“Evolving threats demand new security approaches”

by Sohini Bagchi    Feb 08, 2013

Lawrence Orans Research Director Gartner

Lawrence Orans, Research Director, Gartner Inc., is a cyber security expert who assists CIOs, CSOs and other security professionals in developing strategies for mitigating threats. In an exclusive interaction with Sohini Bagchi of CXOtoday, Oran discusses the current and the emerging trends in the cyber security space as well as how the role of CSOs are evolving in the ever changing security landscape. Excerpt.

What is it that the enterprise should watch out for in the cyber security space?
The year 2012 saw the rise of cloud computing, social media and interesting mobility concepts such as BYOD to work and these forces are likely to produce radical changes in the way enterprises manage IT security in the coming year. This means that enterprises should look at these trends now while at the same time find ways for security checks and balances to protect corporate data. They should be careful of more sophisticated destructive malware that can target their critical infrastructure. Consumerization of IT of which BYOD is a by-product will continue to gain precedence, posing greater challenges for enterprises and enabling them to leverage more advanced security solutions to secure their network and critical data. Last year was quite an eye-opener for organizations with the evolution of Shamoon, Red October, Flame and several other malware attacks that had catastrophic consequences. There is also an increase in cross-platform attacks, which businesses are encountering in recent times. Enterprises should be careful of their digital wallets as smartphones, payment capabilities and credit card data as these will continue to interest attackers. Moreover, in the IT security vendor landscape, a number of new players will emerge in the cloud and mobile space offering newer solutions and the established ones will also build their solutions based on the evolving trends and technologies.

How is the nature of attack and security approaches different in the public and private space?
Government and private entities serve two different kind of clientele. The former control the legislature and are accountable to its citizens, while the latter is accountable to stakeholders. The difference lies in the implementation approaches and how they interpret and respond to existing security laws and regulations. However, today there is not much of a difference in the security landscape in these two segments. The same security questions that drive private entities are also driving government IT security. For example, the government IT increasingly understanding and embracing the benefits of the cloud and big data just like its private counterparts. The increased growth in the number of public private partnerships is also blurring the line between the two sectors. Most governments depend heavily on the private sector to develop, deploy and manage information security solution. They are realizing that cyber security is no longer a standalone issue and both the sectors are sharing commonly available human and technology resources to increase collaboration in the security space. This will help strengthen the cyber security landscape in the long run.

Which are the areas in security CIOs should invest in the next 1 year?
Evolving threats demand new approaches to security in the coming months. Enterprises are realizing that investing in IT security can have a positive effect on business ROI. As a result, security is occupying a place on the boardroom agenda today, rather than remaining a sole domain of the IT department. In terms of technology investment in security, most CIOs or CSOs will invest in mobile device management tools such as mobile device management (MDM) and mobile applications management (MAM). The rise in the BYOD trend will also compel CIO/CSOs to invest in multifactor authentication that are not dependent on cryptography. This will help them establish appropriate safeguards and controls to reduce risks. Many security managers are also planning to invest in a BYOD strategy and on staff training that will help them understand and implement BYOD security, as well as the cloud-based systems and applications that are generally accessed by mobile users. Besides, authentication and encryption, that will continue to be an integral part of security investment, several organizations will start to invest in cyber threat intelligence an area that is likely to gain momentum in the coming months. Apart from this, an increased focus of organizations will be on security training of their personnel and on addressing the various security and compliance issues in the evolving threat landscape.

How is the role of Chief security officers (CSOs) evolving in the ever changing security landscape? Is that affecting the CIOs role in any way?
The CSOs role is evolving in the current enterprise security landscape. However, it will continue to be even more important in the coming days as he will assume a greater responsibility. Currently security officers report to the CIO. But this trend will change. Security groups will become more independent, with CSOs breaking away from reporting only to CIOs, instead getting more direct lines to the audit committee and risk officer. There should not be any problem as long as the CSO and the CIO continue to collaborate and work in a cordial manner thinking of the long term business value. Another area where I see growth is that within the enterprise, there will be high demand for data scientists and analysts with domain expertise in security who will analyze and correlate security data and unstructured business data to apply it in the real time setting and environment.

What should be the immediate plan of action for CIO/CSOs to counter threats within the enterprise?
There has to be greater cooperation in the industry, between security professionals, management, and IT. The focus today should be on quick detection and response. Every organization should follow the five steps include, minding the gap between business and IT security, identifying targets, evolving key security control, adding newer delivery mechanisms and repeating and reviewing the security measures frequently. To secure their enterprise with the proliferation of BYOD, big data, social and cloud computing, enterprises should identify the right security solutions in the market that can save organizations from malware attacks, hacking and other advanced attacks. In the long run, education and training in the cyber space should be an integral part of every organization’s business agenda. A third party security audit can also help in reducing threats. These should be rigorous activities of organizations to keep cyber criminals at bay.