"With the Internet of everything, we're facing a changing threat environment. We might have heard of bots but the board doesn't understand. What are we trying to protect, what does the business want, our business goals? Security professionals need to align behind those goals," he urged.
Another challenge is the constantly shifting threat landscape. OS and service vulnerabilities, email phishing, workstations, WiFi networks, network roaming, databases, dictionary and brute-force attacks against passwords, individual servers: these are all known avenues of attack. A further concern is how quickly security measures can be defeated. Password cracking that used to take weeks can now be done in a day, he said. How does one keep up?
Add to that the so-called "dangerous" generation: people who want to collaborate, want to share everything, work anywhere, on any device, expect "cool" apps, value personal experience, and use personal clouds and personal devices. "Who are you talking to, where has all my data gone… all this can, in the wrong hands, make more from your health record than selling illegal drugs," Sidaway quipped.
Despite all the technology available, risk management is still a CIO priority. "How do we align security architecture to the business? And there are business pressures to contend with: we need to be more agile, cost control, market pressures, big data, cloud," he said. "But that's the language we should be using to talk to the business. The number one goal should be to retain and grow their client base, and to build up trust between IT and business, and between business and customers. We've got to understand what the business strategy is."
Echoing what Gerry Chng said earlier, Sidaway added that aligning the business with IT is a priority. "A good strategy is important. Too many organisations are looking at constraining use."
Sidaway next talked about the context in which security should be evaluated. For example, controls should be constantly tested to ensure effectiveness without stifling productivity. One should also understand the risks involved: "What's the best way to secure my car? Lock the doors? But shouldn't you know where it's parked is safe?"
"There must also be a balance between cost and benefit," he said. "How does one determine that one strategy is sufficient protection without overspending?"
One common strategic error is to treat security as a technology problem. "Instead, we should be treating security as a goal rather than a process," he said. "Another error is reactive technology for security: you fixed the hole that the last hacker used to get in but not the hole the next hacker is going to use."
Another error is chasing compliance, he said. "Compliance is not security. Putting good controls in place, understanding the underlying architecture, and so forth, makes you compliant, but are you secure?"