As we set out to consider the major cybersecurity and IT operations developments of 2017, we identified three major forces we believe will influence public- and private-sector enterprises for years to come. And we provide action items you can take in your own organizations to address these forces in 2018.
(Image: Mohamed Hassan / Pixabay)
What would a year-end wrap up be without mention of ransomware, the Internet of Things, and nation-state threat actors? All of these elements affected the lives of cybersecurity and IT operations professionals to significant degrees in 2017, and will continue to wield major influence on our lives in the year ahead. Ok, we mentioned them.
If you’re looking for a laundry list of technologies, Forbes leaves no stone unturned with its 60 cybersecurity predictions for 2018. Such technology roundups are useful to help guide your planning and purchasing decisions. But as we set out to consider the major cybersecurity and IT operations developments of 2017, we realized there were three major forces at play this year that speak to significant organizational and behavioral changes. We believe these forces will influence the IT ops and cybersecurity decisions made by public- and private-sector enterprises for years to come. Here, we highlight why these matter, and provide suggested action items you can take in your own organization in the year ahead.
Three forces driving cybersecurity and IT ops in 2017
One of the least sexy tasks of IT operations was catapulted into mainstream attention this year after a series of ransomware attacks crippled organizations around the globe. Easily lost amongst all the finger-pointing and noise, however, is the fact that patching is hard. Even our best intentions are often derailed by something as old as humanity itself: fear of change. As senior writer Fahmida Y. Rashid notes in CSO Online: “Organizations have legacy systems and many have made massive investments over the years in unpatchable systems and equipment. Migrations aren’t always the answer, and the security industry needs to be more creative about finding ways to work with organizations on upgrading obsolete systems or putting in safeguards to protect what is in place. There are restrictions on what the organization can do with its funds, which requires another set of creative ideas on making do with limited resources.”
Organizational silos certainly don’t help matters. In most organizations, we see IT operations and cybersecurity teams operating in separate, discrete business units, and reporting to different corporate leaders, which makes it difficult to achieve the kind of holistic view of the network needed to thwart future attacks. If we, as an industry, have any hope of putting up a worthy fight against a formidable force, we have to start by breaking down the corporate barriers between IT ops and security. Here at Tanium, we practice what we preach. Our IT and security teams are consolidated in the same organization, led by our Chief Security Officer. This is not the case in most organizations. In fact, reporting lines vary widely and there appears to be no clear standard. More than four in 10 respondents to the PwC 2018 Global State of Information Security Survey, which polled 9,500 executives in 122 countries, said their CISO reports to their CEO, while 22% said the CISO reports directly to the board. About a quarter (24%) said their CISO reports to the CIO. While calling for large-scale organizational change may seem quixotic, we believe IT operations and security teams would do well to work more closely together regardless of reporting structure. One place to start is for members of IT ops and security teams to begin collaborating on technology choices that serve the needs of both groups.
What you can do about it:
Improving collaboration between IT and cybersecurity teams isn’t a panacea to the patching dilemmas organizations face, but it goes a long way toward smoothing the process. Working to foster a spirit of ongoing collaboration will make it easier for you and your colleagues to keep your applications and devices up to date, and keep your company’s data and employees safe. Look for good projects with shared goals you can collaborate on. Find ways to build better cross-organizational communications mechanism. Develop approaches for cross-pollination across teams. You may find your IT colleagues, for example, want to do more in the cybersecurity space because it gives them a break from their traditional roles. Likewise, if you spend all your time on a cybersecurity team, a stint with IT ops could help you understand the challenges those colleagues face.
2. The board of directors
What makes 2017 a watershed when it comes to the topic of cybersecurity and the board is the marked change in the types of questions board members are asking. Over the past several years, hIgh-profile breaches – and their resulting impact on the bottom line – have prompted boards of directors to begin paying attention to cybersecurity in ways they hadn’t done before. As Julliette Rizkallah, CMO of Sailpoint, writes in Forbes: “We’ve come a long way from the days where board members would ask: Are we secure? They are now requesting scorecards that measure company security posture. They are also asking more questions related to regulations and how security controls can help demonstrate compliance. Soon, we will see boards demanding quarterly cybersecurity briefings – some directly presented by the CISO – rather than relying on the occasional update from the company security committee.”
