By Security Features • June 13, 2016

Ask the expert:­ What’s keeping CISOs awake at night?


The pressure is on for the CISO. Recent high profile data breaches have meant all eyes are on them, as a worrying amount of websites and applications are found to be vulnerable to cyber attack.

There is more at stake than ever before, especially when considering the potential monetary and reputational damage caused by a data breach.

But with this growing pressure on the CISO, what are the main issues keeping them awake at night? Why are organisations becoming increasingly vulnerable? What are the biggest obstacles the CISO is trying to overcome and how can they overcome them, in order to keep their organisation safe?

Ryan O’Leary, Vice President of the Threat Research Centre at application security company WhiteHat Security, answers some of the burning questions that CISOs are losing sleep over…

How can I justify security ROI?

Security is, now more than ever, a potentially huge monetary liability as recent high profile breaches have shown. Unfortunately, security is considered an expense without a direct Return on Investment (ROI). However, what many organisations are failing to realise is that whilst security may not deliver a physical, financial return, the implications that could follow from not investing in security make it a more than worthwhile investment. Security investments are not new physical offerings or services that will generate revenue; nevertheless, these investments will always prove to be more cost effective than a breach.

The average cost of a data breach was estimated to be $3.8 million in 2015 – if implementing a specific security measure would cost your business just 10 per cent of that figure, whilst significantly reducing your threat exposure – it is inarguably a worthwhile investment. This is especially true when considering the rapid rate at which the cost of a data breach continues to rise. CISOs must present to their peers the potential savings that can be made by investing in security – because, regardless of the initial pay out, a breach will always cost more.

How can I be sure I am spending my security budget effectively?

It can be tempting for a CISO to throw money at the latest or most innovative products, in an attempt to bolster security practices. However, not only is this not cost effective, but it is not always the most worthwhile in terms of protecting the organisation. There is no one solution when it comes to achieving security, and a CISO must be seen to be spending money wisely, and inline with the organisation’s core business activities. The most efficient way to do this is to build security in; not just build it on.

Security must be incorporated from the first instance, in order to reduce unnecessary expenditure. A security-centric development program is the most cost effective way to improve an organisation’s defences. All too often, security and development do not go hand in hand, meaning that developers do not understand the threats faced by an organisation. Nonetheless, training and educating developers will cost the organisation a great deal less than investing in costly security measures to remediate vulnerabilities in bad code.

This education is even cheaper if done in house – thus allowing the CISO to feel confident that they have spent the security budget in the most efficient manner. The vulnerabilities typically start with the developer, the simplest and cheapest way to prevent this from entering code altogether is to simply train your developers on secure coding practices.

How can I identify my best assets, and protect them?

Unfortunately many organisations do not have a clear enough view of the volumes and location of live Internet facing and internally facing applications in their environment. CISOs cannot hope to implement a cohesive threat defence strategy without having a good view of the threat landscape. Given that you cannot secure what you don’t know about, it is important to conduct and maintain an asset inventory, to analyse and prioritise these assets and how they could leave an organisation vulnerable. This should be repeated on a regular basis and updated accordingly, to allow an organisation to further develop understanding of its own risk profile.

With a clear view of their organisation’s threat landscape, CISOs can implement a prioritisation process for ensuring that applications are being tested effectively and often enough to maintain the security of the organisation. Putting these security measures in to affect becomes a great deal easier for the CISO, once they have identified what the key assets of the organisation are, and the level of security needed to protect them.

Where can I find and hire quality security engineers?

In the current security climate, finding a qualified security engineer who can be trusted with protecting the IP of an organisation is an increasingly difficult part of any CISO’s job. There are currently thousands of open positions within the market, but very few qualified security engineers who CISOs feel they can trust to do the job adequately, making this one of the hardest positions to fill. It may seem as though the CISO has to, in fact, make one of the biggest investments on staffing – and in unfortunate circumstances, there can be little to no pay off in doing so.

However, this is not the case – the CISO does not have to blow the budget on hiring affective security engineers. The other avenue to take is to partner with a vulnerability assessment company, meaning a CISO can rest assured that the needs of the role are being efficiently and cost effectively carried out by trusted security experts.

Is it really just a matter of time before my application is breached?

Some organisations are, unfortunately, reluctant to face the reality – breaches are becoming more prevalent, persistent and targeted. All security professionals must be armed and prepared for when – not if – it happens to them. The only way to be truly prepared is through a multi-pronged approach, incorporating secure coding, strong static and dynamic analysis tools, and pen testing. These tools will allow security professionals to identify issues in code as it is being written, to prevent vulnerabilities from ever being introduced in the first place.

Furthermore, a CISO must not lose sleep over the ‘ifs’ or ‘whens’, but rest assured that they know the exact measures they will put in place, should they be targeted by malicious actors. It is imperative that every organisation implements a strong process for remediating vulnerabilities.

However, what many organisations do not recognise is the importance of having a strategy in place for virtually or temporarily patching these vulnerabilities whilst the development team is fixing them, thus reducing the temporary threat surface of the organisation.

Link : Original Souce