Q&A: Distributed Computing and the Evolving CISO with Susan Mauldin of Equifax

By Special Guest
Prat Moghe, Founder and CEO, Cazena
December 15, 2015

Enterprise adoption of big data and cloud infrastructure is presenting new challenges for Chief Information Security Officers (CISOs). I recently sat down with Susan Mauldin, CISO, Equifax, to get her thoughts about the evolving role of the CISO, perhaps into that of a Chief Information Risk Officer, and how to secure the cloud.

PRAT: How has the role of the CISO changed over the last few years?
SUSAN: It certainly has become more challenging. The role of the CISO, I would say, is similar to a military role. In fact, we see this in the military and various government agencies where they actually talk about cyber warfare now. We’re seeing an evolution in the role, where the CISO is becoming more of a risk manager for the company, and in fact some companies are actually creating a role called the chief information risk officer. It’s a natural evolution for a CISO to go into that role, as it has historically been a very technical role, but it’s now becoming more of a risk manager role for the company.

PRAT: Cloud is a great way to bring more agility to an enterprise. More applications are being moved to the cloud, but there’s also been a big scare about security and compliance. How do you view cloud and security? Are they at odds with each other or do they help each other?
SUSAN: Five years ago, I would’ve answered you by saying that as a security professional, I would be adamantly against cloud. Today, I would say that cloud is definitely the way of the future. We used to say there was a tsunami coming and it was the cloud, but now we say that wave is here. It’s cresting and we really have to figure out how to use the cloud in a secure manner. We need to find a way to enable our business to use cloud services.

PRAT: It’s been said that enterprises have too many entry and exit points to reliably secure them all. Does cloud have the same number of exit and entry points?
SUSAN: One school of thought says that when you put corporate assets into a cloud, it is more secure because you know exactly what you have there. You have an exact inventory, you know exactly who has access to that data and how that's controlled. For some enterprises that might be very attractive. I think for other enterprises that have a very, very good handle on all their assets internally — a locked-down network with very few entry and exit points — they will have more cultural resistance to going toward a cloud solution.

PRAT: Inherently, is there anything about the cloud that makes it insecure?
SUSAN: Cloud solutions are third-party solutions, which means they're not something I have full management of. So things like physical security, network security and so forth that I would normally check would have to be satisfactory for me in a cloud provider, but I would want another level of controls over the data itself. I would want encryption of data at rest and in motion, in use and in transfer. And I would also want tokenization or obfuscation of that data. Along with assurances from my third-party cloud provider, I would want to know it manages privileged users properly and that physical security is done well. Those are the kind of things that I would look for to give me assurances.

PRAT: If you look at the CISO community, do they share this view of cloud security?
SUSAN: I would say at least half the CISOs that I know share that view. I would say more CISOs are becoming more comfortable with cloud because there are controls available to us today that weren’t there years ago: Encryption, obfuscation, the ability to audit and so forth. Companies are also insisting that CISOs become more comfortable with the idea of cloud. Given enough time, we can secure anything and find a way to say yes to it. Business-driven CISOs are of that mindset.

PRAT: We hear of big data and security coming together now. What does it mean and why does it make sense?
SUSAN: Security has always been part of big data. In the early days of security, it was really nothing more than network monitoring before security really became its own profession. Even then, network analysts were analyzing packets, looking at firewall logs and proxy traffic. That was the big data of the time. Information comes from every device on the network. Everything is IP-addressable. We’re always looking for the anomaly that says something’s not quite right. In my environment, our big data challenge is how to sort through all that data quickly and in a manner that fits what we are looking for. 

PRAT: What’s your message to fellow CISOs and big data practitioners out there?
SUSAN: Big data in the cloud is not something to be feared — it’s a new horizon. For companies that have cultural aversions to that [adapting to the cloud], I think that it’s really up to the security team to make that difference, to help enable the business so that they have the assurance to do business in the cloud and in a secure manner. I think security has a very prominent role to play. 




Edited by Ken Briodagh

