The Star Malaysia - StarBiz

How CISOs can prevent cyberattacks

- By JACO BENADIE

Jaco Benadie is Partner, Ernst & Young Consulting Sdn Bhd. The views reflected above are the views of the author and do not necessarily reflect the views of the global EY organisation or its member firms.

LIFE, as we know it, started with the cosmic big bang around 14 billion years ago. This was the incubation point that resulted in the birth of the physical universe and human society. It all started with the formation of two core building blocks – energy and matter.

Energy and matter eventually combined as part of evolution to form atoms and eventually, atoms formed molecules. Over billions of years, stars were born, and our solar system was formed. Life started and the rest, dare I say, is history.

So, why do I use a scientific analogy and what has it got to do with digital transformation?

Phil Quade uses this analogy in his book, The Digital Big Bang, to describe the similarities between the cosmic big bang and the digital big bang. It took billions of years to create the physical world we live in but only 50 years for the explosive forces of digital speed and connectivity to completely overhaul human society.

It is a fact that combining energy and matter can have two very different impacts and therefore, needs to be managed very carefully, eg, by splitting an atom, we can generate clean and sustainable electricity from nuclear power plants but also a nuclear blast, which is devastating.

The same principle applies to the core digital building blocks of speed and connectivity. Increased digital speed and connectivity realises exponential benefits to human society and naturally, every business wants to use this as an enabler to become more successful, efficient, sustainable, and of course, profitable.

Unfortunately, the need for speed and drive to connect increases cyber risk exposure that is not always taken into consideration. To seize the digital opportunities and maximise the benefits, organisations have been deploying new digital technologies at speed with little input from cybersecurity teams, which leaves these technologies at times insecure and vulnerable to cyber-attacks.

An ever-increasing connectivity landscape also ensures that cyber adversaries have access to a much larger attack surface than ever before. It is literally utopia for cyber adversaries seeking to achieve objectives ranging from cybercrime and espionage to disruption and hacktivism.

The truth is that if your systems are digital and connected in some shape or form to the Internet, you will never be able to fully secure them.

This leaves chief information security officers (CISOs) at a crossroads.

How do CISOs support and enable their businesses’ need for speed and drive to connect during times when there has been a significant rise in the number of cyber-attacks? Whilst many of these cyber-attacks could have been avoided or at least mitigated through security by design, a CISO must be seen as an enabler of rapid transformation and not a preventer or obstacle.

To do this, a CISO must resolve three core challenges as per the EY Global Information Security Survey 2021 or GISS:

> The cybersecurity organisation is severely underfunded – but funding is needed more than ever. One in three respondents (36%) expects to suffer a major breach that could have been avoided through better investment.

> Regulatory fragmentation is a headache, creating additional work and resourcing problems. Half (49%) say compliance can be the most stressful part of their job, and more fragmentation is expected.

> CISOs’ relationships are weak – when strong connections are key to Security by Design. A total of 76% say colleagues do not involve them in initiatives until after the planning stage has finished.

Here are some considerations for CISOs to address the mentioned challenges:

> Reassess your alignment with the business. CISOs and their respective teams have traditionally been very strong in understanding their current state and building roadmaps to achieve targeted future states.

Now is the time to focus your attention on the areas of cybersecurity where many have been weaker in the past.

Focus on strengthening your engagement with your internal stakeholders, ensure alignment with core business goals and objectives, and assess your stakeholders’ satisfaction with the performance and delivery of security services.

> Review your talent profile – but don’t expect the impossible. CISOs require support from flexible, multi-skilled cybersecurity professionals to address not only the internal challenges, but also the challenges an increasingly sophisticated threat landscape brings.

The best approach is to build a team that balances a combination of broad disciplines, with the understanding that each member has his or her own strengths and weaknesses.

This team must be integrated across all business functions, so interpersonal skills, business acumen and technology skills must have an equal focus; and no single person will possess all these.

Don’t waste your time searching for unicorns but search for people with a passion for innovation and growth – who can also detect emerging threats and find flaws in defences.

> Shift everywhere – a new stakeholder compass. Most CISOs are very familiar with shifting their focus to involve cybersecurity from the beginning of the transformation or development lifecycle.

However, in this fast-paced digital environment, CISOs must also navigate four key stakeholder groups in equal measure – management; regulators and public policy makers; vendors, third parties, and the supply chain ecosystem; and engineers, product managers and customers.

CISOs need to be positioned at the centre of these four key stakeholder groups to achieve strategic influence.

Faced with a need for speed, drive to connect and growing cybersecurity threats, CISOs are being held back by several challenges, including budgets that are no longer fit for purpose, an outdated reputation among business partners, and the new approaches of cyber criminals.

If CISOs act now, they can become enablers of a secure, digitised future.
