Good Chief Security Officers (often referred to as CISOs) are highly sought-after resources. Navigating the ever-changing cybersecurity environment full of evolving threats is not an easy task. That is why a skilled and proven CISO is something every company is fighting for.
According to a Forbes Insights survey of more than 200 CISOs across a variety of industries, 84 percent believe the risk of cyberattacks will increase, and almost a quarter (21 percent) believe the capabilities of attackers are outpacing their ability to defend their organization.
The realities that these security leaders face every day are not for the faint of heart. We will discuss steps that successful CISOs are taking to protect their organization and customer data, all with finite resources.
What Do CISOs Do?
The daily tasks of a CISO boil down to allocating the limited resources they have to meet the growing range of cyber threats that face their business. Organizations were once focused solely on preventive defenses. They fought to keep anything and everything out of their network. However, as we now know, it is impossible to guarantee total prevention and protection.
Data breaches are inevitable, so heightened detection and response plans are a greater priority now. With that, CISOs are tasked with making the hard decisions. They direct their overworked teams to the most serious breaches. Above all else, they must balance their time and valuable resources, often pivoting between tactical issues, communication plans, and strategic leadership guidance.
Two of the top issues many CISOs say they are facing at their organizations today are a lack of budget and a lack of talent to draw from. According to the Forbes survey, more than a third (36 percent) cite the lack of an adequate budget as having a significant impact on their cybersecurity programs, and 18 percent cite it as their greatest constraint.
“There is no playbook for being a CISO,” says Dawn Cappelli, VP, global security and chief information security officer at Rockwell Automation. “Everyone realized that cyber threats like ransomware are out there and can hit anyone. Everyone realized that you don’t have to be the target, and you don’t have to have something specific that they’re after. It’s a dynamic environment.”
So, what do CISOs do? A CISO, perhaps more than any other senior executive, navigates uncharted territory every day. No other part of the business is changing this rapidly, and in no other part of the business are the stakes so high.
Threats and Capabilities
Threats are everywhere, and there is a lot at stake for businesses. According to the Forbes survey, 36 percent of respondents selected brand and customer data as the highest priority for protection. In addition to placing priority on protecting data, enterprises put importance on intellectual property, because for many, this is the essence of their competitive advantage. Here are the attack targets that concern CISOs the most:
- 36 percent list brand and customer data
- 20 percent list intellectual property
- 16 percent list downtime from denial of service (DoS)
- 15 percent list financial assets
- 12 percent list sensitive internal communications and personally identifiable information
In addition to the targets that concern CISOs the most, the survey describes the top attack modes that concern many other leaders in different roles across organizations everywhere. The top three include malware attacks, IoT-based attacks, and phishing.
“The more the footprint of technology grows, the more the security risk grows,” says Emily Heath, vice president and chief information security officer at United Airlines. “With the emergence of IoT and the OT world, pretty much everything is connected to Wi-Fi or Bluetooth. In an organization that’s so highly distributed and moving, literally, that’s always a challenge. You have to understand your business. For us, business operations are what defines the risk.”
What Can You Do?
The possibility of a breach is always there, so what can you do? Start by focusing on your organization’s reputation and its intellectual property. Unfortunately, if your intellectual property is stolen, prosecuting the cybercriminals can be tricky. Getting the information back is even harder.
To protect your intellectual property from a data breach, start by understanding what you have. Meet with the executives of each department once a quarter to update anything outdated and to keep revising protection plans.
It is also important to secure your intellectual property both physically and digitally. Storing this information in a colocation facility with the most stringent security features is advised.
There are different obstacles that every CISO must overcome, but some are similar no matter what industry you are in. Three things that many CISOs lack are a sufficient budget, a clearly defined central strategy, and the needed skills among internal staff.
With a tight budget, it is up to the CISO to decide where to allocate it. There is no single answer for where budgets should go. It depends on the risks that your business specifically faces and the information you are looking to protect. Having a clearly defined security strategy is more crucial than ever.
Those surveyed who reported being highly impacted by a lack of a central cybersecurity vision were:
- More concerned about cyberattackers’ capabilities
- Less confident looking forward in their ability to respond to threats
- More likely to believe that talent challenges contribute to their inability to execute strategic initiatives
With the need to expand security teams, businesses are facing a debilitating shortage of talent. According to a recent survey of IT decision makers by the Center for Strategic & International Studies, 82 percent of employers say they are experiencing a shortage of cybersecurity skills, and “71 percent believe this talent gap causes direct and measurable damage to their organizations.”
