Today’s CSOs Must Confront Cybersecurity

File this one under “Missed Opportunities.”

In a three-part report that ran November 11-13, the San Jose Mercury News extensively detailed the increasing threat, cost and liability U.S. enterprises face from cybercriminals.

In the second part of his report, titled “How Well Are We Protecting Ourselves?” author Ryan Blitstein recounts a telling anecdote.

When Rick Wesson founder of Support Intelligence, a cybersecurity consulting firm, determined that online criminals were hijacking several Oracle computers into robot networks, or “botnets” and using them used to distribute malicious email to PayPal customers -- most likely “phishing” schemes aimed at fraudulently acquiring account information and passwords -- he notified Oracle’s chief security officer. Her course of action was to direct Wesson to the Oracle’s physical security group that, in Blitstein’s words, “manages the door locks and cameras, and watches the parking lot.” In the end very little was done about the intrusion.

Perhaps Oracle’s CSO thought she was doing the right thing. But the greater lesson here is that a C-level security manager at one of the largest high-tech companies in the country did not understand the significance of the attack nor seemed to be properly prepared to handle it.

At the same time, I think Blitstein was a bit harsh in dismissing the security operation as merely door locks and cameras. Anyone in this industry knows that enterprisewide physical surveillance and security is a sophisticated task. Nonetheless, it’s clear that that’s where the Oracle CSO saw as the boundaries of her job, and that’s where the organizational flaw was.

Cybersecurity and physical security are two sides of the same coin. Just as pertinent to this story is the fact that when Wesson picked up the phone he called Oracle’s CSO, not the CISO or the vice president in charge of Information Technology. CSOs still manage the first line of defense of their enterprises. Wesson, an IT security expert, acknowledges that by his choice of contact.

This presents both an obligation and an opportunity. The obligation is to understand the nature, extent and significance of cyberthreats, even a botnet. A few computers sending out spam may seem harmless to many organizations, Wesson tells Blitstein, but compromised corporate machines could allow thieves to access documents containing trade secrets, insider data in executives’ e-mail, and databases of private employee information.

Moreover, an attack is not a sign of weakness or poor security, and should not be held against a CSO. The CSO must be part of the solution. The challenge of cybercrime is that as fast as vulnerabilities can be countered, new vulnerabilities are discovered an exploited. Symantec estimates 4 percent of malicious Internet activity comes from networks of the nation’s 100 largest companies.

The opportunity for CSOs, already experts in building physical perimeter defenses, is to understand how the growth of cybersecurity threats expands their role in the defense of virtual perimeters -- namely the computers and servers that comprise an enterprise’s gateway to the global information network.

The tools are different, but the same strategies apply. IT managers understand the threat and tools, but don’t always appreciate the strategy. CSOs, on the other hand, grasp the strategy, but sometimes are intimidated by the tools. Suffice it to say: For everything that CSOs do in the physical world -- surveillance, identification and authentication, intrusion detection, response and isolation, there is an analogous function in the IT realm. The learning process requires understanding these tools and functions and how to apply them -- but that’s purely tactical. Dollars to donuts, I would say a CEO is more receptive to a plan that addressed enterprisewide security -- physical and virtual -- than a jargon-heavy document that IT departments often try to substitute for clear thinking.

The real problem at Oracle was that the organization failed to see cybersecurity as part of the CSO’s role. It’s up to the CSO to know that security threats have changed, and that begins by understanding and communicating to an organization and culture that today’s enterprise security takes in more than door locks and cameras.

The San Jose Mercury News’ series on Cybercrime can be found at http://www.siliconvalley.com/ghostsinthebrowser/ci_7408419.

About the Author

Steven Titch is editor of Network-Centric Security magazine.

Featured

  • Data Driven, Proactive Response

    As cities face rising demands for smarter policing and faster emergency response, Real Time Crime Centers (RTCCs) are emerging as essential hubs for data-driven public safety. In this interview, two experts with deep field experience — Ross Bourgeois of New Orleans and Dean Cunningham of Axis Communications — draw on decades of operational, leadership and technology expertise to share how RTCCs are transforming public safety through innovation, interagency collaboration and a relentless focus on community impact. Read Now

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • Right-Wing Activist Charlie Kirk Dies After Utah Valley University Shooting

    Charlie Kirk, a popular conservative activist and founder of Turning Point USA, died Wednesday after being shot during an on-campus event at Utah Valley University in Orem, Utah Read Now

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.