Micro Focus is now part of OpenText. Learn more >

You are here

You are here

9 strategic cybersecurity outcomes CISOs should focus on

public://pictures/swm.jpg
Stan Wisseman Chief Security Strategist, CyberRes
 

Over the past two years, chief information security officers have had to face an increasingly hostile cybersecurity landscape, with cyberattacks continuing to rise in volume, velocity, and sophistication—a situation aggravated by the borderless IT environment many CISOs find themselves working in.

What are CISOs doing to deal with the cybersecurity challenges facing them every day? They're focusing on strategies aimed at steeling their organizations against losses caused by cyberattacks, and bolstering cybersecurity's position as a contributor to their company's bottom line.

Here are the strategies have come to light over the past year in a series of podcasts Rob Aragao and I have produced called Reimagining Cyber. Here are nine of those strategies based on interviews with CISOs and cyber pros.

1. Implement a solid cybersecurity foundation

Without a solid foundation, your other cybersecurity investments will be undermined. CISOs like to build their foundations on popular frameworks, such as the NIST Cybersecurity Framework, the ISO/IEC 27002, and the SANS CIS Controls. The frameworks can be used to address fundamentals, which include asset management, password management, configuration controls, vulnerability management, patching, threat detection and prevention, user security awareness, and security reporting.

Any foundation must also embrace the fact that most employees of an organization won't be working in secure, controlled office environments anymore. As a result, adversaries will have more opportunities to work their mischief as use of online services, e-commerce, and videoconferencing increases and hybrid work-from-home scenarios become more commonplace. What that means is that any cybersecurity controls chosen by a CISO must offer always-on, multi-layered, adaptive protection against existing and emerging threats. The security controls must also be continuously updated based on global threat intelligence and past attack history.

2. Protect the data tsunami

The total amount of data created globally is increasing at a mind-boggling pace. Between 2020 and 2025 alone, global data creation is expected to nearly triple, to 180 zettabytes from 64.2 zettabytes, according to Statista.

With this figurative tsunami of information comes a need to protect more and more of it. Data that we think of as confidential—once limited to things such as user IDs and credit card numbers—has exploded to include all the data that is powering an organization's digital transformation—financial data, customer information, health and education records, and mobile and geographic location details about where customers are and what they're doing.

To properly protect an organization's data, CISOs need to identify and classify sensitive data. Otherwise any developer with a credit card can spin up a workload in AWS, upload data for testing, and misconfigure blob storage, creating a scenario ripe for a devastating security incident.

3. Secure cloud infrastructures

Movement to the public cloud and to cloud-native resources was well under way before the pandemic—the pandemic just accelerated it. There's no going back now.

Organizations are beginning to recognize that, especially as they move from consumption models based on infrastructure as a service (IaaS) to platform as a service (PaaS) and as they recognize the ramifications of the shared-responsibility model used by cloud service providers. Businesses are realizing that shared responsibility means sole responsibility as far as their data and applications are concerned. After all, if they lose their data and apps, they'll be the ones out of business, not the cloud service provider.

This essentially means that CISOs need to rethink their security policies to secure cloud infrastructures. They are likely faced with a hybrid environment—on-premises infrastructure mixed with IaaS, PaaS, and SaaS. Even if their organization has a cloud-first strategy, it takes time to make the transition. CISOs must deploy new technologies, holistic processes, and comprehensive governance models that provide visibility into the cloud instances and help secure the cloud infrastructure.

4. Leverage innovative, integrated solutions

The sheer volume and velocity of cyberattacks today are too much for cybersecurity analysts to handle alone. For example, experts expect a cyberattack to be launched on a business every 11 seconds this year. To cope with the wave of cyberattacks against their businesses, CISOs are changing their security controls to address the evolving threat landscape and turning to advanced technologies.

However, too much technology can be a bad thing, so CISOs are trying to keep cybersecurity tool sprawl under control to reduce inefficiencies and the need for operational support.

Many security programs have a tool smorgasbord that can impact their ability to effectively respond to threats and support business needs while creating inefficient workflows and higher overall costs. The problem is exasperated by a shortage of skilled cybersecurity talent, which forces programs to try to do more with less.

