The CSO of the future
- 08 July, 2014 03:41
What does the future hold for enterprise security? What will programs, roles, technologies and policies look like in five years or so?
Prognosticating can be tricky, especially in such a fast-changing digital environment. But part of the security executive's job is to not only keep up with the latest developments, but also to anticipate what might come next so companies can prepare to handle challenges. CSO interviewed security executives about the future and where they see their discipline headed. Here are some of the major trends they expect to see.
Changing role of the security officer
There will be a continued convergence of physical and cybersecurity, and this will affect the role of the security executive, says Roland Cloutier, CSO at ADP, a provider of human resources, payroll, tax and benefits administration services.
"The management [issues] of physical investigatory and cybersecurity functions are so interrelated that it just makes sense to have a single management function that has appropriate transparency and oversight," Cloutier says. "We will still have global metrics for all those [security] service areas and there will still be service silos," but they will all be managed under one department, he says.
"I believe that's where the [corporate security] world will be headed, and it's already in the nascent stages," Cloutier says. "This has been a topic for security executives in the last few years, but now we're seeing large organizations heading down that path."
Many companies will consolidate the CSO and CISO functions, Cloutier says. But that won't reduce the importance of either physical or cybersecurity, and the people in that role will need to be experts in all aspects of security.
Regardless of what title these individuals hold, the important factor is that all security and risk management will be under one roof. "We will not have competing security executives on either side of the house," Cloutier says. "You'll have one individual or entity that is required to make risk-based decisions for the organization."
Future security leaders will be more technically inclined than they are today, Cloutier predicts. "We've spent a lot of time saying that security executives need to understand the business or have leadership skills," he says. "But I don't think you can [perform] this role in the future unless you have an incredible knowledge of technology."
At the same time, security chiefs will need to assert themselves as business leaders. "As the C-suite continues to recognize the importance of security, and that it must be an integral part of holistic business strategy, heads of security need to be more a part of the decision-making process for the business as a whole," says Richard Greenberg, information security officer at the Los Angeles County Department of Public Health.
And in addition to security, executives must become more proficient in data-privacy matters. "There will be more interaction between privacy and security," says Jason Taule, chief security and privacy officer at FEI Systems, a provider of information and analytics services for government entities dealing with behavioral and mental healthcare. Personal and professional information are getting harder to separate as more and more companies start using social media and big data. That blending will create tension that could lead to more legal actions, he says.
Companies will need to someone in the role of chief privacy officer, and this person should probably be the same as the top security officer, Taule says, because guarding privacy--whether it's that of employees or customers--is so closely linked to protecting data.
"I do think the security officer's job will become increasingly about privacy because we need to ensure the actions we take do not infringe on the rights of data owners, especially when the data in question has been entrusted to us for safekeeping," Taule says. "Privacy is just another question of risk. And the security officer's job is about managing different kinds of risks."
Changing roles within security departments
New security job functions will emerge in the coming years as organizations place greater emphasis on areas such as cloud computing, mobile technology and big data.
"As more infrastructure and solutions move to the cloud, job functions required to manage this will be different then what we traditionally have seen," Greenberg says. "More project -managers will need to be hired at companies as more security jobs migrate to the cloud."
"We will see cool new names like data security scientist and cloud control engineer or analyst," Cloutier says. "But we need to define what these functions mean, prioritize them and start finding people" to fill these roles.
In some cases, companies will opt to convert existing positions into these new functions, Cloutier says. For example, they might retrain a firewall technician to be a cloud control engineer.
Some observers expect to see a dramatic shift in the role of the security department itself and its relationship with other functions.
"We will see corporate security become a merger between IT security, [human resources] security, facilities security and operational security," says Michael Daly, director of IT security services and deputy CISO at technology giant Raytheon.
"And these will be part of a larger shared services function at the corporate level, supporting all of the company's businesses," Daly says.
"This is driven by cost and efficiency, but also by the convergence of -technologies that support these functions as well as the leverage gained by business analytics built from their converged data systems."
Analytics and the cloud
Data management and analytics capabilities are becoming increasingly important for organizations as they accumulate massive stores of information from a growing number of sources.
"We hope to gain much-improved predictive capability from threat analytics built on access to community and enterprise data," Daly says. "We also anticipate big gains in our privileged user and insider threat monitoring as a result of improved behavioral sensing and analytics."
Expect to see heavier investments in monitoring, alerting and response capabilities that use big-data analytics to significantly shorten response times, says James Beeson, CISO and IT risk leader at commercial finance provider GE Capital Americas. IT security will become "much more behavior-analysis driven," Beeson says.
