Welcome!

Microservices Expo Authors: Jason Bloomberg, Liz McMillan, Mamoon Yunus, Pat Romanski, Elizabeth White

Related Topics: Cloud Security, Java IoT, Microservices Expo, Linux Containers, @CloudExpo, SDN Journal

Cloud Security: Article

Selling Security

Enterprises can no longer afford to see their CISOs confined to the dark recesses of the IT department

The threats facing network operators all over the world, spanning service providers, enterprises, cloud and hosting providers and mobile operators alike, are by no means stalling. While optimism is always the name of the game, we know all too well in security that trying to keep pace with the slew of attack vectors out there today is an unfortunate reality. As our 9th annual Worldwide Infrastructure Security Report reveals the magnitude of attacks is on the upswing once again and coupled with increasingly complex, multi-vector style attacks, the threat is all too real.

Winning the battle against those threats depends on many factors: the expertise of the security organization; response plans and resources; and the ability to put those plans into action. Increasingly, part of the challenge for Chief Information Security Officers (CISOs) is in getting the right support from their senior management. That's not necessarily a new hurdle for CISOs to overcome. Management buy-in has always been vital for dealing with IT security threats. But with threats becoming more complex, the priority for CISOs is ensuring that they have sufficient resources to deal effectively with those issues.

Executive and board-level awareness of these threats is already pronounced: recent research found that senior executives and risk managers within American and Canadian enterprises today are more concerned about losing money through cyber threats than they are through property damage or investments or securities failing.[1] This growing board-level awareness as to the severity of IT-based attacks means CISOs have an opportunity to champion their own role as a risk manager and defender of the business. By showing leadership and engaging proactively with other heads of department, CISOs can show how their expertise adds a ‘return on prevention' value to the business.

However, when it comes to getting their voices heard, many CISOs face an uphill struggle from day one - everything from IT being seen as ‘just' the cost of doing business and not an asset, to board members with vastly different priorities (i.e., those who would rather wait for their house to be on fire to call the fire department versus taking preemptive action upfront). If CISOs are to deliver an understandable call to action and gain the credibility to push their strategic plans, they need to deploy a range of tactics to make their voices heard including:

  • Discuss security risks in a way that resonates with management: Expecting the management/executive team or board to learn the information security professional's vocabulary can be unrealistic. Instead, the CISO must communicate threats in a way that the leadership team understands. This language barrier doesn't need to be a hindrance though; approached in the right way, it can actually be an excellent way for CISOs to showcase how their role fits within the overall corporate risk management strategy.
  • Translate prevented costs to realized goals: The substantial increase in botnet code modification and botnet node recruitment may be crucial in the understanding of how attacks are developing, but bring these terms up in a conversation with a CFO and you're likely to see their eyes glaze over faster than you can say Distributed Denial of Service (DDoS). The primary message a CISO needs to get across is the threat that attacks of any kind pose in terms of lost revenue, reduced productivity and damage to the business brand.
  • Anchor the threat in your own organization: Engage with the CFO and COO to obtain financial figures relating to the cost of your operations and the amount of money generated through online services and a workforce reliant on a fully functioning IT network. Armed with these figures, CISOs can offer a realistic estimate of the negative financial impact of a level-one cyber attack where key IT services might be adversely affected. In an age where many institutions have built strong revenue streams and enhanced customer loyalty through online and mobile services, it also provides an opportunity for CISOs to demonstrate the crucial role they can play in preserving business operations.

These days, no enterprise risk assessment and business plan is complete without taking into account the operational risk represented by cyber security attacks intended to have a negative effect on the availability of key online services. Enterprises can no longer afford to see their CISOs confined to the dark recesses of the IT department because as DDoS attacks and other cyber threats have become increasingly high-tech and more complex, enterprises need a technologist with a seat at the table.

But with greater responsibility comes the challenge of gaining and maintaining credibility within the C-suite. And it is only by conveying this threat in a language the business understands - by demonstrating the potential outcomes using examples familiar to other business heads - that the CISO will be able to get the buy-in they need to do their job properly. This is the challenge and the opportunity - the opportunity for the CISO to get the recognition they deserve and the backing to deal with the ever-growing threat faced by organizations today.

Resource:

