The role of CISO has been evolving for as long as it has existed, which isn’t unusual given the dynamic nature of cybersecurity. Already awash with existing challenges and now facing the ever-evolving landscape of the past year and a half, CISOs have had to adapt their cybersecurity programs to deal with more uncertainty and more challenges as they look ahead. All-too-real examples include a surge in ransomware attacks, securing a remote or hybrid workforce, fighting to bring cybersecurity issues to the board, and many other organizational issues that contribute to gaps in cybersecurity performance. Without further ado, let’s look at some of the details that keep CISOs up at night.
1. Surging ransomware attacks
Even before the start of the pandemic, ransomware attacks had been surging globally. In 2020, researchers found that ransomware attacks grew by over 150%, and that growth has been followed by a string of high-profile ransomware campaigns. Earlier this year, an unprepared Colonial Pipeline fell victim to a ransomware attack and paid the $5 million ransom against the advice of law enforcement and security experts. With both the number of attacks and the average ransom demand going up, there is more incentive than ever for attackers to favor ransomware over other forms of malware. CISOs need to answer the rise in these attacks by ensuring that a well-developed anti-ransomware process is in place, one that reduces the likelihood of intrusion and is paired with an effective response plan that limits the impact of an infection when one does occur.
2. Securing the hybrid working approach of the future
Now that businesses are beginning to return to the office, many are having a difficult time enticing employees to come back full time. As a result, many organizations have implemented hybrid working structures that allow for a mix of face-to-face interaction in the office alongside remote collaboration. Hybrid collaboration introduces potential headaches from both logistical and security perspectives, as it requires a balancing act between securing on-premises resources and securing cloud computing infrastructure components. According to a Forbes survey, 76% of companies were forced to adopt cloud services faster than anticipated, which has the potential to leave a lot of gaps to be filled.
3. Organizational inefficiencies
Hand in hand with worries about a hybrid collaboration workflow, CISOs must contend with the organizational inefficiencies such a model introduces. The cybersecurity process is all about continuous improvement in organizational processes, and keeping that improvement going during organizational shifts like these can be incredibly challenging. Communication, productivity, and performance are all at risk of deteriorating, which can have serious implications for the baseline cybersecurity performance of an organization. With 70% of businesses indicating that they will use a hybrid model, many are looking to maintain the surge in productivity first observed in the transition to remote work at the start of the pandemic.
4. Communicating cyber challenges with the board
With every new high-profile cybersecurity attack and data breach, cybersecurity concerns are increasingly becoming top priorities for executives, board members, and investors. Today, Gartner estimates that only 10% of boards of directors have a dedicated cybersecurity committee. However, Gartner also predicts that this number will rise to 40% by 2025, which is a good sign for cybersecurity initiatives and general cybersecurity preparedness. While this is certainly a positive change, some might argue that it isn’t coming quite fast enough. In the near future, CISOs may look to prioritize initiatives that better involve the board of directors in cybersecurity matters. We have talked previously about how to report cybersecurity performance metrics to the board, which will be extremely useful in establishing a process for involving the board of directors in cybersecurity conversations.
5. Integrating a cybersecurity culture throughout the organization
Creating a culture of cybersecurity excellence is one of the most important factors in establishing a strong baseline of cybersecurity performance, especially if the goal is to reduce the human errors that result in security gaps. In Verizon’s 2021 Data Breach Investigations Report (DBIR), the authors determined that 85% of data breaches involved a human element and that errors (server misconfiguration, document misdelivery, publication errors, etc.) contributed to almost 20% of data breaches. Establishing an organization-wide initiative that drives home the importance of safe cyber hygiene practices and reduces human error is therefore critical to preventing cybercriminals from getting their foot in the door. Unfortunately, this is easier said than done, since it requires effort at all levels of the organization; there needs to be a voice in every room and at every step of the process that advocates for safe cybersecurity practices. From the board to the intern, cyber hygiene needs to become an important evaluation factor in all steps of business operations if CISOs are to create a culture of cybersecurity excellence.
Many of these considerations require a high-level understanding of how well your organization maintains its cybersecurity performance in its day-to-day operations, which is often difficult to see through the fog of bureaucracy and antiquated spreadsheets. Thankfully, there are tools that can give you the insight you need to make the right decisions. CnSight looks from within your organization, providing executive-level insight into cyber risk, effectiveness, and performance management. CnSight helps baseline and prioritize what is important to the business, ensuring alignment with organizational goals and risk appetite. Regardless of your current level of cybersecurity maturity, CnSight helps you chart a course to improving visibility and achieving better outcomes from your current investment in security.