Paul Anderson, Head of UK and Ireland at Fortinet, explains how CISOs who focus on employee development, enablement and buy-in can build a centralised security strategy that fosters collaboration and moves security teams away from tactical, reactive work towards proactive, strategic effort.
CISOs are facing a perfect storm when it comes to securing their networks. As the number of Internet of Things (IoT) devices grows exponentially, the scale, scope and even the definition of the network have changed dramatically. Multi-cloud deployments and DevOps practices have dispersed organisations’ data, while ever-increasing mobility creates more and more points of access.
Modern CISOs must now protect a constantly expanding attack surface, with limited resources, at a time when cyberattacks are becoming increasingly sophisticated and security best practices are evolving – all while security talent becomes harder to find.
What contributes to these challenges, and how can CISOs address them effectively? One of the clearest steps they can take to improve their organisation’s overall security posture is to prioritise employee training and create a proactive cybersecurity culture.
What’s getting in the way of CISOs’ ability to reach their cybersecurity goals?
According to recent reports, 35% of CISOs cite the lack of a centralised cybersecurity strategy and the lack of support from senior management as the top constraints on effective security. But when the reasons behind the missing central strategy are examined, many of the issues start at the employee layer, among IT staff as well as general employees across the various lines of business.
First, CISOs are dealing with the effects of the ongoing cybersecurity skills gap. According to the Center for Strategic and International Studies, 82% of organisations suffer from a shortage of cybersecurity professionals, hindering their ability to develop a more strategic approach to cybersecurity and to keep pace with new threats.
Instead, security teams stay focused on blocking known threats rather than using threat intelligence and advanced tooling to identify and respond to unknown vulnerabilities and zero-days.
The second challenge is getting cybersecurity buy-in and participation from the executive suite and from the various lines of business. Among security initiatives, preventing, detecting and responding to insider threats is consistently listed among CISOs’ top-tier priorities.
Managing insider threats, both intentional and unintentional (clicking on a phishing link, using weak passwords, or connecting an unsecured device to the network), eats up a great deal of the security team’s time and resources, preventing them from focusing on external threats.
Putting employees at the centre of cybersecurity
To address this, CISOs should give employees a more active role in cybersecurity. The key is to teach them how to avoid common attack tactics without limiting their productivity. In practice, this means developing a strategy around three main areas:
- Upskill the IT team: A truly effective security team focuses on threat detection and remediation, not on prevention alone. To get there, CISOs should ensure the team has regular opportunities to learn how to deploy, configure and manage advanced security tools, and how to identify and address newly emerging threats. Proficiency with integrated tooling gives the team better visibility into how data is used and moved across the network, together with simpler management and analytics. Hands-on training also ensures the team can install, configure and troubleshoot the organisation’s security solution.
- Give time back to security teams: Cyberattacks happen at machine speed, so security teams cannot keep up with threat correlation or even basic remediation on their own. One way to tackle this is to deploy security solutions that make extensive use of automation through Artificial Intelligence and Machine Learning. Automated solutions make it easier to respond to anomalous activity and to known threats attempting to breach the network, leaving security teams time to focus on strategy and remediation. For example, rather than having analysts work around the clock hunting for potential internal threats, a team can use Machine Learning to learn what normal behaviour looks like for each employee and react when activity deviates from it. Automation can also take on routine tasks such as asset inventory and patching, freeing people to focus on higher-order work.
- Create a culture of security: By training and enabling employees to perform basic security tasks, such as updating their devices, recognising suspicious behaviour and practising safe cyber behaviour across teams, CISOs can begin to establish a holistic security strategy that stands up to today’s advanced threats. But beyond making sure employees can identify phishing attacks and know to update their applications regularly, CISOs should also encourage collaboration between departments and the security team. This reduces inadvertent insider incidents and increases overall buy-in for the security programme.
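As an added illustration of the baselining idea in the second point above (example code written for this page, not Fortinet’s or any product’s code): the block below learns, per user, the usual login hours and source networks from a training window of authentication logs, then scores a later window and raises an alert when a login falls outside those hours, comes from a network never seen before, or is preceded by a burst of failures. Users with too little history get no baseline and are flagged as such rather than silently trusted. The log format, every log line and the thresholds are constructed assumptions, and a simple set-based baseline stands in for the Machine Learning models the text refers to.

```python
"""Per-user behavioural baselining over authentication logs (added example).
Log format "<ISO timestamp> user=<name> src=<ip> result=<ok|fail>", the sample
lines and the thresholds are constructed assumptions, not a real product's."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed history window used to learn what "normal" looks like per user.
TRAINING_LOG = """\
2024-03-04T08:55:10 user=alice src=10.1.20.14 result=ok
2024-03-04T09:02:41 user=bob src=10.1.21.8 result=ok
2024-03-04T17:40:03 user=alice src=10.1.20.14 result=ok
2024-03-05T09:10:22 user=alice src=10.1.20.19 result=ok
2024-03-05T13:30:15 user=bob src=10.1.21.8 result=ok
2024-03-05T18:05:49 user=bob src=10.1.21.12 result=ok
2024-03-06T08:58:30 user=alice src=10.1.20.14 result=ok
2024-03-06T09:15:12 user=bob src=10.1.21.8 result=fail
2024-03-06T11:20:00 user=carol src=10.1.22.3 result=ok
"""

# Constructed window to score: an unusual hour, a new network, a failure burst,
# and a user (carol) with too little history to have a baseline at all.
EVALUATION_LOG = """\
2024-03-07T09:05:33 user=alice src=10.1.20.30 result=ok
2024-03-07T03:12:08 user=alice src=10.1.20.14 result=ok
2024-03-07T13:45:51 user=bob src=203.0.113.9 result=ok
2024-03-07T13:47:02 user=bob src=198.51.100.7 result=fail
2024-03-07T13:47:09 user=bob src=198.51.100.7 result=fail
2024-03-07T13:47:15 user=bob src=198.51.100.7 result=fail
2024-03-07T14:00:40 user=bob src=10.1.21.5 result=ok
2024-03-07T10:00:00 user=carol src=10.1.22.3 result=ok
"""

@dataclass
class Baseline:
    hours: set = field(default_factory=set)     # hours of day with successful logins
    networks: set = field(default_factory=set)  # /24 prefixes successful logins came from
    sessions: int = 0                           # how much history the baseline rests on

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "user": fields["user"],
            "src": fields["src"], "result": fields["result"]}

def net24(ip):
    """Coarsen a source address to its /24 so a DHCP lease change is not a deviation."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def build_baselines(lines, min_sessions=3):
    """Learn usual hours and networks per user; drop users with too little history."""
    baselines = defaultdict(Baseline)
    for line in lines:
        ev = parse_line(line)
        if ev["result"] != "ok":
            continue  # failures are not evidence of what the user normally does
        b = baselines[ev["user"]]
        b.hours.add(ev["ts"].hour)
        b.networks.add(net24(ev["src"]))
        b.sessions += 1
    return {u: b for u, b in baselines.items() if b.sessions >= min_sessions}

def hour_is_usual(hour, usual_hours, tolerance=1):
    """Circular distance on the 24h clock, so 23:xx counts as near 00:xx."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in usual_hours)

def detect_deviations(lines, baselines, fail_burst=3):
    """Return (user, timestamp, reason) for every event that breaks its baseline."""
    alerts = []
    consecutive_fails = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "fail":
            consecutive_fails[user] += 1
            if consecutive_fails[user] == fail_burst:  # alert once per burst
                alerts.append((user, ts.isoformat(),
                               f"{fail_burst} consecutive failures from {ev['src']}"))
            continue
        consecutive_fails[user] = 0
        b = baselines.get(user)
        if b is None:
            alerts.append((user, ts.isoformat(), "no baseline for user (insufficient history)"))
            continue
        if not hour_is_usual(ts.hour, b.hours):
            alerts.append((user, ts.isoformat(),
                           f"login at {ts.hour:02d}:00 outside usual hours {sorted(b.hours)}"))
        if net24(ev["src"]) not in b.networks:
            alerts.append((user, ts.isoformat(), f"login from new network {net24(ev['src'])}"))
    return alerts

def run_demo():
    """Build baselines from the training window and score the evaluation window."""
    baselines = build_baselines(TRAINING_LOG.strip().splitlines())
    return detect_deviations(EVALUATION_LOG.strip().splitlines(), baselines)

if __name__ == "__main__":
    for user, when, reason in run_demo():
        print(f"{when} {user}: {reason}")
```

Run as a script it prints four alerts: alice’s 03:12 login, bob’s login from 203.0.113.0/24, bob’s three failures from 198.51.100.7, and carol’s login with no baseline; bob’s 14:00 login from his usual network is within the one-hour tolerance and is not flagged. In practice the baseline window would be weeks of real logs and the tolerances tuned per population, but the shape (learn normal per identity, score new events against it, alert on deviation) is the same one the text attributes to ML-driven tooling.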
In a context where cyber-risk is almost certain to escalate, effective CISOs will get the most out of their resources and then marshal their people, budget and expertise to fight the battles that matter most. A flexible, scalable defence of this kind will prove the most effective answer to the breaches to come.