CISOs are under more pressure than ever to ensure their organisations thrive in order to survive, and investing in the right technology has a key part to play. David Higgins, EMEA Technical Director, CyberArk, offers his best practice advice and says that a massive budget increase isn’t required, but a change of approach.
CISOs, security leaders and their teams have demonstrated a huge amount of resilience throughout the pandemic. They’ve had to work with tighter budgets when cyber-risks have grown. And they’ve had to contend for board-level prioritisation among other organisational challenges. Even as companies look ahead towards brighter skies, frugality will be crucial to CISOs. Budgets will have to stretch further without compromising operational security.
It will be difficult for many to make this work. They will require a strategic change. But by focusing money and time where it’s most needed, CISOs can continue to ensure the security of their organisations’ assets.
Reconsider the way your employees engage with security
The pandemic has tested our vision for distributed work beyond anything we could have imagined. Remote teams have shown themselves to be incredibly resilient in continually rising to the challenge of blending their home and work lives.
Now though, CISOs have a unique opportunity to provide the strategic insights and direction needed to sustain and enhance remote and hybrid work models as many regions of the world start to transition out of lockdown. CISOs should encourage their organisations to move away from legacy approaches, and prioritise the implementation of new digital security strategies and user-friendly tools and policies to securely empower workers.
Adopt the principle of Zero Trust
There’s a broad consensus among CISOs that the complexity of today’s cybersecurity challenges demands a ‘trust nothing, verify everything’ approach – otherwise known as a Zero Trust mindset.
While this method repositions the security perimeter around individual identities, ensuring that everyone and every device granted access is who and what they say they are, it isn’t a one-size-fits-all approach. In fact, the best place for CISOs to start with Zero Trust is to identify their organisation’s greatest security risks, address them and then extend controls to new, less critical areas over time. It’s also equally important to work alongside IT and end-users to ensure they both understand and adopt this new model.
Think like an attacker
Threat actors will always find new and innovative ways to penetrate networks, steal data and disrupt business – it’s not a question of if, but when. The trick is to adopt an ‘assume breach’ mindset to help detect and isolate adversaries before they traverse a network and inflict damage.
Doing so means getting into the mindset of an attacker, something which can give CISOs the edge they need to stay one step ahead. Assuming any identity in the network has already been compromised means security teams can anticipate an attacker’s next move, minimise impact and stop threats before they reach valuable assets and cause harm.
This does not require a massive budget increase, but a change of approach.
Adopt a solution-focussed mindset
Sophisticated cyber intrusions such as the SolarWinds digital supply chain attack, prompted many CISOs to re-evaluate their risk tolerance levels, cybersecurity and risk management efforts, together with areas of ongoing vulnerability. Alongside this, companies have been urged to update their incident response strategy, using frameworks such as NIST to guide them.
If organisations are attacked, retrospectives should be used as part of their learning to further optimise incident response strategies and build resilience. For example, questions raised should move from ‘how were we compromised or breached?’ to ‘how can we stop it next time?’.
First quantify, then mitigate
Recent headline-grabbing attacks have made cybersecurity a regular boardroom discussion and business imperative. It’s the CISO’s responsibility to make sure cybersecurity remains at the top of the agenda, even when news cycles are quieter.
To do this successfully, it is critical for CISOs to quantify risk, resulting in mitigating actions in financial terms, and demonstrate how the cybersecurity programme will link to business objectives. Industry frameworks can also help CISOs demystify cybersecurity and bridge communication gaps with boards and executive management.
Use your IT team to communicate security principles to the organisation
Communication doesn’t stop at discussions with the board. In fact, today’s CISOs need to effectively articulate cybersecurity’s value proposition to customers, partners and also internal stakeholders. With digital supply chain attacks under scrutiny, the need to build trust by way of transparency has never been greater. The power of empathetic communication cannot be overstated here.
The good news is CISOs no longer have to shoulder the communication burden alone. By actively collaborating with IT security teams, CISOs can strengthen their message to various audiences and break down any siloes that have developed.
Adapting budget allocation to combat new threats
CISOs should prioritise these aspects of security to make the best use of their budgets. In fact, many of these tactics can be implemented without any budget reallocation at all. The aim should be the creation of a comprehensive security strategy to fit today’s most prominent threats.
However, for this to happen, security heads must proactively embrace an advisory position, offering guidance and strategy to key stakeholders straight away. To this end, CISOs should seek partners, both within the organisation and via external public and private partnerships, which will boost their advisory capacity, facilitate information sharing and accelerate the shift to the next stage of cyber-resiliency.
The road ahead will be fraught with cyberattacks, more sophisticated attack vectors and methods, and ever power-hungry cybercriminals. CISOs can make moves to ensure their organisations thrive, rather than merely survive, by prioritising their budget allocation to fit current threats.