Some of the biggest breaches have come down to small mistakes.
Hackers used a compromised password to access the company network via a virtual private network in the May 2021 Colonial Pipeline attack. A widely known vulnerability that hadn’t yet been patched was the entry point for the 2017 Equifax attack. And a bitcoin scam on Twitter started with spear phishing attacks on Twitter employees.
Of course, there’s no such thing as a perfect security program, but such events show that cybersecurity teams can’t afford to overlook anything.
Cybersecurity has become a board-level topic of concern, yet too often CISOs, as well as their C-suite colleagues, continue to position security as a technology issue rather than a business risk, says Niel Harper, CISO for the United Nations Office for Project Services (UNOPS) and a board member with the IT governance association ISACA.
That may seem like pure semantics, but Harper says there are indeed negative consequences when enterprise leaders view cybersecurity so narrowly.
“When they don’t see information security as a business risk, when they see it only as a technology risk, then they don’t see how it’s fully embedded into all aspects of the business,” he explains. “As a result, CISOs don’t have a full seat at the table; they don’t report to an executive and instead they’re reporting two or three layers down. And they don’t have the input into strategy at the executive level.”
Harper says he has seen CISOs turn that around by building relationships with stakeholders; they engage with them to understand their risks as well as their objectives and then show them how security plans address both those points.
The typical organization must meet multiple industry, regulatory, and legal standards in order to do business. The most well-known of those include the Payment Card Industry Data Security Standard, or PCI DSS, for organizations that process credit cards; the U.S. Health Insurance Portability and Accountability Act, or HIPAA, for anyone handling medical records; and the European Union’s General Data Protection Regulation (GDPR). There are standards and frameworks specific to security, such as ISO/IEC 27001, too.
CISOs can’t ignore the compliance standards that they must meet, but neither they nor their executive colleagues should assume that meeting required standards confirms that they’re safe and secure, Harper says.
“Compliance presents a false sense of security,” he adds. “In fact, breaches are rising despite the adherence to compliance at many organizations.”
Harper doesn’t discount the importance of compliance standards, but he says CISOs must always remember—and get others in the C-suite to understand—that such requirements aren’t dynamic and thus may not address emerging threats or accurately gauge an organization’s readiness as its circumstances (i.e., staffing, technology stack, risks) change over time.
“They’re a tick-the-box-type exercise and they don’t really give businesses a true picture of where their risks and exposures exist,” he says.
Companies are speeding up their digital transformations with moves to the cloud, more agile software development, and rapid responses to customer requirements. Not all CISOs are keeping pace and that has led to gaps in the overall enterprise security posture, according to multiple security advisors.
Enterprise teams express similar concerns. Take, for instance, the findings in GitLab’s most recent Global DevSecOps Survey, released May 2021. Some 84% of the 4,300 responding developers said they’re releasing code faster than ever before, but almost half (42%) said security testing happens too late in the process with nearly the same percentage saying it was difficult to identify and address vulnerabilities. Moreover, 37% said tracking the status of the bug fixes was challenging and 33% found remediation prioritization difficult.
“Security needs to be more agile and CISOs need to fundamentally think differently about how they approach cybersecurity,” says Tony Velleca, CISO of UST and CEO of CyberProof, a UST company.
A number of CISOs seem to be getting that message. The GitLab report found that 70% of teams have moved security considerations earlier in development, following the push to “shift left.” That’s up slightly from the prior year, when 65% said they had embedded security earlier in the process.
One of the greatest threats to a successful security program is being ensnared by “the tyranny of the urgent,” says Andrew Morrison, a principal at Deloitte and the firm’s Cyber Risk Services Strategy, Defense & Response leader.
He says CISOs and their teams can become so consumed dealing with the most immediate needs they face—even if they’re low-level issues—that they have no capacity to address strategic priorities; they spend their days chasing those minor issues that pop up instead of strengthening security for the more critical elements of the organization.
