Q & A with John Deere's global security guru.
This editorial product was produced by the SC editorial team and underwritten by Informatica. It is part two of a three-part series.
One of the thorniest obligations for most information security leaders these days is keeping their organizations' critical data shielded against a spreading plague of cybercriminal attacks. Additional barriers to thwarting the constant attempts at incursion lie in the newest tools and applications corporate workers and consumers alike embrace to take on daily tasks.
Incontrovertibly, advanced technologies – such as mobile devices, cloud services, big data analytics, social media platforms and more – enable organizations to evolve new lines of business, increase productivity and improve customer experiences, says John Johnson, global security strategist and architect with John Deere, the American heavy equipment manufacturer. At the same time, however, these technologies also expose corporate infrastructures to the possibility of network breaches and data compromises.
“As they become adopted in the enterprise, there are more ways than ever for sensitive corporate information to be used and abused,” Johnson explains. “In contrast to the castle model of IT, we now have an always-on, always-available open model. Data now flows where and when it is needed.”
Accordingly, the top priority for CISOs is to “focus on what information is the most sensitive, regulated or valuable, and to protect it,” he says. At the same time, he adds, it's also essential to find successful ways to sell data protection efforts to business leaders. Frequently, achieving this means moving the focus away from network- and device-centric security methods.
Johnson shared other insights with SC on what data security in the 21st century involves:
SC: Are you seeing more organizations' IT and IT security leaders pushing business units and C-level executives to integrate security/privacy into overall operations?
JJ: Leading organizations realize that IT security is more than applying security as the last step before a product goes out the door. Organizations need to mature their security capabilities to be able to proactively deal with the advanced threats we are seeing as we connect more devices – many of which cannot be managed – to corporate and public networks. It is also necessary to run security more like a business with metrics that demonstrate that resources are focused and effective at managing risk. This requires real leadership and communication skills in a CISO, but it is crucial to becoming a business enabler and partner. Ultimately, that is where we will provide the best value to our organizations.
SC: What are some actions that IT security teams can take to be more proactive in keeping various systems, applications, software and more updated and patched?
JJ: Organizations typically have good practices around monthly Microsoft patching, but any large and complex network will have non-compliant systems and systems that cannot be managed. It is important to have an inventory of non-compliant systems and to put them on a restricted network segment if possible. User accounts should not have local admin access, unless an administrator is performing administration. Privileged accounts should be limited and role-based and only issued to administrators who need them. If possible, some type of privileged access management tool should be used. I would also investigate going beyond anti-malware to invest in advanced threat protection for endpoints to break the attack 'kill chain' and better protect against zero-day attacks and systems that cannot be made compliant in a timely way.
SC: What more can organizations be doing to strengthen their ability to gather and leverage threat and attack intelligence data to stop compromises?
JJ: I would increase visibility to threats on endpoints and feed that into a SIEM (security information and event management). Ideally, this would give insight into how systems were exploited, lateral movement and some forensic information. I would also increase visibility to network threats by making use of network data and better segmenting the network. Additionally, I would consider data loss prevention. All of these tools require a significant effort if you expect them to block attacks, but even having them deployed in passive mode can help you quickly detect and respond to attacks and potential breaches.
SC: What do you see as important data-security related issues coming to the fore in coming months for which information security leaders must prepare?
JJ: There is a real need to improve how we secure point-of-sale devices and improve security for the retail sector. My colleague, Brian Engle, is working hard on this problem as the new executive director for the Retail Cyber Intelligence Sharing Center (R-CISC). I sincerely hope that we can help retailers and small-business owners better secure business transactions by pushing for better industry standards and practices.
Also, there is a serious shortage of expertise needed to secure our critical infrastructure and industrial control systems. The past 15 years have seen a growth in fairly secure computer systems, out-of-the-box, with robust patch management. In many ways, industrial control systems – used in critical infrastructure and even in the connected consumer systems that make up the exponentially growing Internet of Things (IoT) – are not designed to be secure or managed and updated in a trustworthy way. These systems are ripe for exploitation, and consumers, corporations and governments should be concerned.
– SC editorial staff