CIOReview | November 2016

More regulation isn't the answer. In fact, if the government races to design and pass new regulations without enough consultation with the private sector, the wrong regulations could actually hinder innovation. Such a result would be counterproductive to continued advancement in the space as cyber criminals and their tactics continue to evolve.

The issue many companies struggle with is that they equate compliance with security, or assume that compliance is a sufficient baseline for security. This couldn't be further from the truth. While there may be sound security practices within the various regulatory frameworks our companies are beholden to, compliance is a point-in-time snapshot of specific controls; it represents neither ongoing operational practice nor organizational maturity. Compliance should be a validation that controls are already in place and inherent in how the company operates, not a task list of items addressed in an ad hoc fashion when it is time for the annual audit.

Compliance in Cloud

One thing I have found myself repeating more times than I can count to folks who are more infrastructure or operations minded is that you cannot buy your way to security or compliance. All too often, executives see terms like "FISMA Compliant" or "PCI Compliant" when looking to purchase solutions from IaaS providers and believe that by partnering with these companies they are magically compliant, or that all they need to do is throw a few logical controls around the environment to separate it from the rest of the infrastructure and the job is done.
While cloud computing may give you the ability to quickly and easily scale infrastructure up and down as the needs of your business expand and contract, it merely makes it easier to meet your control objectives; it is not a fast track to compliance. The provider's attestation covers the provider's own controls, and the controls you build on top of the platform remain yours to implement, operate, and evidence.

Another area where companies are currently struggling as they migrate to the cloud is how to protect and control data once it is off the network. Traditional DLP solutions do a good job of tracking data around the network, on servers, and on endpoints. Where the existing paradigm falls short is doing the same when that data is stored in Google Drive, Microsoft OneDrive, Dropbox, Box.com, or the myriad other online file storage and collaboration tools available. How do you track who that data is being shared with? How do you know who is copying, downloading, or printing those documents? How do you track when that data might be moving from cloud to cloud? How do you control that data once it is accessible on a mobile device? While there are some burgeoning solutions in the space looking to tackle this problem, it is still something many security teams are trying to wrap their arms around, particularly since many organizations, whether they know it or endorse it or not, are using multiple file sharing applications today, even if most of them fall into the Shadow IT bucket.

A Word for CIOs

The role of the CISO has changed dramatically over the past few years. When I was in my first senior security role, the job was primarily technical. While there may have been exposure to executive management, the most successful security leaders were the ones who were less known. In other words, if executives weren't breathing down your neck, nothing was wrong and you were doing your job well.

Fast forward to today and the landscape has changed significantly.
Today's cyber security leader is not only expected to have executive presence, but is a regular attendee at Board meetings, has control over a budget to run their program, and has strong knowledge of both security and enterprise risk management. The job has moved from one that is primarily technical to one where the person in the role must have a good balance of technical savvy, business expertise, and the ability to build effective cross-functional relationships while making reasonable and balanced risk/security decisions. New technologies and a constantly evolving threat landscape continue to make the CISO role both challenging and extremely rewarding. Ever-evolving regulatory and privacy standards and the constantly changing threat landscape make the CISO role one where you are constantly learning and updating your vision and priorities about the types of problems you need to consider to keep your company, its users, and its clients safe. I wouldn't want it any other way!

"If the security organization introduces too many obstacles to basic productivity, users will look for and invent ways to establish workarounds."

Sam Masiello