Ten years ago, it was the norm for security breaches to be the sole responsibility of the chief information security officer (CISO). For this reason, the CISO role traditionally had a higher turnover rate, with many experiencing extreme burnout. But now, as data breaches make regular headlines and every organization becomes a lucrative target for cybercriminals, IT security has become a business priority, causing the full C-suite to take note.
Cybersecurity is now a business enabler, directly impacting the bottom line with emerging regulations and making it more of a priority than ever for organizations. In fact, according to the SEC’s updated guidelines that went into effect at the end of last year, public companies now have four business days to report a cybersecurity breach that may impact an organization’s bottom line to the SEC. This means that CFOs and CISOs will have to work together to ensure breaches are disclosed on 10-K and 20-F forms.
Security is about more than just a single moment in time. To keep up with today’s expanding attack surface and sophisticated threats, organizations must get proactive and create a culture of security that promotes a company-wide, always-on approach to assessing risks and defending against them. We’ve seen this evolution with financial and budget decisions, which each department now oversees, rather than leaving full responsibility to the CFO. Given the number of pathways that lead to a security incident, the culpability can no longer fall solely to the CISO — every department needs to have accountability. Here’s where organizations can start to foster such a proactive, company-wide approach to security that takes this into account:
Understand the threats of today
In today’s connected world, a company’s total number of attack surfaces and overall digital footprint continues to expand, giving adversaries many pathways to gain entry to networks and environments. As emerging technologies like artificial intelligence (AI) continue to infiltrate enterprises, the threat landscape gets even more complex — making it more challenging for cyber defenders to protect the business. In fact, a recent study found that 75% of security professionals witnessed an increase in attacks over the past 12 months, with an astonishing 85% attributing this rise to bad actors using generative AI.
In addition to the prevalent threat of generative AI, software supply chain security breaches are becoming increasingly alarming for many organizations, as attacks like MOVEit and Log4j resulted in millions of affected individuals and devices. These attacks are particularly concerning as it’s more difficult to understand what risks are brought in through third-party vendors.
While external network risks rise, internal networks are even worse. A NetSPI report found that internal networks have nearly three times more exploitable vulnerabilities than external networks and that web applications have a higher prevalence of high and critical vulnerabilities compared to mobile and thick applications. Internal network vulnerabilities are further put at risk with generative AI technology.
The expansion of the attack surface has also turned cybersecurity into an ‘all-hands-on-deck’ issue. Where the CISO used to be the sole head of cybersecurity, organizations now need a more holistic approach supported by the entire executive level. For example, CEOs and boards need to ensure the organization prioritizes security, CFOs need to ensure they are properly budgeting for security, and CIOs need to communicate with CISOs so the security team knows what applications are used that could pose a security risk.
Foster a security-first culture from the top down
Security needs a holistic, proactive approach that involves the entire company doing its part to keep up with today’s security demands — from the CEO and CISO, down to the temporary intern and third-party vendors.
With internal network vulnerabilities and web applications at the forefront of cyber professionals’ minds, developers and IT personnel must also consider keeping cybersecurity in mind during the development cycle. ‘Shifting left’ is not a new concept, but shifting security left is still a work in progress. However, as more and more internal network vulnerabilities crop up, it’s clear that application developers and security professionals need to communicate and collaborate to ensure end-to-end security.
But security needs to go further than just creating and securing applications. Today, all employees and customers must have some cybersecurity knowledge.
It only takes one employee to bring the whole system crashing down — reinforcing my earlier statement that an entire employee base needs to make security their responsibility, not just leave it up to their manager or CISO — making employee training critical. Employees should be trained from their first day to practice basic security hygiene and recognize phishing attempts; from there, training sessions should be regular and build off of the initial curriculum covered on day one. Training might not always prevent negligence, but it acts as an additional line of defense in the security arsenal, especially when done consistently.
Additionally, organizations should provide cybersecurity training for their customers, or at the very least, ensure customers are informed about data breach procedures. While a customer falling for a phishing attempt won’t cause a company-wide data breach, organizations can still suffer reputational damage if a customer believes they are responsible for data theft. Providing customers with an organization’s data breach policies can prevent customers from falling for branded phishing or vishing attacks.
Going beyond the people, cybersecurity itself also needs a holistic and continuous approach. Even experts make mistakes — it’s impossible to ensure complete security, so continually testing security systems can provide a strengthened security posture.
Cybersecurity is rapidly changing. As a result, teams are seeing an evolution from the CISO as the head security practitioner to a leader who works across departments to oversee an organization’s security program. Cybercriminals are becoming more sophisticated, threats are evolving, and the attack surface is expanding. CISOs alone cannot prevent or even anticipate all potential threats, which is why it’s critical that the whole organization, as well as external partners, work towards creating a secure future.
https://www.securitymagazine.com/articles/100626-cisos-arent-scapegoats-fostering-a-security-first-culture