CSOs demanding more from cybersecurity tech

CSOs and CISOs are becoming more powerful, and they're wielding that power to demand more from their technology vendors, to throw out underperforming tech, and to take more risks on new and innovative approaches.


Boards are genuinely more concerned about cybersecurity issues, said Larry Ponemon, chairman and founder at Ponemon Institute. And budgets have been rising to match.

Over the past 10 years, cybersecurity budgets have increased by 593 percent, he said, adjusted for inflation, though 493 percent of the increase is a result of a shift of spending from other areas of technology.

That has emboldened CSOs and CISOs, he said. "It's really changing the nature of IT security spending."

Shorter product lifecycles

For example, companies are less likely to make long-term bets on any one security technology.

"CISOs are more focused on measuring results and replacing technology that's not delivering," said Todd Inskeep, advisory board member at the RSA Conference. "The most mature companies have realized the pace of technology means three-year cycles are becoming standard."

In fact, he said, some technologies have even shorter lifecycles.

For example, this summer Gartner recommended that companies re-evaluate and potentially replace their mobile device management capability every 18 to 24 months.


"We don't do five-year contracts anymore," said Alissa Johnson, CISO at Kalamazoo, Michigan-based Stryker, a Fortune 500 medical technology firm. She is also a former deputy CIO to the White House. "We've got to be agile, we've got to be flexible, so that if something happens, we have the ability to bring someone else in or look at new products."

Senior management is behind her, she said, with a heightened awareness of cybersecurity from both senior executives and board members.

"The board members are sitting on multiple boards, so they come to a board meeting already prepared for a discussion of cybersecurity because they've heard it on other boards," she said. "At least one of those companies has been affected by some type of cyberbreach or incident."

Ready to switch

Houston-based healthcare provider Kelsey-Seybold Clinic still has five-year technology cycles for some types of technology, such as storage and infrastructure. But when it comes to security, three-year horizons are more the norm.

And the organization, which serves about half a million patients in 19 locations in the Houston area, is more willing to pull the plug on underperforming systems.

"We've demonstrated willingness to push one piece of technology out and bring another piece of technology in," said Martin Littmann, the company's CTO and CISO. "If I look at the antivirus space, the McAfee suite has served us pretty well but I think they're behind in terms of their practice, so we look at doing a three-year maintenance renewal or a one-year maintenance renewal."

Littmann reports to the executive staff and the board, all of whom are practicing physicians. But even though they may not have a technology background, they are becoming more and more educated on cybersecurity, he said, both as a result of his own efforts and because of the recent spate of high-profile data breaches in the healthcare space.


This has made the clinic's leadership savvier about implementing security technologies, both within and outside the budget cycle, he said.

"As the threat actors evolve in their methods and capabilities, we have to evolve the technology to keep up," he said. "It's an arms race."

Ironically, although budgets are growing, companies are also becoming less tolerant of waste, said Ponemon.

Take, for example, shelfware, he said. That's what happens when a company buys a technology product that might be best of breed but does not integrate well with existing systems, or that a company doesn't have the in-house expertise to deploy correctly.

"Organizations are thinking about who's going to implement it, who's going to monitor it," he said. "Security technologies are very complex tools and if they're not implemented well it's not going to do what you think it's doing and you may miss some catastrophic type of attacks. We're seeing more and more organizations saying, 'If we're going to buy a specific technology, we're also going to hire people to run that technology or buy a managed service.'"

Looking for new approaches

To stay ahead of new threats, cybersecurity leaders are also more willing to take a chance on new technologies, new approaches, and startups.

"We always have to be proactive and be ready and anticipate," said Stryker's Johnson. "That's what the boards want -- they want us to move before anyone else moves, be ready, be agile. The ecosystem is changing constantly."

For example, Stryker has found that its users have been switching to cloud services at a fast pace.

"This is a problem that you will hear from most CISOs," she said. "We not only have to secure our endpoints, but we've got to keep hold of the data, and it's hard to contain, hard to keep within a certain scope. I remember back when you were defining your security perimeter. There is no security perimeter any more!"

In November, Stryker is deploying technology from Skyhigh Networks to warn users about unapproved cloud services and suggest corporate-approved alternatives.

For example, the company has decided on Office 365, and users will get a few months to move all their documents from other platforms to Office 365.

Other cloud services will have a shorter transition period.

"If it's a URL shortener, the cooling off period might be a bit shorter, because there is no good business case to continue it longer than a month or two," Johnson said.

After that, employees will no longer be allowed to use unsafe cloud providers, she said.

"Cloud technology is a technology that is here, has proven to be helpful," she said. "But it has to be done securely."
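The warn-then-block scheme Johnson describes (flag an unsanctioned cloud service, point the user at the approved alternative, and cut access once the category's cooling-off period expires) is simple enough to sketch as policy logic. The following Python is an added illustration written for this article, not Skyhigh Networks' or Stryker's code; the domain names, categories, deadlines and proxy log format are all constructed for the example. The only facts taken from the article are that Office 365 is the chosen document platform and that URL shorteners get a much shorter grace period.

```python
"""Shadow-IT policy evaluation with per-category grace periods.

Unsanctioned cloud services first trigger a warning naming the approved
alternative; once the category's cooling-off period ends, they are blocked.
Constructed example; not Skyhigh Networks' or Stryker's implementation.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Rule:
    category: str         # hypothetical category label
    alternative: str      # corporate-approved replacement to suggest
    grace_ends: datetime  # first instant at which access is blocked


# Hypothetical sanctioned hosts and policy table (domains and dates are
# made up for this example).
SANCTIONED = {"office365.example"}
POLICY = {
    "docshare.example": Rule("document-storage", "Office 365",
                             datetime(2016, 2, 1, tzinfo=UTC)),
    "shortlink.example": Rule("url-shortener", "none; stop using it",
                              datetime(2015, 12, 1, tzinfo=UTC)),
}


def _match(host: str, table) -> Optional[str]:
    """Return the entry in `table` equal to `host` or to one of its parent domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def evaluate(host: str, when: datetime) -> dict:
    """Decide allow / warn / block / review for one request to `host` at `when`."""
    if _match(host, SANCTIONED):
        return {"action": "allow", "host": host}
    key = _match(host, POLICY)
    if key is None:
        # Not inventoried: neither approved nor scheduled for retirement.
        # Flag for review rather than silently allowing an unknown service.
        return {"action": "review", "host": host}
    rule = POLICY[key]
    if when < rule.grace_ends:  # the deadline instant itself already blocks
        days_left = (rule.grace_ends - when).days
        return {"action": "warn", "host": host, "category": rule.category,
                "alternative": rule.alternative, "days_left": days_left}
    return {"action": "block", "host": host, "category": rule.category,
            "alternative": rule.alternative}


def parse_proxy_line(line: str):
    """Parse a constructed 'ISO-8601-timestamp user host' proxy log line."""
    ts, user, host = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if when.tzinfo is None:
        when = when.replace(tzinfo=UTC)
    return when, user, host


def process_log(lines):
    """Evaluate each non-empty log line; returns decisions with the user attached."""
    decisions = []
    for line in lines:
        if not line.strip():
            continue
        when, user, host = parse_proxy_line(line)
        decision = evaluate(host, when)
        decision["user"] = user
        decisions.append(decision)
    return decisions


# Constructed sample proxy log (not real traffic). The fourth line hits the
# document-storage deadline exactly, which is the boundary a policy engine
# most often gets wrong.
SAMPLE_LOG = """\
2016-01-15T09:00:00Z alice www.docshare.example
2016-01-15T09:01:00Z bob mail.office365.example
2016-01-15T09:02:00Z carol shortlink.example
2016-02-01T00:00:00Z alice docshare.example
2016-01-15T09:03:00Z dave pastebin-like.example
"""

if __name__ == "__main__":
    for d in process_log(SAMPLE_LOG.splitlines()):
        print(d)
```

Matching on parent domains matters in practice: users reach these services through `www.`, API and CDN subdomains, and a policy keyed only on the bare domain warns on some paths and misses others. The "review" outcome is the other point worth keeping: a service that is in neither list is the shadow IT you have not discovered yet, so it should surface in a report rather than fall through to allow.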

Other new technologies that companies are starting to look at involve threat-sharing and intelligence tools, according to Ponemon.

"When you have a budget, you can do more things," he said. "And one of the beneficiaries of the new budgets are some of the smaller emerging companies that have a great tool."

Stories by Maria Korolov