After a disruptive couple of years, we’re emerging into a much more digitised world with consumers and businesses capable of doing more than ever before. However, that progress hasn’t been reserved only for them – the threat landscape has similarly evolved, with bad actors intensifying their use of advanced technology to conduct more determined attacks on their victims.
This shift can be perfectly encapsulated in the number of zero-days we’ve witnessed over the past year. A zero-day is a vulnerability in a piece of software that is exploited before the vendor has discovered it, so no patch yet exists; a zero-day attack or breach is one that takes advantage of such a flaw.
The past 12 months have seen the highest number of zero-days on record, according to Project Zero, the Google team responsible for finding and disclosing these sorts of bugs to vendors. And while this indicates greater transparency and dedication by security researchers to warn against these sorts of attacks, it leaves security professionals with the daunting challenge of continuously patching their critical – and vulnerable – estates.
The evolving role of the CISO
CISOs have a vital role to play when it comes to elevating their company’s security posture to protect it from threats.
CISOs, in partnership with identified stakeholders in technology, operations, and business design, lead changes that are meant to strengthen their organisation’s cybersecurity while elevating overall digital trust. To achieve this, they need to involve themselves in the business/product roadmap conversations and create a cybersecurity ecosystem within the enterprise. This will help create a culture of awareness, ownership, and accountability around security within the larger organisation from the get-go.
However, this is easier said than done. There are several factors that can impact a firm’s adoption of a successful security strategy. Some factors are: a product’s time to market; the movement to hybrid work and the inherent exposure of a firm’s key assets in such a model; and employee engagement, especially as work-from-anywhere picks up pace. CISOs need to continually review and reprioritise the adoption of security practices to meet business objectives, based on these and many more factors.
But more influential than any individual event or consideration has been the grand lesson we’ve all been put through in the past two years dealing with the pandemic. The ability to navigate unforeseen circumstances remains as relevant as the ability to plan and rehearse other known scenarios of business disruption – if not more so.
Laying a future-proof foundation
Combatting the threat of cybercrime requires future-proofing to prepare for the unforeseen. This entails safeguarding your assets on an ever-broadening threat surface. For example, with more processing and data on the edge, there are now more Internet-of-Things-related attacks; more 5G implementations with vulnerabilities found in enterprise software; and more zero-day attacks impacting quality of service and availability of converged and critical private networks. Additionally, while there has been a meaningful clampdown on ransomware operatives, ransomware remains one of the largest cybersecurity risks for enterprises.
The key thing to remember is that people are the first line of defence. Everyone in the company needs to be aware of how they can protect themselves and the larger organisation. They also need to be equipped with basic cybersecurity knowledge, such as how to spot a phishing attack and how to respond to one, essentially creating and contributing to a pervasive culture of security within the business.
The next key element is ensuring the right mix of roles within your security, business, and IT teams. A diversity and spread of infosec skills is vital in combatting multifaceted threats, which often deploy heterogeneous attack vectors. Rehearsing cyber drills with different attack scenarios will ensure teams come together and act deftly in times of crisis.
However, this mix of security expertise will only ever be as effective as your investment in the right security tools. Organisations can be guilty of incrementally investing in security technology, only focusing on tackling “trending” threats, and only plugging holes that are immediate. But if tools are not fully utilised or integrated into the broader security and IT strategy, these teams will only have a fragmented and incomplete view of risks.
So, overcoming these obstacles and changing the pervading perceptions around cybersecurity requires CISOs to invest in the right tools, technologies, and training to not only address the issues of the moment, but also future unknown disruptions.
Navigating choppy waters
Defending against cyberthreats has reached new heights of complexity for security teams. For example, a threat that stole headlines over the past year has been supply chain attacks, such as the SolarWinds hack and the Log4Shell vulnerability, with these sorts of threats only set to become more nefarious and far-reaching in the coming years.
These attacks were a harsh reminder for leaders that the weakest link in their supply chain doesn’t even have to be enterprise software but can be solutions sourced from third-party libraries and freeware development tools.
That’s why it’s essential that security teams implement a third-party security programme for their organisations, to get a handle on the potential cyber-risks emanating from their supplier ecosystem.
And aside from cyber threats, businesses also need to prepare for more privacy regulations. With the increase in cloud services – as well as multi-cloud and hybrid environments – manageable IT and security governance processes are crucial to understanding where and how critical data flows through an organisation. The more optimised these processes are, the more they will ease any strain of having to abide by current or future regulations.
It’s impossible to eliminate all the risks a business faces, but these are a few ways a CISO can bolster an organisation’s security posture. The real work comes in continuously reviewing and optimising the measures taken so you can incrementally become more secure – and thus more future-proofed.
By: Jaspal Sawhney, Global Chief Information Security Officer, Tata Communications