Why CIOs need to be proactive not reactive to cybersecurity threats

Security executives urge firms not to lose focus on prevention. They advise developing a holistic plan for IT and business units to fight cybersecurity together.

The greatest cyberthreat might not be a massively destabilizing attack that takes out the electrical grid or some other piece of critical infrastructure. Instead, the most significant risk could come from the accumulated damage of a constant barrage of attacks that shake the collective confidence in the Internet as a platform.

So argues Rick Howard, chief security officer at Palo Alto Networks.

"I really think that we are on the verge of having this affect our way of life," Howard said during a recent event hosted by Federal News Radio.

Security challenge isn't a cyber Pearl Harbor

"We've got so accustomed to using the Internet to manage ourselves -- communicating with our family and our friends, communicating with our business operations and all that kind of stuff. And what we're seeing is a thousand cuts, death by a thousand cuts," Howard said. "We're not seeing this giant thing that we used to all think about 15 years ago -- [that] we're going to have a cyber Pearl Harbor. That's not what's happening. What we're seeing is a lot of little slices that are slowly eroding our confidence in the digital space. And if we get to the spot where we can't trust that environment anymore, then where are we as a society?"

Howard says that firms need to do more of the basic blocking and tackling in security, starting with a thorough inventory of their digital assets and an understanding of the material risks to their business.

"I think in our industry there's a lot of shiny objects in the cybersecurity space," he said. "What really needs to be happening with our network defender practitioners is doing a robust risk analysis of their own environment -- what do they really need to be worrying about and what can they let go because it's not that big of a deal?"

John Davis, CSO of Palo Alto Networks' federal division, suggested that too many firms have resigned themselves to a reactive approach to security, essentially conceding that hackers will access their network and instead focusing on efforts to mitigate the damage an attacker can do once inside.

Focus needs to be more on data breach prevention than recovery after the fact

"Some of our industry has given up on the ability to prevent, and is focused primarily on detection and response, which means, with a mindset like that, it means you're always involved in cleaning up aisle nine, as some people like to say," Davis said.

"We believe that you can actually get ahead of a lot of that," he said. "Now you might not be able to prevent everything, but we think you can make significant progress in terms of preventing the threat in the first place so that you can make better use of your people, time and resources in those cases where you do have a problem, to go find it and do something about it. But you can take a lot of that off of the radar screen up-front if you have a prevention mindset."

"Look at the headlines -- breach after breach after breach. And so these issues today are becoming CEO and board-room issues. They are not dealt with strictly in the environment of the IT world, so the more that senior leadership in terms of CEOs and chairmen of the board and board advisors become involved in these issues, well, that puts a lot of pressure on being right."

Davis echoed Howard's call for a comprehensive risk analysis, mapping out the different segments of the network and examining the needs of the enterprise along with the security concerns. That holistic approach to protecting a firm's digital assets has the added benefit of bringing together teams that sometimes work at cross purposes.

"It helps to bring the information technology people and the cybersecurity people together. Often, they are two communities that are at odds with each other. One's trying to get an organization to perform, the other one's trying to slow it down to make sure it's secure, and often it's a win-lose situation," Davis said.

"This gap analysis enables them to both come together and look at it from a common perspective. How do we as an organization safely enable what we need to do to do our business?" he added. "The other thing that it does is once you have this gap analysis, it enables you to essentially have a scorecard for your organization so that leaders -- the CISOs and the CIOs of an organization -- can use the results of the gap analysis as kind of a scorecard in terms of risk management posture for the organization. And it's a great tool that they can use to brief the leadership of the organization."
