Forecast 2016: Security takes center stage

After a year of high-profile hacks, security is top of mind for tech execs in 2016

Contributing Writer, Computerworld |

When a high-profile cybersecurity attack occurs, like the ones at Target or Home Depot, Sam Redden knows to be ready.

It's almost a given that Redden, chief security officer at Brazos Higher Education Service, a Waco, Texas-based company that services billions of dollars in student loans, will be summoned to brief his worried board of directors.

Redden says he lays the groundwork for such command performances by proactively communicating with the board on an ongoing basis to keep them up to date on everything that IT is doing to protect the enterprise and how his team is preparing for the inevitable.

Even then, "I wouldn't be foolish enough to say I stay ahead of the bad guys," says Redden. "The bad guys stay ahead of everybody."

That observation is likely the reason why 50 percent of the 182 IT professionals who participated in Computerworld's Forecast 2016 survey said they plan to increase spending on security technologies in the next 12 months.

Computerworld Tech Forecast 2016: Budget Booms and Busts

What's more, when respondents were asked to name the most important technology project currently underway at their organizations, security came in second -- chosen by 12 percent of those polled -- trailing cloud computing by just two percentage points.

"When you look at the amount of money big organizations [spend] to prevent breaches and they still get breached, you've got to assume you'll be attacked too," says Dale Denham, CIO at Lewiston, Maine-based Geiger, a $150 million distributor of promotional products. "You have to have a plan in place."

Attackers are getting more numerous, better organized and more powerful. And the number of entry points they can use to access vulnerable networks is rising exponentially as televisions, printers, cameras and even cars are IP-enabled. Gartner estimates that the number of connected things in use will hit 4.9 billion by the end of this year, up 30 percent from 2014, and will reach 25 billion by 2020.

One recent example of the ever-evolving kinds of security threats enterprises are facing is a piece of persistent malware dubbed SYNful Knock that was discovered last September on Cisco routers.

"It's the first time anything has been publicly disclosed about an exploit of Cisco routing and switching equipment," says Darren Van Booven, cybersecurity officer for the Idaho National Laboratory in Idaho Falls. "It's a great example of the kind of threats organizations now have to mitigate. They require constant changes in our strategy."

John Nai, CISO at PayPal, says in 2016 he'll pay close attention to "infrastructure hygiene," which, he says, "is super important to us." Beyond that, Nai says he believes in keeping a firm eye on the basics. "A lot of companies focus on advanced capabilities," he notes, "but you really need to be brilliant at the basics: Make sure you're patching your infrastructure, patching your desktops and have the right operational capabilities to see what's going on in your network."

Slim pickings in the labor pool is another management concern: There simply aren't enough security professionals to go around, and those who are in the job market can command sky-high compensation packages that are out of reach for many companies.

Those are just a few of the security-related issues that IT leaders lose sleep over. But most of them say they're not staying up late worrying; they're up making plans to take action. They're preparing to fine-tune anti-intrusion strategies, train -- and retrain -- employees, and create disaster plans for the breaches and attacks they say they know lie ahead.

Bigger budgets, better-trained users

Security execs may be getting called to board meetings more frequently for explanations, but they're often leaving those meetings with more resources to spend on protecting enterprise systems and data. The high-profile breaches have helped raise awareness among even the least technical board members about the critical importance of security. (See The board will see you now for more on the changing relationship between security and the C-suite.)

"Instead of going to the board or CIO and struggling with justifying every security expense, I have the board and CIO coming to me," says a CISO from a midsize manufacturing company who declined to be further identified.

"In some ways, the high-profile breaches have done the selling for me. It's almost an open checkbook," he says. But make no mistake, he adds: "The threats are still there and they are certainly scary."

Computerworld IT Forecast 2016: Plans to Increase Spending [factoid]

Across the board, security managers say they'll spend at least some of the money being added to their security budgets on further investments in awareness and training programs. "One of the biggest challenges is with employees. Most of the problems we've had come from emails they've opened that could have Trojans or malware," says Redden.

"It all goes back to user training," he adds. At Brazos Higher Education Service, he says, "we've pulled most remote users back in for additional training. We talk about not letting anyone access their laptop. It's not a personal device. We stress that very highly. Endpoint protection is the No. 1 issue."

Training is also on the docket at Loyola University Maryland in Baltimore. "Our largest challenge is our end users, so we're really ramping up our cyber awareness training," says Louise Finn, CIO and associate vice president of technology services.

In 2016, the university's recently hired security operations director, Patricia Malek, will be conducting face-to-face scenario-based training with employees in all business units. "And we're not just training on the university's policy, but providing training on the personal side, emphasizing personal control over and protection of data," Finn says.

