There has never been a tougher time to be a Chief Information Security Officer. Regulatory changes across the EU have led to the introduction of much more stringent controls on how businesses should manage the customer data they collect. And any organisation that suffers a data breach will be subject to a far larger financial penalty than before – something that no CISO wants to preside over.
To add to the pressure that CISOs are under, the people attempting to steal data from businesses are becoming more sophisticated and better organised than ever. Protecting customer data from nefarious hackers is a never-ending arms race for which CISOs, with necessarily limited budgets, are increasingly ill-equipped.
It’s all enough to give a CISO a sleepless night or two. However, by understanding the threats that face them, CISOs can determine the ways in which their organisations are at risk and put the right processes and countermeasures in place.
New regulation, new concerns
The EU Council and the Parliament have adopted the new General Data Protection Regulation (GDPR), which harmonises data protection policy across Europe. The GDPR introduces new regulatory requirements for how institutions must manage the personal data they hold on their customers, including the segregation, obfuscation and encryption of data.
It is the CISO who will ultimately be responsible for implementing the technical controls and managing the processes that the GDPR stipulates. And the urgency to get everything in place could not be greater, when we consider the penalties for failure. The GDPR specifies fines of 4% of an institution’s revenue per data breach. So with fines jumping to millions, potentially billions, of pounds for a single hack, many CISOs will endure sleepless nights getting the right security measures in place.
The bad guys are moving faster than the defences
CISOs must also contend with the fact that the cyber attackers targeting western institutions always seem to be one step ahead. The number of state-sponsored hackers from China, North Korea and Iran has increased in recent years, as has the sophistication of the attacks they are carrying out. Foreign governments have invested heavily in training people with advanced hacking techniques and researching new vulnerabilities.
To make matters worse, there has been a recent proliferation of what is euphemistically called “LEGO for Malware” – simple programmes that give those with limited hacking understanding the building blocks to create malicious software. Much of the malware created through these programmes will be different enough from previous variations known to current antivirus software to bypass it. Every single day there will be new and unknown threats to guard against.
It’s difficult to explain to the C-Suite that the organisation’s security measures have gotten worse because the bad guys have gotten better. But CISOs have to go to the board and ask for more money to combat these threats, something that can be difficult when no organisation has an unlimited budget for data security.
It’s not all doom and gloom
These might sound like insurmountable odds and some CISOs may be resigning themselves to never sleeping again in the face of such worry. But there is hope. There are things that can be done to combat almost any threat.
The first step should be to work through a security strategy process to understand the systems, processes and data that are absolutely essential to the organisation’s continued profitability. Every organisation will have a different risk profile, depending on who they are, what they do and where they conduct their business. Understanding which business-critical data and processes must be protected will determine the countermeasures that must be put in place.
One measure that is gaining traction with security architects is micro-segmentation. Some cloud providers already offer micro-segmentation as standard, allowing organisations to securely store their data so that many other controls are not necessarily required. That is not to say that CISOs should be throwing out their firewalls and the like just yet; simply that there are many technology solutions that can powerfully augment existing security measures.
It is only by assessing the risk profile of the business, defining a security strategy and sourcing the solutions required that CISOs will be able to have necessary but difficult conversations with the board. After that, it becomes a commercial decision: is the board ready to risk lost data or disrupted systems by not investing in the appropriate security measures?
The good news is that, with the GDPR and the general awareness of cyber security risks growing, senior executives outside of IT are starting to take the threat seriously. So CISOs should be able to sleep better at night knowing that, at the very least, their concerns are shared.