In my podcasts and blogs late last year, and through all of the news headlines that I read, there was one new, common theme that was emerging very rapidly: holding the C-Suite ultimately responsible for the Cybersecurity events that take place at their respective organizations.
Of course, responsibility also means accountability. To this extent, we have seen CIOs and even CISOs being terminated on the spot, or even being held financially responsible if they did indeed become an unfortunate victim.
As we move into 2019, holding the C-Suite to the highest standards will be an area that everybody will be looking at, literally through a microscope. Because of this, what is the CISO (or for that matter even the CIO) doing differently this year than they did in 2018? This question was asked in a recent survey conducted by Cisco, entitled the “2019 CISO Benchmark Study”. Here is what they found:
*There is a trend now in the increase of vendor consolidation:
The old myth was that the more you spend on different Security technologies, the more fortified you will be. But CISOs are starting to realize it is difficult to keep track of all of these tools, especially when each one of them comes from a different vendor. It is also very difficult to create a harmonious and unified reporting system (especially when it comes to alerts) for the IT Security staff with disparate equipment. To this end, many organizations are trying to reduce the total number of different vendors that they depend upon. For example:
→ In 2017, only 54% of the respondents reported using 10 or fewer vendors. In the survey for this year, this level has increased to 63%. This is actually good news, in the sense that CISOs are now becoming effective in the way they spend their IT budget, and also that the attack surface is decreasing.
*The CISO is now enforcing team collaboration across all departments of their organization:
In the past few years, securing the lines of defense was thought to be the sole responsibility of the IT department. While this is true to a certain degree, the CISO is now starting to realize that it “takes a village” in order to fully protect their company. After all, non-IT employees have a huge stake in this as well, as they have to maintain good levels of “Cyber Hygiene”, and report anything out of the ordinary. The good news is that this is now starting to happen, slowly:
→ 95% of the CISOs have reported in this survey that their IT and Networking teams are working closely together, and because of this, the average financial impact from a Cyberattacker was just below $100,000. This is the lowest reported level in years.
*There is a movement now to migrate the entire IT Infrastructure to the Cloud:
It’s true that CISOs can be resistant to change, and that it takes a very persuasive argument to make them change their way of thinking. This is especially true when it comes to the IT Infrastructure. Many CISOs have been reluctant to move their entire IT Infrastructure to the Cloud from their current “On Prem” environment. The survey found that:
→ 93% of the CISOs are making a full transition to the Cloud in 2019, and that they have more confidence than ever before that their IT Assets will be much better protected.
*CISOs are now realizing the importance of procuring Cybersecurity Insurance:
Having Cyber Insurance was once viewed simply as a line item expense, but in 2019, the CISO now views having this as just as important as having health insurance. The survey found that:
→ 40% of CISOs are now purchasing this insurance in order to further protect themselves financially in case they become a victim of a Cyberattack.
*There is now a realization that a well-rested and rewarded employee makes a productive one:
Despite all of the news we hear about the serious shortage of a skilled workforce in the Cybersecurity Industry, it is not all glamor either. People in this field (and even Cyber journalists like me) have to work long hours just to keep up. CISOs are now finally starting to realize this, as it is now dawning upon them that their employees are the critical link to keep their companies safe. The survey found that:
→ The level of the so-called “Cyber Fatigue” has decreased by 30% just this year alone.
But despite these improvements that CISOs are making, they still harbor some fears that they feel are somewhat out of their control at the moment, at least according to the survey. These are as follows:
*The use of Artificial Intelligence (AI) and Machine Learning (ML):
Back in 2018, and even today, these tools are viewed as a must-have for organizations in order to automate their Security processes and to help predict what the Cybersecurity Threat landscape will look like in the future. But there has been negativity towards this as well, as these can also be maliciously used by the Cyberattacker. The survey found that:
→ The plans for implementing AI and/or ML have decreased by well over 67%. The primary reason for this is that many CISOs still do not fully understand these tools, and that implementing them into their IT Infrastructure is still at the infancy stage.
This has been and will continue to be the biggest obstacle for Corporate America. The CISO is starting to become aware of this and is trying to implement programs to train employees on a regular basis (like once a quarter or so). The survey also found out that:
→ 51% plan to start Cybersecurity training for employees on the very first day they start work.
*Phishing still remains the number one threat vector:
Almost 60% of the CISO respondents still fear Phishing, and the aftereffects that follow from it.
*There are too many metrics in which to gauge true Cybersecurity success:
The C-Suite is always fond of getting to the point with metrics and numbers, and what it means to the bottom line. Of course, they are used to understanding all of them, but not the ones that relate to Cybersecurity. The survey also found out that:
→ One metric is now primarily being used in order to get some sort of baseline understanding of Cybersecurity success: this is the “Time to Remediate”, and it reflects how long it took the organization, overall, to respond to and contain a Cyberattack. It seems that the use of this particular metric has increased by 48% just in 2019 alone.
My thoughts on all of this?
It is finally refreshing to see that the C-Suite, especially the CISO, is now taking proactive steps to help protect their respective organizations. But of course, there are challenges that still have yet to be addressed and have been detailed in this blog. But these are only the tip of the iceberg; there will be many more as 2019 lumbers onwards.
It is important to note that it is difficult to predict these hurdles, as the Cyberattacker keeps changing their modus operandi. But as long as the CISO keeps a checklist of what needs to get done, and makes the effort to do it, that will be a huge step forward in and of itself.
I am not trying to defend the CISO, but remember, in the end, there is only so much that he or she can do. It literally takes each and every employee to remain motivated on a daily basis to help keep the companies they work for protected and secure. But as the old saying goes, leadership comes from the very top, and the employees take direction and act on that, whether it is for the positive or negative.