Information security's roots in IT have traditionally left CIOs and CISOs wrestling to contain the business risks it creates, but growing board and C-level involvement in cybersecurity is reshaping that tradition as business guidance holds cybersecurity practitioners to new standards of governance and risk management.
This significant change in philosophy is being driven by growing recognition that lack of attention to information-security governance now, is likely to translate to major problems down the track when security is breached and fingers are pointed. For those that believe board-level involvement in cybersecurity isn't crucial, just consider the dismissal of high-level executives of US retail giant Target - or the recent dismissal of FACC's CEO after a fake email scam costed the company $65m - showed after that company's large-scale compromise, those fingers are inevitably pointed at business leaders.
Many organisations are still in the transition between CIO-driven security practices and those with board involvement, with a recent CSO survey finding that 1 in 4 CISOs only present a security update to their board once per year and 30 percent do so quarterly.
Increasing that frequency is a key outcome for CISOs whose struggle to boost visibility at the executive level remains a key part of their everyday activities. But gaining that visibility, as many find out, can be difficult in its own right - particularly as businesses expand their network complexity and attack surfaces by integrating their networks with cloud-based applications and services.
As if it weren't already hard enough for CISOs to evaluate and convey the risk status of their internal networks, the shift towards cloud-based business has broken conventional network perimeters and obscured visibility of the processes inside the cloud - creating blind spots that could represent potential new risks if left improperly secured.
"A sensible cloud infrastructure would have multiple perimeters," explains Ian Farquhar, security virtual field team lead for ANZ with Gigamon, whose network visualisation tools help surface the activities of on-premises and cloud-based applications so that CISOs can more accurately assess current risk profiles.
"Businesses need to extend their visibility capability into the cloud so they can see what's happening there," Farquhar continues. "Intruders always play around the margins: they are looking for the way in that you are not looking at. Yet they might not be coming anywhere near your organisation, where all your detection tools are - and if they stay in the cloud, how do you capture that?"
This question will be front of mind for many at the Gartner Security & Risk Management Summit 2016 (GSRMS), where business experts will share their thinking around how cloud and on-premises environments can be managed within the sights of monitoring tools that have become crucial to applying business-level discipline over the risk that cloud presents.
Sign up for CIO Asia eNewsletters.