Why CISOs Fumble With Understanding Security Needs

NEWS ANALYSIS: Confusion over policies, treating symptoms instead of causes and lack of focus are throwing enterprise security planning into a state of chaos.

Data.security

AUSTIN, Texas—A set of new polls conducted within the IT industry shows that spending on IT security is slightly up, but that plans for future spending are for initiatives that are actually symptoms of a larger problem.

Another survey of chief information security officers shows that spending is unfocused due to a lack of leadership on the part of the federal government regarding things such as privacy. In fact, the poll of CISOs shows that the group hopes to see government regulations in the United States that parallel the European Union’s General Data Protection Regulation in controlling privacy.

California, with the California Consumer Privacy Act (CCPA) it passed on June 28 that is set to become law on Jan. 1, 2019, was the first state to initiate such a localized regulation.

The poll of IT pros, conducted in July by Spiceworks and released at the SpiceWorld show here, shows unfocused plans for future spending in security, with most of the effort (64 percent) going to anti-ransomware solutions now or in the near future, while an even larger amount (78 percent) planned for employee security. Security spending and plans for spending in Europe were higher.

Infosec Pros Often Confused by New Regulations

Meanwhile, a poll by InfoSecurity North America conducted around the same time shows that security professionals are confused by the current privacy and security regulations being put out by the government and said they need consistent privacy and security regulations before they can tell what direction to take with their own plans.

The lack of clear regulations is a potential reason that IT managers are chasing symptoms instead of causes. The current regulatory environment in regard to security doesn’t give planners much to go on, and as a result they need clarity in the rules before they can produce clarity in procurement.

A look at European IT pros and CISOs seems to bear this out. The EU has a new set of very specific privacy regulations backed up by significant penalties for non-compliance. In Europe, those managers are spending their money and making their plans around those compliance needs. While there still remain questions about some details of the GDPR, the fact is that companies there know they have to satisfy the requirements of the privacy act, and they’re focusing their efforts accordingly.

The U.S. has no such requirement, and while there are regulated industries with similar requirements, those industries are not the broad base of U.S. industry and business, so there the rules remain unfocused. For that reason, there’s less incentive to spend money.

Fighting Skirmishes Instead of the Strategic Battles

As you look at the picture laid out by these studies, however, it’s clear that there’s something wrong with it. Companies large and small in the U.S. are planning to invest in security, but their plans aren’t aimed at protecting their data. Instead, they are fighting the skirmishes when attackers make it past their defenses. They’re fighting ransomware instead of the cause of ransomware.

Perhaps more importantly, they’re fighting last year’s battles. Ransom attacks are already on the decline as other types of attacks are launched. So even if the perfect anti-ransom product is found, it may not make as much difference as these companies think.

Planning for the future, it seems, is being held back because companies are afraid that they’ll focus on the wrong things if they spend money now, so they’re waiting for some guidance from the government. This is confirmed by the InfoSecurity study, in which 90 percent of the CISOs say they want GDPR-like privacy rules like those in the EU.

In reality, this planning paralysis is not only unnecessary, it’s counter-productive. The need for security is already clear. The risks of not doing the job are significant. And implementing effective security isn’t going to be a bad decision regardless of what regulations may or may not flow down from Congress.

Federal Laws Will Take Years to Enact

The reasons are simple: Congress isn’t going to do anything fast, and any regulation that does get passed will wait for a year or two before it takes effect. In the meantime, the EU’s GDPR does affect some U.S. companies, and the fact that they don’t know this won’t exempt them from penalties when the time comes for the EU regulators to come looking, or when a breach is reported that involves EU interests.

What makes sense instead is to proceed with security plans that assume that some set of regulations similar in requirements to the GDPR will come along eventually—and to be ready when that does happen. That will mean that your organization will already have adopted a set of procedures and practices that will be in effect when such a regulation passes. In the meantime, that will also mean that your organization is protecting itself against a potential breach.

A breach is much less likely to become a serious one if your organization is already prepared, and if you have systems and procedures in place to handle such a breach, your company will be way ahead of the game.

If and when such regulations actually do appear, you’ll already have something similar in place, so bringing your systems into compliance will not be as disruptive as it would be otherwise.

The way to do this may not be simple, but it is straightforward. Examine the GDPR as it is now, and look at your own practices. Decide what you need to change to become compliant. Outline the changes you’ll need to make in your own organization, and begin to implement them, starting with the security changes that address the risks you’re most likely to face now.

Look at Your Current Policies, Check GDPR, Then Make Adjustments

This means that if you’re not already doing the basics of data protection, for example, you should start with those. Begin by encrypting all of your data, and continue with data backup and recovery and continuity of operations. While you’re doing those, make sure your network is properly segmented to avoid a Target-like attack and review your security practices, including access rules.

This is the time when you implement two-factor authentication, and when you review your policies such as password management.

Even though the GDPR may never apply to you, other regulations may, and you still have to deal with the liabilities of handling personal information.

Rather than wait for the government to tell you what to do, you can take charge of your own organization’s security and put in place the various practices you need. Of course, this is going to require that you get funding to support those efforts, but this is another place where the GDPR can come in handy.

Just tell your financial management that those rules are going to affect you in one way or another, and to meet the needs of compliance, you need to start now.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...