It’s that time of year when we inevitably reflect on the past 12 months and make a list of resolutions to solidify exactly what our priorities should be for the future and how we can best achieve them. In ‘ordinary’ times, you might mingle with your peers at conferences and industry events, swap stories and exchange information, but as we all know, these opportunities are still not as readily available as in previous years.
Over the past few months, we have engaged with dozens of CISOs in a series of roundtables. From those conversations, nine topics emerged at the top of the list for 2022. Had these roundtables taken place around the time Log4J was becoming a growing problem, vulnerability management would have rounded it out to a top 10 list. So, for now, here are the top nine:
# 1: Better communication with the board
There is room to improve communication between management teams, advisory boards and CISOs. While some indicated that they do have adequate opportunities to interact, the majority of CISOs we heard from said the conversations they had were often unstructured and lacked a regular cadence. Unsurprisingly, there was also a feeling that the role of the CISO is most valued in a crisis and, conversely, drops down the priority list when there is no incident.
The three ways this could be improved, as discussed at the events we attended, are 1) a structured governance model with high-level representation, 2) an agreed set of key performance indicators that reflect the requirements of the business and 3) regular opportunities to demonstrate how security is a business catalyst.
# 2: Make sure security is resilient to business changes
The CISOs we heard from revealed that resilience is an increasingly important topic for the business at large, and therefore it is essential that security is resilient to change and can scale with the business.
This can be achieved by planning ahead for business continuity / disaster recovery (BC/DR) activities and sharing ownership of them. CISOs should be included in BC/DR activities, as their contribution is always essential to this process, but there is a clear need for more action, such as a tangible high-level exercise that brings business management into the discussion.
# 3: Risk should be a shared problem
On several occasions, CISOs we heard from said that when the topic of risk came up during board discussions, the security team was treated as an island unto itself. Establishing risk ownership and risk recognition with coworkers can often be difficult, but to mitigate future risks it is imperative to identify multiple risk owners across the business rather than simply delegating risk to the CISO.
# 4: Prepare for “The Great Resignation”
There was a view that recruiting new employees is difficult, and even with broad requirements it can take months to identify a new hire, which often leads to the undesirable situation of working with small teams. Much is currently being written about the ‘Great Resignation’, which is expected to continue to disrupt all industries as the New Year dawns. So it’s fair to say that this problem may get worse before it gets better.
Some CISOs see remote work as a potential solution; distributed teams are seen as a necessity in certain circumstances, but it is also certainly necessary to ensure that teams meet regularly face to face.
# 5: Keep IT out of the shadows
For many CISOs, a growing problem that needs to be addressed is that new solutions are being developed in new areas without the knowledge of security teams – even when clear guidelines prohibiting such behavior are established within the company.
Too often, speed and availability tend to outweigh security considerations. As a result, security teams are constantly faced with the problem of “shadow IT”, which will be exacerbated as more and more businesses migrate to the cloud. Solving the challenges of shadow IT begins with usability: avoiding risky workarounds by removing the obstacles that invite them. For more practical steps on what to do to bring shadow IT into the light, check out our Security Report below.
# 6: Light at the end of the tunnel for third-party risk management?
This is a perennial problem, especially around third-party reviews, which are often very long, in a non-standard format and carried out with very short response times. The good news here is that work is underway to produce frameworks ensuring standardized third-party attestation, such as in the UK financial services industry with the Bank of England Supervisory Statement SS2/21: Outsourcing and Third Party Risk Management, effective March 31, 2022.
Progress in this area will certainly be welcome, given how much CISOs need to be able to rely on tested processes, but CISOs should always ensure that the scope of their risk areas is broad enough to include any vendor or employee with remote access to any business application. This includes any subcontractors who may be working for the contractor, as credential sharing is common in all companies.
# 7: More emphasis on data and privacy
This is an issue where the value of data is often not recognized. Privacy is increasingly regulated as regional and local regulations come into force. The Schrems decision will also require CISOs to focus more on data and where it is stored.
Over the past few years, much attention has been given to the EU GDPR rules, which has revealed the areas where CISOs have focused their energy when it comes to data and privacy. Generally speaking, these include verifying user identity, verifying the health of all users’ devices, and securing access to every application. For more details on each of them, a link to our guide on data privacy, which can be applied to areas outside of GDPR, is available below.
# 8: Manage security debt
CISOs have made it clear that the subject of technical debt, or security debt, is gaining in importance. The need to manage old systems while adapting to the new environment, along with the risks and costs this entails, is particularly important to consider in the field of operational technology (OT).
Additionally, some OT systems cannot be easily patched, or even have basic security tools like anti-malware installed on them. Finally, this issue is particularly relevant when systems still run end-of-life (EOL) software that remains essential to the organization.
To quote my Global Advisory CISO colleague Dave Lewis from his presentation “Security Debt, Running with Scissors” at the 2021 Virtual Cyber Security Summit earlier this year: to track and address security debt, organizations must develop and implement defined and reproducible processes. They should look to strategies like the zero trust model, trust but verify, sanitizing inputs and outputs, and, of course, making sure to execute fixes instead of passing them on to the next person.
# 9: Ransomware, ransomware, ransomware
This is the main tactical issue that concerned the CISOs we heard from, raised more than once. It stems from a concern that the speed of compromise is faster than before, leaving less time to respond. As you might expect, given the points made in # 9, this form of attack was of more concern to those with legacy systems.
However, there are a plethora of tools and techniques that make it much harder and more expensive for attackers to gain access, even as they scale up faster. For more details on what you can do to protect your business from ransomware, below is a link to a recent eBook on the subject.
The qualitative sample we’ve explored here gives a good summary of the direction of travel as we head into 2022, but for practitioners looking for a more comprehensive view to help them decide where to focus their efforts, we highly recommend reading Cisco Secure’s flagship data-driven security research report, the Security Outcomes Study.
The independently conducted double-blind study is based on a survey of more than 5,000 active IT, security and privacy professionals in 27 markets. The report looks at the top five practices that disproportionately influence the overall health of an organization’s security program and has been localized for eight specific markets: UK, France, Germany, Netherlands, Italy, Spain, Russia and Saudi Arabia.
We would love to hear what you think about it. Ask a question, comment below, and stay connected with Cisco Secure on social media!