What’s on CISO's Minds in 2018?

I’ve just begun a research project on CISO priorities in 2018. What I’m finding so far is that CISOs are increasing their focus in several areas including the following:

  1. Business risk. Yes, CISOs have always been employed to protect critical business assets but in the past, this was really executed with a bottom-up perspective – from IT and security infrastructure up to business processes. Fast forward to 2018 and CISOs are moving to a top down view from business processes down to the technology. This broadens their view of risk and mandates that security controls work collectively to protect ALL the technologies used to accomplish business processes. This is a profound change that challenges even the best CISOs and security organizations.
Topics: Cybersecurity risk management data security CISO identity management

Data and Identity: Two New Security Perimeters

CISOs tend to spend the bulk of their cybersecurity technology budgets on endpoint, server, and network security controls. This makes sense from a historical perspective, but these IT assets are in a state of flux today. Endpoints are often mobile devices rather than Windows PCs, while servers are virtual or cloud-based workloads. Meanwhile, networks are also moving to a virtual model composed of public and private network segments.

Topics: Cybersecurity data security

Enterprises Are Not Monitoring Access to Sensitive Data

If you want to make a cybersecurity professional uncomfortable, simply utter these two word: ‘Data exfiltration.’ Why will this term garner an emotional response? Because data exfiltration is a worst-case outcome of a cyber-attack – think Target, the NY Times, Google Aurora, Titan Rain, etc. Simply stated, ‘data exfiltration’ is a quasi-military term used to describe the theft of sensitive data like credit card numbers, health care records, manufacturing processes, or classified military plans.

Most enterprises now recognize the risks associated with data exfiltration and are now reacting with new types of security technologies, granular network segmentation, and tighter access controls. Good start but what about simply monitoring sensitive data access activities? You know, who accesses the data, how often, what they do, etc.?

Topics: Cybersecurity Information and Risk Management Dell google data security Symantec identity and access management security analytics

Managing IT Risk Associated with Mobile Computing Security

When BYOD was coming to fruition a few years ago, it had a sudden and deep impact on IT risk. Why? Many CISOs I spoke with at the time said it was purely a matter of scale. All of a sudden, large enterprises had thousands of additional devices on their networks and they struggled to figure out what these devices were doing and how these activities impacted organizational risk.

Topics: IBM Cybersecurity Cisco Information and Risk Management Citrix data security CISO Enterprise Mobility