With cyber threats becoming more varied and challenging to stop every day, CIOs and CISOs need to take a strategic approach to securing their organizations.
Too many organizations still rely too heavily on point solutions. These include web application firewalls, antivirus software, endpoint detection and response, and other tools intended to stop specific types of attacks from getting a foothold in networks, said Spiros Liolis, chief technologist of global alliances at Micro Focus.
And yet one well-engineered phishing email targeted at just the right employee with just the right payload can get past even the most ambitious and multilayered defenses.
Cybersecurity silos are gone, or should be, Liolis said. “It is a strategic question. Organizations need to start thinking about [cybersecurity] in a very systemic way, but the majority of them do not even know where to start.”
Attacks are back to pre-pandemic levels
According to the World Economic Forum’s Global Risks Report 2022, “Growing dependency on digital systems—intensified by COVID-19—has altered societies. … At the same time, cybersecurity threats are growing—in 2020, malware and ransomware attacks increased by 358% and 435%, respectively—and are outpacing societies’ ability to effectively prevent or respond to them.”
As more people return to the office post-pandemic, malware is moving in right along with them. According to WatchGuard’s Q4 2021 Internet Security Report, malware aimed at corporate networks is back to pre-pandemic levels—with 68% of zero-day malware using encrypted connections such as HTTPS to evade antivirus software.
To combat rising threats, visibility, automation, and integration “are imperative,” said Marc Laliberte, senior security analyst at security vendor WatchGuard. “Companies need unified security approaches, which eliminate the gaps caused by disparate and disconnected solutions and offer IT teams more visibility and clarity into the threats they must deal with daily.”
Because every addition to or change in an organization’s technology footprint, its business practices and processes, or its people sends ripple effects through the whole system, CISOs need to focus less on individual technologies aimed at specific threats and think more holistically about what to protect, why they are protecting it, and, only after answering those two questions, how to protect it.
Ask the right questions
Making this shift in thinking starts by asking a few basic questions, said Liolis. The first and most important is why you are protecting certain organizational assets over others. Unless you know the reasons, you may end up spending money and effort on protecting the wrong things.
Answering this question starts with a business impact analysis, Liolis said. This assessment helps to identify organizational assets and systems that are truly mission-critical versus ones that are no longer as important. The changes wrought by the COVID-19 pandemic are a great example of how quickly organizational priorities impact cybersecurity thinking.
Once offices emptied out and everyone started working from home, tools to manage a newly remote workforce such as mobile device management, endpoint detection and response, identity and access management, and cloud access security brokers suddenly became priorities.
“Changes in the organization itself will change the processes and therefore the technology, so that’s why you’ve got to look at it holistically, as a system,” Liolis said. “Ask yourself, ‘What is making up my revenues? What is making up my core business? What are my mission-critical services or products?’”
You will need to run this exercise before you can identify the specific cybersecurity tools needed to protect your most critical assets.
Use a high-level scorecard
Brian Shea, CIO of MedOne Hospital Physicians, uses a high-level scorecard to help simplify this process. Standard red, yellow, and green indicators show whether certain types of cybersecurity tools—or policies such as endpoint encryption or multifactor authentication—are in place and which asset categories are being protected.
He also lists the vendor, technology, or methodology deployed (such as pen testing) to protect each asset.
The scorecard does not substitute for strategy, but it helps simplify it so Shea and his team know which areas can be considered safe, which ones need work, and which ones need further investment. Once he knows where to spend his budget, he can ask the right questions about deploying and managing the solution in-house or engaging a third-party provider such as a managed services provider.
“From a strategy perspective, you need to know where you stand,” Shea said, “but you need to do it in a way that’s palatable. A lot of organizations get quickly paralyzed by the amount of things they have to do and [figuring out] what direction to take, so they don’t do anything. Or they might do the wrong thing.”
Look at security as a stakeholder
Part of the problem for CIOs and CISOs is that security is reactive in nature—both to threats and to organizational moves, adds, and changes, said Jeff Pollard, vice president and principal analyst at Forrester. Security should follow the direction of the organization, not the other way around.
That’s why he advises his clients to look at it from a stakeholder perspective. There are three: the organization and its shareholders or owners, employees, and partners.
“Those are the inputs to your security strategy,” he said. “Because those are the things that you are charged with protecting, that’s where your responsibility exists.” A CISO can’t decide to “suddenly go on a spree of protecting nonfungible tokens and stuff like that if your company is not adopting them.”
Once you understand the risks of each group, what you need to protect, and the degree to which security can take priority over things such as ease of use or access, the CISO can begin to select the right tools for the job. But the approach to making these decisions should always be top-down, not bottom-up.
Don’t overemphasize risk
Forrester’s Pollard also believes that looking at cybersecurity solely through the lens of risk is an all-too-common but mistaken approach. Risk is a consideration, but it is often influenced by factors outside of the CISO’s control, including regulatory changes or business decisions. Also, some industries have a higher tolerance for risk than others.
If a valuable asset is viewed solely through the lens of risk, then protecting that asset should be a high priority. This is common sense. But, if the costs of protecting that asset are too high compared to its relative value on, say, the dark web, then that tradeoff may not be worth it to the business. “I tell a lot of security leaders that overemphasizing risk is going to get them fired,” Pollard said.
In other words, risk is relative, said Micro Focus’ Liolis.
“Doing an impact analysis will tell you why you are protecting the organization,” he said. “Because if I’m going to lose $3.5 million or I’m going to lose this or I’m going to lose that … that is going to define your risk appetite to a very large degree.”