Q&A: Distributed Computing and the Evolving CISO with Susan Mauldin of Equifax

By Special Guest
Prat Moghe, Founder and CEO, Cazena
December 15, 2015

Enterprise adoption of big data and cloud infrastructure is presenting new challenges for Chief Information Security Officers (CISOs). I recently sat down with Susan Mauldin, CISO, Equifax, to get her thoughts about the evolving role of the CISO, perhaps into Chief Information Risk Officers, and how to secure the cloud.

PRAT: How has the role of the CISO changed over the last few years?
SUSAN: It certainly has become more challenging. The role of the CISO, I would say, is similar to a military role. In fact, we see this in the military and various government agencies where they actually talk about cyber warfare now. We’re seeing an evolution in the role, where the CISO is becoming more of a risk manager for the company, and in fact some companies are actually creating a role called the chief information risk officer. It’s a natural evolution for a CISO to go into that role, as it has historically been a very technical role, but it’s now becoming more of a risk manager role for the company.

PRAT: Cloud is a great way to bring more agility to an enterprise. More applications are being moved to the cloud, but there’s also been a big scare about security and compliance. How do you view cloud and security? Are they at odds with each other or do they help each other?
SUSAN: Five years ago, I would’ve answered you by saying that as a security professional, I would be adamantly against cloud. Today, I would say that cloud is definitely the way of the future. We used to say there was a tsunami coming and it was the cloud, but now we say that wave is here. It’s cresting and we really have to figure out how to use the cloud in a secure manner. We need to find a way to enable our business to use cloud services.

PRAT: It’s been said that enterprises have too many entry and exit points to reliably secure them all. Does cloud have the same number of exit and entry points?
SUSAN: One school of thought says that when you put corporate assets into a cloud, it is more secure because you know exactly what you have there. You have an exact inventory, you know exactly who has access to that data and how that's controlled. For some enterprises that might be very attractive. I think for other enterprises that have a very, very good handle on all their assets internally — a locked-down network with very few entry and exit points — they will have more cultural resistance to going toward a cloud solution.

PRAT: Inherently, is there anything about the cloud that makes it insecure?
SUSAN: Cloud solutions are third-party solutions, which means they're not something I have full management of. So things like physical security, network security and so forth that I would normally check would have to be satisfactory for me in a cloud provider, but I would want another level of controls over the data itself. I would want encryption of data at rest and in motion, in use and in transfer. And I would also want tokenization or obfuscation of that data. Along with assurances from my third-party cloud provider, I would want to know it manages privileged users properly and that physical security is done well. Those are the kind of things that I would look for to give me assurances.

PRAT: If you look at the CISO community, do they share this view of cloud security?
SUSAN: I would say at least half the CISOs that I know share that view. I would say more CISOs are becoming more comfortable with cloud because there are controls available to us today that weren’t there years ago: Encryption, obfuscation, the ability to audit and so forth. Companies are also insisting that CISOs become more comfortable with the idea of cloud. Given enough time, we can secure anything and find a way to say yes to it. Business-driven CISOs are of that mindset.

PRAT: We hear of big data and security coming together now. What does it mean and why does it make sense?
SUSAN: Security has always been part of big data. In the early days of security, it was really nothing more than network monitoring before security really became its own profession. Even then, network analysts were analyzing packets, looking at firewall logs and proxy traffic. That was the big data of the time. Information comes from every device on the network. Everything is IP-addressable. We’re always looking for the anomaly that says something’s not quite right. In my environment, our big data challenge is how to sort through all that data quickly and in a manner that fits what we are looking for. 

PRAT: What’s your message to fellow CISOs and big data practitioners out there?
SUSAN: Big data in the cloud is not something to be feared — it’s a new horizon. For companies that have cultural aversions to that [adapting to the cloud], I think that it’s really up to the security team to make that difference, to help enable the business so that they have the assurance to do business in the cloud and in a secure manner. I think security has a very prominent role to play. 




Edited by Ken Briodagh

