Embracing uncertainty. It is a tricky concept, but one that is trumpeted by Eddie Schwartz, whose 25 years in the information security field and current role as CISO of RSA have taught him, among other things, that a focus on the unexpected is critical. Eddie, who is also chair of ISACA’s Cybersecurity Task Force, will deliver the opening keynote presentation at ISACA’s North America Information Security and Risk Management (ISRM) Conference this November in Las Vegas. Today, Eddie chats with us about the puzzling concept at the core of his keynote.
ISACA: What do you mean by “uncertainty” and why must we embrace it?
Eddie: Security teams already know how to deal with routine problems they understand, for example, achieving regulatory compliance or preventing known malware or network exploits for which there are antivirus (AV) or intrusion detection systems (IDS) signatures. These issues are like audits where you can achieve a level of certainty and easily improve over time. However, advanced adversaries will bypass regulatory controls, use zero-day exploits, target end-users, and generally exploit unknown or unexpected weaknesses, even in the best security operations. Security plans must include a focus on the unknown unknowns, which requires us to embrace uncertainty and to plan for uncertainty aggressively.
ISACA: How is big data transforming security management?
Eddie: Security managers often ask me, "Which logs should I review?" The focus for so long has been on trying to find more device logs to analyze in the hope of finding complex security threats. The last few years of tremendous losses due to state-sponsored, criminal and hacktivist groups have shown us that we need to be looking at information from a broader context—from a business context. Big data forces us to think about the universe of internal and external information that might help us understand what is happening in our organization. What is good behavior relative to users, business processes and IT systems? Where are the outliers? Big data is transforming security management, fraud, GRC, and identity management and governance.
ISACA: Why have traditional security technologies, processes and skills become ineffective?
Eddie: Many traditional technology and process-level approaches to security were built on the notion that we could actually prevent most of the bad things happening in our environment. We can only prevent that which we already understand, such as existing malware, network exploits or behavioral rules that are fairly trivial to bypass. Even modern “advanced” approaches to intrusion and malware prevention have fundamental weaknesses and cannot provide certainty. Although leading security vendors are now offering advanced-technology approaches (security analytics, identity and access governance), security skills have not kept pace with both technology advancements and management requirements in terms of business adoption of big data, cloud, mobility and social media. Our industry must address this critical-skills problem and ISACA is a big part of the solution.