With the end of 2019 in sight, at this time of the year we begin to look ahead to what 2020 – and beyond – might bring. In a recent article, published by DarkReading, Paul Shomo spoke with seven chief information security officers (CISOs), some from Fortune 500 companies. They came up with five priorities for the coming years in cybersecurity.
1. Identity management in a multicloud world
As the article explains: “the old days of breaching a network’s perimeter technologies and slowly hacking laterally across systems is less of an emphasis, thanks to the cloud. With stolen credentials, a device is often one hop from accessing the crown jewels of privileged data in the cloud. Microsoft Corporation CISO Bret Arsenault strikes at the heart of the matter. Today, he says, ‘hackers don’t break in, they log in.’ In line with that thinking, Microsoft’s security organisation believes that ‘identity is our new perimeter.’”
The article goes on to explain that: “what makes managing identity complex is that it spans many personas. As Juniper Networks CISO Sherry Ryan explains: Security teams must ‘know who is accessing your network, whether it be a customer accessing your portals, or a partner, a supplier, or your own employees.’”
2. Protecting assets with encryption and zero trust
Cloud transformation is enabling CISOs to ditch on-premises legacy systems. As the article says: “many are enthusiastic about building cloud security right from day one, and zero trust is a big part of this. Zero trust limits role-based access by default. It ensures users are who they say they are, and that their devices meet reasonable security standards before connecting.
“Besides locking down configurations, CISOs are building zero trust with multiple technologies. They mention leveraging things such as multifactor authentication (MFA), mobile device management (MDM), and vulnerability management. But ensuring that data is only seen by trusted users is an ongoing issue.”
3. The rise of DevSecOps
As the article points out “even the most analogue company is developing software to run its business. This includes customer web portals, mobile apps, and APIs exposed to customers, partners, and hackers alike. Organisations are increasingly automating manual activities and relying on analytics and artificial intelligence. Educating software developers into better practices is key, and a strategic initiative is securing applications with DevSecOps.
“Many CISOs are also ‘moving left’ and purchasing static analysis tools that operate on code and flag issues before runtime. In keeping with a common theme, the CISOs prefer seamless approaches that are easy on humans. This means integrating DevSecOps technologies into the daily routine of developers.
“While further along with static analysis tools, many of the CISOs in the discussion also indicate a desire for dynamic analysis. Dynamic tools operate during runtime, monitor applications, and log information for incident response.”
4. Responding to “Alert Fatigue”
A CISO’s operation involves spotting genuine security breaches amid the noise of false positives and low-priority alerts. It’s an endless challenge: antivirus, firewalls, and other security technologies often produce millions of events every day.
According to the DarkReading article, “to move beyond manual processes, almost every CISO interviewed bought security orchestration automation, and response (SOAR) products. They are generally happy with them. Some want more help getting started. Many feel SOAR performs only as well as the quantity and quality of alerts fed into it.
“CISOs are also on the lookout for new approaches to alert fatigue but find the number of technologies coming out each year ‘overwhelming’. These security leaders are hopeful that the new tech they deploy will increase coverage yet are sceptical of the efficacy of more alerts.”
5. “Think like a CISO”
Noting that security focuses on people, processes, and technology, LogMeIn CISO Gerald Beuchelt strongly believes that it really has to be in that order. “We have to get people on board with what security needs to do…. No security team can grow big enough to protect such a complex and large organisation by itself.”
Many of these CISOs agree that it’s important to take advantage of Cyber Awareness Month, using educational tools such as games, humour, and shorter training sessions to motivate their user base.
Find out more by visiting DarkReading via the link.