CIO Vision: Next Generation Security Executive Summary  

3 February 2015:


Introduction

Research from IBM’s global monitoring operations found that the average company experienced more than 91 million security events in 2013. As the number of security events grows, so does the need to analyze and manage them more efficiently. Cyber criminals are getting smarter: they can compromise systems and bypass defenses while blending into the background noise of an organization’s operations, or exploit employees who inadvertently put the business at risk through human error. The security strategies and investments of the past will no longer protect against these new classes of attacks. IT must design new security strategies that limit the new risks and apply intelligence to protect the organization and its assets through new analytics, innovation, and a systematic approach to security.

It was against this backdrop that CorporateLeaders, in partnership with IBM, recently hosted the exclusive CIO Vision Roundtable Meeting on “Next Generation Security”. The meeting was keynoted by Nick Coleman, Global Head of Cyber Security Intelligence at IBM, Ian West, Chief Cyber Security at NATO Communications and Information Agency, and Peter Berghmans, Trainer, Thomas More & Data Protection Institute and Data Protection Officer, GZA Ziekenhuizen. Jesper Lillelund, Partner & Co-Founder of CorporateLeaders, acted as moderator and Dirk De Bevere, Integrated Technology Services Director Benelux at IBM, was the host and part of the debate panel.

Will I be affected?
Nick Coleman, who prior to joining IBM was the UK National Reviewer of Security and wrote the ‘Coleman Report’, told delegates that senior executives often ask him “how they can get a framework in place to address the cyber challenge, and what good looks like.” He added: “Some still look at cyber with a zero-tolerance mentality, saying they want to make sure attacks they experience never happen again. In reality, this is an unrealistic aim.”

Being more realistic
With the average 15,000-employee organization likely to record 1.7 million ‘security events’ every week, the solution, he argued, is “to get to a level of sophistication where you can spot attacks, and respond to, and manage them appropriately so that you have less disruptive events and can limit the damage.”

Coleman told the meeting that this means accepting that a security attack is more, not less, likely to happen. According to IBM Center for Applied Insights research, 83% of security experts know that external threats have increased. The mindset one should have, he said, is simply to accept that attacks will happen all the time. He said: “We’re not going to be able to deal with everything manually, but we need to ask if our capability is proportionate and whether we can manage the disruption to a level that makes sense for the organization.”

Be focused, be resilient, be real-time
Resilience is about making it harder for attacks to happen in the first place. “This means having the right eco-system to tell me what’s happening to my neighbors and to tell me what’s happening about the threats which might come to me.

As everything else starts to be connected, the challenge of understanding what’s really happening and spotting things fast with that intelligence becomes harder. The good news is that new capabilities are emerging – as an industry we are moving to something called stateful inspection, which looks at real-time behaviors. If something looks unusual and you’ve got the capacity, you can then pick it up and understand what they’re after.

The fact is, we can’t protect everything. So let’s figure out what we want to protect and let’s make sure that when we see an attack and it starts to target our critical assets, we can react in real time.”

There are internal threats too
To explain just how networks can be protected, Ian West of NATO stated simply that in his mind many forms of attack were one thing, and one thing only: espionage. “That’s what describes someone who is after your secrets,” he said. But he argued that the sorts of things agencies like NATO have to deal with are actually very similar to the problems mainstream businesses face too.

One thing West was clear about, however, was not to forget the (mostly accidental) internal threats that are likely to happen too: “You can spend lots of money encrypting data, and creating closed systems, only to find that somebody then takes an enormously sensitive secret document from the closed network, transfers it to an internet-connected system and tries to send it out over the internet.”

The 24/7 world
West looks after up to 100,000 user accounts and 10 levels of security. The strength of his Agency, he said, comes from having a common purpose. “There is no 100% security, we know that. So when something does happen we’ve got the ability to detect and respond and recover from it.”

He said: “We’ve just gone through a huge modernization process, giving us a lot more emphasis on centralization across the enterprise, including full 24/7 incident response. Some might say having this is obvious, but for our first eight years, our security set-up was during office hours only. When I went home on a Friday afternoon it felt like I was hanging a sign outside on our website saying, ‘Please don’t hack us, we’ll be back on Monday morning’.” He said: “Attacks can happen from anywhere in the world, so security is a 24/7 global issue now. So we’ve updated our tools – everything from having online computer forensics, intrusion detection systems, online vulnerability assessments and log analysis. You have to be able to look into your networks for these indicators of compromise. What people have to remember is that IT security is a journey, not a destination, because of the way that technology is evolving.”

Products create information
The protection of personally identifiable information is, of course, part of an IT security expert’s job. Being vulnerable to security threats may impact the privacy of your customers. Is the privacy risk within the scope of a cyber threat program?

The answer is yes, according to Peter Berghmans, Data Protection Officer and Privacy Expert. In his speech he argued that the Internet of Things is connecting basic products, and that even products like TVs are no longer simple items. Most collect information on customers – everything from data on what is watched, liked, and recorded. “Given information has now become part of a product’s value chain: provided by the customer, managed by the manufacturer,” Berghmans said. Companies that ‘collect’ the information now have to meet more than the IT security baseline. “We have to ask questions about whether or not this new information is information you should keep and use,” he said. These questions enlarge the scope of current security programs.

Privacy by design
To understand this, according to Berghmans, the next big trend for IT experts will be thinking about so-called ‘privacy by design’ – creating products and services that correctly balance the gain consumers get from a product against the privacy they ‘give’ (not always consciously) for having it. This is the so-called security paradox.

He said: “When Apple launched Apple Pay, it simply said: ‘we don’t know about your financial transaction; we just support it’. This is a design policy decision that’s been made. This gives Apple a real advantage against the Facebooks and Googles of this world which do process people’s data.”

Referring to a new European privacy regulation coming up, Berghmans concluded: “Being in control will be more important than it is today. Today you can choose whether or not you are in control, as current privacy regulations are difficult to enforce. Tomorrow, with new regulations coming into play, this will become more difficult.”

Conclusion

Having the right eco-system, built to a level of sophistication where companies can spot attacks, respond to them and manage them appropriately, is critical. But as the number of security events grows, analyzing and managing them efficiently gets harder. Companies can’t protect everything, but they need to figure out what they want to protect and must make sure that when attacks are spotted targeting critical assets, they can react in real time.

As security is a 24/7 global issue, companies need to have up-to-date tools – everything from online computer forensics, intrusion detection systems and online vulnerability assessments to log analysis. IT security is a journey, not a destination, because of the way that technology is evolving. And the protection of private business data is a security issue as well as a privacy issue.
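The conclusion ties together three of the meeting’s points: know which assets are critical, look into your logs for indicators of compromise, and rank what needs a real-time response. The following is an added illustration of that triage logic in Python; it is not code from the roundtable, from IBM or from NATO. The log format, the asset inventory, the hostnames, the IP addresses and the indicator values are all constructed for the example.

```python
"""Toy detection pass over constructed log lines.

Added example, not code from the roundtable or from any vendor. It scores
each match by the criticality of the affected asset so that the events
touching the assets you most want to protect surface first.
All hosts, addresses and indicators below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Hypothetical asset inventory: criticality 3 = most critical, 1 = low value.
ASSET_CRITICALITY = {
    "fileserver01": 3,
    "payroll-db": 3,
    "kiosk-07": 1,
}

# Constructed indicators of compromise (documentation-range address, made-up UA).
IOC_IPS = {"203.0.113.45"}
IOC_USER_AGENTS = {"EvilBot/1.0"}
LOGIN_FAIL_THRESHOLD = 5  # alert once a source reaches this many failures on a host

# Assumed key=value log layout: timestamp, host, source address, event, optional UA.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) event=(?P<event>\S+)'
    r'(?: ua="(?P<ua>[^"]*)")?'
)

# Constructed sample log: one kiosk hit by a known-bad bot, a brute-force
# run against the payroll database, a known-bad address reaching the file
# server, and one malformed line to show the parser tolerating garbage.
SAMPLE_LOG = """\
2015-02-03T09:00:01Z host=kiosk-07 src=203.0.113.45 event=http_get ua="EvilBot/1.0"
2015-02-03T09:00:02Z host=payroll-db src=198.51.100.9 event=login_failed
2015-02-03T09:00:03Z host=payroll-db src=198.51.100.9 event=login_failed
2015-02-03T09:00:04Z host=payroll-db src=198.51.100.9 event=login_failed
2015-02-03T09:00:05Z host=payroll-db src=198.51.100.9 event=login_failed
2015-02-03T09:00:06Z host=payroll-db src=198.51.100.9 event=login_failed
2015-02-03T09:00:07Z host=fileserver01 src=203.0.113.45 event=smb_connect
this line is not in the expected format
""".splitlines()


@dataclass(order=True)
class Alert:
    score: int    # asset criticality x indicator severity
    host: str
    reason: str


def parse(line):
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Match lines against the indicators and return alerts, highest score first."""
    fails = {}       # (host, src) -> failed-login count
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # malformed line: skip it rather than stop the whole pass
        crit = ASSET_CRITICALITY.get(ev["host"], 2)  # unknown hosts rank as medium
        if ev["src"] in IOC_IPS:
            alerts.append(Alert(crit * 3, ev["host"], f"known bad source {ev['src']}"))
        if ev.get("ua") in IOC_USER_AGENTS:
            alerts.append(Alert(crit * 2, ev["host"], f"known bad user agent {ev['ua']}"))
        if ev["event"] == "login_failed":
            key = (ev["host"], ev["src"])
            fails[key] = fails.get(key, 0) + 1
            if fails[key] == LOGIN_FAIL_THRESHOLD:  # fire once, not on every extra failure
                alerts.append(Alert(crit * 2, ev["host"],
                                    f"{LOGIN_FAIL_THRESHOLD} failed logins from {ev['src']}"))
    return sorted(alerts, reverse=True)


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_sample():
        print(f"score={a.score} host={a.host}: {a.reason}")
```

The scoring is deliberately simple: the same indicator on the file server outranks the same indicator on a kiosk, which is the “figure out what you want to protect” point made above, and the brute-force rule fires once at the threshold rather than on every subsequent failure, so a noisy source does not flood the queue.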
