IoT FEATURE NEWS

Q&A: Distributed Computing and the Evolving CISO with Susan Mauldin of Equifax

Enterprise adoption of big data and cloud infrastructure is presenting new challenges for Chief Information Security Officers (CISOs). I recently sat down with Susan Mauldin, CISO, Equifax, to get her thoughts about the evolving role of the CISO, perhaps into Chief Information Risk Officers, and how to secure the cloud.

PRAT: How has the role of the CISO changed over the last few years?
SUSAN: It certainly has become more challenging. The role of the CISO, I would say, is similar to a military role. In fact, we see this in the military and various government agencies where they actually talk about cyber warfare now. We’re seeing an evolution in the role, where the CISO is becoming more of a risk manager for the company, and in fact some companies are actually creating a role called the chief information risk officer. It’s a natural evolution for a CISO to go into that role, as it has historically been a very technical role, but it’s now becoming more of a risk manager role for the company.

PRAT: Cloud is a great way to bring more agility to an enterprise. More applications are being moved to the cloud, but there’s also been a big scare about security and compliance. How do you view cloud and security? Are they at odds with each other or do they help each other?
SUSAN: Five years ago, I would’ve answered you by saying that as a security professional, I would be adamantly against cloud. Today, I would say that cloud is definitely the way of the future. We used to say there was a tsunami coming and it was the cloud, but now we say that wave is here. It’s cresting and we really have to figure out how to use the cloud in a secure manner. We need to find a way to enable our business to use cloud services.

PRAT: It’s been said that enterprises have too many entry and exit points to reliably secure them all. Does cloud have the same number of exit and entry points?
SUSAN: One school of thought says that when you put corporate assets into a cloud, it is more secure because you know exactly what you have there. You have an exact inventory, you know exactly who has access to that data and how that's controlled. For some enterprises that might be very attractive. I think for other enterprises that have a very, very good handle on all their assets internally — a locked-down network with very few entry and exit points — they will have more cultural resistance to going toward a cloud solution.

PRAT: Inherently, is there anything about the cloud that makes it insecure?
SUSAN: Cloud solutions are third-party solutions, which means they're not something I have full management of. So things like physical security, network security and so forth that I would normally check would have to be satisfactory for me in a cloud provider, but I would want another level of controls over the data itself. I would want encryption of data at rest and in motion, in use and in transfer. And I would also want tokenization or obfuscation of that data. Along with assurances from my third-party cloud provider, I would want to know it manages privileged users properly and that physical security is done well. Those are the kind of things that I would look for to give me assurances.

PRAT: If you look at the CISO community, do they share this view of cloud security?
SUSAN: I would say at least half the CISOs that I know share that view. I would say more CISOs are becoming more comfortable with cloud because there are controls available to us today that weren’t there years ago: Encryption, obfuscation, the ability to audit and so forth. Companies are also insisting that CISOs become more comfortable with the idea of cloud. Given enough time, we can secure anything and find a way to say yes to it. Business-driven CISOs are of that mindset.

PRAT: We hear of big data and security coming together now. What does it mean and why does it make sense?
SUSAN: Security has always been part of big data. In the early days of security, it was really nothing more than network monitoring before security really became its own profession. Even then, network analysts were analyzing packets, looking at firewall logs and proxy traffic. That was the big data of the time. Information comes from every device on the network. Everything is IP-addressable. We’re always looking for the anomaly that says something’s not quite right. In my environment, our big data challenge is how to sort through all that data quickly and in a manner that fits what we are looking for. 

PRAT: What’s your message to fellow CISOs and big data practitioners out there?
SUSAN: Big data in the cloud is not something to be feared — it’s a new horizon. For companies that have cultural aversions to that [adapting to the cloud], I think that it’s really up to the security team to make that difference, to help enable the business so that they have the assurance to do business in the cloud and in a secure manner. I think security has a very prominent role to play. 




Edited by Ken Briodagh