Today's CISOs are doing one of the hardest jobs in the world - definitely the hardest job in the enterprise. They are under constant pressure to be right, while cyber criminals need only be right once.
Andrzej Kawalec, CTO of Enterprise Security Services at HP, says, among other things, CISOs need to constantly try to understand the depth of today's threats, and be able to respond in different ways.
"Add to this that the online population growth, from 32.7% today, to an estimated 60% by 2020, is creating new marketplaces and widening the attack surface, which makes the job even harder."
According to Kawalec, even more frightening is that it is estimated that, by then, 10% of that online population will have the skills to take advantage of cyber threats - equating to a million new hackers in a few years.
"CISOs also need to be able to answer the important question of 'are we safe?' and in today's environment of new threats such as APTs, nation states and hacktivists, this is not easy. The environment has become sophisticated - we face an integrated, economic threat model."
Several alarming statistics compound the problem, says Kawalec. "Firstly, it takes an average of 243 days to detect that a breach has taken place. Even more frightening, 94% of breaches are reported by a third party - a scary statistic for the CISO, who ideally would want to be the first person to know."
In addition, time to resolve an attack has grown by 71% since 2010. "Moreover, 56% of organisations have been the target of an attack, and 44% of all breaches involve third-party mistakes. The average cost of an incident is now estimated to be $8.6 million."
At the same time, only 2.8% of the IT budget is spent on security, 60% of which is focused on reactive measures, he explains. "Another great imbalance is seen by the fact that 80% of the security budget is spent on infrastructure, and 20% on managing process and controls. This should be reversed, particularly when considering that 84% of attacks occur at the application layer."
This all adds to the pressure on the CISO.
The challenge
The challenge for today's CISO, says Kawalec, is to deliver a risk level to the board, and give them confidence that they are doing the right thing, and are secure.
"Unfortunately, there is a disconnect between security and business. The perception is that information risk is making organisations less agile."
There are several factors influencing this, he says: legacy technologies, a shortage of talent, the new style of IT, and a lack of visibility and understanding. "It is no longer enough to monitor; what you see must be translated into intelligence."
Today's CISO has three main tasks - disrupt the adversary and stop internal and external threats in real time; manage the risk by responding faster and improving the risk posture; and extend capabilities, through security consultancies.
To effectively deal with the ever-changing landscape, CISOs need to decide what level of risk they are willing to accept. They must understand the threats they face, and provide robust solutions to deal with those threats.