CIOPerspective
The enterprise risk
management approach to
cybersecurity
Cyber adversaries are winning, and better cybersecurity tools are not even half the battle
BY RICHARD A. SPIRES
With the seemingly endless array of cybersecurity prod- ucts, tools and related “best practices” available that promise to protect an organization’s enterprise and data, it is fascinating to see the continued spate of successful cyberattacks.
Whether it is one-off attacks against large compa- nies and government organizations (Target, Sony and the Office of Personnel Management immediately come to mind) or large-scale campaigns based on a software vulnerability (such as the recent WannaCry and Petya ransomware attacks), it appears that the adversaries are winning — and winning at an increasing rate.
In an era of ever more sophisticated cybersecurity tools, how is it that we are actually backsliding as a community?
Those of us who have served as CIOs or in other senior IT roles at large enterprises understand that three factors, when combined, make it exceptionally difficult to secure an environment and prevent successful cyberattacks.
Factor 1: Complexity
In almost all large organizations, one will find tremen-
Richard A. Spires has been in the IT field for more than 30 years, with eight years in federal govern- ment service. He is now CEO of Learning Tree International and chairman of Resilient Network Systems.
dous complexity in the IT environment, which is a com- bination of legacy (most likely antiquated) systems that are still core to business operations, modern applica- tions that are most likely built in a number of different languages and architectures, and finally a new set of applications that are running in a public cloud. In par- ticular, software-as-a-service applications are increas- ingly helping organizations quickly and easily leverage new applications.
Although cloud computing and SaaS business models can enable IT organizations to reduce infrastructure costs and enable more agility to support customers, they also increase complexity.
To the degree that it uses SaaS-based applications, an IT organization gives up control (and visibility) into some of its IT infrastructure while having third parties store and control sensitive data.
Not so long ago, the IT security team was respon- sible for protecting the organization’s IT perimeter. With today’s new computing and service models, a traditional perimeter often no longer exists — or if it does, it might include protecting a number (perhaps up to dozens) of third-party cloud service and SaaS application providers.
Factor 2: Adversaries
The second factor working against our ability to protect our environments and data are the adversaries them- selves. Their ability to share techniques and data makes them ever more sophisticated and persistent. Whether they are nation-states or criminal organizations, adver- saries see tremendous potential for gain, and the invest-
39
August 2017
FCW.COM