CSO of the Year: John South, Heartland Payment Systems

With these advantages, they probably can't be beaten. Just like bank robbers and drug dealers, cyber criminals and nation-state actors are part of a criminal lethality that will never go away. But we should all collectively strive to make it so difficult for them to conduct their attacks that it depreciates their economic and political incentives and cripples their operations. At best, we may eventually reach a point where we can effectively stop the majority of attacks at the carrier level then track the criminals down and bring them to justice.

SC: What is on your future agenda at Heartland?

JS: My agenda is to continue improving Heartland's security strategy to take advantage of emerging technologies, such as BYOD and the cloud, while staying focused on the security implications of merging these technologies into our infrastructure. I will also continue to press for improvements in industry-government sharing and advocate that the value in the intelligence that we gather is in the sharing of it.

SC: What are the threats/newer applications that you think you and others in your position must address this year? How will you do this?

JS: One of the major threats that will be facing all of us over the next year is the increasingly aggressive DDoS attacks against elements of our critical infrastructure. I would not assume that these attacks will be only aimed at major companies like we have recently seen focused toward the major banks. As cyber criminals perfect their attack vectors, I would expect to see new targets to emerge in the weak links of corporate networks, such as the crucial junctures of companies' supply chains as well as their customers' networks. Attacking the weaker links may give the adversaries an edge in compromising the country's critical infrastructure. 

BYOD will challenge all of us as this is, but the tip of the ever-evolving iceberg. Over the next few years, I expect to see more applications and infrastructure built around mobile platforms. Cloud computing will have similar challenges for us in the future, particularly in maintaining full diligence of data and applications. In the cloud, the presence of data may take on all new meanings. 

SC: What are the security technology essentials that organizations should have in place?

JS: One of the more important tools, as always, is a comprehensive logging and review process. Today, it's critical that this capability be tied into an active intelligence process that allows trained resources to quickly and efficiently identify anomalous behavior. Two other technical capabilities can be associated with this process. As our adversaries need to be able to communicate back to their own devices, having a mechanism for quickly identifying command-and control-channels as they are established is essential. In addition, as we share malware and attack indicators, having a tool that allows you to quickly locate the presence of the indicators on the network provides a distinctive edge.

SC: What tips would you give to individuals looking to enter the field of information security?

JS: Build a strong base of understanding around the technical side of security, but be able to discuss your strategies in business terms. You will have to sell your ideas to your business leaders and perhaps even your company's board of directors; therefore, you must be able to build a business case around your strategy to show not only the technical but business advantages. The more lucid and compelling an argument you present, the better chance you have of selling and implementing your idea. In addition, if you are completely new to the field of information security or if you are still in school, try to find a company that is offering an internship program, which will give you an opportunity to showcase your capabilities and gain relevant experience. 

SC: What's your best advice to others when it comes to building a strong security program?

JS: The most important aspect of building of a strong security program is having the right team, and the right size team, in place. There's no right answer to what the right number of people is; no magic formula exists. However, it's essential that you have team members who can operate effectively without direct supervision, who can independently decide how to approach a security question and who act as internal security consultants. As such, security team members need to understand how to listen to business leaders and help translate their needs into a strong security program. While this process needs to start early in the project lifecycle, the security team should be engaged throughout the various stages of development and deployment.