In the wake of aggressive press coverage of recent major breaches at companies from Target to Neiman Marcus, cyber security has finally moved out of the shadows to become a top-of-mind issue at major enterprises. The new focus is dramatically changing the landscape for security leaders and business executives who no longer struggle to convince their boards of the seriousness of the threat.
The sea-change was one of the big takeaways from a session I moderated at the recent SINET Showcase 2013 in Washington, D.C. The panel of leading CISOs from top companies made it clear that they no longer have to shout cyber security warnings from the ramparts. Their boards are now aware of the looming threats…and they are scared.
“Thanks to the New York Times and Wall Street Journal, now I don't have to go and educate the board or the senior leadership team. They're asking me questions,” said panelist Jay Leek, CISO of Blackstone, a diversified financial management company.
Just as important, the high-profile coverage means that cyber security is no longer seen as just an IT problem requiring an IT solution. The threat may enter through IT systems, but there is now board-level awareness that the risk affects the entire enterprise.
“It's sensitive data, and if that were to get lost, there's a loss of trust that those patients may not come back and we're out of business,” said panelist Bill Dieringer, CISO for Ardent Health Services. “So it is very much a business problem, not just an IT problem.”
The greater board-level awareness is leading to a new emphasis on education and corporate culture. The challenge now is to stop sweeping security issues under the rug and change the business culture to get partners to take them seriously.
Enterprise security leaders also want to understand what is happening on their networks and systems at all times, both internally and externally. That means continuous visibility into how those systems are behaving, and the use of analytics to detect threats and to build protections that actually work. There is still work to be done on that front, though.
Progressive companies are also moving away from building taller walls for protection, instead investing in planned responses to minimize the impact of the most likely threats. “We can't build a sarcophagus,” said panelist Jim Nelms, CISO for the Mayo Clinic, “so we're actually tearing down the walls, because the data has to be where the patient is.”
So, what does that mean in the real world? Enterprises choose their security solutions according to a number of key principles:
Rich APIs and open standards – Companies want to integrate their security solutions with the rest of their systems, and add on their own applications.
Scalability – Too many off-the-shelf solutions don't scale to the enterprise level.
End-user convenience – Security solutions that put too many burdens on end-users don't get used, and can actually hurt employees.
Innovation and speed – The threat landscape is always changing, and enterprise security vendors need to keep up. “60 percent of the canned solutions that we're using are smaller, innovative companies rather than legacy systems,” said Nelms.
The continuing barrage of high-profile hacks has moved security out of IT's back room and forced the executive team to invest in better security technology and improved education.
Specifically, enterprises want real-time, 24/7 visibility into the state of their systems – as well as swift, effective responses to attacks and breaches. The security solutions they choose have to be open and scalable, but can't slow down the speed of business.