
CISOs Still Tend to Ignore Supply Chain Risks: Study


While securing the remote workforce remains the top concern for CISOs, supply chains are still an underappreciated risk, even after a year in which they produced the most high-profile incidents: the SolarWinds and Kaseya supply chain attacks, and the Log4j (Log4Shell, CVE-2021-44228) vulnerability in a logging library embedded in countless downstream products.

A new study that polled CISOs and cybersecurity leaders found that security leaders still tend to overlook supply chain risk. This is despite supply chain attacks dominating the 2021 headlines, with Kaseya and SolarWinds at the forefront, and despite sophisticated attackers looking to exploit weaknesses in build pipelines and third-party packages (such as Log4j) to compromise the organizations downstream that depend on them.

Instead, as businesses went remote in 2020, 94% of CISOs rated securing their remote workforce an "absolute priority" or a "priority". To do so, cybersecurity leaders are turning to automation and risk-based approaches. The researchers found it surprising that only 49% of cybersecurity leaders consider supply chain risk assessment a priority; ideally, it would be a core component of any organization's due diligence practices.

The good news is that, while in 2021 cybersecurity teams scrambled to secure users who had left the protection of the network perimeter, in 2022 the share of CISOs who regard securing the remote workforce as a priority has fallen to 78%. It is nevertheless the top priority for the second year running.

While it can be assumed that CISOs have addressed the initial impact of the shift to working from home, remote workers remain an ongoing concern. Under hybrid work models, devices that move in and out of perimeter defenses present new challenges and vulnerabilities.

Ricardo Villadiego, Lumu founder and CEO, told CXOToday, "While it's not surprising that securing the remote workforce remains both a concern and a top priority for CISOs, we saw a 16% drop from last year's survey, which indicates that many organizations have made some progress over the past year, yet the fact that more than three-quarters of respondents (78%) still consider it their most urgent priority shows that much work remains to be done in terms of keeping workers and data secure as we learn to adapt to an increasingly hybridized work model."

"The uncertainty and longevity of the pandemic has also helped threat actors open up new avenues of attack over the past year, and that unease was reflected in this year's survey. Most notably, there was broad concern around supply chain vulnerabilities following the disclosure of several high-profile supply chain attacks such as the Kaseya and SolarWinds exploits, as well as the recent Log4j zero-day vulnerability this past December," he says.

The study also found that in 2022 many top priorities concern the ease of cybersecurity operations. Automating threat detection and response (78%) and unifying threat visibility across all assets (62%) rank among respondents' top priorities. These figures indicate that tools that make the SOC team's work more automated and more efficient are taking precedence. Demand for cybersecurity talent is only increasing, so efforts that help operators with their daily tasks not only make the most of an expensive resource but also improve staff retention.

Improving the cybersecurity posture as a whole is at the forefront of CISOs' minds. Enhancing cybersecurity testing beyond penetration testing (63%) and measuring the effectiveness of the cybersecurity ecosystem (62%) are being prioritized in 2022. With so many tools, projects, and methodologies to choose from, objectively testing the system and its components is key. CISOs are looking to spend their budgets intelligently and to obtain evidence of their performance that they can take back to their board.

The study also found that CISOs are least interested in outsourcing cybersecurity operations (17%). Smaller businesses without a CISO or cybersecurity staff might enlist the help of a third party. However, organizations with mature information security stacks recognize that cybersecurity is not just bought but operated. CISOs are committed to the constant measurement and improvement of their cybersecurity operations.

Villadiego concludes that security leaders therefore find themselves fighting battles on multiple fronts, and are consequently looking to invest in new technologies and partnerships that give them greater visibility and make them more proactive in how they identify and respond to threats.
