Proofpoint’s 2021 Voice of the CISO Report has provided insight into the pain points for CISOs, as well as their key priorities looking ahead. Andrew Rose, Resident CISO, Proofpoint, talks us through the findings of the research and highlights how security leaders in the Middle East are dealing with the modern, complex threatscape.
Can you give us some key insights into the challenges that CISOs across the Middle East region have been grappling with?
The global statistics showed there was no single standout type of attack that CISOs are most concerned about. All scored pretty highly and all were in a very similar range. That really told me that the CISOs didn’t know where the next punch was coming from.
Looking at the Middle East, within the UAE we did see that the cloud risk was the lowest of all the regions – CISOs there did not really see cloud as a concern for them, perhaps down to the limited adoption of cloud in that region.
But when you look at the Kingdom of Saudi Arabia (KSA) it was entirely the opposite – cloud was the number one risk.
Generally, most other things were relatively in line with the global picture, although in KSA BEC was seen as more of a concern while in the UAE insider threat and phishing were higher.
We saw that CISOs are generally on high alert. They feel that there’s a big risk of a material cyberattack really happening in their organisation – globally that was around 64% of people but in the UAE 68% were concerned that something was really going to happen while in KSA the figure was 58%.
In terms of feeling whether they were unprepared for an attack, globally the average was 66% and KSA was in line with this, but 72% of UAE CISOs felt unprepared for the next wave of attacks, which shows the UAE really are scrutinising their situation.
Your report highlighted that there is still a lack of support from boardroom. What advice would you offer to regional security leaders in obtaining buy in from the C-suite?
CISOs are under a lot of pressure generally. Our research found that 67% of CISOs in the Middle East felt that role expectations were excessive, compared to
57% globally.
It’s a worrying situation and we’ve discussed things like CISO burnout and the number of people only staying in roles for up to 24 months before moving on.
Overall, across the globe, 25% of CISOs said they felt strongly supported by the board and in the Middle East 31% felt that the board really had their back.
That’s better than global average but still not ideal as you really want the board and the CISO to be working in synergy, understanding the risks, prioritising and being able to move forward together.
To address this, there are several things that CISOs should look to do:
- Make personal time. Don’t allow anybody else to deliver your security message to the board, make sure you own the message. Look for ways to speak to those board members outside of the boardroom to try and build personal relationships with them, because if you can show how your cybersecurity strategy is necessary to enable their personal projects and priorities, they will support you in every step.
- Create metrics and stories that link back to the business. It’s much more impactful if you can really make security seem intrinsic to the business success – make sure you link cybersecurity messages and stories to strategic business imperatives, industry trends and local objectives. so the board can see that this is not just an IT problem, it’s a business one too.
- Be pragmatic. As a CISO, you have to convey the risk to the board and ensure they understand the different choices, but respect that they have wider considerations. You must give them the information and your recommendations but let them make the best business choice – then it’s your job to implement it, whatever they decided.
I think most CISOs could actually bankrupt their organisation by trying to make it as secure as possible, but that’s not practical – we have to embrace some level of risk and we have to trust business leaders to make the right decisions based on the information that we provide them with.
Your research revealed that a majority of CISOs still consider human error to be their organisation’s biggest cyber vulnerability. What are the risks and how can these be mitigated?
So often when reading about people-centric security, you’ll see references to people being ‘a first line of defence’ or ‘a last line of defence’ or a ‘weakest link’. And I think all of those are a little unfair.
We need to consider people instead as our ‘primary attack surface’. Staff are under constant attack and data from the recent Verizon Data Breach Study highlighted that 85% of successful attacks had a human element, so the human aspect is vital.
The Middle East understands this – 70% of CISOs believe that users are one of the primary risks to cybersecurity within their organisation. And they’re worried about things like unidentified devices, unidentified tools and the security around data that people are working with. That compares to around 60% globally.
The most successful attack vector right now is phishing, followed by credential theft and then human error.
These top three successful attack vectors are all entirely focused on the human, so it’s quite clear that we really should be focusing security around that human to try and make them as strong as possible, because the repercussions of their failure can be quite catastrophic.
The first thing to do is to realise that the firehose of threats that reaches your organisation comes via email, so making sure that you’ve got great email hygiene in place because if you can cut it out, you’re reducing a huge amount of the risk to your enterprise.
The next logical step is to provide security training to staff to make sure the threats that do get through that gateway can be recognised and dealt with appropriately.
The final piece is to think about insider threats, identifying accounts that have been ‘stolen’ and are being used in a suspicious way, and then locking them down before they deliver ransomware or other attacks. Credential theft attacks mean you really need to be able to identify those suspicious activities and understand the context of what’s happening so you can react appropriately.
How can CISOs instil confidence in their customers, stakeholders and the market, that the new environment – whether they’re completely remote or taking a hybrid approach – is workable indefinitely?
For good or bad, we’re already in a remote work environment and I don’t think there’s any turning the clock back.
Looking at some of the data from the Middle East, two in three CISOs believe they are more vulnerable because they’ve moved to a largely remote working enterprise and 76% say they’ve seen more attacks since this has happened. And that’s worse than the global position.
Globally, 58% believe they’re more vulnerable and about 60% saw more attacks so the Middle East is feeling the pain of remote working a little more than global organisations.
One key aspect is that it’s essential for CISOs to get good visibility on where data is residing. Because if you don’t know that, you can’t protect it. Then you have to think about how you can make sure that the identity that accesses the data is protected too, usually via multi-factor authentication (MFA).
But attackers are looking for ways to bypass MFA so we have to stay alert to that as well. Knowing where your data is and putting MFA in place is a good start.
What are the top priorities for regional CISOs over the next few years and how does this compare to the global picture?
The fact that CISOs don’t know where the next punch is coming from drives a great diversity in strategies as there is no one area to prioritise. Globally we are seeing a focus on core security controls, that is putting in place endpoint detection and response, patching perimeter devices and core elements which help across a broad range of security threats.
However, within the UAE, there’s more of an external facing perspective. The first priority was addressing supplier risk and second was supporting remote working. Interestingly, KSA was different from most other global responses, because their top two were actually the lowest two for the rest of the world – 1) outsourcing security controls and 2) enabling business innovation.
What steps can organisations take to develop a strategy that addresses the ever-changing conditions and enables them to improve their security posture?
There are layers of control you need to put in place but the first thing that CISOs really need to do in the current environment is to prepare to fail. You need to have the playbook ready to go for when something does happen to respond to those common threats.
Next, stop the firehose of threats – emails are where your users are being targeted so securing them should be a top priority. In line with this, make sure you’ve got a great security culture and security awareness in place.
You must also look at access management – make sure you minimise the access so that the ‘blast radius’ of any security breach by credential theft is minimised. By putting in place concepts like least privilege, and segregation of duties, you really are reducing the risk to the organisation.
Analyse behaviour and look for insider threats and stolen compromised credentials, ensuring you understand what’s going on inside your network, where the data is being moved to and from, analysing that behaviour and looking for those red flags and for scenarios that suggest a risk is happening.
And finally wrap all of that up with testing to make sure these controls are effective and that they’re being applied everywhere that they need to be. And if you put all of those in place, then you’ve gone a long way to making sure your organisation’s in a decent place.