  1. Execs Say Cyber-Attacks a Top Threat: AIG Survey-CNBC News-6 February 2013

More Stories By Rakesh Shah

Rakesh Shah is Director, Product and Strategy Marketing of Arbor Networks. He has been with the company since 2001, helping to take Arbor's products from early stage to category-leading solutions. Before moving into the technical marketing team, Rakesh was the Director of Product Management for Arbor's Peakflow products, and he was also a manager in the engineering group. Previously, Rakesh held various engineering and technical roles at Lucent Technologies and CGI/AMS. He holds a M.Eng. from Cornell University and a BS from University of Illinois at Urbana-Champaign both in Electrical and Computer Engineering.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
IT organizations are moving to the cloud in hopes to approve efficiency, increase agility and save money. Migrating workloads might seem like a simple task, but what many businesses don’t realize is that application migration criteria differs across organizations, making it difficult for architects to arrive at an accurate TCO number. In his session at 21st Cloud Expo, Joe Kinsella, CTO of CloudHealth Technologies, will offer a systematic approach to understanding the TCO of a cloud application...
API Security has finally entered our security zeitgeist. OWASP Top 10 2017 - RC1 recognized API Security as a first class citizen by adding it as number 10, or A-10 on its list of web application vulnerabilities. We believe this is just the start. The attack surface area offered by API is orders or magnitude larger than any other attack surface area. Consider the fact the APIs expose cloud services, internal databases, application and even legacy mainframes over the internet. What could go wrong...
The goal of Continuous Testing is to shift testing left to find defects earlier and release software faster. This can be achieved by integrating a set of open source functional and performance testing tools in the early stages of your software delivery lifecycle. There is one process that binds all application delivery stages together into one well-orchestrated machine: Continuous Testing. Continuous Testing is the conveyer belt between the Software Factory and production stages. Artifacts are m...
In IT, we sometimes coin terms for things before we know exactly what they are and how they’ll be used. The resulting terms may capture a common set of aspirations and goals – as “cloud” did broadly for on-demand, self-service, and flexible computing. But such a term can also lump together diverse and even competing practices, technologies, and priorities to the point where important distinctions are glossed over and lost.
Most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes a lot of work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reduction in cost ...
Enterprise architects are increasingly adopting multi-cloud strategies as they seek to utilize existing data center assets, leverage the advantages of cloud computing and avoid cloud vendor lock-in. This requires a globally aware traffic management strategy that can monitor infrastructure health across data centers and end-user experience globally, while responding to control changes and system specification at the speed of today’s DevOps teams. In his session at 20th Cloud Expo, Josh Gray, Chie...
"At the keynote this morning we spoke about the value proposition of Nutanix, of having a DevOps culture and a mindset, and the business outcomes of achieving agility and scale, which everybody here is trying to accomplish," noted Mark Lavi, DevOps Solution Architect at Nutanix, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
We have already established the importance of APIs in today’s digital world (read about it here). With APIs playing such an important role in keeping us connected, it’s necessary to maintain the API’s performance as well as availability. There are multiple aspects to consider when monitoring APIs, from integration to performance issues, therefore a general monitoring strategy that only accounts for up-time is not ideal.
Web services have taken the development world by storm, especially in recent years as they've become more and more widely adopted. There are naturally many reasons for this, but first, let's understand what exactly a web service is. The World Wide Web Consortium (W3C) defines "web of services" as "message-based design frequently found on the Web and in enterprise software". Basically, a web service is a method of sending a message between two devices through a network. In practical terms, this ...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, discussed how to use Kubernetes to set up a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace. H...
As many know, the first generation of Cloud Management Platform (CMP) solutions were designed for managing virtual infrastructure (IaaS) and traditional applications. But that’s no longer enough to satisfy evolving and complex business requirements. In his session at 21st Cloud Expo, Scott Davis, Embotics CTO, will explore how next-generation CMPs ensure organizations can manage cloud-native and microservice-based application architectures, while also facilitating agile DevOps methodology. He wi...
There are several reasons why businesses migrate their operations to the cloud. Scalability and price are among the most important factors determining this transition. Unlike legacy systems, cloud based businesses can scale on demand. The database and applications in the cloud are not rendered simply from one server located in your headquarters, but is instead distributed across several servers across the world. Such CDNs also bring about greater control in times of uncertainty. A database hack ...
These days, change is the only constant. In order to adapt and thrive in an ever-advancing and sometimes chaotic workforce, companies must leverage intelligent tools to streamline operations. While we're only at the dawn of machine intelligence, using a workflow manager will benefit your company in both the short and long term. Think: reduced errors, improved efficiency and more empowered employees-and that's just the start. Here are five other reasons workflow automation is leading a revolution...
We define Hybrid IT as a management approach in which organizations create a workload-centric and value-driven integrated technology stack that may include legacy infrastructure, web-scale architectures, private cloud implementations along with public cloud platforms ranging from Infrastructure-as-a-Service to Software-as-a-Service.
Docker is sweeping across startups and enterprises alike, changing the way we build and ship applications. It's the most prominent and widely known software container platform, and it's particularly useful for eliminating common challenges when collaborating on code (like the "it works on my machine" phenomenon that most devs know all too well). With Docker, you can run and manage apps side-by-side - in isolated containers - resulting in better compute density. It's something that many developer...
While some vendors scramble to create and sell you a fancy solution for monitoring your spanking new Amazon Lambdas, hear how you can do it on the cheap using just built-in Java APIs yourself. By exploiting a little-known fact that Lambdas aren’t exactly single-threaded, you can effectively identify hot spots in your serverless code. In his session at @DevOpsSummit at 21st Cloud Expo, Dave Martin, Product owner at CA Technologies, will give a live demonstration and code walkthrough, showing how ...
Did you know that you can develop for mainframes in Java? Or that the testing and deployment can be automated across mobile to mainframe? In his session and demo at @DevOpsSummit at 21st Cloud Expo, Dana Boudreau, a Senior Director at CA Technologies, will discuss how increasingly teams are developing with agile methodologies, using modern development environments, and automating testing and deployments, mobile to mainframe.
Cloud adoption is often driven by a desire to increase efficiency, boost agility and save money. All too often, however, the reality involves unpredictable cost spikes and lack of oversight due to resource limitations. In his session at 20th Cloud Expo, Joe Kinsella, CTO and Founder of CloudHealth Technologies, tackled the question: “How do you build a fully optimized cloud?” He will examine: Why TCO is critical to achieving cloud success – and why attendees should be thinking holistically ab...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting challenge of adapting related cloud strategies to ensure optimal alignment, from managing complexity to ensuring proper governance. How can culture, automation, legacy apps and even budget be reexamined to enable this ongoing shift within the modern software factory?
@DevOpsSummit at Cloud Expo taking place Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center, Santa Clara, CA, is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is ...