Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Michael Coates, CEO and co-founder, Altitude Networks
From one CISO to another, Top 4 focus areas for success in 2020
Each year there is a litany of predictions for the year ahead. They cover the gamut: AI is taking over the world, quantum
computing will change everything, IoT will destroy security as you know it. While
it's nice to opine about distant futures, the reality is that very few of
these items should have a meaningful impact on your security planning for 2020.
Instead, I'd like to propose an alternate
approach to knowledge sharing for 2020. From one CISO to another, here's where
I believe the industry can make the most gains.
#1 The Human Scale Problem
We will never scale to meet the challenge of defending
organizations by operating at the speed of humans. The challenge we face
grows exponentially, whereas human effort grows linearly at best. I don't
need to draw a graph to show that we'll never catch up.
Instead, leverage the creativity and ingenuity
of humans to design or adopt automated systems that solve the majority of
routine issues automatically. The short-term refocus to get off the hamster
wheel of manual work will feel like you're falling behind. But once the system
is enabled you'll immediately reap the benefits.
Tip from my own experience - start with small
scenarios that have minimal variation. The goal is to ship iteratively instead
of trying to boil the ocean with a large, unattainable project.
#2 Data, data, data - it's all about data security
The technology landscape is changing.
Migration to cloud is the reality, mobile is here to stay, and the network is
transforming as contractors and interconnected business partners come inside it.
The days of building a strong perimeter to protect the "crown jewels"
are over. Now a company's most valuable asset, its data, is strewn across
multiple repositories inside and outside the company.
In 2020, prioritize risk efforts on these
disparate data stores. Wherever you have significant data, be sure your security
controls actually provide coverage and value. The fundamental security
tenets hold true across all technologies; however, how you implement and
monitor them varies greatly. And remember, the security model must be sound in
principle, but it must also operate effectively with your employees and business
partners.
#3 Treat your enterprise network like your local coffee house
We've already established above that your data
is no longer primarily stored inside your corporate network and a variety of
business partners have internal network access too. Continuing with that
thinking, why do we assume so much trust just because an individual is
physically located inside our office?
Just as your local coffee house provides
internet access with no assumed trust in an individual, your corporate network
should aspire to a least-privilege model. In 2020, give consideration to the
steps that can remove the inherent trust granted just because someone plugged into an
internal network port or jumped on the wifi. Instead, move to a trust model
where the office provides vanilla network access and employees authenticate to
particular zones or applications as needed to accomplish work. Where possible,
weave in device security health attestation too. These steps will raise your
overall security health and significantly help contain the impact of a breach.
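To make the "coffee house" model concrete, here is an added example (not code from the article or from Altitude Networks) contrasting a perimeter decision, which trusts anything on the office address range, with a location-blind decision that requires an authenticated user, a fresh and correctly signed device-health claim, and per-application authorization. Everything in it is constructed for illustration: the 10.0.0.0/8 office range, the role-to-application table, the HMAC-signed health claim standing in for whatever your endpoint agent or MDM actually produces, the 300-second freshness window, and the fixed clock.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass
from typing import Optional

# --- Assumptions (all constructed for this example, not from the article) ---
# Key an endpoint agent would use to sign device-health claims. A real deployment
# would use a per-device key or certificate, never a shared secret like this.
ATTESTATION_KEY = b"example-attestation-key-do-not-use"
ATTESTATION_MAX_AGE = 300                        # seconds a health claim stays fresh
CORP_NET = ipaddress.ip_network("10.0.0.0/8")    # the "office" address range
NOW = 1_700_000_000                              # fixed clock so results are deterministic

# Per-application authorization: which roles may reach which zone (constructed).
APP_ACCESS = {
    "wiki": {"staff", "contractor"},
    "hr-system": {"staff"},
    "prod-admin": {"sre"},
}


@dataclass(frozen=True)
class Request:
    user: Optional[str]          # None = not authenticated to the application
    roles: frozenset
    src_ip: str
    app: str
    attestation: Optional[dict]  # {"claims": {...}, "sig": hex} or None


def sign_claims(claims: dict, key: bytes = ATTESTATION_KEY) -> dict:
    """Stand-in for the endpoint agent: sign a health claim with HMAC-SHA256."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def attestation_ok(att: Optional[dict], now: int, key: bytes = ATTESTATION_KEY) -> bool:
    """Accept a claim only if it is correctly signed, fresh, and reports a healthy device."""
    if not att:
        return False
    body = json.dumps(att["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att.get("sig", "")):
        return False                                  # tampered or unsigned
    claims = att["claims"]
    if now - claims.get("issued_at", 0) > ATTESTATION_MAX_AGE:
        return False                                  # stale: device state may have changed
    return bool(claims.get("disk_encrypted")) and bool(claims.get("os_patched"))


def perimeter_decision(req: Request) -> bool:
    """Legacy model: anything on the office network is trusted."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET


def zero_trust_decision(req: Request, now: int = NOW) -> bool:
    """Coffee-house model: source address is ignored; identity, device health
    and per-application authorization all have to pass."""
    if req.user is None:
        return False
    if not attestation_ok(req.attestation, now):
        return False
    return bool(req.roles & APP_ACCESS.get(req.app, set()))


def sample_decisions(now: int = NOW) -> dict:
    """Constructed cases showing where the two models disagree."""
    healthy = sign_claims({"device": "lap-1", "issued_at": now - 10,
                           "disk_encrypted": True, "os_patched": True})
    stale = sign_claims({"device": "lap-2", "issued_at": now - 3600,
                         "disk_encrypted": True, "os_patched": True})
    tampered = {"claims": dict(healthy["claims"], disk_encrypted=False),
                "sig": healthy["sig"]}                # claim edited after signing
    cases = {
        # Plugged into an office port, never authenticated, no attestation.
        "unauthenticated_on_lan": Request(None, frozenset(), "10.1.2.3", "hr-system", None),
        # Staff member on coffee-shop wifi with a healthy, signed device.
        "staff_remote_healthy": Request("alice", frozenset({"staff"}), "203.0.113.7", "hr-system", healthy),
        # Same person, same place, asking for a zone her role does not cover.
        "staff_remote_wrong_zone": Request("alice", frozenset({"staff"}), "203.0.113.7", "prod-admin", healthy),
        # In the office, but the device's health claim is an hour old.
        "staff_on_lan_stale": Request("bob", frozenset({"staff"}), "10.1.2.4", "wiki", stale),
        # In the office, with a health claim edited after it was signed.
        "staff_on_lan_tampered": Request("bob", frozenset({"staff"}), "10.1.2.4", "wiki", tampered),
    }
    return {name: {"perimeter": perimeter_decision(r), "zero_trust": zero_trust_decision(r, now)}
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, result in sample_decisions().items():
        print(f"{name:26} perimeter={result['perimeter']!s:5} zero_trust={result['zero_trust']}")
```

The cases worth noticing are the two the perimeter model gets wrong in opposite directions: the unauthenticated machine on an office port is admitted to the HR system purely by address, while the authenticated employee with a healthy device is refused from the coffee shop. The zero-trust function also shows why attestation must be both signed and fresh: an edited claim fails the MAC check, and an hour-old claim is rejected even though it was validly signed.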
#4 How organizations can love their CISO again
A CISO that is loved by the business? It can be
done! Instead of operating as the team of "No", empower your business by doing
two things. First, establish a publicized "easy path" for routing interactions
with security which is also the "secure path". This model involves stating
security objectives clearly, providing varying options depending on the
specifics of a situation and building "secure by default" technology
frameworks. When a path forward for business operations is simple and also
secure, you'll find lots of happiness from the business.
Second, you don't always have to say "no".
Instead, you can build a model that aligns authority and accountability to a
business leader (often a VP). This approach requires the security team to
educate a business unit about the risks of a particular project and provide
mitigating controls if the team would like to lower risk. After doing so the VP
signs off on the project with a full, and documented, understanding of risks
and potential outcomes. This model allows business leaders to have authority to
take business risks where needed; they will either reap the rewards or suffer
the repercussions of their actions. Clearly, this approach requires
accountability to the C-level and does have some upper bounds on acceptable
risk for the VP to take. But overall the model works nicely.
Final thoughts
As you look to 2020, remember that security is
not just a set of technical problems. It is the intersection of human behavior,
business drivers, technology and more. We must incorporate all of these
elements as we build a security program that focuses on the right items and can
scale to meet the demands of a business.
About the Author
Michael Coates is the CEO & co-founder of Altitude Networks. His background
includes 15 years in the field of information security with roles such as CISO
of Twitter, Head of Security for Mozilla, six years on the OWASP global board
of directors, and many years in offensive and defensive security practitioner
roles. Find him online at @_mwc