Over the past two years, chief information security officers have had to face an increasingly hostile cybersecurity landscape, with cyberattacks continuing to rise in volume, velocity, and sophistication—a situation aggravated by the borderless IT environment many CISOs find themselves working in.
What are CISOs doing to deal with the cybersecurity challenges facing them every day? They’re focusing on strategies aimed at steeling their organizations against losses caused by cyberattacks, and bolstering cybersecurity’s position as a contributor to their company’s bottom line.
These strategies have come to light over the past year in a series of podcasts Rob Aragao and I have produced called Reimagining Cyber. Here are nine of those strategies, based on interviews with CISOs and cyber pros.
1. Implement a solid cybersecurity foundation
Without a solid foundation, your other cybersecurity investments will be undermined. CISOs like to build their foundations on popular frameworks, such as the NIST Cybersecurity Framework, ISO/IEC 27002, and the SANS CIS Controls. The frameworks can be used to address fundamentals, which include asset management, password management, configuration controls, vulnerability management, patching, threat detection and prevention, user security awareness, and security reporting.
Any foundation must also embrace the fact that most employees of an organization won’t be working in secure, controlled office environments anymore. As a result, adversaries will have more opportunities to work their mischief as use of online services, e-commerce, and videoconferencing increases and hybrid work-from-home scenarios become more commonplace. What that means is that any cybersecurity controls chosen by a CISO must offer always-on, multi-layered, adaptive protection against existing and emerging threats. The security controls must also be continuously updated based on global threat intelligence and past attack history.
2. Protect the data tsunami
The total amount of data created globally is increasing at a mind-boggling pace. Between 2020 and 2025 alone, global data creation is expected to nearly triple, to 180 zettabytes from 64.2 zettabytes, according to Statista.
With this figurative tsunami of information comes a need to protect more and more of it. Data that we think of as confidential—once limited to things such as user IDs and credit card numbers—has exploded to include all the data that is powering an organization’s digital transformation—financial data, customer information, health and education records, and mobile and geographic location details about where customers are and what they’re doing.
To properly protect an organization’s data, CISOs need to identify and classify sensitive data. Otherwise any developer with a credit card can spin up a workload in AWS, upload data for testing, and misconfigure blob storage, creating a scenario ripe for a devastating security incident.
3. Secure cloud infrastructures
Movement to the public cloud and to cloud-native resources was well under way before the pandemic—the pandemic just accelerated it. There’s no going back now.
Organizations are beginning to recognize that, especially as they move from consumption models based on infrastructure as a service (IaaS) to platform as a service (PaaS) and as they recognize the ramifications of the shared-responsibility model used by cloud service providers. Businesses are realizing that shared responsibility means sole responsibility as far as their data and applications are concerned. After all, if they lose their data and apps, they’ll be the ones out of business, not the cloud service provider.
This essentially means that CISOs need to rethink their security policies to secure cloud infrastructures. They are likely faced with a hybrid environment—on-premises infrastructure mixed with IaaS, PaaS, and SaaS. Even if their organization has a cloud-first strategy, it takes time to make the transition. CISOs must deploy new technologies, holistic processes, and comprehensive governance models that provide visibility into the cloud instances and help secure the cloud infrastructure.
4. Leverage innovative, integrated solutions
The sheer volume and velocity of cyberattacks today are too much for cybersecurity analysts to handle alone. For example, experts expect a cyberattack to be launched on a business every 11 seconds this year. To cope with the wave of cyberattacks against their businesses, CISOs are changing their security controls to address the evolving threat landscape and turning to advanced technologies.
However, too much technology can be a bad thing, so CISOs are trying to keep cybersecurity tool sprawl under control to reduce inefficiencies and the need for operational support.
Many security programs have a tool smorgasbord that can impact their ability to effectively respond to threats and support business needs while creating inefficient workflows and higher overall costs. The problem is exacerbated by a shortage of skilled cybersecurity talent, which forces programs to try to do more with less.
CISOs are looking to innovative technologies to enable them to consolidate tools, streamline workflows, and improve process efficiencies. Those technologies include security orchestration and automated response (SOAR), application of artificial intelligence including machine and deep learning, extended detection and response (XDR), and security analytics. The hope is that these innovative solutions will improve process productivity while enabling organizations to reduce complexity and gain speed and scalability to detect bad actors quickly.
5. Shift to a zero-trust architecture
Remote work is here to stay, and the concept of securing a perimeter has essentially gone the way of the ivory-billed woodpecker. For business continuity, organizations must enable employees to access mission-critical assets wherever they are located. Employees are probably accessing these resources from personal or shared devices and unsecured networks.
CISOs need to think strategically and implement borderless security based on a zero-trust architecture. ZTA requires that organizations always verify and never trust with respect to data, employees, networks, and devices.
To do that, CISOs need full visibility into connected devices and endpoints in the enterprise. They must also have updated intelligence on what data is produced by connected devices, who is connecting to company networks and from where, what they are accessing, and whether they are authorized to access it.
6. Position cybersecurity as a business accelerator
Executives frequently view their technology investments as accelerators for their business. In contrast, cybersecurity is sometimes viewed as a drag, slowing down initiatives. Modern CISOs are changing this perception by building security into all business processes—particularly software development—to accelerate business and enable faster responses to customer needs and new data-driven opportunities.
Security is like brakes on a car. Most people will tell you that brakes make the car go slower. But it’s just the opposite. Brakes allow you to drive faster. The better the brakes, the faster you can go.