Regulators and security practitioners alike are engaged in an effort to realign economic incentives that seemingly put enterprises at a permanent disadvantage to criminal and nation-state hackers. New cybersecurity regulations and evolving enterprise data security strategies both hold the prospect of moving the needle in favor of data protection. This week, we look at new power structures in the executive suite and architectures in the corporate network that organizations are experimenting with to help ensure their data remains secure.
The European Union’s General Data Protection Regulation is expected to change the way companies collect, store, and interact with data. A year out from its global implementation, countries and states have begun to bring their own regulations to the table. New York State passed a law regulating the cybersecurity capabilities of financial services organizations. Since then, two US senators have proposed a bill to require public companies to disclose their cybersecurity preparedness to the SEC. The bill relies on financial incentives to shame companies with poor cybersecurity. One key requirement in the bill is that the organization report to the SEC on the cybersecurity knowledge of the board. This is an area that companies have talked about for years, but the new law would go further and hold them accountable.
New Bill Forces Cybersecurity Responsibility Into the Boardroom https://t.co/VcNiYGJhxz
— Jack Nichelson (@Jack0Lope) March 22, 2017
The CISO and the board are not always aligned on business decisions. In Yahoo’s case, the CISO resigned over an order from the CEO to collect user data. Extreme cases aside, every company can benefit from better communication between the CISO and the board. Adding board members with cybersecurity expertise can only improve this working relationship.
— Tim Grieveson (@timgrieveson) March 21, 2017
A new power couple has arrived in the C-suite: the CIO and the CISO. If the CIO is the new COO, then the CISO is the new CIO. Both positions have moved from the back office into roles that make them directly involved in business operations. Digitization, a strategic initiative for almost every company, requires consultation with the CISO. As companies invest in consumer-facing software, the role of the CISO is evolving beyond internal security and gaining new responsibilities in defining how the organization navigates trust and security for its users. A common mistake is to wait until the final review phase to solicit input from the IT security organization, by which time the project risks failing an audit for privacy or security reasons. The best practice is to involve security from the beginning, which has led to the rise of the DevSecOps role.
— seth williams (@_seth_williams) March 21, 2017
The threat landscape that is driving increased anxiety at the board level includes a ratcheting up of sophisticated cybercrime operations. Authorities recently revealed they are investigating a tie between the North Korean government and the online theft of $81 million from Bangladesh’s central bank. If the investigation concludes North Korea was involved, it would set a new precedent for governments participating in cybercrime. Kenya’s Revenue Authority fell victim to an international ring of hackers who successfully stole $39 million. Investigators call one suspect’s arrest the “tip of the iceberg” in relation to the group’s global footprint.
An IT expert has been charged with hacking into Kenya's Revenue Authority and stealing $39m
— Security Privateers (@scheidell) March 22, 2017
It is tempting to invest more money in cybersecurity and assume the problems will be fixed. The solution, however, requires smart spending as well as a sufficient budget. If a new cybersecurity tool does not integrate with existing security infrastructure, its alerts can go into a void or compete with existing alerts for the attention of the incident response team. Unsurprisingly, there has been a movement to bring simplicity to security. A new generation of cloud-based security tools offers unrivaled collaboration and integration because of APIs, which enable the seamless exchange of information between tools.
Green fields don't exist in enterprise security. Sales people should focus the pitch on how their product integrates into an existing mess. pic.twitter.com/SISoiMjfvI
— Edward Amoroso (@hashtag_cyber) March 14, 2017