The security experts have made their predictions for 2014. Now it is time for CIOs to make some tough decisions and establish security priorities for the coming year. Certainly many of those predictions will come into play. The predictions aren’t made in a vacuum; CIOs would be foolish not to consider the situations in which experts expect serious threats and risks.
Bring Your Own Device (BYOD) will continue to be a primary concern for CIOs in 2014. However, CIOs will have to pay attention to a few twists to the BYOD movement, like BYOI, or Bring Your Own Identity. Unfortunately, as Jake O’Donnell pointed out in a SearchConsumerization piece, the budget doesn’t necessarily meet the needs for mobile security, and that’s a problem that CIOs will have to work around.
CIOs will also turn more attention to the cloud, not just to determine how to make data in the cloud more secure but to see how the cloud plays a role in covering network security, as Philip Lieberman, CEO and founder of Lieberman Software, stated. He added:
CIOs will have to reevaluate proposed security as a service being delivered via the cloud considering that hardware and software will no longer need to be purchased for deployment.
These issues are just the tip of the security iceberg. Overall, the primary challenge for CIOs will be to make sure everyone within the company is on board when it comes to security policy. It appears that 2014 will see a real shift in security concerns and in the way security will work. Education for everyone from the CEO down to every employee who has access to the corporate network will be a must.
Here are the top priorities that CIOs will be (or should be) focusing on in 2014.
Changes in BYOD assessment
BYOD has introduced a ton of new software into most companies, according to Michael Angelo, chief security architect at NetIQ. In the past, CIOs have dealt with the obvious questions of support, interoperability, and (to some extent) security — but they have not looked at software licensing issues. What would happen if the software being used in the company had an education, student, developer or personal license? Ultimately, he said, change to policies and procedures in order to mitigate potential software licensing liability will be an emerging issue in 2014.
But, Angelo added that software isn’t the only concern in the Bring Your Own movement. CIOs will now need to be prepared for BYOI. He explained:
BYOI comes into play whenever consumers or employees use their own third-party identities (example: Google, LinkedIn, PayPal, etc.) to conduct transactions ranging from accessing business services and sharing data to placing ecommerce orders. The advantage comes from being able to provide a level of business relationship without having to create an account. Ultimately the CIO will need to monitor this, and decide if BYOI would reduce or increase their overhead, workload and liability/risk profile.
CIOs will eliminate consumer-based file sync and share solutions in the workplace.
According to John Landy, chief security officer at Intralinks, CIOs will eliminate consumer-based file sync and share solutions in the workplace in favor of enterprise-grade alternatives. Employees have become increasingly self-sufficient and in control of their own IT provisioning, thanks to the many tools easily at their fingertips. They regularly use consumer-grade applications in the workplace because these applications are familiar and easy to use. Employees think they are being more efficient by not wasting time turning to IT for help and not wasting time struggling with unfamiliar applications. But Landy pointed out that for the CIO and the IT department, this is a nightmare for security. He said:
Consumer-grade sync and share solutions introduce unnecessary vulnerabilities into secure data exchange processes, as IT no longer has control over who is sharing what information with whom and on what device. Over the year ahead, CIOs will begin to realize that while consumer-based file share and collaboration solutions may be acceptable for sharing information within the corporate firewall, they are not nearly secure enough to facilitate collaboration beyond it.
CIOs will realize that enterprise-grade solutions are available that offer security and control without hindering employee productivity, and they’ll turn to those tools in 2014 to avoid data loss, compliance fines, and other severe consequences associated with negligence in content management.
CIOs must perfect the data privacy balancing act.
Our country has experienced serious backlash from information leaks that cast a spotlight on our surveillance policies, and it’s clear that our nation must labor to find that balance between its security interests and important civil liberties concerns. CIOs are the stewards of corporate data, and as such, Robert Butler, chief security officer, IO, said, in 2014, CIOs should expect to be pulled into that debate. They need to stay apprised of how, when and what they are obliged to share with government organizations, as well as when they can and should legitimately hold back data.
Also, he added, the information converted and stored in digital form is subject to the laws of the country in which it is located:
“Where is our data?” will be a question on everyone’s lips. The widespread adoption of cloud computing services, as well as object storage, have broken down traditional geopolitical barriers. In response, many countries have issued new regulations that require customer data to be kept within the customer’s country of residence. In 2014, the visibility to maintain compliance will be high on every CIO’s wish list.
On-premise email solutions
Cloud-based email was originally billed as a panacea for overworked (and often over budget) IT staff — an innovative new model that would relieve them from the burden of purchasing their own hardware, maintaining their own systems, and managing their own data. But the price for this hype has all too often been paid at the compliance table, according to Kari Woolf, senior global product marketing manager at Novell, Inc. She said:
The cloud may be suitable for many organizations, but others — particularly those with strict compliance requirements or data protection directives — find that on-premise email solutions are the only way to keep sensitive data strictly within their control. While cloud-based email will continue to become more mature and secure over time, many of these organizations (and perhaps some specialized industries at large) will buck the trend.
Woolf said CIOs will turn to on-premise email solutions that offer the low administrative burden promised by the cloud, but more importantly, the on-premise solution will offer the equally critical ability to maintain control of data — and prove it in audit. As the regulatory vice tightens in industries like health care and financial services, she expects on-premise email solutions that offer a simple, cloud-like user experience and all the benefits of IT control, along with capabilities like archiving, digital signatures and encryption, support for new authentication methods, and stronger security for data synchronized to mobile devices, to gain new footholds.
Assessing, auditing and hardening systems of engagement
According to security experts from Alsbridge, millions of dollars have been invested in building out systems of record for ERP, HR, and the like. Millions more have been spent on maintenance, but many of those systems no longer meet the need for agility in the business today. Systems of engagement now have a substantially different value proposition: integrating social and collaboration capabilities with the everyday transactions of the business. These systems are mobile, consumer-centric and often delivered via the cloud. The vast majority of these solutions are also less hardened versus their legacy counterparts, and they’re typically implemented and maintained via a small ecosystem of partners and third parties.
The legacy environments were known to be highly secure, but now they are being mixed with a more social, interactive, customer-facing environment that is far less secure. The challenge for CIOs is to secure the “bridging” technologies (usually a cloud-based solution) that tie the two environments together in the enterprise.
The Insider Threat
The insider threat has long been a security problem, but Timothy P. Ryan, a managing director with Kroll and the cyber investigations practice leader for North America, says we should expect the insider threat to become more visible, thanks to privacy breach notification laws and enforcement regimes. Information technology simply made the betrayer’s job easier; however, that same information technology, as well as stronger rules and regulations, have improved the alert CIO’s ability to thwart the threat. The operative word there is “alert.” CIOs need to make stopping the insider threat a top security priority in 2014. Said Ryan:
There’s a tremendous amount of data compromised today where the act is never discovered or disclosed. People discount the insider threat because it doesn’t make the news. Instead, we see headlines about external credit card breaches and theft of personally identifiable information, because regulations mandate accountability and punishment is expensive. The insider threat is insidious and complex. Thwarting it requires collaboration by general counsel, information security, and human resources. SEC breach disclosure of “material losses” may be the model for rules requiring a company to be more transparent and answerable for allowing bad actors to go unpunished.
Quantify cyber risks and answer board-level inquiries on cybersecurity.
The impact of cybersecurity risks to businesses is multi-fold and can range from reputation damage, loss of revenue, legal fees, and penalties for lack of compliance to disastrous downtime to critical services, said Isabelle Dumont, director of product marketing, industry/vertical initiatives with Palo Alto Networks, adding:
With cyberattacks being the new norm, security officers must refine their understanding of their risks throughout their enterprise. Given the rise of cybersecurity mentions in quarterly filings, be ready for boards to demand a systematic review of assets – systems, applications, devices, data, networks, and any component potentially impacted by a cyber event – related risks, assets that are most often targeted by cybercriminals and level of security in place along with plans to fix what’s below basic compliance requirements.
The CIO’s priority will be to get board-level executives and audit committees to take a greater interest in cybersecurity and threats to the enterprise. With more and more data breaches – from theft of trade secrets to loss of customer information – in the headlines, corporate audit committees are beginning to focus on the connection between cybersecurity and an organization’s financial well-being. As such, they will expand their attention beyond the financial audit process to the organization’s strategic plans for protecting non-public information and risk mitigation plans for responding to a possible breach. CIOs and IT leadership should prepare accordingly, said Alan Brill, a senior managing director for Kroll.
Third party may end up being the buzzword of CIO security priorities in 2014. Angelo suggested that CIOs will implement new techniques and tools to track third-party components introduced by a software application. He explained:
Malware has long been introduced into companies via software products. But since Stuxnet, the question of Software Supply Chain or “What’s in Your Product?” has arisen. While most companies still vet software for vulnerabilities prior to introduction in their environment, the practice has become difficult as most products include third-party components (for example, open source libraries or frameworks) and many executives don’t have insight into what their applications have been built with. The need to monitor environments to see if components have had new vulnerabilities disclosed will be top of mind.
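As an added illustration of the component-monitoring practice Angelo describes (example code written for this page, not a NetIQ or other vendor tool), the script below matches a constructed inventory of application components, the kind of data a software bill of materials gives you, against a constructed vulnerability feed and reports every component whose installed version falls inside an affected range. All application names, component names, version numbers and VULN-EXAMPLE identifiers are made up.

```python
"""Match an application component inventory against a vulnerability feed.

Added example for this page; the inventory, the feed and every identifier in
them are constructed for illustration, not real products or advisories.
"""
from typing import Dict, List, Optional

# Constructed inventory: which third-party component, at which version, is
# built into which internal application (what an SBOM would tell you).
INVENTORY: List[Dict[str, str]] = [
    {"app": "payroll-portal", "component": "libexample-xml", "version": "2.9.10"},
    {"app": "payroll-portal", "component": "example-webfw", "version": "3.1.4"},
    {"app": "customer-api", "component": "libexample-xml", "version": "2.9.12"},
    {"app": "customer-api", "component": "example-json", "version": "1.0.2"},
]

# Constructed vulnerability feed. 'introduced' is the first affected version
# (inclusive), 'fixed' the first clean version (exclusive); None = unbounded.
VULN_FEED: List[Dict[str, Optional[str]]] = [
    {"id": "VULN-EXAMPLE-001", "component": "libexample-xml",
     "introduced": "2.9.0", "fixed": "2.9.11", "severity": "high"},
    {"id": "VULN-EXAMPLE-002", "component": "example-webfw",
     "introduced": None, "fixed": "3.2.0", "severity": "critical"},
    {"id": "VULN-EXAMPLE-003", "component": "example-json",
     "introduced": "1.1.0", "fixed": None, "severity": "medium"},
]


def parse_version(version: str) -> List[int]:
    """Turn '2.9.10' into [2, 9, 10]; non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return parts


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; missing trailing components count as zero, so 1.4 == 1.4.0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def version_affected(version: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (either bound may be open)."""
    if introduced is not None and compare_versions(version, introduced) < 0:
        return False
    if fixed is not None and compare_versions(version, fixed) >= 0:
        return False
    return True


def find_affected(inventory: List[Dict[str, str]],
                  feed: List[Dict[str, Optional[str]]]) -> List[Dict[str, str]]:
    """Return one finding per (application, component, vulnerability) match."""
    # Index the feed by component name so each inventory row is a dictionary lookup.
    by_component: Dict[str, List[Dict[str, Optional[str]]]] = {}
    for vuln in feed:
        by_component.setdefault(str(vuln["component"]).lower(), []).append(vuln)

    findings = []
    for item in inventory:
        for vuln in by_component.get(item["component"].lower(), []):
            if version_affected(item["version"], vuln["introduced"], vuln["fixed"]):
                findings.append({
                    "app": item["app"],
                    "component": item["component"],
                    "version": item["version"],
                    "vuln_id": str(vuln["id"]),
                    "severity": str(vuln["severity"]),
                })
    return findings


def summarize_by_app(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group vulnerability ids by application, the view a CIO-level report needs."""
    summary: Dict[str, List[str]] = {}
    for f in findings:
        summary.setdefault(f["app"], []).append(f["vuln_id"])
    return summary


if __name__ == "__main__":
    for f in find_affected(INVENTORY, VULN_FEED):
        print(f"{f['severity']:>8}  {f['app']}: {f['component']} {f['version']} -> {f['vuln_id']}")
    print(summarize_by_app(find_affected(INVENTORY, VULN_FEED)))
```

Run against the constructed data, the script flags both components in payroll-portal and nothing in customer-api, because customer-api already carries the fixed libexample-xml release and its example-json version predates the affected range. The point of keeping the inventory and the feed as separate inputs is that the same matching logic can be re-run every time the feed changes, which is the monitoring Angelo calls for.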
At the same time, Jason Straight, SVP/chief privacy officer at UnitedLex, said CIOs will focus on auditing the security protocols (people, processes and IT) of third-party service and solution providers. He said that when corporations fail to consider the security risks brought on by third-party partners and vendors, the enterprise creates a “soft underbelly” that hackers can easily exploit.
Third-party threats come from multiple sources. The smart CIO will concentrate efforts on all of them.
Adopting Biometrics and New Authentication Options
Biometrics made a splash in 2013 with the iPhone’s use of the fingerprint in place of passwords. Multi-factor authentication made waves as companies like Dropbox and Twitter discussed this option after serious breaches. Jim Reno, distinguished engineer with CA Technologies, said we will continue to see biometrics being leveraged for uses beyond unlocking a smartphone screen and customizing video game settings.
The reason to turn away from passwords and to biometrics and other forms of authentication is simple – trust. According to an article in the Business Reporter, companies that use biometrics, in particular, gain more trust from their customers. It’s also a way for companies to protect themselves, as the article pointed out:
Companies that have adopted biometric solutions have seen an improvement in customer satisfaction. Slovakian financial institution Tatra Bank introduced biometric signature identification for customers in February 2011 as well as a voice biometric identification in the middle part of this year. Michal Liday, retail head of Tatra Bank, speaking at a voice biometrics conference in London, says: “Before we introduced biometrics, we were subject to fraud attacks from misused identities from theft or misused identity cards. This was a regular story.”