The Bank of Labor in Kansas City requires employees to take part in a security awareness training program annually. But Shaun Miller, the bank's information security officer, says that schedule renders the program "worthless" because threats change so quickly.

To help people remain vigilant, Miller sends out phishing emails "the same way the bad guys do." If users click on the links in these messages, they're sent to a landing page and get immediate feedback about what they should have done differently. "I'm not doing this to get employees in trouble," Miller says. "I'm doing the same thing audit firms would do. People learn [best] from their mistakes."

Hire in or contract out?

Among respondents to the Forecast survey who said they expect to add staff in 2016, 25 percent named security initiatives as the factor driving that decision. And 33 percent said security was the skill they expect will be the most difficult to hire for in 2016.

In interviews, executives at small and midsize organizations say they will hire people with broad IT and security skills, rather than highly experienced experts in specific security areas, such as intrusion detection or firewalls.

Computerworld Tech Forecast 2016: Hard to Hire

Many companies are adding expertise not by hiring, but by contracting with the growing number of security services providers. As one CISO put it, one of the advantages of contracting is that it's a way of sidestepping the threat of having sought-after security employees poached by other organizations.

Frankie Duenas, CTO at Cabrillo Credit Union in San Diego, heads a small department of six IT professionals whose duties range from security and networking to programing and daily operations, and he also outsources for security assistance when necessary. "We have a budget in place to throw at security" -- either to respond to emerging threats or to respond to a need for more sophisticated security software and/or services, Duenas explains. "We're going to double that [contingency] budget next year because hacks evolve quickly, and we need to have that pot to pull from."

At Geiger, Denham says he hires third parties to handle both intrusion detection and intrusion prevention services. The company also works with outside auditors on compliance with the PCI Data Security Standard.

"I don't expect we'll hire more [security professionals into IT]," he says. Instead, Geiger will continue to turn to service providers as new needs arise.

"You're never finished with security. You can't do it all, and you can never do it fast enough," Denham says. "There's always more to do than IT can handle."

The bottom line is that security is a critical enterprise issue that never goes away. It never ends because hackers always find new ways to do damage.

For example, the industry has made great progress in fighting phishing attacks, according to PayPal's Nai, but as it has done so, the bad guys have refocused their efforts elsewhere -- on disseminating malware, for example.

"As we continue to improve in certain areas, the bad actors don't go away," Nai says. "They don't go out and get legitimate jobs. They simply move to another attack vector."

The board will see you now . . . and now . . . and now

Just about all of the security professionals and CIOs interviewed for this article said they expect to put more emphasis on communicating with their boards in 2016.

"Three years ago, unless there was a breach, a person in this role would rarely get to talk to the board. Now it's not unusual to talk to the board once a quarter," says a manufacturing company CIO who requested anonymity. "They're trying to evaluate risk, and they want to feel confident that I'm putting measures in place that are cost-effective and protect the company."

Darren Van Booven, cybersecurity officer at the Idaho National Laboratory, says the success of a risk management and security program hinges on IT leaders having access to, and the ability to communicate with, senior executives.

"It's imperative to understand the business of the organization," he says. If you don't, you can't articulate risks in a way that the leadership understands. "If you hear CISOs saying they're not being listened to, that's why," Van Booven says.

In addition to board members, Van Booven meets with most senior managers to share information and provide training.

"This peer-to-peer meeting between Darren and other senior leaders has made a big difference in their commitment [to security]," says information management program integration director Hortense Nelson. "That personal element is very important."

Security outside the walls

Beyond internal communication, IT leaders like the manufacturing company CIO find themselves increasingly working outside the company's walls -- with supply chain partners and their boards, in his case. The CIO has drafted a security questionnaire that he is proposing be added as a regular part of the vendor management process.

Dave Cooke, director of technology at Altum, a Reston, Va., consulting firm and software-as-a-service provider, has been on the receiving end of such questionnaires and says he is seeing an increase in their use by client companies. Altum's customers are large foundations and other organizations that give out grants and use Altum's grant-tracking software service to monitor distributions and how recipients are using funds.

"When we get a client that wants to sign up for our service, they send us a security software questionnaire. We have to answer a litany of questions before they consider us," says Cooke. "We've seen an uptick of these in the last 18 months. They help us because we figure if they're asking these questions, we need to take the same [issues] into account."

— Julia King

This story, "Forecast 2016: Security takes center stage" was originally published by Computerworld.

Next read this:

Julia King is a Computerworld contributing writer based in Pennsylvania.