The responsibility of securing the enterprise has been pushed onto the CIO, Linda Ban, the Global C-suite study director at IBM, said at the Fusion 2015 Conference of CEOs and CIOs in Madison, Wisconsin. The trend was one of the findings of IBM’s recent Global C-suite Study, which surveyed over 4,000 people from all C-level positions.
Ban was not the only one at Fusion who addressed this issue of the CIO taking charge of security. Asif Naseem, President and CEO at PDS, an IT services, solutions and technologies provider, also spoke about how security now dominates the CIO’s agenda because of unavoidable emerging technology trends and because cyberattacks are increasingly malicious.
Naseem added that each emerging technology trend brings more and new vulnerabilities and risks that the CIO has to address within his or her own organization.
IoRT (Internet of Right Things)
Of the ever-increasing number of mobile apps and devices being used by employees, for example, “no more than half of these devices entering the network are secure,” he said.
Furthermore, the rise of the Internet of Things (IoT) brings new security concerns with it, Naseem said, adding that “99% of the devices that can be connected, aren’t.” Yet.
But the statistic raises the question, Naseem said: “If a device can be connected should it be?”
Having hundreds of millions, even billions, of devices connected to the Internet creates a larger surface for attack, Naseem said.
He urged the audience to instead think of IoT as IoRT, or “Internet of Right Things”, and only connect devices that will bring value from being connected to the Internet.
Avoiding these new trends, emerging digital technologies, and the risks that they bring with them is impossible, said Sean Wessman, senior manager for Ernst & Young (EY) Cyber Security, during his presentation on building new and competitive business models securely. This is especially the case as millennials increasingly enter the workforce.
To prove his point he cited Gartner’s statistic that 30% of millennials would rather have an iPhone than a raise. In addition, Gartner also found that 46% of vehicle drivers aged 18 to 24 would choose Internet access over owning a car.
As C-suite leaders are forced to embrace digital technologies, Wessman said, they have to think about “systems of trust. That’s really the challenge that’s upon us as the CIOs and the leaders of IT… in our organizations, is how do we establish systems of trust?” he told the Fusion audience. One way is to think about security in phases, he said.
The three phases of cybersecurity maturity
In the Global Information Security Survey, which EY Cyber Security has conducted among CIOs and IT leaders for the past 18 years, the Ernst & Young security practice has found there are three phases of cyber security maturity companies must go through:
Activation is the first phase, Wessman said. “If we’re doing secure software development, activation is defining a policy or standard for… secure application development. That’s the early phases. It establishes the governance in the organization that allows us to do something of this nature.”
Adaptation is the second phase. “How do we adapt our software development lifecycle to apply to the new areas where we may do software development?” Wessman said.
For example, the risks that come with development for a mobile device are different from the risks when developing for a web-enabled device or for an internal financial control system, and so on, he said.
The challenge then is: “How do we adapt our policies and our standards to apply to these different environments that have clearly different requirements and different threat vectors and different threat outcomes?” Wessman said.
Anticipate is the final phase of cyber security maturity.
“If we have trouble managing thousands of devices today, how are we going to manage millions of devices?” Wessman said. “If we have to anticipate then all of a sudden maybe we can think about things differently.”
Wessman used the example of James Roth, CISO at Aetna, a healthcare benefits company, and how Roth recognized it would be impossible to manage defects in his software development cycle on the backend. So Roth studied the way code was developed in his company and it turned out that “across all platforms, 90% of the code redevelopment was from open source code repositories and libraries because coders don’t want to do the same thing twice,” Wessman said.
Roth’s innovative approach to solving the problem? Rather than focusing on managing defects on the backend, Roth decided to secure the base of code on the front end, namely: “Only allow [their] developers to leverage code that has been through security process so that at the backend [they] have far fewer defects to manage across the lifecycle of these many devices, bringing the cost down.”
Wessman cited this as a prime example of how being forced to anticipate what will come next can help IT leaders to think differently and solve potential problems.
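The front-end gate Wessman describes can be made concrete as a build-time check, shown here as an added example that is not code from the article, from Aetna or from EY: a dependency manifest is compared against an allowlist of library versions that have already passed the organization's security review, and anything unreviewed or unpinned is blocked before it enters the build. The allowlist, the pip-style manifest and every package name below are constructed for illustration.

```python
"""Added example: gate a dependency manifest against security-reviewed library
versions (the 'secure the base of code on the front end' approach). The
allowlist, manifest and package names are all constructed, not real data."""
import re

# Constructed allowlist: package -> versions that passed the security review.
APPROVED = {
    "requests": {"2.31.0", "2.32.3"},
    "pyyaml": {"6.0.1"},
    "cryptography": {"42.0.5"},
}

# Constructed manifest in pip requirements style (comments and blanks allowed).
MANIFEST = """\
# constructed sample requirements.txt
requests==2.31.0
PyYAML==5.4.1          # version not in the reviewed set
cryptography==42.0.5
leftpad-clone>=1.0     # unpinned: cannot be matched to a reviewed build
"""

# Matches an exact pin such as "name==1.2.3"; names are case-insensitive in pip.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s#]+)")

def parse_manifest(text):
    """Return (name, version) per requirement; unpinned lines get version None."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2)))
        else:
            name = re.split(r"[<>=!~\s]", line, maxsplit=1)[0].lower()
            entries.append((name, None))
    return entries

def gate(text, approved=APPROVED):
    """Return (name, version, reason) for every requirement that blocks the build."""
    violations = []
    for name, version in parse_manifest(text):
        if version is None:
            violations.append((name, None, "not pinned to an exact version"))
        elif name not in approved:
            violations.append((name, version, "package never reviewed"))
        elif version not in approved[name]:
            violations.append((name, version, "version not reviewed"))
    return violations

if __name__ == "__main__":
    for name, version, reason in gate(MANIFEST):
        print(f"BLOCK {name} {version or ''}: {reason}")
```

Run in CI before the build step, a non-empty result from `gate()` fails the pipeline, which is what moves defect handling from the backend to the point where code enters the organization.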
Let us know what you think about the story; email Kristen Lee, features writer, or find her on Twitter @Kristen_Lee_34.