[BreachExchange] What Keeps a CTO Up at Night

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 13 18:58:45 EST 2018


It is not easy being a CTO, especially considering all the threats from
hackers coming from every possible direction, trying to get their hands on
that priceless data. Perhaps what is most nerve-racking is that even one
security breach can turn a respectable company into a laughingstock. Here
are some of the reasons CTOs around the country are having trouble sleeping
at night.

DevOps Data Breaches

This past November, a massive data breach breach at a U.K. recruiting
agency exposed the personal information of 780,000 clients. Hackers were
able to access the data located on the agency’s development server, which
was used by the agency’s IT provider. The American College of Cardiology,
as well as parenting retailer Kiddicare, had similar incidents last year.
And most notably, the Equifax data breach, which disclosed the personal
information of 143 million Americans could be the worst to date. Read also:
What’s Wrong with Big Data

Such incidents have become more common and are giving CTOs everywhere
nightmares in addition to concerns that oversight in their DevOps
implementation could be the newest route for data breaches in 2018. DevOps
is quickly emerging as a weak link in the security chain and in the rush to
continuously innovate, DevOps teams can introduce vulnerabilities by
dismissing or overlooking corporate security standards. According to a
recent survey, 80% of teams are not doing any security testing whatsoever
during development and, to make matters worse, organizational silos between
developers and security teams prevent the latter from enforcing security

In order to meet this new challenge, companies must apply security during
the DevOps process, which ensures compliance with both internal and
external security regulations, without slowing down the main mission of the
DevOps team, which will be challenging since security is not inherently
mixed into a DevOps culture.

Managing Multi-Cloud Deployments

The massive growth of cloud-based services has made it easier like never
before to bring geographically scattered teams and empower them to
collaborate more closely and effectively.

In order to keep up with the demands of this new workplace model, current
data centers will need to evolve into a combination of collocated,
on-premises and multi-cloud environments. Multi-cloud deployments combine
the best solutions and services from various cloud providers, thus
overcoming vendor lock-in and flexibility issues at the same time. CTOs
must address the need for a geographically dispersed infrastructure to
serve a global customer as well as an employee base. They will also be
challenged to construct the proper multi-cloud architecture and distribute
shape, service and secure it on a constant basis.


A lot of IT departments out there are still working with platforms of
loosely-connected open-source components. These “Frankestacks” are not
long-term viable and if left as is, just like the monster it was named
after, they will turn against their masters with dire consequences.

Companies which allow developers to patch together some sort of
pseudo-platform from a collection of awkwardly integrated open source
projects are taking huge risks in terms of expense and value. Inevitably,
this “Frankestack” network will begin to crumble under the constantly
growing pressure of keeping all of these different components integrated,
secured and up to date.

Adoption of AI

AI has leaped out of sci-fi movies and is expected to become a $37 billion
dollar industry by 2025. Over the past year, Amazon, IBM, Microsoft and
SalesForce have released apps with AI capabilities. The appetite for AI is
growing to a point where humans alone cannot effectively manage it. AI
encompasses machine learning, deep learning, prescriptive and predictive
intelligence, can give business intelligence and can reform daily work
practices such as reducing the amount of work and increasing productivity.

Even though the adoption of AI is being driven because of business reasons,
it is up to CTOs to implement AI. This often means playing catch-up in
terms of understanding the technology, determining how it fits within the
organization and how to prioritize resource to get the job done. The
consequences of failing to adapt to digital business models are severe.
According to a report by the Business Journal, more than half of the
companies on the Fortune 500 list have dropped off the list because they
failed to adapt.

Securing the IoT

In October 2017, a series of distributed denial-of-service (DDoS) attacks
left many popular websites inaccessible for almost a whole day. These
include big names such as Spotify, Twitter, and PayPal. These strikes
targeted a DNS provider called Dyn and the investigation launched by the
company determined that part of the DDoS came from IoT devices that were
infected by the Mirai botnet malware.

The sheer magnitude of this disruption made securing the IoT a top priority
for many companies. According to a recent study, around 70% of companies
said that they were unsure whether or not they could bounce back after a
cyber attack and the average cost of a data breach costs $4 million. This
is the script of a real horror movie for CTOs everywhere.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180213/8f5856fa/attachment.html>

More information about the BreachExchange mailing list