How has the role of the CISO changed in general?
I think it’s gone very strategic in nature now versus in the earlier days when it was very much about the very tactical of all management, so we see a lot more CISOs being either direct reports into the CIO or we see them now coming out from underneath the CIO altogether and reporting in to either a CFO or COO.
I think that’s important because most of the strategies roll from the top and once the top is in alignment and the CISOs are attached to that, then they have a better opportunity to go and try to implement plans.
How is the corporate network environment changing?
A couple of examples of that are the whole movement around shadow IT. A lot of the organizations out there aren’t even familiar with the cloud-based systems that they allow employees to have access to. That also means that they aren’t aware of all of the major platforms that people are using, thus an increase in security risk. So you see shadow IT, you see mobile apps being downloaded. The data has shown us that, I think, the last numbers I have seen were that some 97 percent of all Android mobile apps have some kind of security or privacy risk associated with them, and yet those are the very apps that are being downloaded by employees that also may have corporate data sitting on devices.
Then you’ve got the Internet of Things, which means a lot of things to different people but mostly devices that are now being connected and not protected. In our roles as consultants, we do a lot of work looking at things like infusion pumps and home automation systems and on and on that now have IP addresses. You see that convergence of things is creating quite an interesting challenge just for the CISOs to keep up. That evolving business model is one of the biggest issues that they’re facing.
The other one is complexity. We’ve always said that the weakest link in security is people and we’ve now put into the hands of the weakest link technologies that the CISOs may or may not have visibility into. I think the challenge you run into is that a lot of attacks still happen at the application layer and now you have less visibility to those apps, which is going to create the opportunity for increased risk among the employees.
I think the other one is just the standard thing, the loss [of devices]. You’ve got form factors, you’ve got things that can be lost, things being left behind, whether they be tablets, whether they be mobile devices and so a combination of factors, not to mention all the things that go beyond that out to your third parties and external parties.