CSOs Face Boards of Directors to Address Risks, Network Visibility
In the aftermath of high-profile security incidents and breaches in 2011, corporate boards and senior executives are thinking about security more than ever as they hammer out budget details and resource allocations for 2012.
As part of these discussions, many boards of directors, often for the first time, are asking CSOs and chief information security officers (CISOs) detailed questions about what went well and what didn't within the origanization, Jason Clark, the CSO of Websense, told CIO Insight sister publication eWEEK. Spurred by news headlines, the directors are interested in making sure the company is secure against similar incidents, Clark said.
CISOs are getting asked about targeted attacks, malware and data breaches, but the people asking those questions don't really know what these terms actually mean, according to Clark. Very few board members have a security background and can easily get overwhelmed with jargon or technical details, Clark warned. As a result, CSOs should avoid industry or technology jargon when addressing the board. If the directors request technical details, the CSO should explain the terms in the same way it would be explained to a family member, Clark said.
CSOs should rely on numbers and specific statistics to explain the situation, by citing how many attacks were stopped, how many new programs were implemented and how many pieces of confidential data were protected from being leaked. It's often best for the CSO to equate security to dollars and cents, Clark said.
More employees are using mobile devices in the enterprise, but IT departments often don't have the tools that allow them to track what devices are being used, what applications are being accessed and who is using them, according to Clark. In a similar way, the proliferation of cloud applications, especially consumer services such as Dropbox and Box.net, means IT departments generally have no idea how much of sensitive corporate data are residing on public servers without proper data security controls.
In addition, a growing portion of network traffic is being encrypted. In the past, about 10 percent of network traffic was encrypted. With increased concerns about attackers intercepting data via man-in-the-middle attacks, more services, such as Google's Gmail, have adopted SSL by default, resulting in about 60 percent of network traffic being encrypted, Clark said. That's more than half of the traffic flowing in and out of the organizations' networks that IT staff have no visibility into.
The increase in the amount of encrypted traffic "kills" the organization's ability to detect malware, especially since many criminals have started using encrypted tunnels to communicate with command-and-control infrastructure and to transfer stolen data, according to Clark.
CISOs also need to talk with the boards about how to secure email and check both inbound and outbound communications. Many organizations have old technology to secure these critical channels but should be investing in more innovative techniques, Clark said.
Finally, CSOs need to talk to the board about the need for security intelligence so that the IT professionals are aware of what is happening in all areas of the network. Actionable information is necessary in order to address risks and respond to threats in a timely manner, Clark said.