What is the modern day CISO prioritising as cyber-risks continue to surge?

New research has revealed that over a third (36%) of the UK’s CIOs and CTOs say that rolling out IT security and information safeguarding initiatives are the key strategic priorities for their business in 2023 and beyond.

To meet this objective, 30% are actively hiring to boost their stretched IT teams. However, just under half say that candidates with the required information and cybersecurity skills are the hardest to find, while 29% cite problem solving as the most elusive soft skill, highlighting a growing skills gap for the industry.

This is according to specialist recruitment firm Robert Half’s 2023 Salary Guide, which analyses and reports on market salaries, hiring trends and skills requirements across the technology sector.

The news comes as the Government warns of the growing risk to UK businesses from cyber-attacks. According to the Department for Digital, Culture, Media & Sport’s Cybersecurity Breaches Survey 2022, almost one in three businesses (31%) and a quarter (26%) of charities suffering attacks said they now experience breaches or attacks at least once a week.

In addition to developing cybersecurity projects, the top strategic priorities for CIOs and CTOs in 2023 are increasing efficiency and productivity (31%), expanding cloud computing initiatives (26%), Digital Transformation schemes (24%) and developing Blockchain and Internet of Things (IoT) projects. This suggests UK businesses are continuing to build on the progress made following the pandemic by enhancing their online presence over the next 12 months.

After the demand for talent with strong problem-solving skills, employers are on the look-out for candidates who can demonstrate teamworking (28%) and communication skills (27%), highlighting the need for employees willing to work effectively as part of growing IT teams.

The report also found that, due to the climate of information ‘insecurity’ allied to the relentless growth of digitalisation and ‘Big Data’, tech leaders are clear that roles are likely to be safe from recession fears. Political instability is forcing businesses to consider shifting away from offshored IT support, opting to bring it in house or work with managed services like Protiviti to maintain service levels. In addition, 30% plan to add new positions for permanent full-time employees and 22% will bring more temporary talent on board in the next 12 months to aid with growth plans.

Robert Half Director of Tech Placements, Craig Freedberg, said: “Growth, security and customer experience are at the forefront of leaders’ minds, creating unprecedented demand for developers, cloud specialists and IT security experts. Due to the growth of cloud and ‘Big Data’, security is a growing concern for many UK businesses and this will only increase as the vast number of digitalisation projects near completion.

“It is estimated that cybercrime will cost the UK around £27 billion every year, with around £21 billion of this coming from attacks against businesses, highlighting the urgent need for employers to source tech talent with the necessary expertise.

“However, our research shows that the demand for candidates with the sought-after skills far outstrips the supply and as such, we recommend employers upskill their current workforce to ensure vital IT infrastructure is cybersecure and fit for purpose.”

Jonathan Bridges, Chief Innovation Officer at exponential-e:

The cyber landscape is continually changing, but over the last few years the growing ransomware threat has remained constant. CISOs are no longer engaging in occasional firefighting exercises to combat ransomware, but instead dedicating significant resources to the on-going practice of protection and prevention. That mindset change is because ransomware is big business for sophisticated cybergangs; it’s now a billion-dollar industry, with the costs for unexpected victims set to exceed $250 billion in the next 10 years.

Hackers have developed a successful business model, comprising networks of thousands of cybercriminals, for whom ransomware is a full-time job. These highly intricate and rehearsed groups proactively seek vulnerabilities in businesses of all sizes almost 24/7 and use a wealth of resources to cause serious damage.

Despite this, most organisations’ approach to defence isn’t consistent with the reality that cyberattacks are inevitable and that needs to change. Too many take an apathetic attitude towards cybersecurity, with a large number of companies having no remediation plan in place to reduce the number of days of downtime they could face following an attack. That inaction could prove hugely costly when the inevitable does happen. A company with a £100 million turnover, for example, could lose £274,000 per day during an outage in the aftermath of a ransomware attack.

So, how do CISOs protect their businesses against this tried and tested business model? Well, they need to start with an outlook shift; cyberattacks should be deemed inevitable, but breaches are preventable.

CISOs should take the lead from the defence sector and implement ‘military grade’ defences that both cut the impacts of possible attacks and empower businesses to get back online in days rather than months. As attackers up the stakes and gain momentum from successfully securing ransoms, military grade protections focus on removing vulnerabilities by preparing for when the inevitable happens, not if it happens.

Those protections have recovery plans at their heart and should be considered mission-critical for enterprises too, given the importance of data to their day-to-day operations. More often than not, they’re founded on the 30/30/30 rule, which is a great model to adopt. Often when an attack strikes, there is a scramble to decide what needs to be salvaged. Instead, knowing what needs to be recovered in 30 minutes, 30 days and 30 weeks can mitigate potential chaos and save data that is essential to keeping the business going.

There’s more at stake than the financial impact – customer data, businesses’ brand and ultimately its reputation which undoubtedly will impact the future of the business. Tackling and breaking the ransomware business model must be at the core of a CISO’s defence strategy. It is no small ask but as cybergangs lay the groundwork for carefully orchestrated attacks, we all need to be ready.

Andrew Rose, Resident CISO, EMEA, at Proofpoint:

In my line of work, I speak to CISOs day in, day out about their main pressure points and as a former CISO myself I can certainly relate to many of them. The unfortunate truth is it’s very difficult to adequately prioritise certain strategies these days, as attacks are coming in from all angles.

We recently conducted a survey of CISOs across the world and one of the illuminating findings was a lack of consensus as to the most significant threats targeting their organisation. Insider threats topped the list at 31%, but were closely followed by DDoS attacks, Business Email Compromise and Cloud Account Compromise, all at 30%. Despite dominating recent headlines, ransomware only came in at 28%.

Thankfully, when remote working was thrust on organisations at the beginning of the pandemic, it became clear to CISOs that they had to prioritise their efforts to address the cyberthreats targeting today’s distributed, cloud-reliant workforce. If there’s one silver lining to the last two years, it’s that it drove a greater realisation that the architecture of our enterprises had fundamentally changed, placing users at the centre rather than technology. While threats are coming from all angles, CISOs have now embraced the need to focus on human-centric vulnerabilities which are at the heart of the most pressing threats.

With hybrid work here to stay and the impact of The Great Resignation being felt worldwide, the majority of CISOs have recognised the distributed nature of their critical information and become concerned with protecting this data from malicious or accidental leakage and insider threat. With employees now forming the defensive perimeter wherever they work, half of CISOs said that increases in employee transitions mean that protecting data has become an increased challenge and that investment in information protection is top of the list of priorities for the next two years.

However, it’s important to note that sometimes CISOs are not the only ones at the wheel. While cyber-resilience is essential for their organisation’s operations and Business Continuity, other executives and board members may see things differently. Only 35% of the CISOs we surveyed said that their board sees eye-to-eye with them on cybersecurity issues, so we decided to ask the same questions to other board members to assess the degree of alignment. Concerningly, only 28% of board members see insider threat mitigation as a top priority, as opposed to 35% of CISOs. This lack of alignment is another potential security threat in itself.

There is learning required on both sides, but modern-day CISOs need to prioritise bridging the misalignment with board members and communicating more effectively, fostering collaboration and helping board members better understand the necessary strategies to combat today’s cybersecurity risks.

Dr Gareth Owenson, CTO and Co-founder of Searchlight Security:

Modern day CISOs are prioritising ‘pre-attack intelligence’ as a way to combat cyber-risk. Historically, they have focused on stopping cybercriminals once they’ve hit a network because this is where they have the greatest visibility of their adversary and, in theory, the advantage because the threat actor is on this infrastructure. However, what has become abundantly apparent from the continuing onslaught of attacks is that waiting until the cybercriminal hits the network is a too-little-too-late strategy. It is too reliant on the organisation firstly being able to detect the attack and secondly being able to mitigate it in time.

Pre-attack intelligence means gathering information on cybercriminals before they hit the network, when they are in the planning or ‘reconnaissance’ stage. One of the best sources of this information is the Dark Web because malicious activity often starts to emerge on Dark Web forums, groups and marketplaces that are hidden away from the eyes of law enforcement agencies and security teams. Monitoring the Dark Web and collecting information from underground online spaces provides organisations with intel they can use to improve their defences, as many actors have frank and open conversations about their latest victims and next plan of attack. By tracking these conversations, organisations can identify references or mentions to their business or their suppliers – which is often the starting point for cyberattacks.

Consequently, we’ve observed increasing demand from CISOs to gain access to Dark Web sources for their pre-attack intelligence. This visibility can be used to identify weak points in an organisation’s security structure, or to foresee a cybercriminal’s plan of action before potential exploitation. In some cases, pre-attack intelligence can also help to stop threat actors in their tracks. For example, the ability to search on the Dark Web for company credentials can enable CISOs to enforce password changes on compromised accounts, to prevent access to systems. Leaks can also indicate if CISOs need to implement additional layers of security protection, like Multi-Factor Authentication, for specific areas on their company network.
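The credential-leak workflow described above (spotting company accounts in Dark Web listings, forcing resets on compromised accounts and adding MFA where it is missing) can be expressed as a small triage step. The Python below is an added example written for this page; it is not Searchlight Security's code and assumes a simple directory export with an MFA flag and a last-password-change date, plus leak records carrying an observation date. All accounts, dates and source names are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class DirectoryUser:
    """One account from the corporate directory (assumed export fields)."""
    email: str
    mfa_enabled: bool
    password_last_changed: date


@dataclass
class LeakRecord:
    """One credential listing found during Dark Web monitoring (constructed)."""
    email: str
    source: str       # hypothetical forum or marketplace name
    observed: date    # date the listing was first seen


def normalise(email: str) -> str:
    """Leaked dumps mix case and whitespace; compare on a canonical form."""
    return email.strip().lower()


def triage_leaked_credentials(records, directory, company_domain):
    """Map each leaked record for our domain to defensive follow-up actions.

    Returns {email: sorted list of actions}. Records for other domains are
    ignored; duplicate listings across dumps collapse into one entry per account.
    """
    users = {normalise(u.email): u for u in directory}
    actions = {}
    for rec in records:
        email = normalise(rec.email)
        if not email.endswith("@" + company_domain):
            continue                                   # not one of ours
        todo = actions.setdefault(email, set())
        user = users.get(email)
        if user is None:
            # No live account: former employee, alias or a fabricated entry.
            todo.add("review-unknown-account")
            continue
        if user.password_last_changed > rec.observed:
            # Password rotated after the listing appeared, so the leaked
            # value is probably stale; still worth recording.
            todo.add("already-rotated")
        else:
            todo.add("force-password-reset")
        if not user.mfa_enabled:
            todo.add("enable-mfa")                     # extra layer for the exposed account
    return {email: sorted(todo) for email, todo in actions.items()}


# Constructed sample data: no real people, dumps or sources.
SAMPLE_DIRECTORY = [
    DirectoryUser("alice@example.com", True, date(2023, 1, 10)),
    DirectoryUser("Bob@example.com", False, date(2022, 6, 1)),
]
SAMPLE_LEAKS = [
    LeakRecord("alice@example.com", "forum-a", date(2022, 12, 1)),
    LeakRecord("bob@example.com ", "market-b", date(2022, 9, 15)),
    LeakRecord("bob@example.com", "forum-a", date(2022, 9, 15)),   # duplicate listing
    LeakRecord("carol@example.com", "market-b", date(2022, 9, 15)),
    LeakRecord("dave@other.org", "forum-a", date(2022, 9, 15)),    # not our domain
]


def run_sample():
    return triage_leaked_credentials(SAMPLE_LEAKS, SAMPLE_DIRECTORY, "example.com")


if __name__ == "__main__":
    for email, todo in run_sample().items():
        print(email, "->", ", ".join(todo))
```

The date comparison is a deliberately conservative heuristic: a listing seen before the last rotation is only downgraded to "already-rotated", never dropped, so the account still shows up for review, and the MFA check runs regardless of whether the password is believed stale.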

CISOs can also leverage Dark Web intel to determine how their organisation and the wider security team can best prevent the tactics of the threat actors targeting them. A popular tool that’s accessible to all organisations is the MITRE ATT&CK framework that helps to effectively map a defence strategy against techniques threat actors are using and advises on how organisations can stop them in the pre-attack stage of the ‘Cyber Kill Chain’ – the first point of disruption. For organisations to have the best chance of stopping cyberattacks, they must take action in the Cyber Kill Chain as early as possible.

Pascal Fortier-Beaulieu, CSO at WALLIX:

As cyber-risks continue to grow, one of the top challenges facing today’s CISO is how to safeguard company data. The question is often ‘when’ a business will fall victim to a cyberattack, rather than ‘if’ and therefore today’s successful organisations are the ones that are prioritising data protection. Organisations are looking at not only the first line of defence, but how to limit the risk and threat, should an attacker break through.

Now more than ever, knowing who has access to your data and how they access it should be top of mind for most CISOs. Not only are insider threats among some of the most common data breaches we have seen, but with employees working and accessing data outside of the traditional office, it opens up a whole range of new vulnerabilities. Whether we think of long-time employees, remote team members, or external providers, all it takes is a simple mistake, a lost device or for credentials to be stolen and the business is vulnerable. Insider threats don’t have to mean negligence or a malicious employee, in fact, in many cases what we see is cybercriminals trying to penetrate the system through an employee’s credentials as it will give them access to highly sensitive data.

While we can’t get away from the risks posed by insider threats entirely, adopting a proactive approach can leave businesses with the best toolkit they need to create a secure digital future. Data is going to continue to be the priority for today’s CISOs and therefore stealing data is going to continue to be the goal of most cyberattacks.

By prioritising key cybersecurity principles such as the notion of least privilege, businesses will be well positioned to stop a cyberattack in its tracks. At the same time, Privileged Access Management (PAM) tools are one of the most effective methods when it comes to securing access and they can provide a helping hand to under-pressure teams. Employees should only have access to the data they need, when they need it. Not only will this protect them, but it will ensure strong compliance and is a good practice that all businesses should implement.

Mark Malecki, Chief Technology Officer at ISTARI:

One of the things the modern-day CISO should prioritise is how to execute cybersecurity tools with efficacy.

Facing an ever-increasing number of cyberthreats, an organisation’s IT and security teams must align on the technology they use to prevent poorly executed security operations.

As IT organisations operate a majority of defensive technology, it is also important to adopt a proactive mode of operation instead of reacting to issues in a fire-fighter-like manner. Cyberattacks happen very quickly and it is easy to make the mistake of playing whack-a-mole and ignoring the quality aspect of cyberprotection. In the past, the efficacy of protective security solutions has been below par, bringing to light how CISOs must address how to monitor, detect and respond to attacks.

Security experts should prioritise improvements in these areas and find ways to bridge the gap between company boards and their understanding of cybersecurity risk management. Ultimately, accountability does not solely reside with the CISO, but the CISO is responsible for helping the board understand the issue in a clear way. Boards must be aware of their legal responsibility to improve cybersecurity efficiency.

However, it is almost impossible to decide on the best way to respond to and govern enterprise risk if a clear view of risks and threats is not shared in a relatable manner. This lack of understanding can lead to boards adopting a compliance-based perspective to cyber-risks, which can be detrimental, as it depends on purely meeting national/sector-based standards. As a basic step, CISOs deserve an invitation to board meetings involving cybersecurity.

Another issue CISOs face is the type of relationships they have with vendors. Due to the high volume of vendors on the market and the increasing number of newcomers, CISOs find it hard to navigate the market. At the same time, vendors are under pressure to market their products in a competitive landscape and, as a result, may make uninformed or misleading claims about security capabilities to CISOs. Improper implementation, configuration or management of the purchased products can exacerbate this disconnect, further resulting in purchases falling short of delivering on a promise.

Tim Erridge, Managing Partner, Unit 42, Palo Alto Networks:

CISOs are dealing with an ever-increasingly complex set of challenges – the capricious threat landscape, rapid digitalisation throughout the extended enterprise and the supply chain. To accommodate this, they must focus on how to achieve a continuous evolution of their security programme.

Sustainability of capabilities and optimising the return on investments already made are key objectives, also demonstrating that appropriate due diligence was taken when forming strategic and operational decisions. CISO stakeholders are growing in both number and sophistication, so it has never been so important to be able to demonstrate how effective you are being and why you decided to prioritise activities. This comes down to an ability to generate empirical evidence of control effectiveness and refer back to how your programme is proportionate to your organisation’s specific and unique threat profile.

So what does this mean in practical terms? CISOs must shift to an intelligence-led and data-driven approach. This requires prioritising investment in:

  • Strategic threat intelligence – to inform cyber-risk management, develop credible threat and risk scenarios and comprehensively map these into attack paths and develop an aggregate perspective of prioritised tools, tactics and procedures. This should also be used when assessing asset criticality. An asset may not be deemed of high business value, but if it has a weakness actively being exploited in the wild it should be considered high impact.
  • Asset and attack surface management – creating an ability to continuously enumerate the full extent of the extended enterprise and understand comprehensively any exposures across it (noting that ‘attack surface’ is not just your perimeter, but all opportunities for an attacker to create undesired consequences).
  • Agile and adaptive controls – enabling the preventative and detective controls already implemented to be adapted to the new insights from the visibility created above. Shifts in the threat or in business processes (and the assets that support them) should result in an operational or tactical response that fine-tunes the existing controls to better mitigate or detect any attack exposures. A continuous process that iteratively seeks to maximise control effectiveness and therefore optimise the ROI.
  • Security control validation – continuous testing of mitigating controls, detection capabilities and response playbooks, prioritised by the aggregate view of credible threats. This requires a holistic combination of collecting meaningful metrics, continuous purple teaming and breach and attack simulation technologies.
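The four investment areas above form one loop: threat intelligence adjusts asset criticality (a low-value asset with an actively exploited weakness is treated as high impact), the attack surface inventory feeds the ordering, and control validation checks whether the techniques behind the highest-rated exposures are actually covered by tested detections. The Python below is an added example for this page, not Unit 42 or Palo Alto Networks code; it assumes a constructed inventory, a boolean "exploited in the wild" flag supplied by threat intelligence, placeholder weakness ids, and an assumed mapping from each weakness to an ATT&CK-style technique id.

```python
from dataclasses import dataclass, field


@dataclass
class Exposure:
    weakness_id: str          # constructed placeholder, not a real advisory id
    exploited_in_wild: bool   # supplied by strategic threat intelligence
    technique: str            # ATT&CK-style technique the weakness maps to (assumed mapping)


@dataclass
class Asset:
    name: str
    business_value: int       # 1 (low) .. 5 (critical), as rated by the business
    internet_facing: bool
    exposures: list = field(default_factory=list)


RATING_RANK = {"low": 0, "medium": 1, "high": 2}


def impact_rating(asset):
    """Business value sets the baseline; threat intelligence can override it."""
    if asset.business_value >= 4:
        rating = "high"
    elif asset.business_value >= 2:
        rating = "medium"
    else:
        rating = "low"
    if any(e.exploited_in_wild for e in asset.exposures):
        rating = "high"          # low-value box, but the weakness is being exploited now
    elif rating == "low" and asset.internet_facing and asset.exposures:
        rating = "medium"        # reachable and exposed, so not negligible
    return rating


def prioritise(assets):
    """Order assets for remediation: rating first, then exposure count, then name."""
    return sorted(
        assets,
        key=lambda a: (-RATING_RANK[impact_rating(a)], -len(a.exposures), a.name),
    )


def validation_gaps(assets, validated_techniques):
    """High-impact assets whose exposure techniques have no validated detection."""
    gaps = set()
    for asset in assets:
        if impact_rating(asset) != "high":
            continue
        for e in asset.exposures:
            if e.technique not in validated_techniques:
                gaps.add((asset.name, e.technique))
    return sorted(gaps)


# Constructed inventory and intelligence; nothing here describes a real estate.
SAMPLE_ASSETS = [
    Asset("hr-portal", 2, True, [Exposure("WEAK-001", True, "T1190")]),
    Asset("finance-db", 5, False),
    Asset("build-agent", 1, False, [Exposure("WEAK-002", False, "T1078")]),
    Asset("marketing-site", 1, True, [Exposure("WEAK-003", False, "T1190")]),
]
VALIDATED_TECHNIQUES = {"T1078"}   # techniques our purple-team exercises already cover


def prioritised_names():
    return [a.name for a in prioritise(SAMPLE_ASSETS)]


def sample_gaps():
    return validation_gaps(SAMPLE_ASSETS, VALIDATED_TECHNIQUES)


if __name__ == "__main__":
    for a in prioritise(SAMPLE_ASSETS):
        print(f"{a.name:15} {impact_rating(a)}")
    print("validation gaps:", sample_gaps())
```

In the sample the HR portal is rated only "medium" by business value but rises to the top because its weakness is being exploited in the wild, and the validation step then reports that the technique behind that exposure has no tested detection, which is exactly the kind of evidence the text says stakeholders now expect to see.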

These key focus areas ask a lot, but really represent the only way to build truly effective resilience, because they embed sustainable capability to facilitate a perpetually reinforcing or ‘self-evolving’ ecosystem. The secret ingredient to successfully mobilising a threat-informed defence while dealing with an asymmetrical threat is intelligent automation.

Consequently, automation must also be high up CISOs’ agendas, because it addresses the shortage of cyberskilled manpower as well as the sheer number and frequency of innovative and ruthless cyberattacks that need to be anticipated, combatted and evidenced as so.
