CISOs Should Assess And Reduce Cyber Exposure Gap
Diwakar Dayal, Managing Director for Tenable, explains, how CISOs can assess the cybersecurity exposure gap and the opportunity that exists for them to be better prepared for a cyber attack.
The number of cyber threats is growing exponentially – in size and scope – from the confines of the firewalls to traversing the network and lurking around the internet. The sheer increase in the number and types of IT assets, including cloud, IoT, mobile, and containers, makes it rather challenging for CISOs to identify and mitigate these attacks. New-age cyber security company, Tenable believes, the gap between an organization’s awareness of its cyber exposure and its actual degree of exposure from its digital footprint poses big security challenges and needs to be addressed immediately.
In a recent interaction with CXOToday, Diwakar Dayal, Managing Director for Tenable, explains, how companies should view their cyber exposure, how CISOs can assess the cybersecurity exposure gap and the opportunity that exists for them to be better prepared for a cyber attack. Excerpts.
CXOToday: A lack of focus on cybersecurity can be greatly damaging to a business. Do you think that Indian enterprises are fully equipped to face the cyber warfare?
Diwakar Dayal: There is an improved culture of security in India and many organizations are adopting a security-first mindset. That said, cyber-criminals are relentless and the attack surface is constantly expber anding as new technologies are brought onto corporate networks.
As Cyber Exposure continues to rise in strategic importance, the fundamental question facing organizations is, “How secure are we?”Cyber risk is one of the top business risks for CEOs and boards of directors.
CISOs are constantly being asked to quantify the organization’s cyber risk and compare it to best-in-class security and industry peers. But many organizations struggle to answer these critical questions, often lacking the data to benchmark themselves against industry peers or measure their overall cyber risk posture. This is a big void in the industry. How can you tackle new and emerging threats, if you can’t objectively measure your cyber risk?
This means that organizations must implement Cyber Exposure solutions that provide breadth of visibility into cybersecurity risk across the modern attack surfaces, including IT, Cloud, IoT and operational technology (OT); and deep analytics that translate vulnerability data into business insights for the C-suite and Board of Directors.
CXOToday: Recently, Tenable has released a report in collaboration with Ponemon Institute. One of the key findings of the report was 62% of respondents have suffered multiple attacks. What are the common threats that enterprises need to be aware of and be future-attack ready?
Diwakar Dayal: This report is specific to industries using ICS and OT. Digital transformation has connected once isolated OT systems to the internet, leaving them exposed to a new world of threats. Organizations need visibility into their converged IT/OT environments to not only identify where vulnerabilities exist, but also prioritize which to remediate first. The converged IT/OT cyber problem is one that cybersecurity and critical infrastructure teams must face together.
Generally speaking, most cybercriminals target the low-hanging fruit of a network. They would much rather leverage a known, but unpatched vulnerability than waste a 0-day exploit in an attack. This means organizations should focus their attention on foundational cybersecurity measures and practicing basic cyber hygiene.
CXOToday: What is the best way to measure cyber risk?
Diwakar Dayal: Organizations need to evolve from a technology – to a risk-based approach. This will help them prioritize remediation, communicate to the business and make data-driven decisions to reduce cyber risk. As a CISO or security expert, you need solutions that can help you manage, measure and reduce your cyber risk. These include:
Cyber Exposure Score: The Cyber Exposure score is an objective measure of cyber risk, derived through data science-based measurement of vulnerability data together with threat intelligence and asset criticality. Organizations can also leverage scoring to trend improvement over time as a measure of security program effectiveness.
Cyber Exposure Benchmarking: Organizations can use the Cyber Exposure score to benchmark themselves against industry peers and measure their overall cyber risk posture. At Tenable, we have processed over 1.5 billion instances of vulnerabilities per week. We also create data science to create its benchmarking knowledge base.
CXOToday: Digital transformation is changing the face of CISOs. Today, CISOs need to ramp up their digital frontiers and security protocols to stay secure. Do you think, it has added a lot to a CISOs plate?
Diwakar Dayal: Digital transformation has certainly stretched many CISOs and security teams thin. In 2018 alone, 16,500 new vulnerabilities were disclosed. And, according to Tenable Research, enterprises identify 870 unique vulnerabilities on their systems every day, on average. The sheer volume of vulnerabilities is overwhelming and can make it difficult for CISOs to discern signal from noise.
CXOToday: What tips would you recommend organizations to stay one step ahead of cyber-criminals?
Diwakar Dayal: Practicing basic cyber hygiene is one of the best ways to stay ahead of cyber criminals. The answer is not throwing money at the problem. Rather focusing resources on what matters most – patching your systems in a timely manner, configuring systems properly and using strong authentication practices.