Why CIOs need to be proactive not reactive to cybersecurity threats
- 02 March, 2016 02:44
The greatest cyberthreat might not be a massively destabilizing attack that takes out the electrical grid or some other piece of critical infrastructure. Instead, the most significant risk could come from the accumulated damage of a constant barrage of attacks that shake the collective confidence in the Internet as a platform.
So argues Rick Howard, chief security officer at Palo Alto Networks.
"I really think that we are on the verge of having this affect our way of life," Howard said during a recent event hosted by Federal News Radio.
Security challenge isn't a cyber Pearl Harbor
"We've got so accustomed to using the Internet to manage ourselves -- our communicating with our family and our friends, communicating with our business operations and all that kind of stuff. And what we're seeing is a thousand cuts, death by a thousand cuts," Howard said. "We're not seeing this giant thing that we used to all think about 15 years ago -- [that] we're going to have a cyber Pearl Harbor. That's not what's happening. What we're seeing is a lot of little slices, that it's slowly eroding our confidence in the digital space. And if we get to the spot where we can't trust that environment anymore, then where are we as a society?"
Howard says that firms need to do more of the basic blocking and tackling in security, starting with taking a thoroughgoing inventory of their digital assets and understanding the material risks to their business.
[ Related: Corporate culture hinders cyber insurance buy-in ]
"I think in our industry there's a lot of shiny objects in the cybersecurity space," he said. "What really needs to be happening with our network defender practitioners is doing a robust risk analysis of their own environment -- what do they really need to be worrying about and what can they let go because it's not that big of a deal?"
John Davis, CSO of Palo Alto Networks' federal division, suggested that too many firms have resigned themselves to a reactive approach to security, essentially conceding that hackers will access their network and instead focusing on efforts to mitigate the damage an attacker can do once inside.
Focus needs to be more on data breach prevention than recovery after the fact
"Some of our industry has given up on the ability to prevent, and is focused primarily on detection and response, which means, with a mindset like that, it means you're always involved in cleaning up aisle, nine, as some people like to say," Davis said.
"We believe that you can actually get ahead of a lot of that," he said. "Now you might not be able to prevent everything, but we think you can make significant progress in terms of preventing the threat in the first place so that you can make better use of your people, time and resources where in those cases where you do have a problem to go find it and do something about it. But you can take a lot of that off of the radar screen up-front if you have a prevention mindset."
"Look at the headlines -- breach after breach after breach. And so these issues today are becoming CEO and board-room issue. They are not dealt with strictly in the environment of the IT world, so the more that senior leadership in terms of CEOs and chairmen of the board and board advisors become involved in these issues, well that puts a lot of pressure on being right."
[ Related: Cybersecurity: How one CIO stays a step ahead ]
Davis echoed Howard's call for a comprehensive risk analysis, mapping out the different segments of the network and examining the needs of the enterprise along with the security concerns. That holistic approach to protecting a firm's digital assets has the added benefit of bringing together teams that sometimes work at cross purposes.
"It helps to bring the information technology people and the cybersecurity people together. Often, they are two communities that are at odds with each other. One's trying to get an organization to perform, the other one's trying to slow it down to make sure it's secure, and often it's a win-lose situation," Davis said.
"This gap analysis enables them to both come together and look at it from a common perspective. How do we as an organization safely enable what we need to do to do our business?" he added. "The other thing that it does is once you have this gap analysis, it enables you to essentially have a scorecard for your organization so that leaders -- the CISOs and the CIOs of an organization -- can use the results of the gap analysis as kind of a scorecard in terms of risk management posture for the organization. And it's a great tool that they can use to brief the leadership of the organization."