PREDICTIVE INTELLIGENCE
properly map out a deployment plan that very much sounds like a ‘no’.
What many people don’t understand is just how difficult the CISO’s job has become over the last decade. Everything has gone digital, proliferating the technology and systems that produce and manage critical business data. Traditional security boundaries have vanished, and CISOs are now operating with network complexities that would previously have been unimaginable.
Internationally dispersed, mobile workforces and outsourcing have become commonplace within many organisations, creating countless connections that span multiple continents. The number of regulatory mandates that the CISO has to navigate is dizzying.
Complexity is the CISO’s number one problem, so it’s only natural that they may seem resistant to anything that could compound it further.
CISOs lack necessary network visibility
But pushback from the CISO and their security team doesn’t just happen because they’re worried about their workloads. Many are also concerned because they know that they’re not in the best position to secure any additions to their security environment.
If they don’t already have visibility over their hybrid estate, they can’t picture their security status as it is now, let alone how it would look with any number of innovations tacked on.
When they put their hands up to say ‘stop’ or ‘slow down’, it’s because they know just how dangerous new third-party apps, virtualised networks or IIoT devices can be to their already fragile risk posture.
In most organisations, a lack of network visibility, combined with inconsistent security measures tied to new technology deployments, is the root cause of security being seen as ‘The Department of No.’
34
The CISO has an image problem.
If this perception is going to change, then the CISO needs to ensure that they can gain full network visibility and predictive modelling capabilities. If they’re able to see everything that needs to be protected, plus analyse and predict where risks and vulnerabilities may arise, they will be more confident in their team’s abilities to deploy and protect new network elements. It’s the first step to security becoming ‘The Department of Yes.’
The danger of saying no
Progress waits for no man. While security teams may find themselves at a stalemate, organisations are still charging full speed ahead with their Digital Transformation initiatives. They don’t have time to navigate any impasse; they know that they need to innovate to become more efficient and to maintain a competitive edge.
This results in security being overlooked. If it isn’t ignored completely, it’s relegated to an insufficient checkbox exercise during DevSecOps processes.
When properly embedded, security underpins the success of any innovation. But when security is sidelined, it’s possible that an organisation’s Digital Transformation initiatives could bring the business to its knees.
Disconnected processes often lie behind poorly executed security, and the likelihood of process disconnect only increases in hybrid environments. One of the main reasons for this is the separation of teams responsible for different portions of the network. In hybrid environments, not only can there be separation between the security and operations teams, but the growing DevOps/DevSecOps team also adds yet another layer of departmental complexity.
The CISO needs to make sure that process disconnect doesn’t impact the delivery of effective security. They need to ensure that they don’t operate within silos and that they have the oversight needed to ensure that all processes are fully aligned.
One example of how misalignment harms organisations is when cloud services are misconfigured. Many organisations work with an assumption that cloud services are secure, but if their access points aren’t properly configured then they could end up ushering in any number of new threats.
Insufficient cloud security protocols and a lack of testing are leaving many businesses exposed, and this trend will continue to gather pace if cloud deployments aren’t fully within the purview of the CISO.
Issue 22 | www.intelligentciso.com