Security's all-too-frequent appearance in front-page headlines has put CISOs in the hot seat, as CEOs and boards worry that their names could be next in news stories trying to explain how a breach occurred.
Yet the CISO message to the C-suite might not be all that reassuring.
Some 64 per cent of CISOs fear their companies are at risk of a major cybersecurity attack in the upcoming year and 66 per cent feel their organisation is unprepared to handle it, according to the 2021 Voice of the CISO Report from security software maker Proofpoint.
In response, CISOs are adjusting strategies to beef up their security posture. They seem to believe they’re on the right track: Proofpoint notes that 65 per cent of CISOs believe they’ll be better able to resist and recover from cyberattacks by 2023.
Of course, each CISO has his or her own security roadmap, but common elements have emerged. According to CISOs, analysts and security leaders, the typical CISO priority list today has many or most of these 15 items:
1. A focus on fundamentals
Security fundamentals remain a top priority. “It’s not the fun, sexy cybersecurity topic, but it’s important that we make sure we’re handling the blocking and tackling appropriately,” says Tyrone Jeffress, vice president of engineering and U.S. information security officer at the digital consultancy Mobiquity.
To that end, Jeffress says he and other CISOs remain focused on flawlessly performing asset management, patching, vulnerability management and configuration as well as delivering security awareness education and training.
Figures from the Proofpoint survey confirm this take, noting that enhancing core security controls is one of the most cited priorities listed by CISOs.
2. Identifying, mitigating third-party risk
The SolarWinds attack, in which one of its platforms was hacked, bumped third-party risk to the top of the CISO priority list, says Neil Daswani, a veteran cybersecurity leader and co-author of Big Breaches: Cybersecurity Lessons for Everyone.
Daswani says the hack, first identified in late 2020, illustrates the need for CISOs to understand all the technology in use within their organisations so they can create appropriate processes for vetting their vendors and devise strategies on how best to mitigate risks.
3. Assuring security within enterprise code
Similarly, CISOs are becoming more focused on finding vulnerabilities within code used by their enterprise, says Brian Johnson, a security expert who co-founded the information security firm Crucyble.
“So much code is shared these days, and we’ve seen lots of code issues, code that we use from other people, possibly malicious open source code,” he says, noting that he and other CISOs are committing resources to examine new code before it is deployed and to revisit already deployed code to root out any vulnerabilities or bugs.
4. Defending against ransomware attacks
Ransomware attacks hit new levels in 2021, with attacks on Colonial Pipeline and the multinational meat packer JBS shutting down critical infrastructure and impacting daily life in parts of the United States.
Such news has put CISOs on high alert, according to nearly all security leaders.
“This means continuously testing our security posture—both through internal testing and external testing by engaging third party security and compliance assessments as well as engaging leading global security researchers/testers. Rich data-driven and modern security monitoring to identify and methodically respond to threats is another key aspect. It is also critical to test our response preparedness via ongoing tabletop exercises that test various threat scenarios,” says Sanjay Macwan, chief information and chief information security officer at Vonage.
5. Getting board-level support
“Another CISO priority is to make sure all the executives are aware of what’s going on in the threat landscape and what additional level of investment is needed to battle those threats,” says Daswani, who also serves as co-director of the Stanford Advanced Security Certification Program.
That has more CISOs presenting or even reporting directly to boards, experts say. In fact, Gartner, a tech research and advisory firm, estimates that 40 per cent of corporate boards will have a dedicated cybersecurity committee by 2025, up from 10 per cent in 2021. The firm’s research also indicated that boards now see cybersecurity-related risk as the second-highest source of risk for the enterprise, second only to regulatory compliance risk.
6. Support for transformation and strategic goals
As organisations continue to digitalise and accelerate their transformations, CISOs are expected to keep pace. Consequently, CISOs are thinking about security as a business enabler.
“From the board’s perspective, the priority is to support the business and the business goals and to do so in a manner that allows us [as a business] to do things securely to protect our customers, our employees and the company overall, and to do so while providing a good customer experience. That’s the overarching mantra,” says David Levine, vice president of corporate and information security and CSO for digital services and information management provider Ricoh USA.
How CISOs support that mission varies from one enterprise to the next, experts say, adding that it is becoming a more universal priority for security teams year over year.
7. Increasing agility
Kriss Warner, the global practice lead for cybersecurity consulting with Info-Tech Research Group and an ISACA-certified CISO, sees a related priority among most CISOs: The drive to “quickly adapt while remaining resilient.”
CISOs are training themselves and their teams to work in a more agile mode to keep up with the business, Warner says. “We have natural disasters, nation-state players [in the malware space], different things hitting CISOs from a board level, all these things require CISOs to be more nimble,” he adds.
8. Upskilling teams
Competition for security talent is fierce, with the pandemic exacerbating an already competitive market. According to Gartner, there has been a surge in demand for infosecurity roles, with a 65 per cent upswing in demand in the United States. So, CISOs continue to prioritise keeping their existing workers and training them for the specific skills they need to secure evolving environments, says Brian M. Gant, an assistant professor of cybersecurity at Maryville University. There’s a particular emphasis on upskilling workers in cloud security and threat intelligence as well as access and identity management.
9. Addressing IoT security
IoT Analytics in its State of the IoT 2020 report estimated that there were 12 billion internet of things connections last year, a number that for the first time surpassed the number of non-IoT connections. The market research firm predicted that there will be more than 30 billion IoT connections by 2025.
“Everything is being connected, and that’s something CISOs will have to strategically think about,” Gant says.
Gant says CISOs are paying greater attention to the security around connected devices and the data they produce. They’re developing strategies to know exactly what, and how much, is connecting to their network. They’re also revisiting their identity and access management programs to include IoT.