Interviews

Safe road ahead

by Mark Rowe

David Higgins, EMEA Technical Director at the cyber firm CyberArk, discusses how CISOs can build cyber resilience.

CISOs, security leaders and their teams have demonstrated a huge amount of resilience throughout this time of unprecedented pandemic upheaval. Even as companies look ahead towards brighter skies, the notion of resilience will remain front-of-mind as business leaders grapple with challenging questions around how their cybersecurity operations evolve, even as the crisis begins to pass, and how they can keep cybersecurity at the forefront of business-level discussions.

In seeking to address these questions and incorporate some of the great innovations that have emerged in the face of adversity, there are a number of key themes we can expect to shape the evolving role of the CISO right across the industry:

Reimagining the way we work

The pandemic has tested our vision for distributed work beyond anything we could have imagined. Remote teams have shown themselves to be incredibly resilient in continually rising to the challenge of blending their home and work lives.

Now though, CISOs have a unique opportunity to provide the strategic insights and direction needed to sustain and enhance remote and hybrid work models as many regions of the world start to transition out of lockdown. We’re likely to see many move away from legacy approaches, and prioritise the implementation of new digital security strategies and user-friendly tools and policies, to securely empower workers.

A Zero Trust mindset

There’s a broad consensus amongst CISOs that the complexity of today’s cybersecurity challenges demands a ‘trust nothing, verify everything’ approach – otherwise known as a Zero Trust mindset.

While this method repositions the security perimeter around individual identities, ensuring that everyone and every device granted access is who and what they say they are, it isn’t a one-size-fits-all approach. In fact, the best place for CISOs to start with Zero Trust is to identify their organisation’s greatest security risks, address them, and then extend controls to new, less critical areas over time. It’s also equally important to work alongside IT and end users to ensure they both understand and adopt this new model.

Thinking like an attacker provides an edge

Threat actors will always find new and innovative ways to penetrate networks, steal data and disrupt business – it’s not a question of if, but when. The trick is to adopt an ‘assume breach’ mindset to help detect and isolate adversaries before they traverse a network and inflict damage.

Doing so means getting into the mindset of an attacker, something which can give CISOs the edge they need to stay one step ahead. Assuming any identity in the network has already been compromised means security teams can anticipate an attacker’s next move, minimise impact and stop threats before they reach valuable assets and cause harm.

Retrospectives can optimise response strategies

Sophisticated cyber intrusions, such as the SolarWinds digital supply chain attack, prompted many CISOs to re-evaluate their risk tolerance levels, cybersecurity and risk management efforts, together with areas of ongoing vulnerability. Alongside this, companies have been urged to update their incident response strategy, using frameworks such as NIST to guide them.

If organisations are attacked, retrospectives should be used as part of their learning to further optimise incident response strategies and build resilience. For example, questions raised should move from “how were we compromised or breached?” to “how can we stop it next time?”.

Quantifying risk

Recent headline-grabbing attacks have made cybersecurity a regular boardroom discussion and business imperative. It’s the CISO’s responsibility to make sure cybersecurity remains at the top of the agenda, even when news cycles are quieter.

To do this successfully, it is critical for CISOs to quantify risk, resulting in mitigating actions in financial terms, and demonstrate how the cybersecurity programme will link to business objectives. Industry frameworks can also help CISOs demystify cybersecurity and bridge communication gaps with Boards and Executive Management.

Communicating value

Communication doesn’t stop at discussions with the board. In fact, today’s CISOs need to effectively articulate cybersecurity’s value proposition to customers, partners and also internal stakeholders. With digital supply chain attacks under scrutiny, the need to build trust by way of transparency has never been greater. The power of empathetic communication cannot be overstated here.

The good news is CISOs no longer have to shoulder the communication burden alone. By actively collaborating with IT security teams, CISOs can strengthen their message to various audiences and break down any siloes that have developed.

The new heroes of digital transformation

These important themes are helping to shape the expanding role of our CISOs and security leaders, and highlight their important role as strategic advisors on digital transformation initiatives from the very beginning. Their input is enabling innovation to move faster, with greater protection in place.

However, for this to happen, security heads must proactively embrace an advisory position, offering guidance and strategy to key stakeholders straight away. To this end, CISOs should seek partners, both within the organisation and via external public and private partnerships, which will boost their advisory capacity, facilitate information sharing and accelerate the shift to the next stage of cyber resiliency.

The road ahead will be fraught with cyberattacks, more sophisticated attack vectors and methods, and ever power-hungry cybercriminals. CISOs can make moves to ensure their organisations thrive, rather than merely survive by heeding the aforementioned advice and embracing these future trends.

Related News

Newsletter

Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing