CISOs of top firms suggest strategy changes for security teams

Security leaders from the likes of Coca-Cola, eBay and Walmart urge security teams to "look three years ahead"

Chief information security officers (CISOs) at top companies, including Coca-Cola, Federal Express, eBay and Walmart, have revealed their recommendations for using new technologies to build better computer security and improve business productivity.

The CISOs and other security leaders, including HSBC Holdings group head of infrastructure security Bob Rodger and Johnson & Johnson worldwide vice president of information security Marene Allison, form the US Security for Business Innovation Council (SBIC).

In the SBIC report labelled Focusing on strategic technologies (PDF) released by security software supplier RSA, the security leaders said that enormous changes in security are underway, but in some ways, developments are not happening fast enough.

Simon Strickland, global head of security at AstraZeneca, explained that the speed of change is quicker than it has ever been.

"You've got to inject flexibility and innovation into your strategy because 18 or even 12 months down the line, technology will have moved, your adversaries will have moved on and you can pretty much guarantee there will be questions about why you're not keeping up with developments," he said.

The first recommendation that the security executives suggested in trying to meet enterprise requirements in what they called a fast-moving environment was to look at least three years ahead.

"A three-year rolling plan is a useful tool to help focus limited capital on forward-leaning security investments," the report reads.

In looking ahead, the security executives suggest that any security team should forecast the strengths, weaknesses, opportunities and threats that its organisation will face in one, two and three years or more from now. These should help guide investments in solutions, the report states.

The enterprise should also align its security with IT and the business, the security leaders suggested, and the security team should demonstrate how its vision aligns and enables business strategy.

An enterprise-wide big data strategy should also be on the agenda, and the security team should help to define the overall big data strategy because it is likely to have some of the first use cases.

"It's vital that information security teams develop new security controls to allow for the fast adoption of big data techniques enterprise-wide, while ensuring the protection of the company's big data assets," the report said.

The final point is to get auditors engaged, letting them know about the new technologies that will be implemented over the three-year plan.

For example, if an organisation is considering using cloud technology or virtualisation in a way that could pose challenges for audits, they should develop a partnership with auditors well in advance to establish meaningful audit criteria.

The second of the three recommendations is to achieve a bigger picture through integration. The security leaders suggest that organisations currently get a fraction of the potential value from the security data they have because it tends to stay inside a range of siloed applications that are not interoperable.

The final recommendation is to maximise value through formalised technology deployments. To do this, security leaders suggest that organisations should predict and track the total costs and total value of new technology.

Organisations should also scale deployments rather than trying to do it all at once, and should consider carefully how to assess the trustworthiness of cloud security services.

Finally, they should approach maintenance strategically, with an eye on employees who are used to maintaining old software with the budget they have, rather than investing in new technologies.

"Ask yourself whether you can accept the risks of not doing every software update or hardware upgrade for older technologies that may be reaching end-of-life. Strategic cost-cutting can free up resources to get more advanced technologies in place," the report states.