Moving Forward: The biggest issues facing CISOs in 2020
Steve Katz became the world’s first Chief Information Security Officer (CISO) when he assumed the post at Citibank/Citigroup in 1995. He joined Citi at a time when the company had been hacked. That hack cost Citi £6 million from corporate bank accounts, a cybersecurity event of a scale that was unprecedented at the time.
Cybersecurity breaches are far more damaging now. The mere thought of quantifying their scale and damage gives many security experts sleepless nights. And why wouldn’t they be concerned? After all, the information security and risk experts at these companies are the ones holding the front line of defense against attackers.
The Chief Information Security Officer is one of the most important executives on a company’s information security team. Responsible for maintaining the company’s vision, strategy and program for adequately protecting business information, technologies and assets, a CISO’s influence reaches the entire organization.
Although the role of CISO was formally introduced in the mid-1990s, its importance has surged significantly, driven by rapid digitalization, an ever-increasing rate of digital engagement and a growing number of network endpoints. According to the Global State of Information Security Survey 2018 (GSISS), 85% of businesses worldwide have a CISO or equivalent.
Business complexity and undefined role
The threat of a cybersecurity breach is the biggest concern for businesses today. To deal with it, businesses across the world have implemented stringent information security regulations, deployed state-of-the-art security tools and tried to hire the best IT, information security and risk experts to fortify their cybersecurity framework. Companies do realize that cybersecurity risks can only be tackled when security technologies, cybersecurity experts and the parties involved in the operational lifecycle, including employees, vendor partners and clients, work together.
The rapid transition to digital platforms, the adoption of a bring-your-own-device (BYOD) culture and the increasing number of gig and part-time employees working offsite are some of the major drivers of business performance, but at the same time these factors also contribute significantly to a company’s cybersecurity risk. A greater number of employees located away from the premises, improperly authorized devices entering the company’s premises under the BYOD model, and third-party vendor partners and clients accessing enterprise systems from their own devices can unintentionally open a small window for attackers to introduce anomalies into the enterprise’s IT infrastructure or gain access to enterprise systems.
All of this has led to an increased need for continuous monitoring, protection and rapid remediation of cybersecurity risks, and has widened the scope of a CISO’s responsibilities: the CISO has to ensure that a company’s data, assets, technologies and processes are always protected.
What risks did the CISOs face in 2019?
The risks faced by CISOs are no longer confined to the IT side of the business but extend to processes, information security, customer privacy and much more. The increasing number of data breaches and their severe magnitude, together with growing concern about privacy among customers, have made the situation very grave. Some of the risks that CISOs faced in 2019 are as follows:
Cybersecurity skills and staffing shortage
In the Enterprise Strategy Group’s survey, 53% of respondents reported that their organization faced a problematic shortage of cybersecurity skills in 2018-2019. This brings forth a fundamental issue that hampers businesses from mounting a strong defense against cyber threats. As attackers get craftier, companies need security personnel with adequate skills and knowledge to tackle different types of cyber threats. Knowledge of new systems and their associated risks is not the only requirement for good security personnel; a good understanding of on-premises legacy data processing systems is also of the utmost importance, as several businesses continue to maintain legacy systems that run outdated technology and are more prone to attack.
According to Ash Ahuja, Gartner’s CISO in Residence and Coach and VP Leadership Partner for Cyber Security & Risk Management, only a small number of CISOs have succeeded in aligning the cybersecurity function with their organizational strategy. Many CISOs find it difficult to align their cybersecurity framework with the organization’s mission, which keeps them from properly gauging the requirements of the business and the amount of risk the business can accommodate. Several business processes involve steps that conflict with cybersecurity rules, a major concern for CISOs as they struggle to make their company’s IT infrastructure impermeable.
Growing instances of cyberattacks and increasing privacy concerns among consumers and governments have driven demand for more stringent data protection regulations. In addition to meeting the incumbent regulations, CISOs have also reported growing concern about newly proposed laws that are extremely stringent and could give them a hard time.
Cloud security and access management
With more and more processes moving to the cloud and the expansion of network endpoints, managing the security of cloud infrastructure and strengthening identity and access management continued to count among the critical concerns for CISOs in 2019.
Choosing the right technology and dealing with data
As the market continues to see a heavy influx of emerging technologies like machine learning, artificial intelligence, automation and orchestration, CISOs face a new dilemma: determining the right kind of technology solution that will align with business requirements. Although still at an early stage, these disruptive technologies have proved their capabilities time and again. At the same time, these technologies could wreak havoc in the wrong hands. So CISOs have to be very cautious and seek expert IT advice before selecting a technology that is good enough to protect data and processes while improving operational performance.
Classification of data
Companies collect consumer data from different sources through a range of online and offline initiatives. All of this adds to the huge pool of data that the organization generates while conducting its daily business, and a higher volume of stored data requires increased monitoring. Companies are struggling to put in place a strong data governance practice that focuses their monitoring efforts on critical data rather than wasting effort on data that is not needed.
Principle of security within an organization
Most cyberattacks come to fruition because of the negligence of a company’s internal staff. Unless employees, including senior management, follow basic security protocols, a company cannot be protected against cyber threats no matter what cutting-edge technologies it puts in place. The JP Morgan Chase hack is a classic example of how a single uninformed or under-informed individual’s mistake can enable a cyberattack and result in massive losses. Educating individuals about the ways in which they can prevent a data breach continued to be of critical importance in 2019.
Challenges for CISOs in 2020
According to a recent report by Fortinet, around 50% of CISOs named hackers as the top threat for 2020, as cybercrime continues to increase and evolve. Distributed denial-of-service (DDoS) attacks, spyware and malware have been cited as the top three types of cyberattack that CISOs expect to face as they head into 2020.
Furthermore, CISOs are also concerned about the expanding attack surface as companies move to cloud systems, extend their IT networks with more portable and offsite devices, and adopt software-defined networking and IoT devices. These give attackers more entry points and enlarge the magnitude of an attack, so more complex strategies are required to tackle attacks executed on different fronts, which makes remediation more complex and time-consuming.
The shortage of highly skilled cybersecurity personnel will continue to be a pain point for CISOs in 2020.
They will also have to brace for more stringent data protection rules like the European Union’s GDPR or the upcoming California Consumer Privacy Act, which is set to come into effect in January 2020.
Moreover, continuous and fast-paced technological advancement will keep CISOs on their toes, on the lookout for more sophisticated security tools that can effectively combat even the most advanced breaches.