CISOs are looking to innovative technologies to enable them to consolidate tools, streamline workflows, and improve process efficiencies. Those technologies include security orchestration and automated response (SOAR), application of artificial intelligence including machine and deep learning, extended detection and response (XDR), and security analytics. The hope is that these innovative solutions will improve process productivity while enabling organizations to reduce complexity and gain speed and scalability to detect bad actors quickly.

5. Shift to a zero-trust architecture

Remote work is here to stay, and the concept of securing a perimeter has essentially gone the way of the ivory-billed woodpecker. For business continuity, organizations must enable access of mission-critical assets to employees wherever they are located. Employees are probably accessing these resources from personal or shared devices and unsecured networks.

CISOs need to think strategically and implement borderless security based on a zero-trust architecture. ZTA requires that organizations always verify and never trust with respect to data, employees, networks, and devices.

That requires a redesign of security controls and identity and access management policies to reflect a shift to ZTA.

To do that, CISOs need full visibility into connected devices and endpoints in the enterprise. They must also have updated intelligence on what data is produced by connected devices, who is connecting to company networks and from where, what they are accessing, and whether they are authorized to access it.

6. Position cybersecurity as a business accelerator

Executives frequently view their technology investments as accelerators for their business. In contrast, cybersecurity is sometimes viewed as a drag, slowing down initiatives. Modern CISOs are changing this perception by building security into all business processes—particularly software development—to accelerate business and enable faster responses to customer needs and new data-driven opportunities.

Security is like brakes on a car. Most people will tell you that brakes make the car go slower. But it’s just the opposite. Brakes allow you to drive faster. The better the brakes, the faster you can go.

If you didn’t have brakes, you would have to be extremely cautious. You'd never be sure of your risks, never be sure if you would be able to avoid catastrophe. With brakes, you have a much clearer understanding of what your risks are and how you can respond to and manage them.

If you know what your brakes can do—how quickly they can stop the car— you can go much faster and manage the risk based on your own capabilities, insights, and judgments.

In business, cybersecurity provides a similar value, particularly in this era of digital transformation. Instead of slowing the business down, security can and should function as a business accelerator. It gives business leaders the knowledge they need to assess risk, and the tools they need to mitigate it.

Cybersecurity enables the business to work at full speed. The CISO's job is to ensure that good brakes are built-in and aligned to the organization’s risk appetite.

7. Manage cybersecurity risk

Cybersecurity has formally made the transition from an IT issue to a business concern. CISOs need to be aware of cyber-related business risks and be able to communicate these risks to executives effectively. Essentially, CISOs need to tell company brass: "Here are some risks to the business that I've found. If you want to avoid them, here are some security measures needed to do it."

Those organizations that create a cybersecurity-aware culture that starts with the board and percolates down are more resilient in the face of cyberattacks. When the leaders lead from the front, buy-in is easier among the employees in adopting and maintaining cybersecurity practices in their routine work.

8. Avoid regulatory penalties

Failure to comply with data protection laws, rules, and regulations can cost a company millions. Just ask Equifax, British Airways, Uber, and Marriott International. For smaller companies, it can be much worse, resulting in going out of business entirely.

Reducing the probability of a data breach helps organizations stay compliant and avoid compliance violation penalties. Both data protection and cybersecurity deal with protecting sensitive data from digital threats. This interconnection is why CISOs can’t take their eyes off of regulatory compliance, even when implementing a risk-based program.

9. Establish cyber resilience

It's not uncommon for organizations to have incident response and disaster recovery plans, but they often fail to provide what it takes for a business to continue to operate—even in a diminished capacity—when faced with catastrophic events , such as a global pandemic. That's why CISOs and business leaders need to develop robust continuity and resilience plans for such events.

As my colleague Rob Aragao recently noted, "We must shift to a model that puts resilience first—one that aligns with business outcomes while supporting the level of risk an organization is willing to bear."

"We can no longer simply say we are aligning to the business needs. We must engage and collaborate with the business-line owners to identify their priorities and measures of success," he wrote.

Priorities and placement matters

By understanding areas of importance, security teams can focus attention on both priority and placement of protection and detection mechanisms, Aragao noted. "They can then apply the appropriate measures to minimize the impact of actual security incidents."

They cannot continue to take an approach that applies the same level of security across all assets, he continued. "The reality is, cyber incidents will happen. The difference is this: Cyber-resilient organizations know their specific business operational needs and align their program to emphasize securing those critical business assets (applications, data, and digital identities)."

Keep learning

Read more articles about: SecurityInformation Security