By following the general strategies below, CISOs can evolve their approach and strengthen corporate cyber resilience without needing to see into the future.
According to Google's Project Zero, the security research team that finds vulnerabilities, reports them to vendors and tracks zero-days exploited in the wild, the past 12 months have seen the highest number of in-the-wild zero-days on record.
While this reflects greater transparency and dedication by security researchers to warning about zero-day attacks, it leaves CISOs and their teams with the daunting task of continuously patching their critical and vulnerable estates.
When it comes to elevating their company’s security posture, CISOs have a vital role to play. In partnership with identified stakeholders in technology, operations, and business design, they lead changes that are meant to strengthen their organization’s cybersecurity while elevating overall digital trust. To achieve this, they need to involve themselves in the business/product roadmap conversations and create a cybersecurity ecosystem within the enterprise. This will help create a culture of awareness, ownership, and accountability around security within the larger organization from the get-go.
However, this is easier said than done. Several factors can affect a firm's adoption of a successful security strategy:
- a product’s time to market
- the movement to hybrid work
- the inherent exposure of a firm’s key assets in such a model
- employee engagement, especially as the work-from-anywhere model picks up pace
Based on these and many other factors, CISOs need to continually review and reprioritize the adoption of security practices to meet business objectives.
The CISO’s evolving role
Over the past two years of dealing with the pandemic, one lesson has outweighed any individual event or consideration: the critical need to be able to navigate unforeseen circumstances, and to plan and rehearse for known scenarios of business disruption.
Clearly, combating cybercrime requires future-proofing to prepare for the unforeseen. This entails safeguarding corporate assets across an ever-broadening attack surface. For example, with more processing and data at the edge, there are now more IoT-related attacks; more 5G deployments exposing vulnerabilities in enterprise software; and more zero-day attacks affecting the quality of service and availability of converged and critical private networks.
Additionally, while there have been meaningful clampdowns on ransomware operators, ransomware remains one of the largest cybersecurity risks for enterprises.
The key thing to remember is that people are the first line of defense. All personnel in the company need to be aware of how they can protect themselves and the larger organization:
- They need to be equipped with basic cybersecurity knowledge, such as how to spot phishing attacks and how to respond to one—essentially creating and contributing to a pervasive culture of security within the business.
- There must be the right mix of roles across cybersecurity, business and IT teams. A diverse spread of information security skills is vital in combating multifaceted threats that often combine heterogeneous attack vectors. Conducting cyber drills with different attack scenarios ensures that teams come together and act deftly in a crisis.
- The right mix of roles will still only be as effective as the investment in, and use of, the right security tools. Organizations can be guilty of investing in security technology incrementally: focusing only on 'trending' threats and plugging only the holes that are immediate. But if tools are not fully utilized or integrated into the broader security and IT strategy, teams will have only a fragmented and incomplete view of risk.
So, overcoming these obstacles and changing the pervading perceptions around cybersecurity requires CISOs to invest in the right tools, technologies, and training to not only address the issues of the moment, but also future unknown disruptions.
Navigating choppy waters
With memories of massive supply chain incidents such as the SolarWinds compromise and the Log4Shell vulnerability in a ubiquitous open-source logging library still fresh, defending against cyber threats has reached new heights of complexity for security teams.
These threats are set to become more insidious and far-reaching in the coming years, and they are a harsh reminder for leaders that the weakest link in their supply chain does not have to be enterprise software: it can be an open-source library or a free development tool pulled in as a dependency.
That is why security teams must implement a third-party security program to get a handle on the cyber risks originating from their supplier ecosystem.
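In practice, getting a handle on third-party risk starts with knowing which component versions are actually shipped and whether any of them fall inside an advisory's affected range. The following is an added example, not code from the original article or from any vendor: it parses a constructed list of Maven-style dependency coordinates (`group:artifact:version`) and checks each one against a constructed advisory record. The advisory entry uses the Log4Shell (CVE-2021-44228) affected range as stated in the original Apache advisory, log4j-core 2.0-beta9 through 2.14.1; later advisories widened that range, so a real check must take its ranges from current advisory data rather than from this hard-coded sample. The version comparison and the `com.example:widget` dependency are illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Pre-release tags sort before a final release of the same numeric version,
# e.g. 2.0-beta9 < 2.0. The rank for "no tag" (3) is higher than any tag.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)\.?(\d*))?", re.I)


def version_key(version: str) -> tuple:
    """Turn a Maven-style version such as '2.14.1' or '2.0-beta9' into a
    comparable tuple. This is a simplified comparison (assumption): it handles
    numeric dotted versions plus alpha/beta/rc tags, not the full Maven rules."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))  # pad so 2.0 == 2.0.0
    if m.group(2):
        pre = (_PRE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (3, 0)
    return nums + pre


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    first_affected: str  # inclusive
    last_affected: str   # inclusive
    note: str


# Constructed advisory record. Range per the original Apache advisory for
# CVE-2021-44228; later advisories widened it, so use live data in production.
LOG4SHELL = Advisory(
    group="org.apache.logging.log4j",
    artifact="log4j-core",
    first_affected="2.0-beta9",
    last_affected="2.14.1",
    note="Log4Shell (CVE-2021-44228)",
)

# Constructed sample dependency list, as a build tool would report it.
SAMPLE_DEPS = [
    "org.apache.logging.log4j:log4j-core:2.14.1",
    "org.apache.logging.log4j:log4j-api:2.14.1",    # different artifact: not in scope
    "org.apache.logging.log4j:log4j-core:2.17.1",   # patched
    "org.apache.logging.log4j:log4j-core:2.0-beta9",
    "com.example:widget:1.0.3",                      # hypothetical, unaffected
]


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies inside the advisory's inclusive affected range."""
    k = version_key(version)
    return version_key(adv.first_affected) <= k <= version_key(adv.last_affected)


def scan_dependencies(deps: list[str], advisories: list[Advisory]) -> list[tuple[str, str]]:
    """Return (coordinate, advisory note) for every dependency that matches an
    advisory's group and artifact and falls inside its affected range."""
    hits = []
    for coord in deps:
        group, artifact, version = coord.split(":")
        for adv in advisories:
            if (group, artifact) == (adv.group, adv.artifact) and is_affected(version, adv):
                hits.append((coord, adv.note))
    return hits


if __name__ == "__main__":
    for coord, note in scan_dependencies(SAMPLE_DEPS, [LOG4SHELL]):
        print(f"AFFECTED: {coord} -> {note}")
```

The point of the exercise is the inventory, not the matcher: the check is only as good as the dependency list fed into it, which is why a third-party program needs a complete, regularly regenerated inventory (for example a software bill of materials) of every component in every shipped build, including transitive dependencies pulled in by build tooling.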