Security measures of yesterday are struggling to cope with the speed of mobile adoption and how devices are now interconnected. Considering the wealth of sensitive information available on third platform technologies, this is a recipe for a disaster. This issue is likely to draw more attention in the next few years as the industry starts to realise just how vulnerable these technologies are.
What do you think are the biggest mistakes CIOs tend to make with regards to security?
CIOs tend to focus on preventive technology. Take this analogy: prevention measures are akin to having security guards stationed across every entrance of your building. While it's absolutely necessary to make sure you have adequate defenses on the outside, breaches are a matter of 'when', not 'if'. Without detection measures in place, once aggressors get into the building, they are free to roam about as and when they like.
CIOs also need to ensure that the different pieces of their security ecosystem talk to each other. They will need a central command centre that will collect all the information from different devices, analyse it, and then provide a complete picture of whether a network is safe or being attacked.
It's obvious that there is no silver bullet to security, so a bigger focus should be placed on recovery plans. What are your recommendations for organisations to better detect and respond to high-impact threats?
Yes, this is definitely a critical aspect for organisations to think about. Organisations need to firstly move away from the idea that it's possible to deter all forms of attacks - it's a matter of 'when', not 'if'.
Currently, the average time to detect a breach is measured in months, long after the damage has become too severe to salvage. The focus should instead be on bringing down the mean time to detect (MTTD) and the mean time to respond (MTTR).
Organisations need to identify where they are on the Security Intelligence Maturity Model, which provides them with a well-defined system to understand what their current security posture is, what their target security posture needs to be, and a compass on how to get there.
Companies will also need to master the threat lifecycle, from data forensics for pervasive visibility to discovery tools for user-driven 'hunting' and machine analytics. This helps achieve the tireless 24/7/365 analysis that is required to protect data assets.
How should CIOs know if their implemented security measures are "sufficient"? Can you elaborate on how they should go about assessing their organisation's current state of resiliency?
Incidentally, many of the major breaches in 2014 considered themselves compliant with security standards, and their measures 'sufficient'. However, being regulatory compliant isn't enough. Enterprises can no longer be satisfied with a 'check the box' mentality. Checking the box doesn't mean good security; it's only the beginning.