It is that time of year when we inevitably reflect on the last 12 months, make a list of resolutions to solidify exactly what our priorities should be going forward and how best we can achieve them. In ‘ordinary’ times, you could mingle with your peers at industry conferences and events, swapping stories and trading information, but as we are all too aware, those opportunities are still not as readily available as in previous years.
Over the last few months, we’ve engaged with scores of CISOs in a series of roundtable discussions. From these conversations, nine topics emerged as top of mind going into 2022. Had these roundtables taken place around the time Log4J was becoming a growing issue, vulnerability management might have rounded it out to a top 10 list. So, for now – here’s the top nine:
There’s potential to optimize communication between senior management teams, advisory boards, executive leadership teams and CISOs. While some reported that they did have adequate opportunities to interact, the majority of CISOs we heard from said that the conversations they had were often unstructured and lacked a regular cadence. Unsurprisingly, there was also a feeling that the CISO role is still most valued when there is a crisis and, conversely, pushed down the priority list when there isn’t an incident happening.
The three ways this could be improved, as discussed at the events we attended, are: 1) a structured governance model with high-level representation; 2) an agreed set of KPIs that reflect business requirements; and 3) regular opportunities to demonstrate how security is a business enabler.
The CISOs we heard from revealed that resilience is an increasingly important topic in a broader sense, and it is essential therefore that security is resilient to change and can move with the business.
This can be achieved by planning for business continuity/disaster recovery (BC/DR) activities ahead of time and sharing ownership of them. CISOs should be included in BC/DR activities, as their input is still essential in this process, but there is a clear need for more concrete actions, such as tabletop exercises that bring business management into the discussion.
On more than one occasion the CISOs we heard from said that when the topic of risk arose during board discussions, the security team was described as being like a little island on its own. Establishing risk ownership and acknowledgement of risk with business colleagues can often be difficult, but to mitigate future risks there is a strong need to identify several risk owners within the business rather than simply delegating it all to the CISO.
There was a view that recruiting new staff was difficult and, even with broad requirements, it can take months to identify a new hire, which often leads to the undesirable situation of running with lean teams. A lot is currently being written about the “great resignation,” which is likely to continue to disrupt all industries as we head into the new year. So, it is fair to say this issue is likely to get worse before it gets better.
Some CISOs are seeing remote working as a potential solution; distributed teams are seen as a necessity in some circumstances, but there is also certainly a need to get teams to meet face-to-face on a regular basis.
For many CISOs, an increasing issue that needs to be addressed is that new solutions are being spun up in new areas without security teams’ knowledge — even when clear guidelines prohibiting such behavior are established within the business.
All too often, speed and availability tend to trump security factors. As a consequence, CISOs are constantly facing the ‘shadow IT’ issue, which will be exacerbated as more and more firms move to the cloud. Solving shadow IT challenges starts with usability: preventing risky workarounds by removing the obstacles that invite them. For more practical steps on how to drag shadow IT into the light, see our security report below.
This is still proving to be an issue, especially around third-party assessments, which are often very long, in a non-standard format, and come with very short timeframes for a response. The good news here is that some work is being done to produce frameworks that ensure a standardized attestation for third parties, such as in the UK’s financial services sector with the Bank of England’s Supervisory Statement SS2/21: Outsourcing and third party risk management, which comes into effect on 31 March 2022.
Progress in this area is bound to be much welcomed, given how much CISOs need to be able to rely on tested processes, but CISOs still need to ensure their scope of risk areas is broad enough to include any vendor or employee that has remote login access to any enterprise application. That includes any subcontractors that may work for the contractor, as credential-sharing is common across companies.
This is an issue that arises where the value of data is not recognized. Privacy is becoming increasingly regulated, with both regional and local regulation coming into force. The Schrems judgment will also require CISOs to focus more closely on data and where it is stored.
Over the past few years there has been a huge focus on the EU’s GDPR rules, which has revealed the areas where CISOs have been focusing their energy when it comes to data and privacy. Broadly speaking, these include verifying user identity, checking the health of all user devices, and securing access to any application. For more detail on each of these, a link to our guide to data privacy, which can be applied to areas outside of GDPR, can be found below.
CISOs made it clear that the topic of technical debt, or security debt, is gaining in importance. The need to manage older systems while adapting to the new environment, and the risk and cost that this incurs, is especially important to consider in the operational technology (OT) area.
In addition, some OT systems cannot be easily patched or even have basic security tools such as anti-malware installed on them. Finally, this issue is especially pertinent when systems are still running end-of-life (EOL) software that remains critical to the organization.
To quote my Global Advisory CISO colleague Dave Lewis in his 2021 Virtual Cybersecurity Summit presentation earlier this year, “Security Debt, Running with Scissors”: to track and address security debt, organizations must develop and implement defined, repeatable processes. They should look to strategies like the zero-trust model, trust but verify, sanitation of inputs and outputs, and of course, make sure to execute patches instead of pushing them onto the next person.
Ransomware is the main tactical issue, and one that concerned the CISOs we heard from more than once. It was aligned with a concern that the speed of compromise is quicker than before, resulting in reduced response times. As expected, considering the points raised in #9, this form of attack was of greater concern to those with legacy systems.
However, there are a host of tools and techniques that exist to make it significantly harder and more costly for hackers to gain access, even if they are moving faster. For specifics on what you can do to protect your company against ransomware, a link to a recent e-book on the subject can be found below.
The qualitative sample we have explored here gives a good summary on the direction of travel as we enter 2022, but for practitioners looking for a more comprehensive view to help them decide where to focus their efforts, we strongly recommend reading Cisco Security’s flagship data-driven security research report, the Security Outcomes Study.
The independently conducted, double-blind study is based on a survey of more than 5,000 active IT, security, and privacy professionals across 27 markets. This report dives into the top five practices with outsized influence on the overall health of an organization’s security program, and has been localized for eight specific markets: UK, France, Germany, the Netherlands, Italy, Spain, Russia and Saudi Arabia.