CIO Zone

The CISO vs the cyber criminal

The chief information security officer (CISO) could be spending his cyber security budget incorrectly.

Johannesburg, 08 Jan 2019
Read time 6min 20sec
Brett Skinner, security risk and governance manager, South Africa, Micro Focus.
Brett Skinner, security risk and governance manager, South Africa, Micro Focus.

Cyber criminals have evolved radically over the past 10 years, and have become a lot more sophisticated than the hacker of old. Today's cyber criminal belongs to a highly organised group that makes big money out of its efforts. In fact, cyber crime is up there with industries like manufacturing and farming when it comes to the amount of revenue generated.

Brett Skinner, security risk and governance manager for South Africa at Micro Focus, says: "Security budget allocations are generally split 80-20, with the majority portion going towards perimeter security and the smaller percentage being left for other security initiatives, including defending the organisation against cyber crime activities."

Skinner advocates a holistic strategy to combat all possible types of threat on the organisation's networks, data, identities and applications, as opposed to a piecemeal approach, which far too many businesses still adopt, often to their detriment.

"Cyber crime has gone from being an activity carried out by an individual to having an entire industry built around it, to the extent that it's even funded by certain countries for the revenue.

An estimated $1.5 trillion revenue stream is estimated to come from cyber crime. That's bigger than most countries' GDP. "Yet, despite the undeniable proof of the escalation in threat from cyber criminals, corporates are still routinely allocating 80% of their budgets to perimeter security, which is a very old-school and short-sighted approach," says Skinner.

This mismatch between what corporates are spending their IT security budgets on and what cyber criminals are doing is one of the reasons cyber crime is so successful and a growth industry to boot.

"Perimeter security is exactly what the new cyber crime industry wants corporates to do, as this old-fashioned approach to hacking into a network has fallen by the wayside. Today's sophisticated cyber criminal is targeting businesses through applications, users and data," says Gary de Menezes, country general manager for sub-Saharan Africa at Micro Focus.

When a company is breached, it immediately rushes out and acquires a point solution to fix that single vulnerability, not realising it's only one of many ways that cyber criminals are able to access their business.

The prevalence of the remote workforce, an increased reliance on applications and growing acceptance of bring your own device create vulnerabilities that perimeter security can't defend against. This doesn't mean perimeter security is a waste of money, counters Skinner, but it does mean you need to be sure that the person who is already on your network (ie, inside that wall of perimeter security) and accessing your data is an authorised user.

A huge step in the right direction is the rise of the chief information security officer, or CISO. However, as a relatively new role within the organisation, the CISO may not yet have sufficient support from board level, but this is largely because there's a lack of understanding about the responsibilities of a CISO, says Skinner. "As highlighted previously, there's still too much focus on perimeter security and no clear understanding of what else needs to be protected."

Another significant change in the way that today's cyber criminals go about their business is that they are sometimes inside the networks, exfiltrating data for weeks and even months before they're detected. There's a misconception that hackers are quick to enter and then exit once they have what they need. Today's hackers entrench themselves inside the company networks for months and slowly siphon off the data. This can't be detected or fixed with perimeter security measures. Paul Cripsey, presales solutions consulting director at Micro Focus, says: "It's clear that simply building a higher perimeter wall is not the answer."

While CISOs are crying out for more budget allocation, De Menezes says the bottom line is that most companies simply can't afford to triple or even double their security budget. One way of controlling cyber security spend is to appoint a data officer who is solely responsible for the company's data. De Menezes says: "The business needs to decide which data it needs to protect and which data is not that valuable. The cost will be prohibitive to encrypt and protect all of the data across the enterprise all of the time; you must have a clear idea of what you can and should protect."

This dilemma is shared by the board and the CISO, CIO, CDO and everyone else in the business. The problem, says Skinner, is the corporate response to security threats is generally much slower than the pace at which cyber criminals are evolving their craft. Cyber criminals are organised and agile in their attacks. Businesses are often neither in their response.

"Organisations need to adapt their security strategies to protect their applications, their users and the data, and worry less about perimeter security. And they need to re-balance their security budgets accordingly."

Skinner and De Menezes aren't advising companies to ditch perimeter security completely, they are saying it must be fit for purpose and it has to be part of a more thorough security strategy that defends against threats already inside the organisation.

De Menezes explains how this occurs: "All too often, applications are developed that are insecure, and this is where some of the biggest hacks that we see originate. In the region of 80% of applications screened in 2017 were found to have vulnerabilities in the code."

Another challenge is when organisations do manual testing, and a surprising number of South Africa's biggest enterprises still do this. "Vulnerability attacks are moving much faster than humans can test," says Cripsey. "Human testers are able to check that security is performing as it should and oversee things like password security, but they don't check applications' components for vulnerabilities, for example."

Skinner concludes by saying: "Companies shouldn't be allocating the bulk of their security spend to perimeter security, but should rather focus larger parts of this spend on identities, applications and data. This shift could prove highly disruptive for the CISO, CIO or CDO, who previously advised spending 80% of the budget on perimeter security. However, if you plan your cyber security spend around what happened in the past, you'll probably fail.

"Companies need to stay ahead of cyber criminals and this can only be accomplished if the CISO stays abreast of global developments and incidents. Vendors, in turn, need to stay current with the latest threats that must be defended against and ensure that their products cater for the latest attack methods. This can only be done by collaborating and sharing information across companies, industries and borders. The ideal is to participate in a system that allows us to feed in information about cyber threats and take out value that will help us better defend against them."

See also