INFORMATION SECURITY
DECEMBER 2016
VOL. 18 | NO. 10
HIGH-STAKES ROLE: MGM RESORTS CISO SCOTT HOWITT
DEDICATED TO INFORMATION SECURITY
With CISOs on the rise, the position calls for technical, business and leadership talent. Who wouldn't love this job?
BUILDING A CYBERTHREAT INTELLIGENCE CAPABILITY
ANAHI SANTIAGO: HEALTHCARE INFOSEC LEADER
IT'S TIME TO CLARIFY OWNERSHIP OF RISKS IN THE CLOUD
EDITOR'S DESK

CONTENTS
EDITOR'S DESK
HIGH-STAKES ROLE: SCOTT HOWITT
GLOBAL CISO: TIM CALLAHAN
REPORT: CYBERSECURITY CAREER DATA
THREAT INTELLIGENCE OVERLOAD
RANUM Q&A: ANAHI SANTIAGO
SHACKLEFORD: OWNERSHIP OF RISK
is less about technology proficiency and more about information security (intellectual property and data protection, risk management, forensics and investigation, business continuity and disaster planning, regulatory compliance, data privacy issues) and strategic security initiatives. Building a threat intelligence capability and communicating risk to non-security executives, especially ownership of risk in the cloud, as Dave Shackleford explains in his column, are two areas that will receive increased scrutiny in 2017.
"Cybersecurity is not really a technical venture," says Larry Larsen, CISO of the Apple Federal Credit Union. "It is a behavioral venture in a technical environment, and that is where the counterintelligence approach comes in," he tells Jaikumar Vijayan, who reports on cyberthreat intelligence programs for this issue.
HIGH-STAKES ROLE
SCOTT HOWITT, CISO OF MGM RESORTS INTERNATIONAL
By Alan R. Earls
THE ROLE OF CISO can keep you up nights, but it has its
GLOBAL CISO
TIM CALLAHAN, CISO OF AFLAC
By Alan R. Earls
these goals and that also help educate CISOs on how they
can be more impactful in public policy decisions that are
good for America and good for our business climate. We
must always seek to serve the larger good and protect
the consumer.
How have you seen the role of the CISO evolve
in recent years?
CAREER DATA
Almost 70% of those surveyed said their organizations had a CISO or CSO function,
but active participation with upper management and boards of directors is still
limited at many companies.
[Chart: organizations with a CISO, CSO or similar function, broken out by organization size: fewer than 1,000 employees (N=82) and more than 1,000 employees (N=211). Answer category shown: Yes. Values shown in the chart: 67%, 49%, 40%, 38%, 27%, 4%, 2%.]
SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND INFORMATION SYSTEMS SECURITY ASSOCIATION (ISSA), 2016; BASED ON RESPONSES FROM 437 IT AND SECURITY PROFESSIONALS WORLDWIDE

[Chart: reporting line of the CISO. Categories shown: CISO reports to CEO; CISO reports to CIO; CISO reports to someone other than CEO or CIO (or don't know); CEO; CIO; COO; Senior IT manager who reports to CIO (i.e., VP level); Other; Don't know. Values shown in the chart: 16%, 35%, 22%, 41%, 8%, 11%, 22%, 37%, 22%, 10%, 10%, 5%, 8%, 1%, 2%.]
SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED ON RESPONSES FROM 293 IT AND SECURITY PROFESSIONALS WORLDWIDE

Top-Level Participation
Is your organization's CISO, CSO or similar executive-level cybersecurity position an active participant with executive management, the board of directors or a similar oversight group?
[Chart: answer categories shown: Yes, No, Don't know. Values shown in the chart: 6%, 15%.]
SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED ON RESPONSES FROM 293 IT AND SECURITY PROFESSIONALS WORLDWIDE
CREDIT: ERHUI1979/ISTOCK

Which of the following are the most important qualities of a successful CISO? (Multiple responses allowed.)
[Chart: categories shown: Leadership skills; Communication skills; A strong relationship with the CIO and other members of the IT leadership team; Management skills; Technical acumen; Business acumen; Operational skills. Values shown in the chart: 50%, 47%, 30%, 29%, 23%, 22%, 19%, 18%, 17%, 14%, 10%, 9%, 1%.]
SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED ON RESPONSES FROM 437 IT AND SECURITY PROFESSIONALS WORLDWIDE
THREAT INTELLIGENCE OVERLOAD
SEVEN WAYS TO AVOID THE FEEDING FRENZY
Cyberthreat intelligence is just data if it is not actionable.
By Jaikumar Vijayan
tractor, a lot of the work that Larry Larsen did for federal agencies involved extensive use of threat intelligence in cyberdefense strategies.
"We were seeing so many different attacks from so many different sources against government, it was an operational imperative to know where it was coming from and why," Larsen recalls.
Today, as the chief information security officer at Apple Federal Credit Union in Fairfax, Va., Larsen sees a lot of value in applying similar methods in a threat intelligence program designed for dealing with the multifaceted threats directed against his current employer.
"Cybersecurity is not really a technical venture," he says. "It is a behavioral venture in a technical environment, and that is where the counterintelligence approach comes in."
Most companies have firewalls, antivirus and other IT security tools they can plug into their network infrastructure. But that often doesn't tell security analysts anything about the source of the attack or who is entering
catastrophic attack?
Larsen is among a growing number of security officers who have implemented a threat intelligence capability to help steer the technical aspects of their security program. In 2015, the threat intelligence market accounted for a somewhat modest $190 million in revenues, according to analyst firm IT-Harvest. But it is expected to top $460 million this year and over $1.5 billion in 2018.
Driving the market is the growing focus on aligning security efforts more closely with actual needs and enabling better situational awareness based on the specific nature of threats that an organization faces. Digital Shadows, headquartered in San Francisco and London, provides these types of services (tailored threat analysis and alerts, dark web searches for stolen data and credentials, and more) through its SearchLight platform.
"It's about knowing what is going on around you so you can figure out what to do," says Rick Holland, a longtime Forrester Research analyst, who is currently vice
requirements, advises Josh Zelonis, senior analyst with Forrester Research. "It would be irresponsible for someone to recommend a threat feed without an understanding of your specific organization and the motivations of threat actors who would target you," he says.
According to Larry Larsen, CISO at Apple Federal Credit Union, the goal should be to try to get finished intelligence, to the extent possible, from your service provider. "There's a difference between finished intelligence and just information," says Larsen, whose company has subscribed to a customized threat intelligence service from SurfWatch Labs. "Finished intelligence is information you can take, digest and act upon immediately."
For instance, it's one thing to get intelligence that a threat actor was identified on the dark web offering Yahoo accounts for sale. It's another thing entirely to know that Yahoo accounts belonging to 48 people in your organization were available in that data dump.
Threat intelligence needs to be tailored for your organization in a manner that informs strategic and tactical decision-making, Zelonis says. Anything that has not been enriched to this level is just data and should be avoided if you do not have the capabilities in house to perform this enrichment. J.V.
START SMALL
When implementing a cyberthreat intelligence practice,
it is easy to get overwhelmed, Podborny observes. Dealing
with threat intelligence data can be like drinking from a
fire hose unless you have a good process in place for consuming and acting upon the information that is pouring
in from internal and external sources.
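The distinction Larsen draws between "just information" and finished intelligence (a dump of Yahoo accounts for sale versus the 48 of them that belong to your staff), and the fire-hose problem Podborny describes, both come down to the same enrichment step: matching raw feed entries against what only the organization knows about itself, then collapsing the result into a short list of actions. The Python script below is an added example for this article; it is not code from the article, from SurfWatch Labs, Digital Shadows or any other vendor named here. The feed format, the domain names, the directory entries and the rules that pick an action are constructed assumptions for illustration.

```python
"""Turn a raw credential-dump feed into finished intelligence for one organization.

Added example for this article; not code from the article or any vendor it names.
The feed format, domains, directory and action rules below are constructed
assumptions for illustration.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: a raw feed as a provider might deliver it, one leaked account per row.
# The same user can appear in several sources with different password exposure.
RAW_FEED = """\
source,observed,account,password_state
darkweb-market-A,2016-11-02,ALICE@Example-Credit.org,plaintext
darkweb-market-A,2016-11-02,bob@yahoo.com,hash
darkweb-market-A,2016-11-03,carol@mail.example-credit.org,hash
paste-site,2016-11-05,alice@example-credit.org,hash
paste-site,2016-11-05,dave@othercorp.example,plaintext
paste-site,2016-11-05,eve@examplecredit.org,plaintext
paste-site,2016-11-06,grace@example-credit.org,hash
"""

# Constructed: the organization's own context, which the feed provider does not have.
ORG_DOMAINS = {"example-credit.org"}            # subdomains are matched too
DIRECTORY = {                                   # accounts that actually exist
    "alice@example-credit.org": {"privileged": True},
    "carol@mail.example-credit.org": {"privileged": False},
    "frank@example-credit.org": {"privileged": False},
}


@dataclass(frozen=True)
class Finding:
    account: str
    privileged: bool
    sources: Tuple[str, ...]   # distinct feeds that reported the account
    plaintext_seen: bool       # at least one source exposed a usable password
    action: str


def normalise(account: str) -> str:
    """Lower-case and trim so 'ALICE@Example-Credit.org' matches the directory."""
    return account.strip().lower()


def belongs_to_org(account: str) -> bool:
    """True for the organization's domain or any subdomain of it.

    An exact-suffix check keeps look-alikes such as examplecredit.org out:
    those are a phishing-infrastructure question, not a credential one.
    """
    domain = account.rsplit("@", 1)[-1]
    return any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def enrich(raw_csv: str) -> List[Finding]:
    """Reduce the feed to findings an analyst can act on immediately."""
    rows = list(csv.DictReader(io.StringIO(raw_csv)))
    # 1. Keep only accounts in the organization's domains. This is the step that
    #    turns "Yahoo accounts are for sale" into "N of them are ours".
    by_account: Dict[str, List[dict]] = {}
    for row in rows:
        acct = normalise(row["account"])
        if belongs_to_org(acct):
            by_account.setdefault(acct, []).append(row)
    # 2. One finding per account, however many feeds reported it.
    findings = []
    for acct, reports in sorted(by_account.items()):
        sources = tuple(sorted({r["source"] for r in reports}))
        plaintext = any(r["password_state"] == "plaintext" for r in reports)
        entry = DIRECTORY.get(acct)
        privileged = bool(entry and entry["privileged"])
        if entry is None:
            # Our domain, but no such account: check for a stale or shadow account.
            action = "verify: no such account in directory"
        elif privileged or plaintext:
            action = "force password reset and review recent logins"
        else:
            action = "notify user; rotate at next login"
        findings.append(Finding(acct, privileged, sources, plaintext, action))
    return findings


def summary(findings: List[Finding]) -> Counter:
    """Counts per action: the number a CISO actually wants to hear."""
    return Counter(f.action for f in findings)


if __name__ == "__main__":
    for f in enrich(RAW_FEED):
        print(f"{f.account:32} priv={f.privileged!s:5} plaintext={f.plaintext_seen!s:5} "
              f"sources={','.join(f.sources)} -> {f.action}")
```

Seven feed rows become three findings with one action each; the Yahoo user, the other company's user and the look-alike domain are discarded before anyone reads them. The enrichment rules are the part to invest in: the directory lookup, the privileged flag and the plaintext-versus-hash distinction are what make the output actionable, and they are exactly the context a vendor cannot supply.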
HEALTHCARE LEADER
Anahi Santiago of Christiana Care Health System has spent much of her career in healthcare information security. "We are under attack," she says. BY MARCUS RANUM
I know there's a tremendous amount of focus on healthcare information security right now. Back in the '80s, when I worked at a large hospital in Baltimore, information security in healthcare really wasn't on anyone's radar at all. Is that changing?
organizations started to pay attention. When the Office for Civil Rights started to levy significant fines, that's when people started to really get serious about security.
A few years ago, I would have said that healthcare
information security was the worst for a long time,
but now government has probably surpassed medical
as the worst.
do both!
Internally, it really starts with education. People are the most important asset in any information security program: it starts with educating people about the risks
and helping them [to] understand how that ties to patient
safety. At the end of the day, they live and breathe patient
care, and they will do anything to have good outcomes
and make patients lives better. If you can connect
information security to patient safety, you can now
connect to your clinicians in language they understand.
When I talk to them about clinical devices that are on
old, unsupported operating systems that are measuring
some critical data about a patient, [I] have to bring
integrity into the picture: Do you really have the right
information?
I talk to them about ransomware and how if we dont
apply good data hygiene and we are infected, you could
potentially not have access to your clinical information
when you need it. It puts patient lives potentially at risk.
THE HYBRID LIFE
Business leaders sign off on cloud but fail to understand their accountability.
BY DAVE SHACKLEFORD
cloud projects. The reasons are many: not enough resources on the security team, apathy from management, slow adoption of changes, pushback from DevOps teams and more. Buy-in from vendor management and procurement teams, with involvement from legal teams, is also
CISOs should ensure that use of cloud computing services complies with all current laws; IT security best practices, standards and requirements; and risk management policies. The same goes for all privacy laws and regulations. It's important to make sure that an executive or team explicitly signs off on all use of cloud computing and that they are properly informed with documented cloud risk assessment results. Until this process is accepted within the organization, true risk ownership won't reside where it should on cloud projects: with the senior executives and data owners.
FEATURES EDITOR
MANAGING EDITOR
Robert Richardson
Kathleen Richards
Brenda L. Horrigan
SITE EDITOR
Robert Wright
SITE EDITOR
Peter Loshin
Linda Koury
EDITORIAL BOARD
Moriah Sargent
CONTRIBUTING EDITORS
Doug Olender
dolender@techtarget.com
Stay connected! Follow @SearchSecurity today.
2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written
permission from the publisher. TechTarget reprints are available through The YGS Group.
TechTarget
275 Grove Street,
Newton, MA 02466
About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick
access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and
virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community,
you can get advice and share solutions with peers and experts.
www.techtarget.com