Indeed, cybersecurity is one of the top five trends expected to have the greatest effect on companies in 2018, according to a survey of 587 corporate directors by the National Association of Corporate Directors (NACD). Boards are less confident about cyber-risk preparedness than they were a year ago, according to NACD. Only 37% of respondents say they feel confident or very confident that their company is properly secured against a cyber attack, compared to 42% last year.
It often falls to a company’s CISO or CSO to educate the board about cybersecurity, which can be a difficult and daunting task. The default is to talk about techniques and technologies, while major business factors – including how organizational silos are limiting effective cybersecurity practices – go unexplored. Research firm Gartner predicts organizations worldwide will spend a combined $89.1 billion on cybersecurity by year’s end, with spending expected to increase 8% to $96.3 billion in 2018. And a survey by Ernst & Young of 1,200 C-level enterprise leaders around the globe finds the vast majority of respondents believe their organizations need to increase their cybersecurity spending by 50%. Yet, only 12% of respondents expect to see their cybersecurity budgets increase more than 25%. This may indicate a lack of corporate willingness to increase cybersecurity spending. In fact, a survey of 1,178 IT professionals by the Society of Information Management finds that, even as IT leaders identified cybersecurity as the top IT issue for their organizations this year, cybersecurity spending as a percentage of IT budgets decreased in 2017. Cybersecurity spending represents 5.3% of the IT budget this year, compared with 6.2% in 2016).
So, what’s going to make organizations increase their investments in cybersecurity? More than three quarters of respondents to the EY survey (76%) say the discovery of a breach that caused damage would be likely to cause greater resources allocated to cybersecurity. Damage seems to be the driving force here; 64% of respondents said an attack which did not appear to have caused any harm would be unlikely to prompt an increase in the organization’s cybersecurity budget.
While organizations have made progress this year in changing the types of conversations about cybersecurity being held at the board level, we have a long way to go before cybersecurity is taken seriously as a business priority by the majority of boards. Only 44% of respondents to the PwC 2018 Global State of Information Security Survey say their corporate boards actively participate in their companies’ overall security strategy. According to Gartner, “There is a greater onus on security to translate the work they’re doing into a business context. Without the communication there is a misalignment between security and what’s going on in the rest of the organization.This is when you see the rise of things like shadow IT. With the alignment, the organization will stand or fall together, putting them in a better position than those who are siloed.”
What you can do about it:
Uncovering the right metrics to share with your board is one of the biggest challenges cybersecurity leaders face. Proving the ROI of cybersecurity investments is easier said than done, especially when the metric needs to relate to the business. Sure, you can say product X allowed us to find and remediate vulnerability Y 30% faster than the previous solution. This is nice, but it will mean nothing to your board. The fallback position is to measure everything you can possibly think of to measure, and let the board sort it out. This, too, means nothing to your board. It’s up to you to parse what you’re sharing and make sure it’s in the context of real business value. In an article for CSO, Palo Alto Networks CSO Rick Howard recommends using business concepts such as lost revenue, costs to conduct the forensic investigation of the attack and repair any damage caused, and the expense of defending against customer lawsuits to put your cybersecurity efforts in context. One place to start is by collaborating with your IT and business-side stakeholders to identify the business metrics that make the most sense to your organization, and then working through how you can relate your cybersecurity investments to these metrics. When it comes to measuring the effectiveness of your cybersecurity strategy, there’s no one-size-fits-all answer, and it falls to you to marshal the colleagues available to help you understand what’s most meaningful to your board.
3. Data protection
The European Union’s General Data Protection Regulation (GDPR), which goes into effect in May 2018, is already having major impact this year on how organizations think about data protection. Any company doing business in the European Union – regardless of where it is based – will need to abide by the regulation, which changes how personal data can be used by corporations and governments. Failure to comply could result in fines of up to 4% of global revenue. A bill introduced to U.K. Parliament in September would mirror GDPR.