The National Initiative for Cybersecurity Education reported that, as of January 2019, the U.S. faces a shortfall of some 314,000 cybersecurity professionals.
What Can You Do?
Without a proper budget, the security of your reputation, data, intellectual property, and everything in between does not stand a fighting chance. Start by making the business case for a healthy security budget. Threats are only escalating, so your resources should escalate too. Ask the C-suite to weigh the cost of an increased budget against the prospective cost of a data breach.
The average cost of a data breach in the U.S. is currently $7.9 million.
While proposing your budget, understand exactly where the money will go. Use your existing budget as a starting point. From there, think about what you will need to add, remove, or adjust to achieve your goals.
Strategy and Technology
The Forbes survey shows that more CISOs are repositioning their security strategy from prevention to more effective detection and remediation. Security leaders want to integrate security into network operations, and they want analytics to help give them the visibility into cross-network traffic, including insider activity, that can help them detect and investigate unusual behavior.
With big plans and even bigger constraints, automation is more important than ever. Internal teams will continue to be restricted to tactical aspects unless automation takes on repetitive functions, enabling them to take a more strategic and effective security stance.
“The sheer volume of data that is available these days from every sensor in every single piece of equipment makes it an impossibility. The fundamental concept of security is understanding from a visibility angle. The other big part of it is understanding what normal looks like. And true machine learning helps you with this. Analytics ‘listens’ to an environment; it can understand what normal and abnormal look like,” said Heath.
The move towards automation also cuts down on insider threat risks. According to Verizon’s 2018 Data Breach Investigations Report, 20 percent of incidents, and 15 percent of breaches, originate from people within the organization. Tools take away the insider threat risk and help to monitor your network for abnormalities, so swift action can be taken.
What Can You Do?
Studies show a transfer of resources from prevention to detection and response planning. Do not rely on defense alone; also focus on deploying detection and response tactics and technologies.
CISOs who were surveyed stated that an average of 33 percent of their budget currently goes to prevention, but they hoped to lower that to 27 percent. In contrast, CISOs stated that they wanted to increase both their detection and response budgets.
Wrapping it Up
We have learned that all CISOs wear many hats and have to make tough decisions every day. While each CISO is battling the unknown, some are more confident with their direction than others. Hopefully this guide has shed light on areas of change and how you can start taking action.
In review, the top priority of a CISO is, and should continue to be, protecting the enterprise’s brand. Cybercriminals are looking to steal your company and customer data, including intellectual property, so securing it should be at the top of your list.
In addition, it is time to make the case for a better budget in the coming year. Threats are escalating, so having the proper resources to deal with them is a must. Spending more upfront on security will lower costs later when breaches occur. It is also important to provide your employees with proper training and education, so they can recognize suspicious activity.
It is also time to automate as many processes as possible. With a lack of staff and skill, automation can take over those repetitive functions, enabling you to use the staff you do have for more strategic roles. Technology can also detect issues more quickly than a human, making the response time much better.
Finally, the time to move your resources from prevention to detection and response is now. CISOs have started to accept that they cannot defend everything. Deploying detection and response tactics and technology is the way to go.
Find a Strategic Partner in LightEdge
It is critical for every organization, big or small, to have a CISO on staff. If this is not feasible for your organization, it is important to partner with organizations that have expert CISOs available for you to tap into for disaster preparedness and audit readiness.
LightEdge’s Chief Security Officer, Michael Hannan, is a free resource to all of our customers. He helps businesses reduce vulnerabilities, eliminate blind spots in their security strategy, and quickly respond to security threats when they occur. LightEdge’s highly trained compliance and security experts take the guesswork out of keeping your business protected. Trust our expertise to ensure you are covered through our security and compliance services, including risk management, information security, audit preparedness, and support.
As a top-tier colocation services provider, we provide a high level of availability and reliability through secure, certified data centers and dedicated staff onsite. Our customized and scalable services give you the control, whether you need a colocation rack, cage, or custom suite now or in the future.
With geographically dispersed facilities across all of the US power grids, our data centers are the heart of our operation and yours. We have a wide range of colocation and disaster recovery solutions delivering advanced shared infrastructure designed to enable operational and financial efficiency, reducing the burden on your IT staff.
Customers turn to LightEdge to reduce the risk of non-compliance, scale security, and gain predictability and cost-effectiveness. LightEdge provides customers with an extended team of experienced engineers and helps to focus resources on agility and differentiation. Are you curious how your current provider stacks up? Our security experts will provide a free security assessment to see how you measure up against the latest compliance and security standards. No risk, no commitment. Contact us today to get your free security assessment.