
Top Priorities for Chief Information Security Officers in 2020


Alan Zeichick, Oracle BRANDVOICE contributor, wrote in Forbes about the top priorities for Chief Information Security Officers in 2020.

Top Priorities for CISOs: From CISOs Themselves

David McLeod, chief information security officer of Cox Enterprises, says that CISOs should spend their money on training and recovery in 2020. Training often focuses on making employees less of a security risk—teaching them what not to click on and how to proactively protect the information that is a part of their everyday work. McLeod sees employees as something more powerful.

“Train everyone so you have a wall of passionate people surrounding your business. I’m talking about creating a neighborhood watch. I find people who are eager to know what they can do, and they help expand our culture of proactive protection akin to a neighborhood watch. So if I’m going to drive security for the least cost and the highest effectiveness, I’m always increasing my neighborhood watch.”

-David McLeod, chief information security officer of Cox Enterprises

Recovery isn’t far behind, though, because sooner or later, there will likely be a security incident, such as a breach, ransomware attack, or worse. “Some hacker’s going to get in. It’s all about recovery. It’s all about keeping the business going. You can do a lot of harm to a business if you have to shut down your revenue systems for three days,” McLeod says.

Cox Enterprises has changed a lot since its founding in 1898 as a newspaper publisher in Dayton, Ohio. Today it’s a global conglomerate with 55,000 employees and more than $21 billion in annual revenue. The firm is best known for two of its largest divisions, Cox Communications cable television and telecommunications, and Cox Automotive, which includes brands such as Autotrader and Kelley Blue Book.

While not speaking specifically about Cox’s security plans and priorities, McLeod says one of the key roles of a CISO is building trust. In the unlikely event of a breach, he says employees know he’s on their side, and that they should turn to his team right away.

Another CISO has similar views about the role of human assets in maintaining security. Vivek Khindria is the CISO and vice president of security and risk for Loblaw Companies Limited. The Canadian company runs a network of corporate and independently owned grocery stores and pharmacies and also offers consumer financial services. With close to 200,000 employees, information security is critical.

Khindria says that the real “skills shortage” facing CISOs is that everyone within an organization needs to have some knowledge of cybersecurity issues. CISOs need to train existing business staff and colleagues with basic cyberskills so they can apply security to their everyday work. “We need to teach everyone about the business’s risk appetite, and then train them on security principles,” he says. “We need to penetrate deeper into the business and leverage the business knowledge they have.”

The goal is to create real and lasting change within an organization, including among IT staff such as software developers and systems administrators, who have to build code and policies on the assumption that not all coworkers are trusted.

“Everyone needs to understand data protection. They have to understand the principle of ‘least privilege’ and make that part of the culture.”

-Vivek Khindria, CISO and vice president of security and risk for Loblaw Companies Limited

Greg Jensen agrees that the IT department can be a key risk factor. Jensen is the senior principal director of cloud security at Oracle, and in his role, compiles a great deal of research into the real-world challenges faced by enterprise customers. A top priority for CISOs needs to be deep security-focused education, he says, especially for their technical staff.

“Think about misconfigurations that expose user accounts, applications, or data to theft or unauthorized access,” Jensen says.

Too often, Jensen hears stories from industry CISOs whose systems administrators fell for a phishing email, which then stole account credentials or installed malware right on a privileged account.

“If we trained our administrators and other technical staff not to do something we don’t want them to do, that would save 25 percent of the risk right there. That’s a monumental savings we don’t have to spend on recovery or other defensive costs.”

-Greg Jensen, senior principal director of cloud security at Oracle

Additional Priorities for CISOs

Education and Cybersecurity

Education is at the top of the CISO task list—for IT professionals and for line-of-business staff. However, cybersecurity needs more than online training and classrooms.

Cox Enterprises’ McLeod points to several other priorities that he sees as common for large-business CISOs. One is to constantly re-evaluate the company’s existing security systems and, wherever possible, streamline them to reduce the administrative burden, cut licensing costs, and fight complexity. “You should have metrics on everything, and back those metrics up with dollars,” he says. Another growing concern is the increase in privacy and compliance regulations regarding data, such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

“Every time a new regulation comes along, you can’t start a new SOC team to implement it,” McLeod says, referring to security operations centers. “The industry needs to figure out common ways to manage all those requirements without having to spend another dollar—because it’s only going to get worse.”

Loblaw’s Khindria agrees that the new regulatory frameworks create opportunities and challenges, both on the security side and the financial side. “The increased expectations around transparency and notification are a real challenge for those who haven’t developed their crisis management framework,” he says. “So building the playbooks will be a competitive advantage.”

That means focusing on breach detection, incident response, and reporting, Khindria says: “According to the Verizon Data Breach Investigations Report, the average time for companies to detect a breach, respond to a breach, and finish their analysis of a breach is not in line with most privacy notification expectations.”

Managing Large-Scale Cloud Adoption

Khindria says that CISOs at large companies are worried about managing the configuration of their fast-growing cloud resources, whether it’s the adoption of software-as-a-service cloud applications or migrating their own data centers into the cloud.

“Large enterprises are implementing clouds at scale,” says Khindria, “and at that velocity, ensuring their security configurations are intact and stay intact is a challenge.” For example, with more holes in firewalls to accommodate connections between clouds, data centers, applications, and end-users, are the networks all set up properly? “Are you sure there’s no extra VPN connection somewhere? That type of assurance gets more and more challenging,” he says.

One way to solve that problem, Khindria says, and complement a defense-in-depth program, is implementing analytics technology that can quickly detect events that could indicate security anomalies or vulnerabilities. That’s critical because the faster you can detect, the faster you can contain. After all, he points out, attackers use modern analytics technology too.

“The enterprise’s ability to see the needle in the haystack has always been a challenge, but now the bad guys have really upped their game in the use of analytics from an offense perspective,” says Khindria. “Companies need to really ensure that they’ve got their best capabilities on that front as well.”

What about when attacks happen? New analytics tools can help there too, backed by strong automation to reduce response time. The goal is to be watching as events come in so that an attack is identified, analyzed, and remediated in real time, as much through automation as possible.

That technology is now real, so working with the right cloud provider can help make a business more secure. “There was a lot of talk about this security capability in 2019,” Khindria says. “Today such sophisticated automation is both practical and possible.”

Automation is key to a CISO’s success in 2020, says Oracle’s Jensen. He points to the issue of managing critical security patches and fixes—and the challenge of finding the staff resources to handle the deployment of those patches manually. “Say it takes 45 minutes to patch a database, and you have 50 databases,” Jensen says. “Well, it’s not really 50 databases—it’s 50 development databases, 50 test databases, and 50 production databases. Times 45 minutes. That really adds up.”

No wonder people are skipping or postponing patches, Jensen says: “Automation is the only way that we’re able to get ourselves out of this conundrum.”

Based on his research, Jensen predicts that 2020 will see a continual increase in the acceptance of automation, which will increasingly be driven by artificial intelligence and machine learning. “Call it intelligent automation or advanced automation, where there’s a level of intelligence behind it,” he says. “It’s not just humans telling a machine what to go do in a repetitive manner.” Instead, the priority in 2020 will be machine intelligence predicting what risks need to be contained—and how.