“It’s then that security stops being a program, and it’s just a tactical reaction to what’s happening. The urgent replaces what’s important,” Morrison adds.
Although challenging to extricate a security team from such a scenario, Morrison says CISOs can do so by identifying the greatest risks and focusing on counteracting those, thereby aligning security work with enterprise priorities. That in turn will allow them and their teams to become less reactive and more strategic in how they handle issues that come up. “They’re then managing events, not just reacting to them,” Morrison says.
On a similar note, Jinan Budge, a principal analyst at Forrester, says failing to prioritize stakeholder engagement can hinder the implementation of a strong security program.
“Without this, CISOs don’t know what to prioritize or how to get buy-in,” she explains. CISOs who don’t prioritize stakeholder engagement are also more likely to face resistance from their executive colleagues and possibly even see their funding for projects clipped. “CISOs may look at their strategies and think they did everything,” she says, but they won’t have a full picture of enterprise risks unless they’re working with stakeholders to co-create and co-design cybersecurity strategies alongside business strategies.
Building a great security team but failing to create a security-minded culture throughout the enterprise is a surefire way to undermine success, the experts we spoke with say.
Statistics bear that out. Verizon’s 2021 Data Breach Investigations Report found that 85% of the breaches in 2020 involved a human element.
As Om Moolchandani, CISO and head of research at the cloud tech company Accurics, puts it: “A click on one wrong link could undermine the whole CISO agenda.”
CISOs must develop effective security awareness and training programs aimed at helping all employees understand that they have a role to play in security.
“Culture is important because it’s a force multiplier for the CISO and his or her organization,” Morrison says. “Almost every attack is accomplished today through a compromised credential or some violation of personal trust—social engineering, phishing, getting a password. So, effective security has to include making everyone who is a target aware [of those risks]; it has to include making security everyone’s job.”
Similarly, CISOs who neglect their teams and the culture of their security department will quickly find that the security program suffers as a result, veteran security leaders say.
“People often think of team toxicity or poorly functioning teams as affecting the individual, but it also impacts cybersecurity posture and risk,” says Budge, whose research focuses on enabling the success of the CISO role; creating transformational cybersecurity strategies; and building security awareness, behavior, and cultural programs.
She adds: “If your team is busy fighting, if they’re calling HR, they’re not innovating, they’re not automating, they’re not thinking about the bigger picture or strategy. And that all leads to a nonfunctioning security team.”
Unhappy workers are also more likely to leave. That will likely leave CISOs not only short-staffed but facing an even more difficult time recruiting hard-to-find security experts. After all, what security worker would want to join an unhappy team when there are plenty of job opportunities out there?
That negativity seeps into the broader organization, too, she says. “It then further adds to the negative impression of security. [Other employees will think] ‘We can’t speak to them, they can’t even speak to each other.’”
If CISOs find themselves presiding over a toxic culture, they need to muster their leadership skills to implement the management and workplace strategies, such as teambuilding programs and training programs, that can put their departments on a better path, Budge says.
CISOs have their pick of a growing number of emerging technologies and processes, such as extended detection and response (XDR), behavioral analytics, threat hunting and the zero trust model. But those advanced options won’t deliver real security gains if CISOs aren’t executing perfectly on the more basic elements of a solid security program and if they haven’t tuned them all to the specific needs of their own organization.
“What we’ve seen recently when we do analyses on breaches is that there are technical loopholes or security flaws that the adversaries took advantage of,” Moolchandani says.
To be truly effective, he says, organizations need security programs that are tailored to their particular risks and most likely sources of threats. A utility, for example, is more likely to be targeted by hacktivists and nation-state actors than a small-scale retailer, while both are vulnerable to attacks of opportunity. CISOs who understand those points tailor security strategies to the organization’s particular requirements. And focusing on perfecting the basics of cybersecurity can, in Moolchandani’s words, “provide the maximum value even with the limited budgets they have.”