By now, CISOs must be bracing for another harrowing year. Here is what one peer visualizes in the cyber-crystal ball …

What can the always-on CISOs of today look forward to next year?

With fast-evolving digital technology, collaboration, cyberattacks, remote-working concerns, tight budgets and surprises from the Omicron variant on the horizon, how should CISOs prepare for another eventful year? CybersecAsia spoke to Aladdin Elston, Head of Information Security, Altimetrik, a firm that specializes in hyper-collaboration and acceleration of technology transformation, for his views.

CybersecAsia: What are some of the major challenges 2022 has for CISOs?

Aladdin Elston (Aladdin): I have noticed time and time again how the great CISOs fall not because a skilled hacker bypassed an elliptic curve algorithm but simply because a default password, an unpatched server or a human misconfiguration was exploited. That is why it is so important for organizations and leaders to be focused on the fundamentals and drill them into the culture until they are instinctive throughout the entire organization. Thankfully, security automation, built-in security and ZTN will support us during this journey.

The major challenges that I foresee are ever-growing big data sets; globally dispersed and unmanaged compute power, of a speed never imagined, in the dawning quantum era; and finally, AI evolving so rapidly that only matching machine power against these tasks will make them possible to achieve.

However, the fundamentals will still be the same, and human error will be the undoing of those security controls, expensive boxes and AI-powered solutions. The CISO's role is already evolving: they will be scaling security teams, enlisting the power of 'security evangelists' within the organization, automating the security solutions, and constantly testing and fixing the environment by making it a responsibility of everyone in the organization. The CISO will likely become the conductor of this organizational orchestra, whose symphony will be security: a delicate, nuanced, never-ending game in an ever-evolving landscape.

The cyber landscape has witnessed drive-by malware downloads quickly bypassing a secure VPN, employees going online for more hours in a workday, and hackers transitioning from after-office hours to 24/7 work. Inevitably, a CISO's major challenges are always improving the security posture, improving the visibility of metrics, deploying solutions with faster detection and response rates, reducing costs, and preventing and detecting network breaches.

CybersecAsia: What cybersecurity, wireless, virtual workforce, and novel trends will impact enterprise security next year?

Aladdin: Here are five heading our way:

  1. As a beneficial approach to preventing cyberattacks by anticipating and actually responding to cyber threats in real-time, Extended Detection and Response (XDR) is going to be essential in 2022, with unified endpoint management (UEM) becoming absolutely necessary.
  2. Secure Access Service Edge (SASE) will see increased adoption, replacing hardware appliances with cloud computing services. This brings together web content inspection, malware scanning, cloud application access and URL filtering.
  3. Phishing-as-a-Service, Ransomware-at-the-Source and Brute Force Attacks with ransomware will contribute to the current scare over supply chain attacks. Strong Supply Chain Risk Management (SCRM) practices are motivating government contractors to differentiate themselves as cyber and SCRM-related regulatory requirements are being implemented. Federal agencies are relying on NIST Special Publication 800-161, Revision 1 (finalizing in April 2022) and the Cybersecurity and Infrastructure Security Agency Information and Communications Technology SCRM Task Force for identifying and mitigating supply chain vulnerabilities. Improving supplier visibility is addressed with the GSA’s Vendor Risk Assessment Program.
  4. The ever-expanding universe of IoT devices can prove devastating in an attack. An attacker with a single vulnerability may find hundreds of thousands of devices that they can leverage in DDoS attacks; so keep those little gadgets patched.
  5. Passwordless authentication will see increased adoption, where users can log into systems without the use of passwords or any other knowledge-based secret.

CybersecAsia: What deep skills should CISOs develop to thrive next year?

Aladdin: Deep empathy, establishing organization-wide rapport and open collaboration will definitely be key skills for CISOs in 2022.

Developers and IT need to ensure that security is built into every step of the network and secure software development lifecycle (SSDLC). To establish this open collaboration, CISOs will need to build deep connections, show genuine empathy and understanding, and establish a regular cadence with the organization’s leaders.

Instead of bombarding teams with demands, focus on the 80/20 principle in security, promote open communication and set aside working hours to discuss options and solutions.

CybersecAsia: A Deloitte report recommends that CISOs and CMOs should work together to cultivate customer trust through better data practices. What are your thoughts on this?

Aladdin: CISOs and CMOs, no doubt, need to work tirelessly to achieve better synergy and data practices. CMOs may be the first to hear what customers want, and CISOs are likely following digital trends closely. They need to meet in the middle with an optimal solution that suits the customers' needs and best-practice security policies.

The ‘go-to-market’ strategy should be ‘Security First’, ‘Data is King’ and ‘Protect All The Things’. The customer benefits from these strong security-focused data practices.

CybersecAsia: How can these three go-to-market strategies help CISOs to balance customer security and customer experience? 

Aladdin: Thankfully, many security products and features needed to secure an environment have negligible impact on the customer experience. In fact, in many cases, security functionality is built so seamlessly into the experience that customers hardly even notice the mechanisms in place.

Similarly, authentication factors like SSO and MFA make the experience more secure and even smoother, with a simple one-touch or typing in a response code. For many customers, security is now at the forefront of their attention. Years and years of public breaches have etched security requirements into customers' minds, with many moving to services offering more security features. I for one have changed financial institutions in search of more secure ones after becoming privy to the security shortfalls of some accounts.

Security in digital services is often quoted as the single most important requirement. Convenience comes in a close second. In my opinion, security and trust are tightly blended into the reputation of an organization. If a firm makes the headlines because of a security failure or compromise, the trust of thousands of customers will likely be diverted to competitors.

In this day of rampant cybersecurity risks, when it comes to the customer experience, all organizations should be focused on ‘Security First’. Ultimately, creating a secure customer experience should be the driving motivation for all CISOs.

CybersecAsia: What major cyber factors should CISOs consider when planning investments for next year?

Aladdin: Unfortunately, budgets will be limited, so CISOs will bank on cloud-based scalable security solutions, crowdsourcing, and affordable but effective cyber training that educates the entire workforce, to shave costs.

The major focus will be on identification and education. The first is about identifying which technologies give the most value for the budget in solving cybersecurity challenges; that may take some discovery work to find out.

Next, education involves developing a continuous education and security cycle to get the whole organization to consider cybersecurity as part of the corporate DNA.

In some sectors, CISOs are expecting budgets to increase by at least 11% in the next two years, so this may be used to fund cross-pollination of security training among employees to enhance the security posture. Combined with best practice and corporation-wide data security, CISOs' budgets will be spent in the most beneficial way to manage the hybrid work model.

CybersecAsia: Healthcare is likely a major target of cyberattacks next year…

Aladdin: This industry has been on state-sponsored and independent cyberattackers' lists for a few years now.

Healthcare information is the most profitable information to sell on the black market. The National Health Information Sharing and Analysis Center, the Financial Services Information Sharing and Analysis Center, and the Center for Internet Security are hosting training to defend against ransomware.

Key defenses for this vulnerable sector remain:

  • adoption of the tight cybersecurity approaches of financial services companies
  • shifting security left
  • external and internal penetration tests, and rolling out SDLC programs to identify security touchpoints throughout the development lifecycle
  • patch management and end-to-end encryption
  • developing strong fundamental security knowledge and educating all of the players in the industry, from the top down and the bottom up.

Remember, hospitals are often exposed to social engineering and malicious insider attacks, so extra attention must be paid to least-privilege access in healthcare networks.

CybersecAsia thanks Aladdin for the light from his guiding lamp.