What RSA 2015 can Tell CIOs about the Evolution of Security
By Robert Clyde, CISM, International VP, ISACA
Have you ever noticed that it’s easier to spot changes when you only see someone or something occasionally compared to when you see that same thing every day? For example, were you ever able to easily tell that an infrequently-encountered friend lost a few pounds after not noticing a similar change in a relative or coworker? Or how sometimes it’s easier to spot typos in a document you haven’t picked up in a few days? It’s a fact that sometimes time can bring about a change in perspective—and that change in perspective can be useful in helping you see things you might have missed otherwise.
This subtle shift in perspective is one of the reasons why the RSA Conference can be a useful barometer for CIOs as it relates to the information security aspects of their technology ecosystem. Because, while almost every CIO will agree that security is an important part of that ecosystem, the day to day security challenges CIOs face as a normal course of keeping the lights on can sometimes make it harder to see the broader changes in the space.
The RSA show, because it happens only once a year, can sometimes give that differing perspective—this can help CIOs recognize evolutions and shifts that are harder to see without it. And make no mistake, there are some interesting changes happening in the security space that it behooves CIOs to pay attention to.
Security is Growing
First and foremost, it bears saying that security as a discipline is just now coming into its own. As a proof point of that, RSA this year had 33,000 professionals in attendance (according to a press release from the conference organizers). While a record-breaking number like this, one wouldn’t, in and of itself, be noteworthy, it’s important from a CIO perspective when viewed against the backdrop of a continued and ongoing security skills shortage. Specifically, a recent survey from Cisco cited almost one million unfilled security positions in the marketplace. A recent survey from ISACA found that, while 88 percent of students planned to work in a job that requires some cybersecurity knowledge, only 47 percent felt that they were adequately prepared with the security knowledge they would need.
There are a few implications of this from a C-level perspective. The first and most obvious is that staff retention and attrition of security resources is an important consideration and something to probably put some thought/planning into to maintain the overall health of the security program. Secondly, it also speaks to the relative value of automated security controls vs. resource intensive ones (i.e., it may be long-term more cost effective to automate tasks that in the past required significant manual intervention).
Relative to this same point, there was also a subtle shift in emphasis among other CIOs and CISOs that I spoke to this year. In years past, the perception among folks at the senior level was that security was barely “treading water”—i.e., that organizations were keeping pace with attackers, albeit barely. This year, the informal consensus was that security was not keeping pace. Continued and seemingly-incessant high-profile attacks against large and recognizable targets have reinforced this perception among technology leaders while pressure from regulators and attention from the board has increased.
So the bad news is that the pressure is on; the good news though is that there is recognition among the community that there is an issue. To some degree, this increased recognition that security is an issue is leading to action. For example, it’s probably not a coincidence that the house passed 307-115 (The PCNA or “Protecting Cyber Networks Act”) during the week of the largest security industry conference.
What is the “New Perimeter”
Additionally, there was an increasing awareness of the erosion of the organizational technology perimeter as it was understood in years past. Technologies like cloud, virtualization, mobile, etc. have extended the IT environment for many firms; this extension has brought about new ways of thinking about the perimeter. In years past, for example, it was possible for organizations to place quite a bit of reliance on one or two technical controls to enforce security policy. As new technologies emerge and as the IT environment evolves toward cloud and software defined data centers, the reliance that firms can reasonably place on traditional perimeter controls declines. As this happens, the governance of technology becomes more important, while maintenance and operation of individual controls becomes less so.
As an example of what I mean by this, consider traditional network protection controls like firewalls and intrusion detection systems (IDS). In years past, one could set up a firewall or IDS and have a fairly high degree of certainty that a security policy (as codified in that control if not as an actual organization governance artifact) would be enforced. Introduce technologies like virtualization and cloud though and the situation becomes more complicated; for example, in a virtual environment, the utility of IDS may be potentially decreased (due to backplane communication since the IDS won’t see by default network traffic that doesn’t leave the hypervisor). A technology like cloud potentially “break the rules”— or at least create exceptions to those rules—about internal vs. external traffic. Even newer technologies like mobile, application containers (i.e. Docker), the IoT, or others emerge that lend additional complexity in still more ways.
“Staff retention and attrition of security resources is an important consideration to maintain the overall health of the security program”
As environments become more fluid, constructs that pre suppose segmentation become more challenging and complex. For example, consider an organization with PCI in scope where the cardholder data environment (i.e. the portion of the network where credit card processing occurs) has been carefully segmented from the general purpose network. What happens when this environment becomes virtualized? It’s much easier for a workload, virtual image, or data from the regulated environment (the CDE) to accidentally be relocated to another area—either to a general purpose area of the network or, in fact, outside the organization to a cloud services provider.
As one might imagine, there was a noticeable presence of vendors providing products and services to address these challenges at RSA since these are real pain points that organizations struggle with. That said, no individual solution is a panacea, but instead need to work together with existing controls to enforce policy. This in turn means that the governance aspects of security—for example the establishment of management intent relative to risk and security goals— becomes more important with technical enforcement affected through a portfolio of controls which fit today’s reality of virtualization and cloud, where individual controls work together to address portions of the ecosystem rather than doing the entire job in isolation.
These changes are subtle but palpable on the show floor. And, from a CIO viewpoint, are important to take a note of. At a minimum because it should inform the questions that they ask of their security-focused staff members, but more broadly because effective governance of security is part and parcel of effective governance of technology.