5 Top Trends Redefining CSO Priorities
The CSO carries a heavy load, as the person responsible for overall direction of security functions associated with IT applications, communications, and computing services and security within the enterprise. Part of what makes the role of the CSO so challenging is that trends introduce change, and the changes are cumulative. Few of the old security concerns go away; yet emerging technology trends introduce new risks while amplifying traditional concerns in novel and unexpected ways.
Let’s examine 5 top trends that are causing CSOs to re-assess their existing priorities for mitigating risk in the enterprise.
1. Consumerization of IT
Few trends have been so surprising to traditional IT teams as consumerization of IT. Remember back when the IT department could make a careful assessment of needs and support requirements and then dictate what devices and platforms the employees would use? Those were the good old days in terms of risk management. Oh, there were always a few exceptions, but exceptions are defined by the norm, which was policies for supported devices. Now, the exception is becoming the new norm.
According to a recent IDC study, 95 percent of information workers use self-purchased technology for work. The survey is filled with interesting findings, including some disconnects between official policy and assumed policy. (67 percent of employees said it was permissible to access non-work-related websites, while only 44 percent of the employers said it was.) Tellingly, the top barriers to enabling employee use of their own PCs and devices are security concerns.
The value that these new technologies are providing goes beyond the traditional arguments about boosting personal productivity and fostering collaboration; they facilitate a new way of communicating inside the organization, and with the customer community beyond. CIO.com in an article, 5 Reasons Why CIOs Can’t Ignore Consumerization of IT, notes: “According to McKinsey and Company, ‘word of mouth is the primary factor behind 20 to 50 percent of all purchasing decisions.’ As the control of corporate brands shifts to online conversations outside of the company's purview, organizations will increasingly value employees who can navigate the ecosystem and are influencers in their social networks.”
Without the ability to say “no”, it is left to IT to try to accommodate these new consumer devices. In terms of security impact and risk, this means no more platform “standards”, lack of ability to enforce policy or do traditional monitoring, frequent lack of enterprise management tools, and a growing percentage of “unmanaged” devices within the enterprise.
2. Cloud Computing
Cloud computing is another significant game changer. The economic case for cloud computing can be persuasive: deploying solutions while avoiding the classic hurdles of capital expenditures and operational expenditures that go with deploying and managing your own resources. The CSO has the ability to seamlessly scale up or down according to need. The cloud represents a major change in how computing resources will be utilized for large companies with existing data centers, processes and people who manage them.
From the CSO perspective, an enterprise needs to know that resources placed on the cloud have the proper level of security, yet moving to the cloud limits an organization’s ability to control systems and data. Ironically, this means that the organizations whose data centers are best controlled and managed today may be slower to adopt the benefits of cloud computing, which could ultimately place them at a disadvantage.
For a perspective on this topic, the risks and rewards of cloud computing are examined in the white paper, Cloud Computing: Business Benefits with Security, Governance and Assurance Perspectives, which is a collaboration between ISACA and the Cloud Security Alliance. More guidance documents on the research page of the Cloud Security Alliance site can help CSOs do a cost-benefit analysis to determine if cloud computing is the right move now or in the future.
3. Advanced Persistent Threat
Over the years computer viruses have evolved from sometimes amusing nuisances to more sophisticated hacking attacks that have become technically advanced, persistent, well-funded, and motivated by profit or strategic advantage.
Today the CSO must contend with the Advanced Persistent Threat (APT), sometimes referred to as a “low and slow” approach because the APT is usually intended to serve as a long-term monitor of systems rather than as a direct, one-time attack. Unlike the highly visible infections of the past, such as the ILOVEYOU virus, an APT is designed to elude detection, making the job of detection and protection all the more difficult.
Wikipedia (see their page for source references) states that definitions of APT can vary, but an understanding can be summarized by their expansion of the acronym:

