivations of actors across all aspects.
Leadership would be the next one. The CISOs now - because the role is escalating, because it’s more strategic - have to have leadership capabilities that allow them to not only lead an organization but also lead change within an organization and that’s not very easy to do. It requires a mix of skills that have not always been seen in CISOs.
Outside of that, I would just simply say determine how to get a team built in an environment where there is going to be a significant shortage of talent. How do you then take a combination of people to accelerate learning and intelligence and the IQ of an organization around security? You’ve got to find ways of elevating the talent and making that talent not only better but also retaining talent. How do you manage to do that? I think that is a key challenge for CISOs, but the best ones are very good at attracting talent, developing talent and retaining talent.
NWW: How has the role of the CISO changed in general?
Mobley: I think it’s gone very strategic in nature now, versus the earlier days when it was very much about the tactical aspects of management, so we see a lot more CISOs being either direct reports into the CIO, or we see them now coming out from underneath the CIO altogether and reporting in to either a CFO or COO.
I think that’s important because most of the strategies roll from the top and once the top is in alignment and the CISOs are attached to that, then they have a better opportunity to go and try to implement plans.
NWW: How is the corporate network environment changing?
Mobley: A couple of examples of that. One is just the whole movement around shadow IT. A lot of the organizations out there aren’t even familiar with the cloud-based systems that they allow employees to have access to. That also means that they aren’t aware of all of the major platforms that people are using, thus an increase in security risk. So you see shadow IT, you see mobile apps being downloaded. The data has shown us that, I think the last numbers that I have seen were, some 97 percent of all Android mobile apps have some kind of security or privacy risk associated with them, and yet those are the very apps that are being downloaded by employees who may also have corporate data sitting on their devices.
Then you’ve got the Internet of Things which means a lot of things to different people but mostly devices that are not being connected or not protected. In our roles as consultants, we do a lot of work looking at things like infusion pumps and home automation systems and on and on that now have IP addresses. You see that convergence of things is creating quite an interesting challenge just for the CISOs to keep up. That evolving business model is one of the biggest issues that they’re facing.
The other one is complexity. We’ve always said that the weakest link in security is people and we’ve now put into the hands of the weakest link technologies that the CISOs may or may not have visibility into. I think the challenge you run into is that a lot of attacks still happen at the application layer and now you have less visibility to those apps, which is going to create the opportunity for increased risk among the employees.
I think the other one is just the standard thing, the loss [of devices]. You’ve got form factors, you’ve got things that can be lost, things being left behind, whether they be tablets, whether they be mobile devices and so a combination of factors, not to mention all the things that go beyond that out to your third parties and external parties.
I think when you take a look at the expansion of the footprint, the volume of devices and then the volume of people that are part of the ecosystem, including third parties, then the risk goes up pretty significantly.
NWW: How do you see CISOs responding to these changes?
Mobley: So now we’re beginning to see a movement by CISOs to try to simplify things, making sure you’re getting the best value out of the technologies that have been acquired and seeing if there are opportunities to consolidate, to ensure that the management of your environment is going to be a little bit easier to navigate.
How do we now think about the security architecture in a way that allows us to be positioned to scale, positioned for the ability to plug in newer technologies when that time arises, in a way that’s going to make for an easier-to-manage and more easily connected kind of environment? That’s the other trend that we’re seeing, a more, “Let me build a blueprint to enable the business,” more so than simply worrying about the tactical aspects of, “How do I go and look and see where the vulnerabilities are within the environment?”
NWW: What do CISOs say about how the threat environment is changing?
Mobley: If anything has really shifted, it is the nature of the attacks. They’re more advanced because [attackers] are better funded and have more resources to invest in the types of technologies required to evade defenses. That creates a challenge around visibility because if attacks are becoming more advanced, you have to have the ability to see them and to identify when something is going on so that you can move faster on the response side of things.
So that advanced nature of attacks means that now you see CISOs looking more and more at threat intelligence, big data analytics, so they can take a look at not only the indicators of compromise, but identifying data that’s coming from all aspects of their environment - from firewalls, from the endpoints, from email, from the network - and taking all of that data to try to get a crosshair on something that is in that environment that could in fact be malicious.
NWW: How are CISOs dealing with the shortage of well-qualified workers?
Mobley: When we’re out there talking to individuals in different companies, we see open reqs sometimes in the hundreds where they’ve been trying to hire and have been unable to do that. So again, when you think about analytics, the ability to get a little bit of a head start on what’s going on, to get more visibility, the ability to automate different aspects of the operational side of things, and the ability to collaborate and to find ways to collaborate within environments so that you can leverage talent across the enterprise. Those are the types of things that we’re seeing CISOs look at, in addition to how do we ramp talent quickly. We see training programs where they’re trying to move very smart individuals out of the universities and get them ramped up as quickly as possible. I think all those things that are taking place are positive, but the talent shortage seems to be one that is going to be quite a challenge to try to fill, given there is a wide gap.
NWW: What approaches do you see CISOs taking to create secure networks?
Mobley: What we often hear is, “First let me deal with my table stakes. Let me make sure that I don’t have any glaring holes,” and when that happens, usually you’re looking at a couple of things. You’re looking at either applications and, “Are my apps secure?” or you’re looking at the network, and trying to make sure that first and foremost the infrastructure and the apps are secure. We spend a lot of our time still looking at applications and trying to make sure that the apps are secure, the networks are segmented appropriately and the right kind of security frameworks are in place there.
Those are table stakes, and that has to be done, and then once that’s done, there is a big interest and focus around response. It’s around the intelligence side of response so they can work on preparedness, and then it’s about how quickly we can gather, contain and get back to an operational state once something occurs within the environment.
NWW: How are CISOs looking at the Internet of Things?
Mobley: I would say that if there’s one area that is becoming very interesting to us, because everyone knows it’s coming but it’s defined a lot of ways, it is IoT and the whole IoE, the Internet of Everything. What we’re beginning to see now are cases where it’s no longer just, “I’m about to put a device on the network, and I want to make sure it’s secure,” but it’s really about, “How do I digitize a complete business process? How can I take what was once a process that was driven by industrial means and now add sensors, gather information at the point of attack and then use all that information to feed intelligence back into the backend that allows me to make decisions?” Those might be market-based decisions around demand for specific products, or they might be decisions about how you go about fertilizing different lands in a certain way to help increase yields for farmers.
You have to begin to think about it from the ground up, more so than just going in and trying to plug holes. That’s one of those things again around the CISO role becoming more strategic: we’re seeing that in addition to the technical aptitude, they also have to make sure they’ve got a really keen sense of the business processes and how those are evolving as well.