I know I am making a rather bold statement with the 2.0 title connotation, but as Jurgen Appelo has effectively captured the Management 3.0 construct compared to 2.0 and 1.0, I believe a similar level of radical role change is occurring for information security professionals and specifically the CISO role within organizations. I’m finding I’m not alone in this thinking. Robb Reck over at InfoReck writes about the new challenges for CISO’s and also makes tepid reference to the 2.0 moniker. Additionally, Gartner’s Tom Sholtz makes similar assertions of the need for information security professionals to evolve to “truly understand how security links to an enterprise’s business goals” in a recent Bank Info Security interview.
The last decade in a nutshell from an information security perspective
The prior decade with the explosion of the information exchange and commerce via the Internet solidified the CISO role and the formal information security department as a critical need for any medium to large size corporate IT shop. As companies birthed whole new business models to leverage the seemingly endless financial opportunities the Internet afforded, the few IT roles that involved haphazardly securing “stuff” quickly were organizationally structured into information security departments. These departments were aligned separately within IT reporting to the Chief information Officer or in even more risk adverse industries and organizations, reporting into the Chief Risk Officer or other such non-IT role. Additionally, legislation and regulatory guidances were being passed to help address the abuses of weak corporate controls as well as rapidly expanding new Internet money movement and associated new fraud patterns. The list is extensive, but SOX, GLBA (technically passed in 1999 and probably more noted for reducing regulatory restrictions on US banks than prescribing security), HIPAA (again, technically passed in 1996), PCI DSS and FFIEC guidances are the first that come to my mind as impacting my information security career. While commerce was still rapidly expanding, at the same time, beginning the narrowing of frameworks towards technology standardization and commonly appreciated security controls, along comes Enterprise 2.0, as characterized by Andrew McAfee and the advent of social media’s dynamic change in people’s personal and professional interactions.
The need for information security investment and a strong, controls based CISO leadership focus was perceived critical. The need to keep the “bad guys” out of the company’s networks and data assets was ever in everyones’ minds. Asking for ever increasing budgets to buy and implement the latest firewalls, gateways, anti-virus, identity management and web access control technologies were made using the business case of fear of bad stuff happening and the seemingly well established security perspective that strong security controls protected one from data breaches and data loss. If a new business or technical initiative didn’t have a well known security control framework associated, security professionals, leveraging their unique position in the organization’s decision making hierarchy simply crushed the initiative with “no, we can’t do that, it is too risky”. Many a new idea was squelched with “security won’t approve that” motivated by a notion it was impossible to secure or a convenient excuse to avoid shaking up the status quo.
In all fairness, the last decade did go a long way to improve corporate and customer security technology controls. Where companies may have had internal security decisions made by disparate individuals across the organization, both inside and outside of IT, the formation of central security policies and standards and the subsequent evolution of centralized, risk based security decisioning was a major step forward. But, now in hindsight, a great fallacy has been realized:
Ever increasing investment in stronger and stronger security controls does not guarantee the elimination of breaches nor data loss occurrences.
As the last decade came to a close, the bad guys, struggling to directly attack hardened company networks and devices switched to the now clearly easier target: the company employees and customers directly. Phishing, being the early indicator of this switch in tactics, was most prevalent in financial services scenarios where access to an account holder’s on-line access permitted the direct movement of funds out of those accounts and into the fraudsters’ accounts. And thus, what John Kindervag of Forrester has labeled the need for “zero-trust” is one of the many signals as to the end of the prior decade’s strong control based “hard outer shell, soft gooey center” approach to corporate security.
The new decade brings the insider threat and Advanced Persistent Threat
With the start of the this decade, the success of security departments in the prior decade of hardening the perimeter has forced the bad guys to look for easier targets and thus why try to get through all those firewalls and demilitarized network zones when gaining access to customer credentials and employee computing devices gets you legitimate access to the data and transactions they desire. In parallel, the constant barrage of media coverage on successful insider breaches of major household names across all industries further sensitizes even the least technically inclined that bad guys are every where stealing everything. The rise of hacker brands such as Anonymous and Lulzsec further cements this information security breach fear in a wide audience.
Now, one would think all of this security press would be a boon to the security industry. For security vendors it truly is practically free advertising for the need for their products, at least initially. Vendors clamor to the table to insist they have the latest whiz bang tool that will protect your company from these evil hackers out to cause havoc and steal your data. But, with all this vendor and media fodder, the CISO conversation quickly has become much more complicated. Here is one particularly extreme example conversation between a CISO and senior management that over embellishes the problem to outline my point:
Senior Exec: I’m hearing about all these breaches. We are protected, right?
