I recently sat on a panel with fellow security executives to discuss the general topic of innovating as a CISO. Unsurprising and somewhat understandable, the conversation quickly devolved and topics covered included RSA’s Innovation Sandbox, the large number of startups CISOs visit at RSA each year and how many trips CISOs make to Silicon Valley or abroad to meet with startups.
I say ‘unsurprising and understandable’ because the natural tendencies of most cyber and overall IT practitioners in general tend to gravitate toward tactical technical investments as ‘innovation.’
I’d have preferred to have much more focused discourse about strategic security and privacy business process innovations, which executives are undertaking to enhance the go-to-market strategy of their businesses.
Take for instance, the challenges of recalibrating the legacy secure software development lifecycle to adapt to the ‘market speed’ with which products are now being deployed using the Agile methodologies (Secure DevOps). To ensure they are securely enabling their businesses to react at market-speed, more CISOs should pursue innovations in Secure DevOps.
Similarly, with the importance of protection of corporate brands from the recurring onslaught of phishing campaigns exploiting the trust consumers place in many corporate brands, I continue to be amazed at the low adoption rate of Domain-based Message Authentication, Reporting & Conformance (DMARC), which is an email authentication protocol that allows senders and receivers to improve and monitor protection of their domains from fraudulent email.
With the data on end-user systems being susceptible to exposure and often highly exposed, innovations around auto-tagging, labeling, classification of sensitive data and the consequent authorization and encryption at a granular level are areas of concern that seem ripe for innovation, yet robust implementations are very few and far between.
Furthermore, the absence of discourse around innovations at the human firewall layer is increasingly evident in the low adoption rates of gamification to improve corporate security awareness programs.
Lastly, with the increased focus on insider threat, security innovations that deliver robust monitoring while balancing privacy concerns are sadly sorely missing from many CISO conversations and considerations.
And whereas my wish list for more strategic discourse on game-changing security innovations is also very technically focused, unlike rhetoric around number of startups I visited last year, I’d like to think that the initiatives I outlined all have direct traceability to key business or operational objectives.