In recent years, several high-profile data breaches and IT outages have made cybersecurity risk a core concern for governments and enterprises across the world. While organizations constantly monitor and review their cybersecurity practices to mitigate risk, new and emerging threats make it extremely challenging for security leaders to stay ahead of the game. The question, then, is whether CISOs need a different kind of attitude and planning to deal with a threat landscape that never stops changing.
New threat landscape and challenges
The threat landscape has changed dramatically in recent years. Growing activity from a range of threat actors, including state-sponsored hackers, cybercriminals and malicious insiders, has been behind some of the largest cyber attacks of the past few years. As Sheril Jose, Head of Cyber Security at Pune-based Emcure Pharmaceuticals, put it, “Today, attackers have reached a level of maturity and efficiency. They are taking advantage of the increased value and vulnerability of online targets, which is resulting in a dramatic increase in attack frequency, complexity and size.”
Vijay Radhakrishnan, CISO of Mahindra & Mahindra Financial Services, added that new threats are comprehensive, intelligent and highly stealthy. “While threat assessment, monitoring and attack curtailment have gone in the direction of big data analytics, ML, AI and blockchain, hackers work in a similar war field and are well financed to do so. It’s almost cyber militancy which is managed on a daily basis,” he explained.
Quick Heal’s Annual Threat Report 2019 states that most CISOs in India are grappling with newer issues such as cryptojacking, ransomware and threats to mobile devices. The increased use of new technologies, together with the rise in popularity of digital transactions in recent years, is compelling organizations to adopt new techniques to manage escalating threats.
These problems are not specific to India, since the country is part of a connected global ecosystem. Advanced persistent DDoS campaigns are now the norm in almost every country, and the global growth of IoT devices provides a rich breeding ground for attackers to enslave more and more devices, resulting in botnets of a size never seen before. To complicate matters further, attackers are hiding their traffic inside SSL/TLS-encrypted connections, so that without decryption or inspection at the endpoint it is hard to distinguish malicious from legitimate traffic.
Studies also show that budget and skills constraints are among the biggest challenges organizations face. In fact, the impact of the talent and skills shortage on today’s organizations is profound. This shortage can hold back strategic goals and leave businesses at risk, according to a new Forbes Insights and Fortinet survey. There is also a lack of support from senior management, preventing CISOs from implementing a cohesive cybersecurity strategy, the survey said.
Acting against cyber crime
Studies show that organizations now have a significant responsibility to continually assess their security tools and processes in order to prevent a breach or cyber attack, and many are spending more on cybersecurity than they did even five years ago.
A recent report by Wipro highlights that one in five CISOs now reports directly to the CEO, 15% of organizations have a security budget of more than 10% of their overall IT budget, and 25% of organizations carry out security assessments in every build cycle, taking regulatory compliance requirements into account. All of this indicates a silver lining in an increasingly complex threat landscape, even though experts believe it is just the tip of the iceberg.
Raja Ukil, Global Head of Cybersecurity & Risk Services at Wipro Limited, remarked, “While a lot more is left to be done to address the changing landscape and enable a smooth and safe transition, security is gradually evolving to be a pervasive part of core business operations. Various countries are establishing active cyber defense strategies and functions to foster partnerships with private sector enterprises and with other countries.”
Experts also observe that, to stay ahead of the game, CISOs are continuously reviewing their cybersecurity processes and practices to ensure that adequate and effective controls are in place. The recently released Cisco 2019 CISO Benchmark Study finds that CISOs are modifying and expanding their security strategies to address new and emerging threats. Nearly half of the survey’s respondents (47%) report that they now use outcome-based objectives to focus their security spending. For instance, many companies are investing in threat intelligence programs that help them identify, prevent and respond to threats through informed decisions.
Wendy Nather, director of advisory CISOs at Duo Security, a Cisco unit, noted that CISOs are making sure the results are tangible. “In terms of strategy, the vast majority of organizations (94%) are practicing incident response at least once a year; 61% are doing it at least every six months,” she said. According to her, these drills help enterprises develop the skills they need to face evolving security threats.
It is important to integrate security and business risk management. “Cybersecurity is not an isolated aspect of an organization. Its impact goes beyond IT and can have serious legal and reputational implications. IT security, then, should not be detached from the wider business risk management strategy,” Nather opined.
Ukil also noted, “IT security no longer works effectively in silos; it needs to be part of the organization’s risk-based approach, something organizations are now realizing. Hence, it is essential that leaders strongly collaborate and build innovative ways to mitigate the risks. For example, CISOs or risk officers should work with their C-suite colleagues to bring governance practices into the digital age.”
Since many ransomware and phishing attacks are planned, targeted campaigns that in most cases succeed through an employee’s action, it is very important to give employees adequate education and awareness and to make them part of every information security initiative. The recent Fortinet survey finds that organizations are paying more attention to training and educating their own employees on best practices and building cybersecurity awareness in order to prevent and reduce internal threats.
The road ahead
According to the Fortinet report, top priorities for many CISOs in the coming year will be to enable an enterprise-wide, holistic security approach and to hire more cybersecurity staff. In 2020, 14% of CISOs surveyed will dedicate priority funding to adding security personnel to their teams, and over the next five years 16% aim to develop a culture of security throughout their entire enterprise.
Despite taking tangible steps to reduce cybersecurity risk, organizations find cybersecurity an ever-evolving struggle. Sophos, in its research report titled ‘The Impossible Puzzle of Cybersecurity’, notes that there are always some security holes left unplugged, and it is these that CISOs need to pay greater attention to. For example, the report explains, an up-to-date malware signature list won’t stop attackers hijacking your accounts, while rock-solid authentication won’t help if you’re not protecting your computers from ransomware.
“Effective cybersecurity demands defense in depth and proper risk assessment so that you can protect your weakest spots from attack first,” says Chester Wisniewski, principal research scientist at Sophos.
At the same time, companies face attacks via multiple channels, including email, web and app-based platforms, among others. Software vulnerabilities and unauthorized USB sticks or other external devices are also common attack vectors, and organizations are sometimes unaware that their networks have been compromised.
Radhakrishnan agreed: “In order to manage the current threat scenario, security leaders need to keep abreast of the latest threats and prepare for the outcome of every strategy. Security should in fact be the board’s top priority and the management should take it very seriously. Adoption of best-in-grade technology is important for every organization and the CISO needs to constantly communicate the same to the C-suite.”
Wisniewski also believes that seasoned CISOs know a good digital defense alone is not enough, so they are building a multilayered approach that includes stronger investment in people and process. Recognizing that some attackers will inevitably find a way in, organizations are also recalibrating their cybersecurity budgets to focus more on detection and remediation. And many CISOs believe their investments are already paying off.
In conclusion, to stay ahead of the game companies need to stay vigilant everywhere, since attackers are relentless in exploiting weaknesses. With limited budgets and cyber risks multiplying, it is paramount that organizations understand the return on their cybersecurity investment so that they fund the efforts that will deliver the greatest reduction in risk. By being prepared yet flexible, and by adopting new and innovative techniques, CISOs can build a scalable defense fit to counter the attacks ahead of them.