Growing business engagement with cybersecurity risk means the CISO function should ideally be moved out of the IT organisation, a senior security policy advisor has argued, as organisations increasingly apply business-level controls to their growing use of software-as-a-service (SaaS).
Noting that conversations around cybersecurity risk often cause otherwise risk-hardened executives to “go weak at the knees,” Centre for Internet Safety managing director Nigel Phair told attendees at the recent VMware Evolve conference in Melbourne that security functions needed to be progressively demystified – and the tone of the conversation changed dramatically.
“I’m a big believer that CISO-type functions shouldn’t be in the IT shop,” Phair – a 21-year Australian Federal Police veteran who spent four years running Australian High Tech Crime Centre investigations – said. “The whole discussion really is about risk – what is it and what does it mean – and what does the online environment mean to the organisation.”
The answers to these questions usually emerge in business terms, which is why those running the security function need to frame the benefits of security investments in business terms as well.
“It’s important CISOs sell themselves within the organisational community, and bake security into everything they do,” Phair said. “The value proposition of the organisation, and indeed to getting staff to work for you, is a good, safe online environment.”
Delivering that environment requires a long and ongoing commitment to risk minimisation at business levels as well as during the adoption of new technologies like SaaS, which is redefining the modern workplace but is also forcing organisations to adopt new security models to accommodate its architecture.
Users remain a significant weakness when it comes to SaaS: as the number of SaaS applications grows, so does the temptation to compromise password security, for example by writing passwords down, rather than remember a separate credential for every service.
“Anyone with a finger is a threat,” said Christopher Campbell, director of solutions product marketing with VMware during his keynote. “It doesn’t matter whether it’s the CEO who lost his laptop, the receptionist that wrote her password on a sticky note and stuck it on her monitor, or a hacker that is trying to get inside the organisation.”
“Everyone is a threat – so it’s all about how you can architect to that, and insert security into the different layers to make it comprehensive and seamless. That’s why you can’t have the conversation happening only at your level, in your department. It has to be comprehensive and has to happen at a higher level.”
Delivering on this goal has seen industry players address security at three layers, each of which contributes its own characteristics to the overall application architecture: a secure application infrastructure (VMware’s NSX network virtualisation platform, for example, which this month achieved Common Criteria EAL2+ certification); streamlined, portable endpoint security policies; and the integration of new capabilities and devices into a single application-driven ecosystem.
The combination of mobile device management (MDM) features through VMware-owned AirWatch, and identity-management features marbled throughout the company’s Workspace One secure digital workspace, provides complementary authentication capabilities that can compensate for user error, such as a weak or exposed password, by treating device characteristics (whether the device is enrolled in MDM, for instance) as additional factors in authentication decisions.
“The application infrastructure should have some context of the user and the endpoint that’s trying to access the resource,” Campbell said.
“There are so many devices, applications, and Internet of Things (IoT) devices now that the question is how you aggregate all of those and deliver security in a single sign-on fashion. If you do it the old way you’ll end up with lots of disparate solutions that give you no context. What you truly should have is full visibility into those data flows.”
Getting that visibility has been a key goal of efforts to develop federated authentication frameworks, which seek to simplify credential portability and also tie in with increasingly portable policies around functionally isolated NSX ‘containers’.
Encapsulating business rules within those containers lets application access controls be enforced by policies that follow the application wherever it runs in the cloud. This relieves users of the burden of remembering a separate password for every SaaS application, and gives administrators confidence that the infrastructure will honour governance-driven corporate controls.
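The two ideas above, a managed and compliant endpoint acting as an additional authentication factor that compensates for a weak user credential, and an access policy that travels with the application rather than with the network it happens to sit in, can be sketched as a small policy engine. The following is an added example written for this article; it is not VMware, Workspace One or AirWatch code, and the device posture attributes, the policy fields and the sample requests are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"   # admit only after a further factor (e.g. an OTP) is presented
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    """Posture facts an MDM agent might report about the endpoint (assumed attribute names)."""
    managed: bool            # enrolled in MDM
    disk_encrypted: bool
    os_patched: bool
    jailbroken: bool = False


@dataclass(frozen=True)
class Request:
    user: str
    password_ok: bool        # primary credential verified by the identity provider
    mfa_passed: bool         # a second factor was already presented in this session
    device: Device


@dataclass(frozen=True)
class AppPolicy:
    """Access rule bound to the application, so it applies wherever the app is hosted."""
    name: str
    factors_required: int          # distinct factors needed before access is granted
    managed_device_required: bool  # hard requirement; device posture cannot be compensated away


def device_is_trusted(d: Device) -> bool:
    """A managed, encrypted, patched, non-jailbroken device counts as one factor."""
    return d.managed and d.disk_encrypted and d.os_patched and not d.jailbroken


def evaluate(req: Request, policy: AppPolicy) -> tuple[Decision, list[str]]:
    """Return the access decision plus the reasons, so the outcome can be audited."""
    # Hard stops first: no primary credential, or an endpoint whose integrity is unknown.
    if not req.password_ok:
        return Decision.DENY, ["primary credential failed"]
    if req.device.jailbroken:
        return Decision.DENY, ["device is jailbroken"]
    if policy.managed_device_required and not req.device.managed:
        return Decision.DENY, [f"{policy.name} requires a managed device"]

    factors = 1  # the verified password
    reasons = ["password verified"]
    if req.mfa_passed:
        factors += 1
        reasons.append("MFA passed")
    if device_is_trusted(req.device):
        factors += 1
        reasons.append("device posture counts as an additional factor")

    if factors >= policy.factors_required:
        return Decision.ALLOW, reasons
    if not req.mfa_passed:
        reasons.append("step-up: MFA can still supply the missing factor")
        return Decision.STEP_UP, reasons
    reasons.append(f"only {factors} of {policy.factors_required} factors available")
    return Decision.DENY, reasons


# Constructed sample policies and devices (assumptions, not taken from any product).
EXPENSES = AppPolicy("expense-reports", factors_required=2, managed_device_required=False)
PAYROLL = AppPolicy("payroll", factors_required=3, managed_device_required=True)

UNKNOWN_LAPTOP = Device(managed=False, disk_encrypted=False, os_patched=False)
CORPORATE_LAPTOP = Device(managed=True, disk_encrypted=True, os_patched=True)


def sticky_note_scenario() -> dict[str, Decision]:
    """The receptionist's password is known to an attacker; only the device differs."""
    return {
        "attacker, unknown laptop, expenses": evaluate(
            Request("receptionist", True, False, UNKNOWN_LAPTOP), EXPENSES)[0],
        "owner, corporate laptop, expenses": evaluate(
            Request("receptionist", True, False, CORPORATE_LAPTOP), EXPENSES)[0],
        "owner with MFA, unknown laptop, payroll": evaluate(
            Request("receptionist", True, True, UNKNOWN_LAPTOP), PAYROLL)[0],
        "owner with MFA, corporate laptop, payroll": evaluate(
            Request("receptionist", True, True, CORPORATE_LAPTOP), PAYROLL)[0],
    }


if __name__ == "__main__":
    for scenario, decision in sticky_note_scenario().items():
        print(f"{scenario:45s} -> {decision.value}")
```

The point of the scenario function is that the same leaked password produces different outcomes depending on context: presented from an unknown device it only gets the attacker as far as a step-up challenge, while the legitimate user on a managed, compliant laptop is admitted without extra friction because the device posture supplies the second factor. For the high-sensitivity application the managed-device requirement is a hard gate rather than one more factor to be traded off, so an MFA-bearing request from an unmanaged device is still refused.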
Infrastructure may be the enabler for this kind of secure operation, but to engage business leaders on their own terms security staff must focus on the outcomes it delivers: better employee buy-in, lower cost of deploying and managing SaaS applications, and reduced risk from being able to adopt cloud securely.
“Organisations are pretty good at business continuity,” Phair said, “but again when you put the word ‘cyber’ in front of it they get weak at the knees. To be a resilient organisation, the most important thing is going to be your internal value proposition on how you react and respond.”
“When the organisation can sit down and say ‘this is what we’re going to do and this is our technology roadmap to get there’, that’s when we can say ‘great, this is the security picture that’s going to dovetail with this’. The key is not to think of security as something you have to do when you throw the word ‘cyber’ in front of it; think of it as a way that you can make your business more agile, and even celebrate the way you support your organisation.”