CISO Exchange East Day 1: True Security Partnerships And Overcoming IoT Security Challenges
CISOs And InfoSec Leaders Share Insight At CISO Exchange East 2019
On the first day of CISO Exchange East 2019, enterprise security leaders gathered to discuss the state of cyber security. Delegates heard senior information security and CISO leaders discuss their cyber concerns, along with ideas that security peers could take back to their organizations. Day one of the Exchange featured panels on approaches to enterprise partnerships and alignment of technology with the business, and on early signals in overcoming security challenges with the Internet of Things (IoT).
True Security Partnerships – Connecting The Technology To The Business
Simply put, security cannot be a bolted-on enterprise afterthought. Cyber leaders must be able to create value for the organization by analyzing new risks. This can be accomplished through partnerships with key business stakeholders including the CIO, Chief Privacy Officer, and Chief Risk Officer. Audit and compliance committees are also potential allies in the protection of PHI and PII.
The responsibility for enterprise risk management resides in different parts of a business, depending on the industry, the regulatory and compliance climate, and management’s approach. For a retail drug store and pharmacy such as Rite Aid Corporation, PHI and PII now reside in the cloud, which requires constant monitoring and management. At the American National Red Cross, risk management has expanded beyond the risk office to include the information security and privacy teams. For the USDA Farm Production and Conservation Mission Area, risk is accepted across the 89 systems (technology, process, and people) that deliver the agency’s mission.
Proactively Managing Relationships In The Business
Rising risk and growing awareness of cyber issues have increased the need to proactively manage relationships within the business. Security teams work constantly on relationships to build trust and be included in project and business decisions. The result is security that does not interfere with project schedules and deliverables, and business leaders who become part of the security solution.
The USDA is a very distributed organization, with 26,000 personnel in the field needing managed access. Similarly, other federal organizations find that building trust and relying on reputation help accelerate the security mission across teams and departments.
Ways To Effectively Communicate With The C-Suite And Board Of Directors
Before meeting with the C-suite or board of directors, CISOs meet with the compliance, risk, IT, and privacy teams to assess where they have been, the current situation, and where they are going. Keeping executives off the broadcast news is a straightforward objective that many security leaders can relate to. Organizations that have incident response plans in place and prepared external communications for their constituents will be ahead of businesses that find themselves constantly reacting to incidents and to questions from company advisors.
Security receives a lot more visibility in the board room than in the past. One CISO mentioned that they can now present at a high level to the board about risk, data loss risk, preventative controls, areas to make investments, ransomware, and discuss industry news. The awareness of board members and the broader executive team about security principles demonstrates the advancement of trust.
How To Raise Security Risks And Issues Within The Enterprise
Most board members don’t want to get into the specifics, but they need to understand how risk is being evaluated for each product and vendor. When the security team can summarize the millions of record transactions moving within the organization and to external partners, confidence in risk management is shared as well.
The type of information that groups find valuable varies, and there is no one-size-fits-all solution. A highly visual "heat map" may be the most appropriate way to convey to the board where the risks are. In specific business groups, the security team will need to go into more detail. For example, the supply chain group may want to understand vendor risk and legal requirements for data privacy, while the privacy officer wants the nuts and bolts of a specific service, such as how data is collected and how it will be stored.
Overcoming Security Challenges Created By The IoT
Enterprise organizations are still working through what IoT means for business operations. On day one at CISO Exchange East 2019, Nnake Nweke, the Chief Risk Officer at the US Agency for Global Media moderated a panel exploring how to overcome the security challenges created by the IoT. Two IoT product manufacturers, Stanley Black & Decker and Sleep Number, shared their journey to deliver secure consumer solutions and how this experience has been reflected back on InfoSec efforts for the business.
The Enterprise Landscape For IoT Usage
At Stanley Black & Decker, the company had the foresight to pursue securing its connected products. Security was brought into every aspect of the lifecycle from the design process all the way through delivery. The effort set a standard for how the company would pursue security for internal applications of IoT technologies.
A connected consumer product has raised new security questions for bed manufacturer Sleep Number. The bed is the IoT product, and it gives feedback to the user each morning. The business must have a strategy that addresses how the customer’s data is protected and how that data is integrated into the overall enterprise.
Data Sensitivity And Access Controls For Enterprise IoT Devices
As a retailer, Sleep Number handles credit card processing subject to PCI DSS requirements, in addition to its other customer touchpoints. With the introduction of IoT and data sharing, the risk to brand reputation increases. While the device data contains little or no PII, bed owners consider it highly sensitive and perceive the risk of its loss as great.
Reputation, and protecting the brands along with the consumers of those brands’ products, is paramount for the Stanley Black & Decker business. Generally, the connected device data is not very interesting and is considered low risk. While these devices may not yet manage sensitive data, businesses need to be conscious of not becoming the next headline in which devices are circumvented and used for something other than their intended purpose.
The Top IoT Security Challenges
The panelists view IoT as an evolution of the mobile and BYOD experiences. However, without a playbook or standard for IoT security, companies are going back to the fundamentals: know what the device is supposed to do, and treat anything else as suspect.
Security leaders want to let teams innovate within their spaces. While it is fine to experiment with new methods of collecting, moving, and analyzing data, organizations also need to keep people safe, so authentication and authorization have to accompany every device.
Interested in being part of the discussion? Request an invitation to the next CISO Exchange.