I am in this business for almost two decades, which is frightening by itself. On the other hand, it is absolutely fascinating, how the security industry and especially the role of the CSO changed. I do not want to go into long stories of security itself but look at it: Initially it was all about the perimeter and the network. Most of the attacks came through the lower levels of the stack and you could keep your environment safe by protecting the edge. I remember the times, where people told me that there is a trusted (everything inside the edge) and an untrusted (everything outside) network. Then, obviously, with the smartphone and notebooks, the game changed and borders disappeared up to the point where we talk about Bring Your Own Device. We are slowly moving the focus as well from protection to detection.
In this context, the tole of the CSO should have changed as well. Initially it was mainly about technology. A CSO (if that role even existed) typically know about firewalls, networks etc and therefore was able to do the job. This shifted then more into compliance and policies. I remember when I did my CISSP back in 2005 a lot of people had a hard time covering the network section as they had a legal/compliance background and were not understanding networking that much.
Well, we see new CSOs popping up everywhere. Even in mid-sized production companies, CSOs are getting established. Often the CSO still reports into IT, which makes security an IT problem but at least they have one. More advanced environments take it a step further and have the CSO reporting into the business – maybe the CRO, the COO.
If so, we need a new role and a new profile for the CSO: We need a CSO who is able to act on the interface between business and technology and therefore has a deep security background (reading a book is not good enough) as well as an understanding of the business. Additionally, the CSO needs to find a balance between compliance and risk management. To take it one step forward – if we look at threat intelligence and actor-based threat intelligence, there will be a link between the business strategy, the every-changing threat landscape and security. A huge challenge and a role we need to learn first, besides the technology, which needs to evolve as well.
Looking at the technology, personally I am missing three areas:
- A more data-centric approach: I would love to see a technology like Microsoft’s Active Directory Rights Management Services but access is only granted if you authenticated on the right trust level (a step-up might be required), if you are on a policy-compliant computer, if you are in the right location (network and geography), and with an application which is accepted for the criticality of data.
- Better detection capability: I see it as a given that the next big wave of investment will be around better detection. Static rules do not help unless to catch the stupid bad guys. Artificial Intelligence and Machine Learning have a lot of promise there – we just need to make sure we are not overselling. It is not a silver bullet but a promising tool.
- Threat Intelligence: I want to understand who is attacking me, why and why now. And even better, I would love to understand who will be attacking me next. One approach could be to link Threat Intelligence with the business as described in here (and further).
Exciting times for all of us and our industry.