What security pros want for the new year

A few execs had some pie-in-the-sky ideas while others were a bit more grounded in reality.

It’s that time of year when we ask security executives in a variety of industries what they would like to include on their holiday wish lists.

Some of the responses we received were in the realm of pure fantasy. For example, one security chief asked for technology tools that address all of the major security threats, don’t cost anything and have top-notch 7x24x365 support with response times inside 15 minutes!

Most of the wishes submitted are a bit closer to reality, and some might even come true if factors align the right way. So, with the completion of another year approaching, once again we present a listing of what security executives say they are hoping for, as they continue in their mission to protect their organizations’ systems and data.

David Barton, CISO, Websense

“Integrated security tools. CISOs face increasingly complex security tools that don't communicate and play well together. For 2016, I want more security products that will talk and communicate together using standards-based sharing such as STIX and TAXII.

“Security in the boardroom. Too many CISOs are relegated to being relevant only when there is a crisis. Security belongs in the boardroom, in senior executive strategy meetings, in the many business planning processes, and in the operations of the business. My wish for 2016 is more visibility at the board level for CISOs, where we can provide advice/guidance to enable the business to succeed in a secure fashion.

“Emphasis on the sciences. There is a worldwide shortage for information security professionals. This problem is going to grow until we are able to engage young people in the pursuit of the sciences in high school and college. If this trend is not reversed, we will not have enough security professionals to protect the data that is important to us. For 2016, my wish is for more interest in the sciences in all levels of education, more graduates from college in technical disciplines, and more people with technical degrees pursuing information security as a career.”

Mary Chaney, director of worldwide information security, Johnson & Johnson

“My biggest wish is for my magic wand to work and make all applications and databases secure!

“There needs to be a shift in thought regarding how companies deal [with] and manage vulnerabilities at the network, application and database levels. Vulnerabilities speak to the actual risk exposure an organization has, which is, by the way, the single most important factor for any business.

“Information security has grown up as a child of IT, and for years professionals believed that a hardened network was the answer. We have built entire information security programs around traditional cyber network defense. That doesn’t work anymore. As professionals we need to shift our thoughts and focus on the connection between technology and risk.

“Everyone, from the L1 analyst to the board of directors, needs to understand that attackers have moved out of the brute force type of network attack to the application and database level, where the true data resides.

“A big huge spotlight needs to shine on the actual risk in your environment, meaning unpatched and insecure applications and/or databases. Once you find those answers you will be able to build a security program that strategically places its time, energy, and money into protecting the business through a conscious effort and understanding around risk.”

Erkan Kahraman, CSO, Planview

“Last year I had wished for compliance and I’m wrapping up the quarter with the content feeling of having achieved just that. For next year, I’m wishing to find qualified information security specialists to join my growing team. They are hard to come by nowadays!”

Robert J. Schadey, CISO and director of infrastructure services, 1901 Group

“As I sit in the Kansas City Airport nearing a 12-hour delay prior to departure, I wish for teleportation! 

“Applied focus on security engineering. How important is it to prevent exploitation of critical functions? Why does security still begin as a bolt-on after system implementation occurs or even worse, after an exploitation is discovered and determined? In supporting federal, retail and Department of Defense in security, the same repetitive mistakes seem to continue to happen in the system engineering process.

“While the product selection and acquisition processes should naturally begin with products that are security tested and proven to vendor claims, considerations for secure methods in monitoring, management and support must equally be proven. The application of security engineering in the design must drive toward checks and balances in handling malicious threats and survivability. Identification of system and security requirements must be part of a sound process, aiding security baseline development and requirements documentation that ensures the overall implementation can be mapped technically against requirements, risks, and consideration for any residual risks.

“More often we want to keep pace and generally move too quickly toward solutions, without examining requirements. Looking at the bottom dollar [while] not considering security engineering will generally eat up costs in bolting on security with technical modification and figuring out methods to address compliance requirements. It’s much easier to work through sound selection and driving the security features and capabilities that should be enabled with sound security engineering.”

Dave Dalva, vice president at Stroz Friedberg, who acts in the role of CISO for several clients

“I would like to see boards of directors and leadership teams better appreciate that information security risk management should be treated as an enterprise risk equivalent to financial, reputational, and legal risk. Too often these stakeholders gain an appreciation of security risk only after a breach to themselves or others. I would like to see them increasingly take the initiative to understand how security risk impacts the business, and why culture is so important to a good security risk management program.”

Jason Taule, CSO, FEI Systems

“I suspect I’m like every other CSO who made wishes last year in that few if any of our requests came true. I don’t think this is because we were bad and found ourselves on Santa’s naughty list, but rather that the items we were after are beyond the creative abilities of the elves in his workshop. Consequently, much like the child who wishes for the same thing year after year, I’d still very much like a ‘pause’ button to allow me time to catch up with the business and a magical balancing scale that helps me strike the exact right compromise between the needs of the business and our risk exposure.

“Beyond that however, there really is only one additional item on my wish list. What I’d really like is the new G.I. Joe style military action figure known as Actionable Intelligence. The art and practice of our industry has advanced to the point where we have an abundance of tools and technologies to capture and evaluate threat data. But we’re victims of our own success. It’s impractical to try to react to everything, and never before has it been more important to be able to detect things early, deter unauthorized east-west traffic, and respond in a timely manner. Forget hay, now it’s all about finding the needle in the needle stack.”

Curtis Dalton, senior vice president, chief information risk and security officer, Pactera US

“Stronger behavioral analysis capabilities across enterprise system resources to spot misuse [or] abuse early. Clear support from the board on down to the CISO about their level of commitment to reduce risk and alignment on a budget to match that risk expectation.”

Roland Cloutier, vice president and CSO, Automatic Data Processing

“I'm hoping that the architects, engineers and product design specialists for Santa’s security technologies division are considering the development of an automated controls efficacy platform. From a decision support to control validation [perspective] and even as a component of audit management, the ability to have valid transparency and measurability of the efficacy of the existing controls which I am responsible for would be a huge resource lever. Imagine the ability to look at an active console or report that indicates the current levels at which all my controls are operating and enables me to understand their need, their effectiveness, and opportunities for distribution, consolidation, or removal. Yep, I know what I want for Christmas.”
