Kevin Coleman is a senior fellow at the Technolytics Institute and former chief strategist at Netscape.
A very interesting discussion arose with the chief information security officer (CISO) of a critical infrastructure facility within the United States. The topic was the current reality of our cyber defense posture. After thinking about the conversation for some time, I boiled it down to three distinct themes that, based on my experience, paint a realistic picture of the challenges a CISO faces in today's environment.
The first theme was that when you are a CISO, you don't have time. Stop for a moment and consider the common issues that hit today's CISO: compliance issues, user problems, new systems and software, software patch incompatibilities, vendor security issues, and that is the short list. At the top of his list was keeping up with cyber threats. With everything on the CISO's plate these days, there is no time to read a multi-page cyber threat report. He began to talk about a security vendor's cyber threat report that was 80 pages long, a report I had actually seen and read. He said, "Get to the main points and just give me a one-pager!" If you look at all that is out there, you can see how easily a CISO could suffer from information overload.
The second theme was that everyone is focused on the advanced stuff while many CISOs are struggling with the basics. More often than not, IT organizations do not have the resources to keep up with the pace of advancement in computer technology, and they fall behind. All too often the attention goes to the latest and greatest hardware and software while the current technology environment still has old, unsupported software operating in it. In fact, at one client the security staff were told they could not uninstall an old, unsupported program because nobody was sure what removing it would break.
The third theme was that they don't have the money. With the sluggish economy, budgets are tight, and cyber security is not cheap. In fact, the cost is rising. In some cases, the cost of maintaining what the organization already has consumes the majority of the CISO's budget. Given all of this, the reason for our current cyber defense posture could not be more evident. Bottom line: it is all about money.
The picture those three themes project is not pretty and all indications are this will not dramatically change any time soon.