Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

CSOs face ongoing paradoxical challenges, according to report

Grant Hatchimonji | Oct. 8, 2013
As security perimeters continue to expand, the need to be flexible instead of locking down is as important as ever.

But coming up with a standardized means of defending against these attacks presents one final, paradoxical challenge: while the ever-expanding risk footprints and evolving foes calls for more regulation in security, increased regulation effectively provides cybercriminals with a handbook on how to circumvent an organization's security.

There is usually a lockstep approach taken to regulation and compliance, said Peeler, and the study's results showed that 74 percent of respondents spent the majority of their time on governance, risk management, and compliance (GRC). But companies are being faced with these flexible, clever attackers, and that flies right in the face of such a regimented approach.

"Regulation and flexibility don't go in the same sentence," she said.

Suby agreed that while having strict, clear-cut regulations could, in theory, help increase security, it's also a dangerous approach.

"If you were building a house and had blueprints that indicated its security capabilities, if that info is shared with burglars, it's valuable to them. It's the same with regulations. Attackers know you're subjected to them. The real question is, do you really want to make your blueprints available," Suby asked.

Team efforts
Not all hope is lost though, as the report suggests that an effective way for CSOs to confront these challenges is to look beyond the walls of their own companies. Collaboration with others, be it in the form of outsourcing or inter-company data sharing, analysis, and best practice strategies could help combat threats.

That said, some may have concerns over, once again, sharing the "blueprint" of their security measures with others. Internal threats, for example, such as employees within companies that are looking to target competitors with attacks, could undermine the potential benefits of inter-company sharing.

But according to Suby, there are some levels of protection that organizations can still enjoy while working with others.

"For those organizations that have built-in information sharing, they have also constructed means to anonymize their data. These are industries that are designed to work together and compete. They have some level of existing engagement and migrate it into the threat sharing. It's in their communal best interest," he said.

He went on to use the example of security standards within PCI and financial services, saying that all companies involved have a vested interested in establishing a relationship of trust with cardholders. As such, there are PCI security standards to which everyone contributes by helping build and mold them.

"If we don't maintain trust, our businesses are damaged," he said.


Previous Page  1  2  3 

Sign up for CIO Asia eNewsletters.