No CSO? Hire one now, advises security expert

Data rich corporations with weak IT security departments are just asking for trouble says M86

M86 Security vice-president, Jeremy Hulse

M86 Security vice-president, Jeremy Hulse

Enterprises without a chief security officer or a beefed up security department will be left wide open as hackers use new exploits to strike, warns a security industry expert.

M86 Security vice-president, Jeremy Hulse, told CSO Australia that the reason gaming companies, such as Sega, from which hackers stole personal data of 1.29 million customers over the weekend, had been hit was because of new exploits and malware on legitimate websites that security staff may not be aware of.

"Upwards of 80 to 90 per cent of good websites can host malware and that can be from a period of 20 minutes to 24 hours, but they [hackers] generally don't leave it up for a long period of time," Hulse said.

"All it takes is for someone from Sega or another company to access the website and download the exploit to their internal network."

"For Sony not to have a chief security officer [before the attacks occurred] is quite a startling revelation," Hulse said. He added that M86 had recently come across a large amount of malware that was not caught by signature databases. "From our own studies with customers, the traditional signature based security is not working and they have some exploit that may not have been discovered [by security staff] yet."

Read more about security in CIO’s 2011 Global State of Information Security Survey.

This meant the chief security officer had to be prepared to deal with unknown threats and invest in new security technologies. "People think they're safe but the hackers are saying, 'No, you're not safe' and they are proving it," said Hulse. "Every time someone in security closes a door the hackers are going to be looking for another."

He added that Cloud service providers also needed to "step up" and inform customers what security measures they could offer before data was hosted in a public or private Cloud.

"The message to Cloud providers is that there needs to be an extra level of diligence. You can't apply traditional security to Cloud services, it's a different game."

He advised enterprises considering hosting data in the Cloud to quiz their provider about data encryption and find out if the data would be hosted onshore or offshore.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at

Follow Hamish Barwick on Twitter: @HamishBarwick

Join the CSO newsletter!

Error: Please check your email address.

Tags securitystaffingCSO

More about etworkM86SegaSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Hamish Barwick

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place