5 Strategic Priorities For Chief Security Officers In 2018

Oracle

If your company finds itself in the news this year related to cybersecurity it will probably mean you’ve been breached. And if you’ve been breached, the chief security officer’s (CSO) job is on the line. And maybe that of the CSO’s bosses as well. So motivation is high to keep data and IT systems secure. But how?

Gone are the days when the CSO could hope to shelter employees and IT resources behind a firewall. In fact, many of the CSO’s peers are likely charging ahead on initiatives that will further open the doors to potential dangers by shortening application development cycles, adding more public cloud services, and increasing mobility for employees and their expanding list of devices.

In 2018, the CSO’s job is to help the organization achieve these goals of growth and openness while helping peers clearly understand the risks and implement appropriate risk mitigation. A tall order, to be sure. But prioritizing these five tasks, says Akshay Bhargava, vice president of the cloud business group at Oracle, can help make it happen.

1. Integrate Security into Development

“More than anything else, developers want their software to get used,” says Bhargava, and that can work in the CSO’s favor. “The first thing potential users will see when they access a new application is its security and identity process,” says Bhargava, who cites a recent McKinsey study showing that both ease-of-use and security are necessary if an app is to gain and retain users. “Ease of use is important and developers know that,” he says, “but if the app is perceived as insecure, usage drops off fast.” Consider cloud-based identity management services that give developers a quick way to make their application’s authentication processes both powerful and easy to use.

Also, “embed security practices into the development lifecycle and not an additional measure to be tacked on,” says Bhargava. Otherwise, he says, “developers will focus on fast development and release cycles and will treat security as optional.”

In 2018, CIOs must work with app developers to map out a secure DevOps process that doesn’t ask them to stop the bus for separate security guidelines. “Be proactive and define appropriate technologies, processes, and developer training that ensures security is embedded throughout the development lifecycle,” says Bhargava. For example, Oracle Software Security Assurance (OSSA) is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products.

2. Automate IT Processes to Protect Data

In 2018, two data security problems are screaming for more automation.

First is security alert overload. There are too many security alerts coming from across today’s hybrid IT systems (think tens of thousands) for humans to manage. Second is unpatched vulnerabilities: far too many IT assets go unpatched, leaving known security vulnerabilities unaddressed. “That’s because an IT team needs to find a time to bring down the software and patch it, and there’s never a good time to do that,” says Bhargava. This means that applications, databases, open source software, network software, servers, “all remain unpatched long after a vulnerability is found and widely shared between hackers.”

In short: CSOs find themselves with too many alerts to track, even if they manage to find well-trained IT security staff, and too much unpatched infrastructure that’s just begging for hackers to exploit.

Both problems are ripe for solving through automated processes that take the humans out of the equation as much as possible. To manage security alerts, CSOs should look for cloud services, such as the Autonomous Database from Oracle, which brings massive compute power and machine learning to the process of finding, vetting, and resolving security alerts without humans getting involved. CSOs should evaluate public cloud infrastructure for automatic patching across the entire stack of software that supports their application—while the app is running, the moment a patch is available.

3. Think Holistically About Regulation and Reporting

“Almost as important as protecting the data is showing that you’re protecting the data,” says Bhargava. There are two chief reasons for this. One is that regulators are putting more teeth in data security rules, such as the European Union General Data Protection Regulation, or GDPR, which comes into effect on May 25. “People’s eyes go wide when they see the regulations that are coming,” says Bhargava. “They open businesses to the steepest fines we’ve ever seen.”

Second is that CSOs need to improve their efficiency in regulatory compliance. In a Society for Information Management (SIM) survey of 1,178 CIOs and other IT leaders, cybersecurity came up as their companies’ No. 1 IT challenge, and the issue that’s most personally worrisome to them. But their companies actually spent less money on cybersecurity in 2017 as a percentage of their IT budgets than in 2016. In 2018, CSOs need to continue to pull together more of their IT landscape into a system that kicks out regulatory reports as a matter of course.

An important side benefit of this process is that it helps the CSO/CIO report up to the CEO and the board with a meaningful measure of the organization’s cybersecurity stance. This leads to our next priority.

4. Give Your CEO and Board Clear Metrics on Security

CEOs and boards find security extremely complex and obscure to evaluate. For this reason, it is more important than ever to have clear and easily understandable metrics about security. They need visibility into the organization’s risk level so they can make informed decisions on how best to mitigate risks, reduce costs, and continue to innovate.

For example, “the typical organization’s Security Operations Center (SOC) gets thousands of alerts every day,” says Bhargava. The CSO should be able to report on how those alerts are being handled with metrics like the Mean Time to Respond. “These metrics show, ‘here’s how many alerts we got, here’s how many were legit, here’s how long it took us to respond to the legitimate ones,’” says Bhargava. “A shorter Mean Time to Respond shows that hackers have less time to get in and get out before your security controls stop them. And that will make sense to the CEO and the Board.”

This goes back to the automation mentioned above. The CSO should prioritize the implementation of automated software that can receive alerts and use machine learning to catch anomalous behavior and know what to do with it. “Everything is orchestrated, analyzed, addressed, and closed out with no humans involved,” he says. Then the system can kick out a Mean Time to Respond report that will help company leaders feel more informed about IT security.
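The metrics Bhargava describes (alerts received, alerts that were legitimate, and how long the legitimate ones took to resolve) are straightforward to compute from a SOC's own alert records. The following is an added example written for this page, not code from Oracle or from any product mentioned in the article. It assumes a simple CSV export with one row per alert, an analyst verdict column, and a containment timestamp that is empty while an alert is still open; the column names, the sample rows and the verdict labels are all constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional

# Constructed sample export: one alert per row. The format and values are
# assumptions for this example, not the output of any real SOC tool.
SAMPLE_ALERT_LOG = """\
alert_id,raised_at,verdict,contained_at
A-1001,2018-03-01T08:00:00,true_positive,2018-03-01T08:45:00
A-1002,2018-03-01T08:05:00,false_positive,
A-1003,2018-03-01T09:10:00,true_positive,2018-03-01T11:10:00
A-1004,2018-03-01T09:30:00,false_positive,
A-1005,2018-03-01T10:00:00,true_positive,
A-1006,2018-03-01T12:00:00,true_positive,2018-03-01T12:30:00
"""


@dataclass
class Alert:
    alert_id: str
    raised_at: datetime
    legitimate: bool                 # analyst verdict: true positive or not
    contained_at: Optional[datetime]  # None while the alert is still open


def load_alerts(text: str) -> List[Alert]:
    """Parse the constructed CSV export into Alert records."""
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        contained = row["contained_at"].strip()
        alerts.append(Alert(
            alert_id=row["alert_id"],
            raised_at=datetime.fromisoformat(row["raised_at"]),
            legitimate=(row["verdict"] == "true_positive"),
            contained_at=datetime.fromisoformat(contained) if contained else None,
        ))
    return alerts


def compute_soc_metrics(alerts: List[Alert]) -> Dict[str, Optional[float]]:
    """Volume, triage and time-to-respond figures for a reporting period.

    Mean Time to Respond is measured only over legitimate alerts that have
    actually been contained; open legitimate alerts are counted separately so
    a long-running incident cannot hide by being excluded from the average.
    """
    legit = [a for a in alerts if a.legitimate]
    closed = [a for a in legit if a.contained_at is not None]
    ttr_minutes = []
    for a in closed:
        delta = (a.contained_at - a.raised_at).total_seconds() / 60
        if delta < 0:
            # A containment time before the alert was raised is a data error,
            # not a fast response; refuse to report a misleading number.
            raise ValueError(f"{a.alert_id}: contained_at precedes raised_at")
        ttr_minutes.append(delta)
    return {
        "alerts_received": len(alerts),
        "alerts_legitimate": len(legit),
        "alerts_false_positive": len(alerts) - len(legit),
        "legitimate_open": len(legit) - len(closed),
        "mttr_minutes": mean(ttr_minutes) if ttr_minutes else None,
        "median_ttr_minutes": median(ttr_minutes) if ttr_minutes else None,
        "max_ttr_minutes": max(ttr_minutes) if ttr_minutes else None,
    }


def board_summary(metrics: Dict[str, Optional[float]]) -> str:
    """Render the metrics in the plain form an executive audience expects."""
    mttr = metrics["mttr_minutes"]
    mttr_text = f"{mttr:.0f} minutes" if mttr is not None else "n/a"
    return (
        f"Alerts received: {metrics['alerts_received']}; "
        f"legitimate: {metrics['alerts_legitimate']}; "
        f"still open: {metrics['legitimate_open']}; "
        f"mean time to respond: {mttr_text}"
    )


if __name__ == "__main__":
    print(board_summary(compute_soc_metrics(load_alerts(SAMPLE_ALERT_LOG))))
```

Reporting the median and maximum alongside the mean matters in practice: a single slow incident can dominate the mean, and the maximum is what leadership will be asked about after a breach, so showing the spread keeps the headline number honest.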

5. Protect the Brand

When hackers strike and data is lost, “the hit to your brand reputation can be much costlier than the system outage,” says Bhargava, who notes that even the most venerable brands can lose billions of stock market value as a result of a breach. But a CSO can help stem the tide of bad press by showing a quick and professional reaction.

“Hope for the best, but plan for the worst,” says Bhargava. Have an incident response process for these eventualities that includes everyone involved, he says, from the IT security team to the legal, communications, and executive teams. “Transparency is key,” he says, noting the 72-hour window for data controllers to report a data theft to regulators under the GDPR. “The best companies will have cybersecurity fire drills to simulate how they’re going to react and communicate.”

“As the CSO, it’s always best if you can find the inevitable hackers and stop them before they steal your data,” concludes Bhargava. But if that doesn’t happen, he says, have clear guidelines in place and train the company to follow them.

Jeff Erickson is editor at large for Oracle.