IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
January 1, 2014

Security has long struggled with good metrics: Dr Hugh Thompson, Blue Coat

In your view, how has the threat landscape changed, and how have technologies evolved to handle changing threats?

We’ve seen the threat environment evolve from hobbyists and cyber criminals 10 years ago, to now a much more sophisticated group of adversaries. Cyber criminals have matured significantly and operate more like well-functioning corporations than the lone wolves of the past. Additionally, we’ve seen the rise of hacktivism – where hacking is seen as a means of expression. This poses a significant challenge to business and governments given that these types of attacks are designed to be highly public and impactful, such as DDoS attacks. But perhaps most interestingly, we’ve seen a surge in something that is called by many names. Some call it Advanced Persistent Threats while others simply call it targeted attacks. These attacks are typically launched by nation states and organized groups and are specifically crafted and tailored toward their target. These attacks use a combination of technical and social exploits to achieve their goals. With this highly dynamic threat landscape, we have seen a set of new security technologies rise up. One competency that is perhaps the most important, yet underdeveloped, is a company’s ability to do forensics, post breach analysis and rapid response.

In terms of skill sets, how has the threat landscape influenced hiring decisions concerning IT security teams? What kind of skill sets must the security team have today?

Aside from traditional security skills, we’re now seeing a great demand for forensics and analytic skill sets. There is certainly a lack of these skills in the community and it can represent a challenge to companies that must build defences for the current environment. Beyond that, we’re seeing the need for companies to hire security executives who have not only security and tech skills, but business skills as well. Because security and the business are becoming so intertwined, I believe that the key skill going forward in security will be the ability to find opportunities to reduce risk and secure the applications and devices of the future to allow business to embrace opportunities.

Your view on information security certifications. Do you think they still provide industry value?

Certifications definitely have a role to play. In some cases they attest to foundational knowledge. But they certainly do not represent the complete range of skills security professionals must have.

How has the role of the CISO changed? Has the role changed from being focused on protecting the business to that of business enabler who looks at areas where the security function can provide a clear competitive edge?

I think security is moving from a discipline that was centred around discovering risk and stopping initiatives to one that is focused toward business enablement. The CISO should be a partner with the business helping it grow, looking for new opportunities and increasing the ability of the business to execute on its mission. It is a very significant change in role from what that role was five years ago.

If you look at some of the advanced high profile attacks that were carried out in 2013, what are the key lessons that can be learnt from these attacks, and how can they be prevented?

One thing that 2013 has taught us is that even some of the most sophisticated environments can be compromised. That means that businesses must be as vigilant as ever on security, but at the same time they must build a competency in responding to incidents that have occurred. It is this response capability that most companies lack both in terms of tools and process. This is a huge opportunity for security groups to grow in 2014.

How can a CISO present a business case for investing in security?

Security has long struggled with good metrics, but as our ability to do analytics increases, so does our ability to justify preventive measures in the business. Specifically I think the CISOs that are most effective at advocating for security competencies in the business are ones that can show how security unlocks an initiative that the business is trying to drive, such as BYOD or the adoption of cloud services.

Despite many organizations adopting cloud, many organizations are still sitting on the fence. What do you think are the major perceived concerns regarding cloud, and how can cloud providers address these issues?

Security has been a large gating issue for cloud adoption in many businesses. However, this is only for sanctioned cloud adoption. What we are seeing today is the mass adoption of cloud services driven by individual employees and groups in the business in the name of productivity. The question for security then becomes how do we alleviate, or at least mitigate, the concerns of the business, while at the same time empower these employees to leverage the vast services available online. Cloud service providers certainly have a role to play and they should be able to articulate their security strategy. But more importantly, businesses should build a set of assurance technologies internally to mitigate the risks that come from the adoption of the cloud and accelerate that adoption.