If you had a crystal ball and could predict the future, what would you foretell?
In the real world, we have to rely on our visionary leaders to predict the future as they see it unfold.
That’s why we were excited to chat with our Consumer Chief Information Security Officer Neil Daswani upon hearing that he would be making a bold prediction about information security at a recent event called secureCISO. Joining him in San Francisco were CISOs from Twitter, Maxim Integrated and SoFi, and industry expert Scott Shuster.
Welcome, Neil. Heard you recently had the opportunity to play an unusual role: #ITpsychic. What’s that about?
It was a great name for a panel. The idea was to make a prediction about what would be the top priority for CISOs this year. In a world where cyber threats evolve every day, your information security defenses need to advance just as quickly.
We become a better information security community as a whole when we share best practices and our experiences, and shift our priorities accordingly.
There actually was a poll on Twitter using the hashtag #ITpsychic, where the audience and others got to vote on their favorite answer.
Given all the news headlines we see about cybersecurity incidents, that seems like a tough question to answer. What were some of the panelists’ predictions?
You’re right. It’s tough to predict just one, single priority. My fellow panelists predicted that we would see a range of priorities. One prediction was to invest in user authentication technology because after a large data breach, hackers frequently attempt to use stolen passwords across a large swath of accounts, putting both consumers and businesses at risk. Another prediction was that CISOs would be asked about cyber-insurance by someone in the executive suite. This makes sense with all of the data breaches we see in the news.
So far, I’m seeing themes of data breaches and the cloud. Now I’m dying to know about your prediction. What was it?
My prediction was that the top priority for CISOs this year will be securing information in the cloud, and that CISOs will need to create or grow their budgets for cloud. The trend of moving infrastructure to the cloud is hard to ignore. If and when your chief information officer decides to make this call, you want to be ready to make this move.
The audience seemed to agree with you, according to the Twitter poll, where “investing in cloud security” received the most votes. What do CISOs need to be thinking about as they move to the cloud? Why does it seem challenging?
One important challenge deals with security controls. In the past, many of the typical controls were on-premises in the form of security appliances of various kinds or could be leveraged from traditional hosting providers. Now, with the move to the cloud, controls need to be adopted from cloud providers, or newly developed as infrastructure moves to the cloud. Appropriate security controls are essential in order to appropriately detect and prevent security incidents. Additionally, secure scaling in the cloud—which is essential for a growing business—would need to ensure that controls move with the data and that the entire data lifecycle is protected through every associated redundancy, high-availability and disaster-recovery construct.
Results of the #ITpsychic poll, conducted on Twitter.
The effects of changing controls seem to be far-reaching. What other controls might be affected?
You now need to rely on the cloud service center for forensics in the case of a cyber incident, so your entire protocol may be affected. And auditing and compliance need to be taken into account, especially if you accept payments as part of your business. As you can see, you can’t do all of this in a day—you need to budget and plan.
Information security professionals focus on prevention, but sometimes cyber incidents occur. What kind of threats will CISOs face when they move their infrastructure to the cloud?
Many cyber threats that existed before the cloud will still exist now—they’ve just been adapted for the cloud. A recent example of this is ransomware attacks on MongoDB, a database program that many organizations run in the cloud. The big problem with this attack was the scale. Leveraging vulnerabilities around insecure default configurations, hackers have been able to commandeer more than 28,000 databases.
What’s one more thing CISOs should remember about the cloud?
You’ve seen the data breaches in the news. We’ve seen 146 breaches in the first five months of 2017, according to privacyrights.org. What information security teams need to remember is that their customers’ personal data is highly valuable to identity thieves, and that protecting this data is of utmost importance. If a data breach does happen, you want to think about taking care of your customers in a way that puts their safety first—credit monitoring alone is simply not enough.
How did it feel to be an #ITpsychic for a day?
Well, I’m a big believer in sharing ideas and best practices with other industry leaders. As a security community, we all gain when we educate each other about our experiences.
By The UnLocked Editorial Team
Pictured (L to R): Apple and smart car hacker Charlie Miller and Symantec Consumer Chief Information Security Officer Neil Daswani.