The Best Piece of Security Advice for CISOs in 2016

December 16, 2015 Elias Terman

Fourteen industry experts weigh in on how to mitigate cybersecurity threats in the new year

As we look ahead to the new year, we asked a group of security experts to provide their most important piece of advice for CISOs along with which cybersecurity threats to be most mindful of in 2016.

Jesper Jurcenoks, ‎Product Manager, Vulnerability Assessment at Alert Logic

@jesperjurcenoks


Best piece of Advice: Get visibility into your ever-changing cloud infrastructure, make sure your tools can handle the ever-changing nature of cloud elasticity, and visualize your cloud environment. It is surprising how much it matters that you and your employees have the same mental picture of what your cloud environment looks like, which in turn helps your security.

Biggest cybersecurity threat in 2016: Misunderstanding the shared security model between cloud provider and customer. Specifically, everyone knows that Amazon AWS has great security; however, many companies fail to understand that AWS only covers part of the stack and that the companies themselves are responsible for the rest, leaving many systems unprotected.


James Kaplan, Principal at McKinsey and Author of Beyond Cybersecurity: Protecting Your Digital Business

@jmk37


Best piece of Advice: Determine how to position cybersecurity as a business and commercial issue rather than just an IT one.

Biggest cybersecurity threat in 2016: There is no single biggest threat -- threat environments vary radically by sector and company depending on its business model and information assets.


Mike Rothman, Analyst and President at Securosis

@securityincite


Best piece of Advice: The CISO should have two priorities. First, a focus on hiring, because without a competent team they can train and retain, there is no way to achieve their goals. Second, get a ton of face time with the senior team to educate them about the security program, what the team does and why it matters.

Biggest cybersecurity threat in 2016: Apathy. Or in other words, breach fatigue. The constant drumbeat of breaches and other attacks can create numbness on the part of executives, and that’s not a good thing. We’ve been dealing with these advanced attacks for 5+ years and have seemingly made little progress. At some point the senior team starts to question why they are spending so much money to have so little impact. This forces CISOs to focus on value, manage expectations, and make sure they set achievable objectives.


Eric Ogren, Security Analyst at 451 Research

@451Research


Best piece of Advice: Budget for one, two or three innovative security products. You’ve got compliance cracked, but now is not the time for trainspotting. Keep moving forward. A few proofs of concept with new-age vendors may really help secure your business and make your life easier.

Biggest cybersecurity threat in 2016: Fatigue. We place a lot of demands on under-staffed security teams. It’s easy to see why companies get jaded about useful new product ideas – they all take practitioners to operate. The biggest cyber threats will continue to use the open doors to the business whose job it is to communicate with the outside world, such as browsers, email and websites.


Katie Moussouris, Chief Policy Officer at HackerOne

@k8m0


Best piece of Advice: No one can handle security alone -- defenders need all hands on deck, and security researchers are among the global network of potential allies. Creating incentives for security research should augment and direct the proactive security assurance efforts like secure development, secure operations, and penetration testing that companies invest in to protect their users.

Biggest cybersecurity threat in 2016: The biggest cybersecurity threat to companies is a sense of false security by ticking all the “best practice” check boxes, yet failing to have ongoing threat assessments from the real world in the form of accepting vulnerability reports from helpful hackers. As of 2015, out of the Fortune 2000 companies, over 94% had no published channel to receive bug reports from outside security researchers. What if the next headline-stealing breach could have been prevented by a hacker warning a company first by reporting the issue? Hackers can be heroes if companies are willing to listen. The result is a safer Internet for everyone.


Rik Turner, Security Analyst at Ovum

@OvumICT


Best piece of Advice: Invest to make it more expensive for attackers to target your infrastructure than that of your peers and competitors.

Biggest cybersecurity threat in 2016: DDoS is an ongoing concern, particularly as it is now being linked with ransom demands. In addition, phishing and its more refined variants, such as spear phishing and watering hole attacks, continue to be a problem. Similarly, botnet traffic continues to outstrip human-generated traffic, and the need to distinguish between good and bad bots becomes ever more important.
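The good-bot versus bad-bot distinction Turner raises has a concrete form for the most common case: a request whose User-Agent claims to be a search-engine crawler. The User-Agent string is trivially forged, so the major engines publish the same verification method: the reverse DNS of the source IP must land inside the engine's own domain, and the forward DNS of that hostname must return the same IP. The block below is an added example, not code from the article or from any of the people quoted. The resolver functions are injectable so the logic runs offline against constructed DNS answers; the IPs, hostnames and the `KNOWN_CRAWLERS` table are assumptions for illustration, not a complete list of crawlers.

```python
"""Verify a self-declared search-engine crawler by reverse then forward DNS.

Both lookups are needed. An attacker who controls the reverse zone for their
own IP range can publish any PTR record they like (including one that ends in
googlebot.com), but cannot make the engine's forward zone resolve that
hostname back to their address.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Domains the recognised crawlers resolve into, e.g.
# crawl-66-249-66-1.googlebot.com or msnbot-40-77-167-1.search.msn.com.
# Assumed subset for this example; extend for the crawlers you care about.
KNOWN_CRAWLERS: Dict[str, Tuple[str, ...]] = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

Reverse = Callable[[str], Optional[str]]  # ip -> hostname, or None if no PTR
Forward = Callable[[str], List[str]]      # hostname -> list of A/AAAA addresses


def claimed_crawler(user_agent: str) -> Optional[str]:
    """Which known crawler, if any, the User-Agent claims to be."""
    ua = user_agent.lower()
    for name in KNOWN_CRAWLERS:
        if name in ua:
            return name
    return None


def hostname_in_domain(hostname: str, domains: Tuple[str, ...]) -> bool:
    """True if hostname equals or is a subdomain of one of `domains`.
    The leading dot defeats look-alikes such as evilgooglebot.com."""
    host = hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def verify_crawler(ip: str, user_agent: str, reverse: Reverse, forward: Forward) -> str:
    """Return 'verified', 'forged' or 'not-a-crawler'."""
    name = claimed_crawler(user_agent)
    if name is None:
        return "not-a-crawler"
    host = reverse(ip)
    if host is None or not hostname_in_domain(host, KNOWN_CRAWLERS[name]):
        return "forged"          # PTR missing, or outside the engine's domain
    if ip not in forward(host):
        return "forged"          # engine's forward zone does not vouch for this IP
    return "verified"


# Constructed DNS answers for an offline demonstration (not real records).
PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com.evil.example",  # attacker-controlled PTR
    "198.51.100.9": "googlebot.com",  # PTR looks right, forward lookup disagrees
}
A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "crawl-66-249-66-1.googlebot.com.evil.example": ["203.0.113.7"],
    "googlebot.com": ["142.250.0.1"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return PTR.get(ip)


def fake_forward(host: str) -> List[str]:
    return A.get(host, [])


# Real resolvers for production use; both swallow lookup failures.
def real_reverse(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def real_forward(host: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in PTR:
        print(ip, verify_crawler(ip, ua, fake_reverse, fake_forward))
```

In production the DNS results are worth caching per IP, since verified crawlers return from the same addresses for long periods and the two lookups per request are otherwise the expensive part of the check.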


David Strom, Journalist at ITworld, TechTarget, Dice/Slashdot and Network World

@dstrom


Best piece of Advice: You will be hacked/breached/whatever. Start preparing now. Don't take your security for granted, and don't ignore the insider threat.


Ernie Regalado, Founder, at Bizety Technologies

@BizetyCDN


Best piece of Advice: Continue to invest in training and education for company personnel. You can never have enough education.

Biggest cybersecurity threat in 2016: The most vulnerable sectors are transportation, manufacturing and energy. There are hundreds of thousands of organizations globally running old machinery and equipment that is decades old. Targeting these systems can inflict a considerable amount of harm, even crippling parts of a country.


August Detlefsen, Application Security Consultant & Author of Iron-Clad Java: Building Secure Web Applications

@codemagi


Best piece of Advice: Dollar for dollar, training your developers in major classes of vulnerabilities and how to mitigate them will yield the best results in terms of security posture. When designing your training program, don't forget to train the developer managers too.

Biggest cybersecurity threat in 2016: Adoption. We know how to defend against most of the major classes of vulnerabilities, but we still see those same vulnerabilities crop up time and again.


David Cowan, Space & Cyber venture capitalist at Bessemer Venture

@DavidCowan


Best piece of Advice: For the REALLY important data in your enterprise, use a notebook and pen. At least until 2025.

Biggest cybersecurity threat in 2016: The security agents running on hosts are so noisy that sophisticated adversaries (the ones targeting your crown jewels) see them from a mile away, so they can be disabled or avoided. The false sense of security we get from these noisy sensors will undoubtedly lead to more devastating attacks.


John Stauffacher, Core Services Architect at Optiv

@g33kspeed


Best piece of Advice: Good luck.

Biggest cybersecurity threat in 2016: Inadequate staffing levels and a general technical deficit when it comes to implementing security solutions. Far too often, teams are undertrained and understaffed for the work load they have to shoulder.


Patrick Miller, Managing Partner at Archer Energy Solutions

@PatrickCMiller


Best piece of Advice: Stop talking about security. Security causes executive management (C-level, Board of Directors) to shut down mentally. Security has scary consequences, is often too technical to fully understand, and there are no easy solutions. If you want traction (budget, resources, solutions), start talking about operational resilience. How do you keep the company running in the face of any obstacles and hazards (of which security is just one)? Security is risk management. Consider using the word “resilience” instead of security.

Biggest cybersecurity threat in 2016: Data containment and integrity. Companies will continue to get breached and their data stolen. The stolen data will be sold to the highest bidder or leaked depending on the threat actor’s motivations. Further, there is potential for data manipulation. If the threat actors can breach the organization, in addition to stealing the data, they have the option of manipulating it. Think of stock price, product price, tariff, exchange rate, etc.


Stephen Ridley, Principal at Xipiter

@s7ephen


Best piece of Advice: Having been a CISO at a popular FinTech company, I know how difficult it can be to triage your time. I believe CISOs these days should be focused on IoT and endpoint protection as the "new frontier," listening to vendors that are offering solutions with some degree of intelligent data search, as well as those that are making use of "data science" or machine learning to increase signal and decrease noise from all these tools. You should ask yourself: is that new appliance/app going to just be generating more data that you have to slog through, or is that vendor actively thinking about your workflow and making your life easier by using search technologies and data science?

Biggest cybersecurity threat in 2016: Threats, as we all know, can be external or internal. There is a new threat landscape that we are only just starting to see the first tremors from. That threat is the ubiquitous insecure embedded operating systems and applications that are showing up in the enterprise -- Internet of Things, industrial control, and embedded systems. I think this new landscape requires new technologies and a new perspective.


Rami Essaid, CEO and Co-Founder at Distil Networks

@ramiessaid


Best piece of Advice: Having a plan of action for the worst case scenario can reduce incident times by over 50%. Just because it’s unlikely doesn’t mean it is improbable. Be prepared.

Biggest cybersecurity threat in 2016: Account takeovers and identity theft are going to skyrocket in 2016. This is a byproduct of the massive breaches that have occurred over the past two years. So much sensitive data has been leaked, everything from usernames/passwords to confidential personal information, but we haven’t seen the rest of the iceberg and how the bad guys are going to use that data.
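On the defender's side, the account takeovers Essaid predicts arrive as credential stuffing: leaked username/password pairs replayed against a login endpoint, one attempt per account across thousands of accounts. That shape is distinguishable from a legitimate user fumbling their own password (several failures, one username) and from a brute-force attack on a single account. The block below is an added example, not code from the article or from Distil Networks. It runs a sliding-window check over constructed authentication log lines; the log format, IP addresses, usernames and thresholds are assumptions for illustration. For each source that shows the stuffing pattern it reports the accounts that source nevertheless logged into, which are the takeover candidates to lock and notify.

```python
"""Flag credential-stuffing activity in an authentication log.

Signal: many failed logins spread across many *distinct* usernames from one
source inside a short window. Successful logins from a flagged source are the
accounts whose leaked credentials still work.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set

# Constructed log lines for this example (not from any real system).
# Format per line: ISO timestamp, source IP, username, FAIL or OK.
SAMPLE_LOG = """\
2016-01-04T10:00:01 198.51.100.23 alice FAIL
2016-01-04T10:00:02 198.51.100.23 bob FAIL
2016-01-04T10:00:02 198.51.100.23 carol FAIL
2016-01-04T10:00:03 198.51.100.23 dave OK
2016-01-04T10:00:04 198.51.100.23 erin FAIL
2016-01-04T10:00:05 198.51.100.23 frank FAIL
2016-01-04T10:00:06 198.51.100.23 grace FAIL
2016-01-04T10:00:07 198.51.100.23 heidi FAIL
2016-01-04T10:00:08 198.51.100.23 ivan FAIL
2016-01-04T10:00:09 198.51.100.23 judy FAIL
2016-01-04T10:01:00 203.0.113.5 alice FAIL
2016-01-04T10:01:07 203.0.113.5 alice FAIL
2016-01-04T10:01:15 203.0.113.5 alice FAIL
2016-01-04T10:01:30 203.0.113.5 alice OK
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse the four-column format above; blank lines are skipped."""
    events: List[Event] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(
    events: Iterable[Event],
    window: timedelta = timedelta(minutes=5),
    min_failures: int = 8,
    min_distinct_users: int = 5,
) -> Dict[str, Set[str]]:
    """Return {source_ip: accounts it logged into} for every source whose
    failures within some `window` number at least `min_failures` and cover at
    least `min_distinct_users` different usernames. The thresholds are
    illustrative assumptions; tune them against your own traffic."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    findings: Dict[str, Set[str]] = {}
    for ip, evs in by_ip.items():
        recent: Deque[Event] = deque()  # failed attempts inside the sliding window
        for e in evs:
            if e.ok:
                continue
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            distinct = {r.user for r in recent}
            if len(recent) >= min_failures and len(distinct) >= min_distinct_users:
                # Stuffing pattern seen from this source: report what it got into.
                findings[ip] = {x.user for x in evs if x.ok}
                break
    return findings


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(parse(SAMPLE_LOG.splitlines())).items():
        print(f"credential stuffing from {ip}; accounts to lock/notify: {sorted(accounts) or 'none'}")
```

The single-user case (203.0.113.5, three failures on alice then success) is deliberately not flagged: locking that account would punish the victim of a typo, not an attacker. Attackers who spread attempts across many source IPs defeat a per-IP window; the same check keyed on another stable attribute of the client (for example a TLS or device fingerprint) catches the distributed variant.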


Rapid Fire Poll: Which will pose a greater threat to companies in 2016?

mobile vs. cloud

iOS vs. Android
