Top 8 things CSOs wish they had a solution for

What's keeping you up at night - complexity, data deluge, BYOD?

After a challenging day at the office, many CSOs and CISOs spend their harried nights wishing for a better and easier way to accomplish the tough tasks they face at work. I know I have. I've spoken with a lot of my peers this year and thought I'd compile a list of these wishes and pain points--and provide an opportunity for us to share recommendations on how to tackle these tough tasks.

Here are the top eight wishes I've heard in the last year:

1. We need simplicity, not complexity.

There's simply too much going on in our IT worlds. New cloud computing, mobile, and social networking technologies and innovations are flooding our infrastructure. There are so many technologies in our businesses--at best soldered together--but definitely not talking to each other.


Unfortunately it is only getting worse. Declining operational efficiency and effectiveness affects the whole organization. Too many security solutions offer 1,000 features, but most people only leverage 100. To be effective, we need solutions that actually talk, share intelligence, and learn from each other.

2. We don't want to be overwhelmed by too much data and information

Firewalls, AV, IDS/IPS, load balancers, routers, switches, DLP, web security gateways, MDM, email gateways, Active Directory, thousands of applications, thousands of databases, etc. We are overwhelmed with data that we aren't necessarily looking at on a regular basis. I've asked many CISOs: "What value are you getting from your IDS or firewall logs?"

Most responded that they have little to no value because there is just too much data. And it isn't going to scale for the future. Even items like SIEMs are not intelligent. They are complicated to run and they simply turn data into information. But information isn't what we need. You still need to collate and analyze the information to understand what actions to take. Even then, it's going to take more than action lists. CSOs need a guiding compass that provides an effective overall risk management strategy.

3. We need to turn data into wisdom.

CSOs need data, so they can use their wisdom to make the best security decisions. To get there, data needs to be translated into information. And that information needs to provide intelligence. Intelligence will help CSOs build their security wisdom. The more intelligence CSOs receive, the bigger the benefit. Unfortunately, many of the solutions I list above aren't translating information to intelligence. They are simply providing information, which leads to reactive actions vs. proactive actions.

4. We need a predictive risk posture view.

I'm talking about a pressing need for a risk-based approach that is simple to implement. Most of today's buying decisions are gut-based on old experience and yesterday's threat landscape. And while governance, risk management, and compliance (GRC) solutions exist, usually these solutions are rule-based and are not intelligent, are overly complex, and don't take a data-centric view. [See What's next for GRC?]

Many of the good risk and compliance solutions are also very expensive, and few companies can afford them. We need a GRC solution that is easier to deploy and manage. As more CSOs partner with others and continue cloud adoption, GRC will be the tool of the future for managing risk, because CSOs will have less and less direct control over the infrastructure.

5. We need visibility, control and protection for our data at all times.

This is about the DATA, not the device or outlet. So whether it is on a handheld, a tablet or in the cloud, we need to know where our data is, who is using it, when it is accessed--even if it was just created. We also need control of the data. This includes enabling data collaboration, knowing when it leaves our partners, and having a kill switch if our data is not in the right place. We should be thinking about our security program from the ground up.

6. We want to allow BYOD.

We want to enable the business by allowing BYOD, but most CIOs are not fans of mobile device management (MDM). They want security and data protection, but not necessarily to lock down or control the device. It makes it even harder when we get pressure from our executives to allow personal devices on the network. We need to be able to easily allow any device to access our network and data, but have full visibility and control of the data.

I believe the future is a hybrid of DLP and DRM mixed with virtual sessions. And for certain applications, data is then routed back into the data center. I do not believe the future is MDM. It just applies all the old ways of endpoint security to a new paradigm of mobile devices. It doesn't solve the real problem.

7. We NEED to stop spear phishing.

This is the number one way that most targeted attacks compromise users. Phishing may be an old method, but a researched, well-orchestrated socially engineered lure is very effective. I have asked 200 CISOs "How many of you feel confident you can stop a spearphish attack on your CEO?" And not one said they could. We have to think out of the box to solve this problem. The most successful way to solve this is by mixing science and humanities together.

One great example is [Disclosure - I recently joined the executive board for phishme.] I've found that, depending on the technology and awareness, up to 70 percent of employees will click on a spear phish lure. Your security technology needs to be mixed with your awareness program because 15 percent will still click.

You need an email security solution that uses cloud-based spear phishing protection, which catches and inspects any never-before-seen URLs, before they hit your network. Your standard spam filters cannot do this. Lastly, many spear phishing emails avoid your company email system and target your CEO's Gmail account. So you need a web security gateway that can protect your user when they click on a spear phish link. There are very few web security gateways that are spear phish-aware. This is key.
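As an added illustration of the "never-before-seen URL" idea in this point (example code written for this page, not a product the article mentions), the script below extracts every URL from an inbound message, compares each link's host against a list of hosts that earlier, clean mail has already linked to, and separates known hosts from never-seen ones so the latter can be held for inspection instead of delivered as-is. The mail text and the seen-host list are constructed sample data.

```python
"""Toy 'never-before-seen URL' triage for inbound mail.

Added example, not from the original article and not any vendor's product.
Before a message reaches the user, extract its URLs and flag those whose host
has never appeared in earlier mail; a real gateway would sandbox, rewrite or
hold those links. SEEN_HOSTS and SAMPLE_MAIL are constructed sample data.
"""
import re
from urllib.parse import urlparse

# Hosts that earlier, clean mail has already linked to (constructed sample data).
SEEN_HOSTS = {"intranet.example.com", "docs.example.com", "www.example.net"}

# Matches http(s) URLs up to whitespace or a closing quote/bracket.
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def extract_urls(body: str) -> list[str]:
    """Return every http(s) URL in a message body, in order, without duplicates."""
    seen = set()
    urls = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;")  # drop sentence punctuation glued to the link
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def host_of(url: str) -> str:
    """Normalise the host of a URL: lower-case, without userinfo or port."""
    return (urlparse(url).hostname or "").lower()


def classify_urls(body: str, seen_hosts: set[str]) -> dict[str, list[str]]:
    """Split the URLs in a message into 'known' and 'never_seen' by host."""
    result = {"known": [], "never_seen": []}
    for url in extract_urls(body):
        bucket = "known" if host_of(url) in seen_hosts else "never_seen"
        result[bucket].append(url)
    return result


# Constructed message mixing a familiar link with a host nobody has mailed before.
SAMPLE_MAIL = """Hi,
Please review the updated board pack here: https://docs.example.com/board/q3
If that link fails, use the mirror: https://docs-example-com.invalid/login?acct=ceo.
Thanks"""

if __name__ == "__main__":
    verdict = classify_urls(SAMPLE_MAIL, SEEN_HOSTS)
    for url in verdict["never_seen"]:
        print("HOLD for inspection:", url)
    for url in verdict["known"]:
        print("known host:", url)
```

The point of the example is the policy, not the regex: a link is judged by whether its host is already established in the organisation's mail history, which is exactly the signal a spam filter keyed on sender reputation or known-bad lists does not have for a freshly registered lure domain.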

8. We want an easy way to measure and market our success.

This is a big one. Security is a boardroom problem, but we still have to convince the board that it is their problem, and we have to measure the trend over time to demonstrate success. We have to address so many new security challenges and emerging threats. How can we possibly demonstrate our value to our CEO and Board of Directors? I've addressed a few of my best practices here, but would also love to hear your suggestions.

Did I miss your main pain points? If I did, leave me a comment below and let's discuss. If you've got suggestions on how to address some of these challenges, please feel free to post them as well. In addition, send me a message on LinkedIn and I'll try to help you through some of the best practices I've seen to address these challenges.
