How CISOs can better defend their organizations against cyberthreats

More chief information security officers are modifying their security strategy from one of prevention to one of detection and response, according to a Forbes Insights report released Wednesday.

How CISOs can gain a better understanding of their cybersecurity attack surface: at RSA 2019, Emily Heath of United Airlines explained the top security challenges businesses face.

Chief information security officers face a range of challenges, obstacles, goals, and initiatives when dealing with cybersecurity issues and protecting their organizations against cyberattacks. One key question CISOs must grapple with is how to allocate limited staff, budget, and other resources to meet the ever-growing array of cyberthreats.

In a survey of more than 200 chief information security officers conducted by Forbes Media, 84% believe that the risks of cyberattacks will increase in the foreseeable future, while 21% feel that the capabilities of cyberattackers are growing faster than the ability of their organizations to fend them off. In short, security professionals see themselves and their organizations as falling behind in their effort to thwart cyberattacks.

SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)

Cybercriminals target different types of information and assets held by organizations. Among the respondents, 36% cited brand and customer data as the highest priority and the greatest concern in terms of the information they need to protect. Some 20% pointed to intellectual property as an area of concern for cyberattacks, while 16% mentioned downtime due to Denial-of-Service (DoS) attacks, 15% referred to financial assets, and 12% noted sensitive internal communications and personally identifiable information.

Organizations also face a range of threats and risks from cybercriminals. Malware attacks were cited as the most worrisome threat by 17% of the respondents. Internet of Things (IoT)-based attacks, phishing, ransomware, cryptojacking, DoS attacks, zero-day exploits, and SQL injection attacks also made the list as some of the top fears among CISOs.

As one example, IoT botnets can infect a range of systems, including key endpoints like medical devices in a hospital or switches in a power plant, says the report. One variant called VPNFilter can monitor protocols and steal website credentials. This botnet also contains a kill switch that can destroy a host device and introduce a cyber weapon into a network.

CISOs face various challenges trying to protect their organizations and fend off cyberthreats. The biggest constraint described in the report was the lack of an adequate security budget, cited by 18% of respondents. The lack of support from senior management, the lack of cooperation by employees, the lack of cyber training for non-IT employees, and a shortage of skilled cybersecurity workers were also mentioned as major challenges.

One constraint that was cited as having a huge impact was the lack of a central cybersecurity strategy. Those who pointed to the lack of a strategy as an issue were more concerned about the capabilities of cyberattackers, less confident in the ability of their organizations to respond to threats, and more apt to believe that a shortage of qualified cybersecurity workers affected their ability to execute strategic cybersecurity initiatives.

SEE: 10 ways to raise your users' cybersecurity IQ (free PDF) (TechRepublic)

There is a growing realization that organizations simply cannot fend off every cyberthreat, and that some breaches are inevitable. With that thought in mind, many CISOs said they believe that their limited resources would be better spent managing priorities and sharpening their detection and response tactics rather than trying to prevent every attack. And to help, respondents are looking more to artificial intelligence (AI).

The security leaders surveyed said they want to better integrate security into their network operations, and that they want analytics to provide visibility into traffic across the network, including insider activity, to help them detect and investigate anomalous behavior.

"AI is essential for us to be able to respond quickly enough to attacks," Dawn Cappelli, vice president of global security and CISO at Rockwell Automation, told Forbes Media. "When you look at how quickly WannaCry and NotPetya spread across networks, it was incredible. There was no way a human could respond quickly enough to shut that down. It has to be technology—machine learning and AI technologies—that shuts the threat down."

The CISOs surveyed expressed a range of initiatives they have in mind to better respond to cyberthreats. For the coming year, 14% of the respondents said they want to hire more cybersecurity staff, 14% want to create a culture of security, 13% would like better security training for employees, 12% want better threat forensics, and 10% want to improve the expertise of security management.

The lack of a qualified cybersecurity staff creates several obstacles, according to the respondents, including an inability to execute strategic cybersecurity initiatives, an inability to train employees in security practices, difficulty keeping up with new security challenges, difficulty qualifying and managing security vendors, an inability to detect breaches after they've occurred, and an inability to respond to breaches.

Tips for CISOs

In evaluating the feedback from the respondents, Forbes Insights came up with the following action items and recommendations for CISOs to better protect their organizations against cyberthreats:

  • Focus on protecting the brand and its reputation, and on intellectual property. These are the core targets of most malicious actors and the most important assets in the CISO's care.
  • Make the business case for the CISO's budget. Threats are only escalating, and resources must be maximized. Ask senior leadership to consider the cost in increased budget versus prospective loss. The average cost of breaches in the U.S. is $7.9 million.
  • Automate your resources as much as possible. Your security staff will continue to be limited to tactical aspects unless automation takes on some of the more repetitive functions, allowing your employees to adopt a more strategic and effective security stance.
  • Move more resources from prevention to detection and response. Don't just rely on defense, but also focus on deploying detection and response tactics and technologies.
  • Be sure you are focusing on your people. This means employee training, education, understanding, and the building of a culture of security awareness.

Image: Technician works on a laptop in a data center (iStockphoto/EvgeniyShkolenko)