Cybersecurity, the Cloud and IT Budget: 2015 CIO and CISO Priorities
What are some of the top concerns of CISOs & CIOs today? According to a 2014 TechAmerica Federal CIO and CISO Survey: improving cyber security, naturally. As new threats increase, risk management involves both educating users about security risks such as phishing attempts and building up network protection with continuous monitoring.
Much of continuous monitoring involves maintaining an inventory of both assets and security solutions, and using data feeds to find new risks and measure how well current security solutions are working for the organization (or agency). Having a lot of data isn’t necessarily useful, however; what matters is how effectively that information is parsed and distilled for the right people.
For example, much of the geolocation data from our authentication service that tells you where users are authenticating from may be difficult to read in log form, but a convenient map that shows you the same information as a snapshot may help administrators glean important insights into user activity.
As we wrote about in Where On Earth Are My Users?, looking for login attempt data can be cumbersome for admins when it means digging through every application, server and network appliance. Duo Security makes logs more accessible with our Maps and Flags feature that shows all authentication attempts over the last 24 hours, in addition to other data like username, integration type, time of attempt, which auth method was used and whether or not it was successful. That gives you quick insight into any denied or fraudulent auth requests and where in the world they were attempted.
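As an added example (not part of the original post and not Duo's code), the sketch below distills raw authentication records into the kind of 24-hour, per-country snapshot described above. The JSON field names, the result values and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (JSON lines). Field names and values are
# assumptions for this example, not any real service's log schema.
SAMPLE_LOG = """\
{"ts":"2015-01-12T08:01:00+00:00","user":"alice","integration":"vpn","factor":"push","result":"success","country":"US"}
{"ts":"2015-01-12T08:05:00+00:00","user":"bob","integration":"ssh","factor":"passcode","result":"denied","country":"US"}
{"ts":"2015-01-12T09:30:00+00:00","user":"alice","integration":"vpn","factor":"push","result":"fraud","country":"FR"}
{"ts":"2015-01-12T09:31:00+00:00","user":"alice","integration":"vpn","factor":"phone","result":"denied","country":"FR"}
{"ts":"2015-01-10T23:00:00+00:00","user":"carol","integration":"webmail","factor":"push","result":"denied","country":"BR"}
not-json garbage line
"""
NOW = datetime(2015, 1, 12, 12, 0, tzinfo=timezone.utc)  # constructed "current time"
FAILED = {"denied", "fraud"}

def summarize(log_text, now, window=timedelta(hours=24)):
    """Return ({country: {result: count}}, skipped_lines) for the time window."""
    summary = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            country, result = rec["country"], rec["result"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        if now - window <= ts <= now:
            summary[country][result] += 1
    return {c: dict(r) for c, r in summary.items()}, skipped

def flag_countries(summary):
    """Countries where every attempt in the window was denied or marked fraud."""
    return sorted(c for c, r in summary.items() if not (set(r) - FAILED))

if __name__ == "__main__":
    snapshot, skipped = summarize(SAMPLE_LOG, NOW)
    for country, results in sorted(snapshot.items()):
        print(country, results)
    print("flagged:", flag_countries(snapshot), "| skipped lines:", skipped)
```

Reporting the skipped-line count matters in practice: a feed that silently drops malformed records can hide exactly the attempts an administrator is looking for.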
Cybersecurity as a main priority and concern for 2015 is echoed by the CIO.com article, State CIOs List Security as Top Priority for 2015, based on survey results from The National Association of State CIOs (NASCIO). In addition to risk management, tightening up monitoring of third parties that handle critical business processes is another challenge for CIOs as they navigate security.
Third-party vendors have long been a target and area of security concern. The oft-cited Target breach involved stolen HVAC vendor credentials that gave intruders access to some part of their network, while countless accounts of other point-of-sale (POS) vendor hacks have led to millions of stolen payment cards.
And it’s not just the retail industry - financial organizations have also been targeted for theft, with attackers gaining access through those that support the industry. One example is an incident in which intruders stole healthcare employee W-2s from their third-party payroll and HR management provider by using stolen credentials to its software, and subsequently filed fraudulent tax returns with the stolen information.
For more on third-party security, check out Remote Access Attacks: A Motif in Retail & Service Provider Breaches and Lack of Third-Party Security, Multifactor Authentication Lead to Medical ID Theft.
Similarly, new threats are of particular concern to CIOs and CISOs because intruders have found new ways to bypass traditional network security systems, including the use of malware that can’t be detected by traditional antivirus systems, as cited in ‘Data Breach’ - Top Concern for CIOs in 2015.
Security Challenges in Modernizing IT Systems
Other concerns of CIOs and CISOs include the arduous task of modernizing IT operations, primarily moving from legacy IT systems and physical infrastructure (like data centers) to shared service providers or cloud (web-based) solutions. Part of this process involves consolidating and centralizing resources. And it’s no surprise, as the benefits are numerous and include better scalability, lower operating costs, no capital expenses or hardware maintenance costs and faster time to deployment.
But part of the challenge lies in the fact that instead of being stored locally, sensitive data is now accessible remotely via any web browser, making it much easier for data theft to occur. With more value placed on the logins/entry points of web applications, CIOs and CISOs need to find a way to beef up access security, the most effective way to keep intruders out. While monitoring and threat detection solutions may be a good part of a layered security system, it’s possible the intruder has already made their way into your network and viewed or stolen data.
One example I often point to is the case of Code Spaces, a hosting company that was shut down after an attacker stole the credentials to their cloud hosting account, that is, their Amazon Web Services (AWS) Elastic Compute Cloud (EC2). After stealing and changing the password to their cloud management console, the attacker deleted storage volume snapshots, instances and backups.
After the attacker deleted the storage file containers for the information necessary to launch virtual servers in the cloud, the company was forced to shut its doors, citing the costs and time needed to get back to working order as too much for it to afford.
Clearly, protecting access to the cloud is key to keeping business-critical infrastructure and data safe from landing in the wrong hands. Read more about securing cloud access in Protecting the Cloud with Two-Factor: AWS Authentication Security for IaaS Providers, and learn more about protecting your accounts in Two-Factor Authentication for Cloud Apps.
Of course, any web-based service you use is vulnerable if you’re using only a primary or single-factor authentication method to protect it. A secondary form of authentication, two-factor authentication, can protect your cloud accounts by requiring another physical device (smartphone) in addition to your password, thereby halting the success of remote attacks.
Budgetary Concerns: No Need to Make it Rain, Just a Drizzle Will Do
Of course, without properly allocated budgets, who can afford security? And that’s the worry for many CIO/CISOs that see most of their IT budgets going toward operations, maintenance and infrastructure as opposed to security. According to the survey, this is how IT budgets are being spent:
- 37% operations and maintenance of existing systems
- 23% infrastructure (telecommunications and data centers)
- 16% development of new systems
- 13% cybersecurity
- 11% modernization of existing systems
Part of the reason may be the upfront costs, maintenance and subsequent personnel that older, legacy security solutions required, including hardware, software and other infrastructure costs.
But it’s important to note that as organizations move from old systems to more cloud-based and mobile IT models, the same goes for security companies and security solutions. And that means that security solutions are much more lightweight, easier to deploy and maintain, requiring less support from your IT staff. They’re also much more cost-effective than they used to be, after eliminating the need for hardware and trained staff to maintain them.
Find out more about modern risks and how two-factor authentication can help in A Modern Guide to Retail Data Risks, ideal for CISOs, security, compliance and risk management officers, IT admins and other professionals concerned about information security.