CISOs Under Pressure: Protecting Sensitive Information in an Era of High Employee Turnover – Help Net Security

In this interview with Help Net Security, Charles (Chuck) Brooks, adjunct professor in the Applied Intelligence Program and Graduate Cybersecurity Programs at Georgetown University, discusses how zero trust principles, identity and access management and managed security services are fundamentals for effective cybersecurity, and how the adoption of new technologies such as artificial intelligence, machine learning and tracking tools can improve supply chain security.

CISO management strategy

CISOs believe they have adequate data protection measures in place, but many have faced loss of sensitive data over the past year. How can this apparent contradiction be reconciled?

Data loss despite protective measures is not that surprising. We’re all playing catch-up in cybersecurity. The Internet was invented in a government lab and later commercialized to the private sector. Hardware, software and networks were originally designed for open communication. Cybersecurity was not initially a major consideration. That mindset has certainly changed due to the explosion of internet connectivity and commerce, and CISOs are also playing a big game of catch-up.

There are a multitude of causes that can explain the exfiltration of sensitive data. The first is that adversarial hackers have become more sophisticated and capable of hacking. The basic tools and tactics used by hackers for exploitation include malware, social engineering, phishing (the simplest and most common, especially spear-phishing aimed at corporate executives), ransomware, insider threats, and DDoS attacks. Furthermore, they often use advanced and automated hacking tools shared on the dark web, including AI and ML tools used to attack and explore victims’ networks. It’s not that easy for CISOs to defend against that ever-changing chest of hacker weapons.

Another important factor is that exponential digital connectivity driven by the COVID-19 pandemic has changed the security paradigm. Many employees now work from hybrid and remote offices. There is more attack surface to protect with less visibility and controls in place for the CISO. Therefore, it is logical to conclude that the most sensitive data is and will be exposed to hackers.

The notion of adequate protection is a misnomer as threats are constantly transforming. All it takes is clever phishing, misconfiguration, or a failure to patch in a timely manner for a gap to provide an opportunity for a breach. Finally, many CISOs have had to operate with limited budgets and skilled IT staff. Perhaps they have lower expectations of the level of security they can achieve under the circumstances.

As the economic downturn puts pressure on security budgets, how can CISOs optimize their resources to manage cybersecurity risks effectively?

CISOs must implement a prudent risk management strategy based on their industry and the scale they may follow to enable them to best optimize resources. A good risk management strategy will develop a vulnerability picture that identifies digital assets and data to protect. A risk assessment can quickly identify and prioritize cyber vulnerabilities so solutions can be immediately implemented to protect critical assets from malicious cyber actors, immediately improving overall operational cyber security. This includes protecting and backing up business systems such as financial systems, email exchange servers, HR and procurement systems with new security tools (encryption, information and threat detection, firewalls, etc.) and policies.

There are measures in a vulnerability framework that are not cost-prohibitive. Such measures may include requiring strong passwords for employees and requiring multi-factor authentication. Firewalls can be configured and CISOs can make plans to segment their most sensitive data. Encryption software can also be convenient. Using cloud and hybrid clouds enables dynamic policy enforcement, faster encryption, reduces costs, and provides more transparency for access control (reducing insider threats). A good cloud provider can provide some of these security controls at a reasonable cost. Clouds aren’t inherently risky, but CISOs and enterprises alike will need to recognize that they need to carefully evaluate vendor policies and capabilities to protect their vital data.

And if a CISO is responsible for protecting a small or medium-sized business without a deep IT and cybersecurity team under them, and is wary of cloud management and costs, they may also consider external managed security services.

How can organizations better safeguard their sensitive information during high employee turnover?

This goes to the essence of the zero trust strategy. Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that shift defenses from network-based static perimeters to focus on users, assets, and resources. Organizations need to know everything connected to the network, devices and people.

Identity access management, or IAM, is very important. IAM is the label used for the set of technologies and policies that control who accesses which resources within a system. A CISO must determine and know who has access to what data and why. If an employee leaves, you must revoke privileges immediately and ensure that nothing sensitive has been removed from the organization. There are many good IAM tools available from vendors in the market.

Certainly, with employee turnover, there are elements of ethics and trust involved. Insider threats from employees are difficult to detect and manage. Some of these can be addressed up front in employment contracts; when employees understand the legal parameters involved, they are less likely to get away with sensitive data.
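An illustration of the "know who has access to what, and revoke immediately when someone leaves" point above, as an added example that is not part of the interview and not any vendor's product: a Python script that reconciles a constructed HR roster against constructed IAM account records and flags four conditions that matter during high turnover: enabled accounts of terminated staff, activity recorded after a termination date (a signal that data may have been removed), orphaned accounts with no HR owner, and dormant privileged accounts. The record fields, the "admin" role-name marker and the 90-day dormancy window are assumptions; a real deployment would pull the roster from the HR system of record and the account list from the IAM provider's API.

```python
"""Offboarding reconciliation: HR roster vs. IAM accounts (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Employee:
    user_id: str
    status: str                       # "active" or "terminated" (assumed HR vocabulary)
    termination_date: Optional[date] = None


@dataclass
class IamAccount:
    user_id: str
    enabled: bool
    roles: List[str]
    last_activity: Optional[date]     # None means no activity ever recorded


@dataclass
class Finding:
    kind: str        # "revoke", "post_termination_activity", "orphan", "dormant_privileged"
    user_id: str
    detail: str


# Assumption: a role whose name contains one of these markers is privileged.
PRIVILEGED_MARKERS = ("admin",)
# Assumption: a privileged account unused for this long should be reviewed.
DORMANT_AFTER_DAYS = 90

# Constructed sample data for the example; not real people or accounts.
HR_ROSTER = [
    Employee("alice", "active"),
    Employee("bob", "terminated", date(2024, 3, 1)),
    Employee("carol", "terminated", date(2024, 3, 10)),
    Employee("dave", "active"),
]
IAM_ACCOUNTS = [
    IamAccount("alice", True, ["developer"], date(2024, 3, 14)),
    IamAccount("bob", True, ["finance-admin"], date(2024, 3, 5)),   # left 1 Mar, still active
    IamAccount("carol", False, ["hr-readonly"], date(2024, 3, 9)),  # correctly disabled
    IamAccount("dave", True, ["domain-admin"], date(2023, 11, 1)),  # privileged but unused
    IamAccount("eve", True, ["developer"], date(2024, 3, 12)),      # no HR record at all
]


def is_privileged(roles: List[str]) -> bool:
    """True if any role name carries a privileged marker (case-insensitive)."""
    return any(marker in role.lower() for role in roles for marker in PRIVILEGED_MARKERS)


def reconcile(roster: List[Employee], accounts: List[IamAccount], today: date,
              dormant_after_days: int = DORMANT_AFTER_DAYS) -> List[Finding]:
    """Compare every IAM account against the HR roster and return actionable findings."""
    by_id = {e.user_id: e for e in roster}
    dormant_cutoff = today - timedelta(days=dormant_after_days)
    findings: List[Finding] = []

    for acct in accounts:
        emp = by_id.get(acct.user_id)

        # Account with no HR owner: nobody is accountable for it, so disable and investigate.
        if emp is None:
            findings.append(Finding("orphan", acct.user_id,
                                    "no HR record for this account; disable and investigate owner"))
            continue

        if emp.status == "terminated":
            # Privileges must go the day the person leaves, whatever their roles were.
            if acct.enabled:
                findings.append(Finding("revoke", acct.user_id,
                                        f"still enabled with roles {acct.roles}; "
                                        f"terminated {emp.termination_date}"))
            # Any activity after the termination date deserves a data-removal review.
            if (acct.last_activity is not None and emp.termination_date is not None
                    and acct.last_activity > emp.termination_date):
                findings.append(Finding("post_termination_activity", acct.user_id,
                                        f"activity on {acct.last_activity} after termination "
                                        f"on {emp.termination_date}; check for exfiltration"))
            continue

        # Active staff: flag privileged accounts that nobody has used in a long time.
        if acct.enabled and is_privileged(acct.roles) and (
                acct.last_activity is None or acct.last_activity < dormant_cutoff):
            findings.append(Finding("dormant_privileged", acct.user_id,
                                    f"privileged roles {acct.roles} unused since "
                                    f"{acct.last_activity}; confirm still needed"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, IAM_ACCOUNTS, today=date(2024, 3, 15)):
        print(f"{f.kind:26} {f.user_id:8} {f.detail}")
```

Run against the constructed data on 15 March 2024, the script flags bob for both revocation and post-termination activity, eve as an orphan, and dave's unused domain-admin role, while alice and the already-disabled carol produce nothing. The same loop works unchanged against exported CSV or API listings once the two record types are populated from real sources.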

We have seen an increase in CISO burnout and concerns about personal responsibility.

Yes, burnout is a direct result of CISOs having too many responsibilities, too little budget, and too few workers to run operations and help mitigate growing cyber threats. Now personal liability factors, exemplified by the SolarWinds CISO class action suit and the Uber CISO lawsuit for obscuring ransomware payments, have increased the risk. In an industry that already lacks the required number of cybersecurity leaders and technicians, CISOs must have not only the tools, but also the protections necessary to excel in their roles. Otherwise, burnout and liability issues will put more businesses and organizations at risk.

How do these challenges affect the overall effectiveness of CISOs in their roles and what steps can be taken to address them?

Despite the trends of increased frequency, sophistication, lethality, and liability associated with raids, industry management has been largely unprepared and slow to act to become more cyber-secure. A Gartner survey found that 88% of boards of directors (Boards) view cybersecurity as a business risk rather than a technology risk, and that only 12% of Boards have a dedicated board-level cybersecurity committee.

It’s time for executives outside IT to take responsibility for keeping the business safe, said Paul Proctor, research manager for risk and security. The influx of ransomware and supply chain attacks observed throughout 2021, many of them targeting operational and mission-critical environments, should be a wake-up call that security is a business concern and not just another problem to solve for IT.

CISOs not only need a seat at the C-Suite table, they also need insurance protections comparable to other executive leaders that limit their personal liability. There is no panacea for perfect cybersecurity. Breaches can happen to any business or person in our precarious digital landscape. It’s not fair or good business for the CISO to do this himself. In this context, cybersecurity should no longer be seen as a cost item for companies or organizations. It has become an ROI that can ensure business continuity and protect your reputation. Investment in company and CISO compensation and required portfolio of duties must be a priority for the future.

As supply chain risk continues to be a recurring priority, how can CISOs better manage this aspect of their cybersecurity strategies, especially with limited budgets?

Ensuring that the supply chain is not violated, including the elements of design, manufacturing, production, distribution, installation, operation and maintenance, is a challenge for all companies. Cyber attackers will always look for the weakest entry point, and mitigating third-party risk is critical to cybersecurity. Supply chain cyberattacks can be perpetrated by nation-state adversaries, espionage operators, criminals or hacktivists.

CISOs require visibility of all suppliers in the supply chain along with defined policies and monitoring. NIST, a non-regulatory agency of the US Department of Commerce, has suggested a framework for supply chain security that provides robust guidance from both government and industry.

NIST recommends:

  • Identify, establish, and evaluate IT supply chain risk management processes and gain stakeholder agreement
  • Identify, prioritize, and evaluate vendors and third-party vendor partners
  • Develop contracts with third-party suppliers and partners to meet your organization’s supply chain risk management goals
  • Evaluate third-party vendors and partners regularly using audits, test results, and other forms of evaluation
  • Comprehensive testing to ensure vendors and third-party vendors are able to respond and recover from service disruption

Other mitigation efforts can be made with the acquisition of new technologies that monitor, alert and analyze activities in the supply chain. AI and machine learning tools can provide visibility and predictive analytics, while shorthand and watermark technologies can provide product and software tracking.
