Today’s CSOs Must Confront Cybersecurity

File this one under “Missed Opportunities.”

In a three-part report that ran November 11-13, the San Jose Mercury News extensively detailed the increasing threat, cost and liability U.S. enterprises face from cybercriminals.

In the second part of his report, titled “How Well Are We Protecting Ourselves?” author Ryan Blitstein recounts a telling anecdote.

When Rick Wesson, founder of Support Intelligence, a cybersecurity consulting firm, determined that online criminals were hijacking several Oracle computers into robot networks, or “botnets,” and using them to distribute malicious email to PayPal customers -- most likely “phishing” schemes aimed at fraudulently acquiring account information and passwords -- he notified Oracle’s chief security officer. Her course of action was to direct Wesson to Oracle’s physical security group that, in Blitstein’s words, “manages the door locks and cameras, and watches the parking lot.” In the end, very little was done about the intrusion.

Perhaps Oracle’s CSO thought she was doing the right thing. But the greater lesson here is that a C-level security manager at one of the largest high-tech companies in the country neither understood the significance of the attack nor seemed properly prepared to handle it.

At the same time, I think Blitstein was a bit harsh in dismissing the security operation as merely door locks and cameras. Anyone in this industry knows that enterprisewide physical surveillance and security is a sophisticated task. Nonetheless, it’s clear that that’s where the Oracle CSO saw the boundaries of her job, and that’s where the organizational flaw was.

Cybersecurity and physical security are two sides of the same coin. Just as pertinent to this story is the fact that when Wesson picked up the phone he called Oracle’s CSO, not the CISO or the vice president in charge of Information Technology. CSOs still manage the first line of defense of their enterprises. Wesson, an IT security expert, acknowledges that by his choice of contact.

This presents both an obligation and an opportunity. The obligation is to understand the nature, extent and significance of cyberthreats, even a botnet. A few computers sending out spam may seem harmless to many organizations, Wesson tells Blitstein, but compromised corporate machines could allow thieves to access documents containing trade secrets, insider data in executives’ e-mail, and databases of private employee information.

Moreover, an attack is not a sign of weakness or poor security, and should not be held against a CSO. The CSO must be part of the solution. The challenge of cybercrime is that as fast as vulnerabilities can be countered, new vulnerabilities are discovered and exploited. Symantec estimates 4 percent of malicious Internet activity comes from networks of the nation’s 100 largest companies.

The opportunity for CSOs, already experts in building physical perimeter defenses, is to understand how the growth of cybersecurity threats expands their role in the defense of virtual perimeters -- namely the computers and servers that comprise an enterprise’s gateway to the global information network.

The tools are different, but the same strategies apply. IT managers understand the threat and tools, but don’t always appreciate the strategy. CSOs, on the other hand, grasp the strategy, but sometimes are intimidated by the tools. Suffice it to say: For everything that CSOs do in the physical world -- surveillance, identification and authentication, intrusion detection, response and isolation -- there is an analogous function in the IT realm. The learning process requires understanding these tools and functions and how to apply them -- but that’s purely tactical. Dollars to donuts, I would say a CEO is more receptive to a plan that addresses enterprisewide security -- physical and virtual -- than to the jargon-heavy documents that IT departments often try to substitute for clear thinking.

The real problem at Oracle was that the organization failed to see cybersecurity as part of the CSO’s role. It’s up to the CSO to know that security threats have changed, and that begins by understanding and communicating to an organization and culture that today’s enterprise security takes in more than door locks and cameras.

The San Jose Mercury News’ series on cybercrime can be found at http://www.siliconvalley.com/ghostsinthebrowser/ci_7408419.

About the Author

Steven Titch is editor of Network-Centric Security magazine.
