Forensic analysis, access controls, and cloud computing – they are the three areas of focus (ISC)² addressed during its recent Congress in Philadelphia, where Tipton caught up with Infosecurity. They are three areas in “which changes are occurring so quickly that if you don’t keep up, you will be applying antiquated techniques to solutions you don’t even understand”, Tipton said. An inability to keep abreast of these evolving trends can lead to mistakes on the part of the security practitioner, he added.
“Even if you don’t get breached, sound security pays off if you are smart enough to plan and implement it correctly”, Tipton continued. Most of this can be achieved through modernization, he said, and in Tipton’s opinion, the biggest headache in the security field is legacy systems – “The whole environment has been built around silos.” Modernizing your infrastructure, however, will typically require an initial capital investment, and it’s an area that security managers must negotiate in an era of stressed budgets.
You have to demonstrate a business case for security investment, and break down the expected return on investment after the initial capital expenditure, Tipton noted in outlining his strategy. “Money talks when it comes to getting buy-in by senior executives – it’s the language that they speak.
“In this day and age, a CISO should be prepared to walk out the door – vote with their feet – if you can’t get funding for something as important as protecting the sensitive, private data of your citizens, customers, and employees. There are certain things that you need to fall on your sword with.”
The need for increased budgets is even more acute in the public sector, where Tipton says the US Congress “is famous” for enacting authorizing legislation, but seldom accompanies this with the required appropriation for an initial investment. Further complicating this issue are public sector departments headed by political appointees, many of whom have a limited lifespan. As Tipton noted, “it’s hard to get your point across about the severity of a situation that – in the end – will cost money, especially if the person you are pleading your case to is likely to move on within a year or two”. This leads to them simply crossing their fingers and hoping that dire predictions fail to materialize until after they have left, said Tipton when recalling his years of experience in the public sector.
But the situation is not entirely gloom and doom, as he pointed out. “There’s a developing sense of urgency” regarding cybersecurity, he believes, noting the increased attention paid to the issue by President Obama and his predecessor, George W. Bush. Couple this sense of urgency with the increasing frequency of data security breaches, and Tipton said there is now a more receptive environment to address cybersecurity issues in both the private and public sectors. “The old problem in government is that you never could get anyone to sit down and listen to you”, he said in reflection. This trend is changing, Tipton asserted, and the general public appears to be getting the message about its importance as well.
However, the impending ‘fiscal cliff’ facing the US federal government could put the brakes on some cybersecurity investments. “Regardless of who is elected [President], there are going to be cuts. It doesn’t matter who promises what, there will be cuts coming”, Tipton predicted. “I’ve never been one to panic over budget cuts, because they make you lean and mean”, he said with a dry smile. “While some will complain that they have been ‘cut to the bone’, I would say that at least they still have bone.”