For security strategies to succeed, security needs a seat at the table. In my work as an investigations manager for Cisco, I’ve seen first-hand how much more passion and enthusiasm enterprise leaders will put into security efforts when there is support all the way to the top of the organization.
The Cisco Security Capabilities Benchmark Study, as detailed in the Cisco 2015 Annual Security Report, shows that when there is executive-level responsibility for security, organizations are in a better position to tackle security challenges. As part of the survey, Cisco asked chief information security officers (CISOs) and security operations managers about their views on security readiness. The good news, from my standpoint, is that 91 percent of the security professionals surveyed said their organization has an executive with direct responsibility for security – usually a CISO or CSO. It’s an encouraging finding, because security leaders help define and enforce policies.
Tags: 2015 annual security report, CISO, CSO, day-to-day security, Security Capabilities, security challenges
In our increasingly interconnected world, the Internet of Everything is making trust a critical element of how people use network-connected devices to work, play, live, and learn. The relentless rise in information security breaches underscores the deep need for enterprises and governments alike to trust that their systems, data, business partners, customers, and citizens are safe.
Consequently, I see an evolution taking place regarding accountability in cybersecurity moving up to the boardroom level, an issue I discussed earlier this year in Fortune. In a recent Information Systems Audit and Control Association (ISACA) report, 55 percent of corporate directors revealed that they have to personally understand and manage cyber as a risk area. The National Association of Corporate Directors recently published a document on corporate directors’ ownership and management of risk in cyber for public companies. In March of this year, an SEC commissioner said that the SEC plans to create a requirement for corporate directors regarding managing cybersecurity as a risk.
Tags: Cisco Security and Trust Organization, CISO, cybersecurity, Internet of Everything, IoE, security
Every year in Scottsdale, Arizona, there’s a unique information security conference created by Joyce Brocaglia at ALTA, supported by a who’s who of InfoSec companies like Cisco, RSA, and Symantec, and attended by hundreds of the brightest people I’ve ever met. It’s no coincidence that they are all women, because this is the Executive Women’s Forum (EWF), and it is always a highlight of my year.
A special treat for me this year was the presentation by Edna Conway, CISO for Cisco Systems’ supply chain and, as it turns out, a brilliant and inspiring woman.
A few weeks earlier, after reading that Edna was to be a keynote speaker at the event, I sent her an email just to introduce myself, say “hello,” and let her know that I looked forward to hearing her presentation. Not what I expected: Edna responded with a warm welcome for me to Cisco (yup—I’m a Cisco newbie after almost 30 years with HP!) and said that she was looking forward to getting some help from me on her current focus: securing Cisco’s supply chain. Great! Love to help, let’s keep in touch. However, when she presented to the EWF audience the strategy that she’d already developed and implemented, I was humbled by what an amazingly thorough job she’d done. The other women in the audience recognized the value in her strategy as well, as they lined up to speak with her after her address and to ask for her help at their own companies. I saw the undeniable admiration in the eyes of these successful women executives—and those aspiring to be successful women executives—and something remarkable occurred to me.
Tags: Cisco Security, cisco sio, cisco supply chain, CISO, infosec, women in tech
This is a follow-up to my post last week that announced this webcast. Today it was a treat to have Richard Noguera as our special guest; he is uniquely qualified to speak on the topic of key imperatives for today’s CISO for the data center. Rich is a youthful InfoSec veteran who has led teams at Yahoo, Symantec and McAfee, has held consulting roles, and is presently at Accenture in a security and risk management strategy role. I wanted to provide you access to the slides as well as summarize some of the key points Rich educated us on today.
As a concept, cloud is the one that most interested our audience today. We are seeing heavily virtualized data centers with private clouds, cloud-attached data centers that leverage Infrastructure as a Service (IaaS) facilities for rapid service deployment or capacity management, and hybrid clouds that mix and match based on implementation needs. Most of our customers have embraced one of the above models, so I am going to focus our imperatives accordingly.
Imperative 1: Enable IT to Play a More Strategic Role
Gartner predicts that, as the market matures, enterprises will increase migration of *mission-critical* functions to *public* cloud services over the next 3-5 years. IT and InfoSec must adapt and consider alternative means to maintain the confidentiality, integrity, and availability of their business services, data, and users. For the ‘extended enterprise’ to operate effectively, then, access control and data exchange between cloud service providers (CSPs) need to be standardized. Organizations should look to implement a Cloud Services Brokerage (CSB) – whether internally or externally, utilizing private/public/hybrid clouds – to accelerate service implementation and integration and also to ensure visibility and a cohesive security policy across multiple cloud service providers.
Imperative 2: Business-driven Security and Risk Metrics
Tags: Cisco, CISO, cloud, data center, security
The data center landscape is undergoing a remarkable transformation, and security is being forced to evolve as organizations embrace more dynamic services.
For instance, Gartner predicts 17.9% CAGR in cloud services usage through 2016. As such, Chief Information Security Officers (CISOs) will need to consider how to secure non-standardized Business-to-Business interconnects across their organizations. CISOs will play a pivotal role in shaping the next-generation data center if they are able to act more strategically.
I call these my 3 imperatives for CISOs.
I am teaming up with my former mentor from McAfee and now colleague through our Cisco partnership, Rich Noguera, Sr Manager, Security Strategy and Risk Management at Accenture, to discuss this topic on July 16 at 8:00 am PST / 11:00 am EST.
1. Enabling IT security to play a more strategic and advisory role within the organization – today’s CISO needs to think much more in terms of establishing a risk-aware culture, as the economic advantages of moving to the cloud become increasingly compelling. Strategically speaking, CISOs must consider building or buying a cloud services brokerage that is capable of enforcing corporate security policies across the business’ varied providers. There is an opportunity to shift IT away from being considered a necessary cost center to a department that can enable self-provisioning of new services (with the right tools and training). But doing this requires a forward-thinking organization with a security steering committee, with stakeholders from across the enterprise engaged to ensure that security and risk considerations are factored in.
2. Business-driven security and risk metrics – It is a well-known phenomenon that when nothing negative in data center security happens (for example, malware disruption, data breach), it may become challenging to demonstrate the ROI on security even though security met its purpose. Leading organizations are twice as likely to use metrics to monitor progress and their ability to deal with future technologies, as well as metrics to justify the purchase of and need for new technologies. As the old adage goes, ‘you cannot manage what you cannot measure.’ Given the range of cloud-enabled B2B services, CISOs should concentrate on what matters most – who (i.e. users) and what (i.e. crown jewel data) – to the security of the business.
3. Balancing key technology focus areas with risk metrics – As data center workloads spiral, and the volume of security data grows correspondingly, CISOs and security teams will need to find ways to filter that data into meaningful metrics. That is where expressing security policy in business-contextual terms, together with security intelligence data and filtering, becomes critical.
Register here for this webcast on July the 16th to further discuss these key issues and see how the data center can enable security to be transformative. Additionally, for more news and discussions, head over to @SecDatacenter or Secure Data Center Trends.
Tags: Accenture, Cisco, CISO, data center security