With 2012 drawing to a close in a year punctuated by a continuous stream of security breach headlines in mainstream business media, it’s an appropriate time to contemplate what New Year’s resolutions might look like for the CISO/CSO and others charged with securing IT infrastructure and the valuable business assets it carries. I’d like to offer a few suggestions for those individuals to consider. They follow, in no particular order.
- I will learn to speak the language of the business executives who hold the IT security purse strings.
There’s never been a better time to engage the CEO, CFO and board of directors: they have read enough in the pages of Business Week and the Wall Street Journal about breaches and their impact on stock prices to give IT security the attention (and budget) it needs to better protect business assets. But the CISO/CSO must be prepared to discuss the business risk of breaches, not just the technical details.
- I will resolve to engage the applications development organization more effectively to improve secure coding and penetration testing of applications before they go into production.
All too often, legitimate business-focused Web sites are hijacked to distribute malware when this could have been prevented by more thorough vetting of new Web applications before release. Developers are typically rewarded for speed and innovation; tighter and more secure coding should be rewarded as well.
- I will investigate more effective methods of educating end users on how to be more secure in accessing corporate data, whether from a company owned or personally owned device.
On January 2nd, IT will see an explosion of demand to use personally owned tablets and smartphones to access corporate email and applications, and with that demand comes widespread ignorance of the dangers of mixing corporate and personal data and applications on those devices. CISOs and CSOs would be well advised to work with HR on policy creation and on educating users about those dangers. At the same time, security researchers at Trend Micro reported earlier this month on a study of targeted attacks which found that 91% of the attacks observed between February and September started with spear-phishing emails. I recently saw a demonstration of some very innovative, interactive training technology offered by Wombat Security Technologies that is delivered as a hosted service and merits a closer look. The service is aimed specifically at educating end users about phishing techniques and attacks aimed at smartphones.