CISO: Well, not exactly. The bad guys are using new ways to attack and with the recent economic downturn, the company hasn’t been investing in protection as much.
Senior Exec: But we’ve been spending millions of dollars on this security stuff? Well, what do you suggest we do about it?
CISO: We should upgrade our FlimFlam protection technology, create more security network zones with more encrypting of stuff as well as hire more people to manage the security tools we have as well as start monitoring activity logs for suspicious behavior …
Senior Exec: So you are telling me we have to spend even more money and get more people to protect us? If we do all that can you guarantee we won’t get breached?
CISO: Well, even if we do all that I can’t guarantee we still won’t get breached.
Senior Exec: So what are you telling me to do? How much to spend? What is the worse case if we spend nothing? What if we cut back our current spend 10% or 20%? What would a breach cost for us?
Again, a somewhat far fetched example, but hopefully today’s thematic security challenge is more clear:
How much security is enough when one can’t guarantee, with all the security technology and best practices in place, breaches are still very possible, even likely, and the cost of breaches is difficult to quantify?
This is a different security paradigm today compared to last decade. Security professionals are coming to grips with the realization that, being a bit cavalier here, they were purveyors of a false sense of security in the prior decade with a “strong controls = strong protection = security” mantra.
If this weren’t enough, the continued Internet and Enterprise 2.0 evolution collides with the continued sophistication of consumer mobile devices. I even fell victim, although later than most of the technical gadget minded. The overtly intuitive touch-based, instant response user experience of the current mobile phone and tablet becomes a sharp contrast to the overly locked down, slow and seemingly cumbersome “legacy” experience with the corporate issued computing device. Even the once beloved device by corporate users and security professionals alike, the RIMM Backberry, quickly falls out of favor due to the conflict between a great end user consumer-focused experience compared to a locked down corporate experience. Security departments are now increasingly faced with:
Senior Exec: I want to get my company email on my iPhone without giving up all the personal things I already do on it.
The security roadblocks of “no, it isn’t secure” collide head on with “I want it now and they, they and them to are already doing it. You said we can be breached at any time no matter what controls are in place so why not?” The later being the most difficult to navigate given the reality of the current insider threat landscape. Plus, all the healthy discussion around why corporate laptops and Blackberries were locked down in the first place is eclipsing 10 or more years ago.
Even mobile device manufacturers are quick to respond by incrementally adding corporate security control options to their original consumer devices. Realizing the entirely “new” market for their products: companies with IT budgets, device manufactures are adding features to enable the open personal use while creating technical control barriers to corporate access and data within the same device. Thus, while RIMM’s Blackberry products are trying to make the evolution from corporate focus towards consumer focus, Google, Apple and others are trying to evolve from consumer to corporate. Both trying to achieve the best of both worlds leaving security professionals to try to stay abreast of all the dynamic changes.
The media has even labeled this whole spectrum of corporate mobile computing BYOD or “Bring Your Own Device”. With the IT punditry touting to security professionals: “it is not a case of if but when. BYOD is coming. Better get used to it.” Thus again, in this decade, saying “no, it is too risky or not secure” gets drowned out by senior execs wanting the more modern user experience backed by accountants saying: “if our employees can use their own devices to do work, we don’t have to buy each one of them a $3k+ company owned and managed device.” Any CIO would like to see the upside of reducing the IT budget by delivering an enhanced employee computing experience. How many times goes a CIO get to deliver something better for truly less cost? Yes, the cost/benefit economics of managing employee owned devices over corporate owned devices hasn’t fully be universally accepted. But, there is quite a bit of evidence to indicate it could very well be a windfall to get employees to bring their own computing capabilities to work.
So how does a CISO make the transition to 2.0?
Deep business integration
As primarily done in the last decade, focusing all energy on integration with IT technicians and integrating technical controls in order to secure business products, operations and services isn’t enough. At the same time, abandoning effective security process integration over technology initiatives will most certainly lead to control and ultimately security posture atrophy. A new balance needs to be struck between early business initiative engagement to offer security awareness to help integrate security into those engagements as they are gestated while maintaining a level of presence with technology delivery and change processes to ensure control strength doesn’t reduce.
Of course, this transition to business versus IT balance brings a host of yet to be fully answered questions:
Is the business ready for security professionals to be partners at the table against the prior perception of “security just says no to everything”?
Can security professionals be seen as credible through engaging business acumen?
Can security professionals accurately convey risk based decision trade-offs in easy to digest business language?
In closing, what keeps me drawn to the security profession is the constant changing landscape. I’m looking forward validating answers to these questions.
Do you agree or have I missed a major prospective here?