Here's How CISOs Can Improve Security Readiness

by CXOtoday News Desk    Jan 22, 2015


Even though a lot has been written and said about cyber security, the gap between the perception and the reality of cyber security readiness is widening, according to the Cisco 2015 Annual Security Report. The report reveals that 90 percent of respondents said they were confident in their cyber security capabilities, yet 60 percent are not patching software and systems, and only 10 percent are running the latest version of Microsoft’s Internet Explorer. These findings show that businesses are adding further complexity to an already vulnerable cyberspace, and they point to what the road ahead should be for CISOs in the coming months.

Although the Cisco report shows that 75 percent of CISOs see their security tools as very or extremely effective, fewer than 50 percent of respondents use standard tools such as patching and configuration management to help prevent security breaches and ensure they are running the latest versions.

Heartbleed was the landmark vulnerability of 2014, yet 56 percent of all installed OpenSSL versions are more than four years old, which is a strong indicator that security teams are not patching, the report said.
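One way a security team can measure itself against the report's OpenSSL-age metric is to run an age check over its own software inventory. The script below is an added illustration, not code from the article or from Cisco: the host names, version strings and release dates are constructed sample data, the `stale_hosts` and `stale_share` functions are hypothetical names, and the four-year threshold is the figure the report uses.

```python
"""
Patch-readiness check modelled on the report's OpenSSL-age metric.

Added example, not code from the article or the Cisco report. The inventory
below is constructed sample data; release dates are assumed for illustration
and are not looked up from the OpenSSL project.
"""
from datetime import date

# Constructed sample inventory: host -> (installed OpenSSL version, release date of that version).
INVENTORY = {
    "web-01":    ("1.0.1j", date(2014, 10, 15)),  # recent build
    "web-02":    ("1.0.0a", date(2010, 6, 1)),    # over four years old
    "db-01":     ("0.9.8k", date(2009, 3, 25)),   # over four years old
    "lb-01":     ("1.0.1e", date(2013, 2, 11)),   # under two years old
    "legacy-01": ("0.9.8e", date(2007, 2, 23)),   # very old
}

# Reference date for the check; the article's publication date is used here.
REPORT_DATE = date(2015, 1, 22)

# The report's threshold: an installed version more than four years old counts as stale.
MAX_AGE_YEARS = 4


def age_in_years(release: date, as_of: date) -> float:
    """Approximate age of a release in years, using the mean Gregorian year length."""
    return (as_of - release).days / 365.25


def stale_hosts(inventory: dict, as_of: date, max_age_years: int = MAX_AGE_YEARS) -> list:
    """
    Return (host, version, age_years) for every host whose installed version is
    older than the threshold, oldest first, so the list doubles as a remediation order.
    """
    stale = []
    for host, (version, released) in inventory.items():
        age = age_in_years(released, as_of)
        if age > max_age_years:
            stale.append((host, version, round(age, 2)))
    stale.sort(key=lambda entry: entry[2], reverse=True)
    return stale


def stale_share(inventory: dict, as_of: date, max_age_years: int = MAX_AGE_YEARS) -> float:
    """Percentage of inventoried hosts running a version older than the threshold."""
    if not inventory:
        return 0.0
    count = len(stale_hosts(inventory, as_of, max_age_years))
    return round(100.0 * count / len(inventory), 1)


if __name__ == "__main__":
    print(f"Hosts over {MAX_AGE_YEARS} years old as of {REPORT_DATE}: "
          f"{stale_share(INVENTORY, REPORT_DATE)}% of inventory")
    for host, version, age in stale_hosts(INVENTORY, REPORT_DATE):
        print(f"  {host:<10} OpenSSL {version:<7} released {age:.1f} years ago")
```

The output is the same kind of number the report quotes (share of installed versions older than four years), but computed for one organisation's own estate, which is the figure a CISO can actually act on; the sorted list gives a starting point for a patching or configuration-management plan.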

“While many defenders believe their security processes are optimised – and their security tools are effective – in truth, their security readiness likely needs improvement,” the report said.

For example, CISOs must improve their approach to protecting against increasingly sophisticated cyber attack campaigns, the report said.

Cyber criminals are expanding their tactics and adapting their techniques to carry out cyber attack campaigns in ways that make them harder to detect and analyse, the report said. The top three trends identified for 2014 are snowshoe spam, web exploits hiding in plain sight and malicious combinations.

John N. Stewart, senior vice president and chief security and trust officer at Cisco, believes that security needs an “all hands on deck” approach, where everybody contributes, from the board room to individual users.

Throughout 2014, Cisco threat intelligence research revealed attackers have increasingly shifted their focus from seeking to compromise servers and operating systems to seeking to exploit users at the browser and email level.

“We used to worry about DoS [denial of service], now we also worry about data destruction. We once worried about IP theft, now we worry about critical services failure,” he added.

Stewart said adversaries are increasingly proficient, exploit weaknesses and hide their attacks in plain sight. “Security must provide protection across the full attack continuum and technology must be bought that is designed and built with that in mind,” he said.

Stewart said that if attacks are on critical systems, organisations should not try to deal with them alone, but should engage with professional networks and law enforcement for help. It is time for corporate boards to take a role in setting security priorities and expectations, the report said.

Cisco’s five security principles for CISOs state that security must:

- support the business;

- work with existing architecture and be usable;

- be transparent and informative;

- enable visibility and appropriate action;

- be viewed as a people problem.

According to Stewart, organizations need to build a capability to detect and contain attacks quickly to ensure as little impact as possible on critical services. He said online services must be run with resiliency in mind, and all of these moves must happen now to tip the scales in favour of the defenders.