The leading security organizations "will be the ones that are well informed, that have the ability to look broadly across not just the security technologies they hold, but the business functions, transactions and applications across the organization," Cloutier says.
"Those that look deeply into information [resources] and make sense of it, and leverage big data, analytics, artificial intelligence and machine learning will be the big winners."
Those organizations will be more likely to maintain the integrity of their networks, will have a better understanding of security trends and will be able to make security-related decisions using real-time information, Cloutier says.
Cloud-based services will help companies manage and use big data sets, Cloutier says. Because some cloud service providers will have expertise in areas such as reverse malware engineering, companies that use these services will not need to have these skills internally, he says, which cuts costs. Companies will just need to send malware data to the service provider, which will quickly review the data and send back results.
"The cloud has enabled us as security practitioners to do some innovative things with our resources without growing them," Cloutier says. But while big data, analytics and the cloud will help organizations in their security efforts, they also present new potential security threats on their own, he says. Companies will need to work with vendors to develop effective ways to protect massive stores of data that are housed both on-premise and in the cloud.
Greater focus on data protection
Information security in the future will be much more focused on protecting data than on trying to create protective perimeters around organizations in which information resides on a dizzying array of devices that are frequently in motion, Taule says.
This trend has already begun, Taule says, with companies moving away from the concept of establishing set boundaries to protect themselves. "We're continuing to the point where the only way to get a handle on this is to reassert the boundary, not at the edge of the network" but at the place where the data lives regardless of how it's accessed--whether it's via a desktop computer, laptop, smartphone, tablet, voice over IP phone, IP video camera or any other type of system, he says.
Trends such as bring your own device and bring your own anything are making it much more difficult to rely on network firewalls to protect against security breaches.
"The idea of trying to put a [single] boundary around all that is insane," Taule says. "It's no longer about putting a boundary around the network, but around the data" a company is trying to protect.
Enterprises will rely increasingly on technologies that enable them to identify which individuals should be able to access which types of data and when, Taule says. Identification and authorization is becoming ever more important in an increasingly mobile environment, as organizations need to know they can trust that a user is who he says he is.
Emerging data- and activity-management tools will allow companies to build profiles about users and track typical patterns of activity and usage, Taule says. This will help them spot anomalies that might indicate a potential data breach, much like credit card companies do today, he says. Technology such as desktop virtualization, which gives organizations more centralized control of the security of individual devices, will also help, he says.
"A big reason for using virtualization is the challenge of managing lots of images across lots of workstations," Taule says. FEI Systems has begun deploying desktop virtualization and in the future will take it to new levels, he says.
"From an application standpoint, we're working with a [vendor] to maintain a continuously secure compute platform by constantly tearing down and rebuilding applications, so that any poisoning or backdoors have no persistence, as the environment is restored anew on an ongoing basis," Taule says.
The focus on providing security from a data standpoint will only grow in the coming years as the Internet of Things becomes more of a reality.
"We going to start putting refrigerators and cars on the network, so there will be more to the network than traditional computing platforms," Taule says. "There is a lot of stuff that many may not be aware is already connected to the network," such as IP cameras, embedded systems and measuring devices. "What's worse is that vulnerabilities exist in these devices too, but they are often ignored and efforts to manage risk will only provide a false sense of security as long as unknown entry points persist."
Policy and enforcement: clearer and tougher
As security roles evolve in the future, so too will corporate security policies, experts say.
"I think we will more tightly control access to 'crown jewel' information and more loosely control everything else, [and have policies and] enforcement to match that," Beeson says. To that end, security policies will require that only "absolutely identified" users be granted any access to these critical information assets, and even that will be limited and highly controlled, he says.
Security policies in the future will need to be more specific in terms of how users should and should not behave online, and how users should handle sensitive data and leverage security technology, Cloutier says. "We have to give people better guidelines and use-case scenarios," he says. "This includes giving them how-to [instructions] in very specific environments," such as cloud services.
"Due to a heightened awareness of security and the light being shined on events by traditional media, gross noncompliance will not be tolerated," Greenberg says. "Currently, [corporate] culture determines how infractions and negligence are addressed, and it varies widely from company to company."
Some companies will come to rely more on analytics to help with security and compliance enforcement.
"Historically, most enforcement has been based on simple binary rules--Johnny copied a document that should not have been copied to a USB stick," Daly says. "Financial companies have developed more complex behavioral analytics that identify possible fraudulent activity. These more complex rules, coupled with the power of cloud computing, are enabling much more sensitive policy compliance alerting and enforcement."
Bob Violino is a freelance writer and editor. Contact him at firstname.lastname@example.org.