Three priorities for CISOs

by Mark Rowe

Tom Goodwin, Business Continuity Specialist at the cloud and IT firm Kyndryl, offers three priorities for CISOs as the nature of risk mitigation changes.

The role of the CISO is evolving. More specifically, it is becoming more integral to business success than ever before. In an age where the threat landscape is expanding and cyber-attacks are increasing in volume and sophistication, who is more central to an organisation’s success than those tasked with protecting it?

Of course, I’m a bit biased. But there is something to this idea. Only 13 per cent of companies were not hit by malware or ransomware in the last 12 months, with 83 per cent hit more than once. Those are quite staggering numbers. They speak to the risks businesses face to continuity and data integrity at a time when most are driven precisely by data.

Considering all this, I think there are three major priorities for CISOs – and therefore, for businesses in general – to address in the coming months and years:

• Regulation vs Insurance: There needs to be a realisation that regulation lags behind where you need it to be for mitigating risk, and that insurance policies are shifting that risk and responsibility back into your hands.
• Proactive responsibility: Whether it’s a cyber-attack, geopolitical uncertainty, or an extreme weather event, your organisation needs to adopt a culture of becoming operationally resilient to survive the evolving threat landscape.
• Invest in recovery: Whilst a security perimeter is key, you also need to invest in automating and orchestrating recovery processes, enhancing recovery time and recovery point objectives, whilst simultaneously mitigating human error in restoring from backups.

Let’s look at these in more detail.

CISO Priority #1: Regulation vs Insurance

By its nature, regulation often follows risk, generally being put into place after a global or particularly impactful incident. The same applies in cybersecurity. And while there are now a raft of new regulations coming into place around the world, there is still a gap between what companies need to mitigate risk and what policy dictates.

This lag heightens the importance of insurance to cover the gaps, but it’s no longer enough to rely on this. Some insurers are now assessing risk and concluding that these gaps are simply too big. This has resulted in many deciding not to cover certain types of cyber-attacks. A high-profile example is Lloyd’s of London, which recently instructed its members to exclude nation state cyber-attacks from insurance policies beginning in 2023.

What can you do in this situation? If regulation is still catching up, and insurers are becoming more cautious (with premiums rising as well), I suspect we will see CISOs taking matters into their own hands. Resilience will become the name of the game, and no wonder. The financial implications of any downtime are huge, as well as the risks to brand reputation. If these risks face the very real threat of being uninsured, the best approach is surely to build up the resilience posture of the organisation.

This is borne out by research. Gartner estimates that around 70% of CEOs will mandate investment in organisational resilience by 2025, as a way to counter the mounting risks facing businesses.

CISO Priority #2: Proactive responsibility

Leading on from this, to become truly resilient, CISOs must be proactive in their approach to cybersecurity. The key to this is understanding where the business is now, where the gaps are, and where the business wants to get to.

Of course, modifying and modernising the way we manage and protect cloud environments can be a pretty complex task, especially between diverse departments within an organisation. The best way to handle this complexity is to develop a comprehensive resilience framework – one that consists of pre-defined, step-by-step processes and requirements to bring IT functions into greater alignment.

By developing such a framework, CISOs can get on the front foot when it comes to cybersecurity. It will help all IT leaders to contribute to greater resilience in a strategic and long-term manner. It’s my prediction that as insurance providers row back on the level of coverage they’re willing to offer, CISOs will need to take this proactive approach to take charge of risk mitigation.

After the frameworks come the investments.

CISO Priority #3: Investment in recovery

Frameworks are only as useful as the tools you use to implement them. CISOs need to invest in automation tools and solutions to orchestrate more robust recovery time objectives (RTO) and recovery point objectives (RPO). Sophisticated automation can also help to reduce the chance of human error and mitigate issues with automatic back-up and restore functions. Continuous testing and simulation exercises are also important tools when it comes to proactive resilience.

This should be a focus for all CISOs going forward. Investing in recovery capabilities is the only way to cover the gaps left by lagging regulation and changing insurance policies. Gartner’s analysis shows that this change in approach is already taking shape, with 60% of organisations set to embrace Zero Trust as a starting point for security by 2025 and 80% of enterprises to adopt a strategy to unify web, cloud services and private application access from a single vendor’s integrated security service edge platform.

Key takeaways

Regulation will, of course, continue to be laid down as governments get wise to the importance of cybersecurity for both public and private organisations. In the meantime, CISOs will have to shift their own approaches to safeguard business continuity and unshackle growth.

The three key takeaways here, I believe, are:

• CISOs need to recognise the gaps between regulation and risk, as well as how this is influencing the decisions of insurers.
• Proactive frameworks must be developed to identify how these shortfalls could impact their own organisation.
• There needs to be targeted investment in recovery capabilities, with automation and testing tools a prerequisite for successful resilience.

There are certainly many challenges to resolve, but by collaborating and being proactive, we can help to overcome them together.

© 2024 Professional Security Magazine. All rights reserved.