With so much at stake, GDPR sparked a land grab among technology vendors, with service providers of all stripes marketing all manner of tools promising to ease the compliance burdens. The amount of FUD around GDPR is enormous, and with good reason. Not only will the regulation change how organizations market to consumers online, it changes how they’re required to react after a breach.
GDPR includes a new, 72-hour breach notification rule, which puts significant pressure on IT operations and cybersecurity teams. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their global revenue. The regulation also implements data localization requirements which will affect any company using the cloud to do business in the EU.
According to The National Law Review, “The definition of a data compromise under the GDPR is broader than under most U.S. state laws. Under the GDPR, a data compromise can occur where the confidentiality, availability, and integrity of the data is affected. This can be triggered by anything that affects, even temporarily, the availability of data, such as ransomware or a power outage. Similarly, the definition of “personal data” under the GDPR is significantly broader than under U.S. law, and includes any information that can be used, directly or indirectly, to identify an individual, including IP addresses and network passwords.”
From a public policy standpoint, the regulation spotlights core differences in how privacy is viewed by authorities in the EU and the United States. EU member companies view privacy as a fundamental human right, and this philosophy guides legislation. The U.S. does not legislate from the POV that privacy is a fundamental human right. According to the National Law Review, “Rather than create fundamental overarching privacy regulations, the U.S. tends to create privacy laws when a need for them arises.” Privacy regulations in the U.S. tend to be industry-specific (HIPAA for healthcare, and GLBA and FCRA for financial information) and are sometimes driven by industry standards instead of government regulation, as is the case with PCI-DSS in the payment-card sector.
Preparing for GDPR presents an opportunity for IT ops and security teams to begin finding ways to collaborate and work together to eliminate organizational silos. It’s difficult to image an organization adequately responding to GDPR without a concerted, enterprise-wide effort that not only pulls in IT and cybersecurity teams, but also brings together folks from governance, risk, and compliance, legal, marketing, and digital operations – among others.
What you can do about it:
While the breach notification and remediation requirements are the most obvious places GDPR will affect the lives of cybersecurity and IT professionals, the regulation’s stringent privacy and data protection requirements can’t be overlooked. For example, a Forrester Security Brief on GDPR notes under the new rules, “firms must consider privacy at the start of any new project and ensure that the right security controls are in place throughout all development phases.” This will require sustained collaboration between teams. So, let’s say your company is developing a new app. Your security and privacy experts will need to work with the marketing team to build the business requirements and development plan to make sure it complies with the new regulation. Likewise, GDPR puts new rules in place governing how personal data can be transferred between companies. The definition of “personal data” broadens under the new rules includes direct identifiers (name, ID number, home address) and indirect identifiers (date of birth, location, title) and online identifiers (IP addresses, social media accounts, email addresses, account numbers, and browser cookies). It’s time for IT and cybersecurity teams to start working together to ensure they understand where all this data exists in the organization, how it’s being used, and how it’s being protected.
The wrap up
What do successful patching, effective communication with your board, and preparing for new regulations all have in common? They all benefit from closer collaboration between IT and security teams. If you make one business resolution for 2018, make it this: to work more closely with colleagues from across the organization to make sure you’re doing all you can to keep cybersecurity and IT operations working toward common the common goal of keeping your company’s data safe and secure.
About the Author: As Chief Security Officer, David Damato provides strategic product direction over module development for the Tanium Platform and manages the company’s internal security program. David brings a wealth of security expertise to Tanium, spanning incident response and forensics, vulnerability assessments, security program development, security operations, and network and security architecture. Prior to Tanium, David most recently served as Managing Director at Mandiant, a FireEye company, where his team led incident response and post-breach remediation efforts at over 100 Fortune 500 companies. At Mandiant, David was also instrumental in developing new incident response services capabilities and establishing consulting offices both domestically and internationally. Prior to Mandiant, David led security consulting teams at PwC as part of its Washington Federal Practice and held IT roles at Raytheon focused on the management of internal and government networks. David frequently shares his expertise and insights at industry events and with the media.