“Hats off to the CISOs!”
These were the opening remarks Senior Principal Analyst and ESG Fellow Jon Oltsik used to greet the participants of our recent CISO Think Tank virtual event, a recognition appropriate for today’s security leaders who have faced extreme challenges and adversity over the past year alone due to COVID-19, not to mention the never-ending onslaught of ransomware attacks.
The threat landscape has expanded, the number of threat actors and their persistence have increased to unprecedented levels, and the skills shortage has worsened. Not only do we lack the individuals to fill security positions, but we also don’t have the proper skills to meet our adversaries head-on.
Kicking off our virtual roundtable to discuss such challenges, Jon led a group of security executives into a deep dive on their priorities, concerns, and expert knowledge surrounding today’s security threats. We had a lively discussion with CISOs on the front lines as they considered what effort it takes for organizations to combat the cyber risks plaguing industries today. Here’s what’s top of mind for today’s CISOs.
The Evolution of Security Operations
The stakes have always been high in the security industry, but we’re now seeing a deeper focus on analysis and metrics that push for proactive measures when it comes to protecting an organization’s environment. With ransomware attacks increasing exponentially in the past year, the attention of board members, executives, and employees not usually associated with security efforts are now bringing cyber initiatives to the forefront of business operations.
Don’t Neglect the Basics
Too often the fundamentals of cyber hygiene don’t get the attention they deserve. Organizations are becoming inundated with new and innovative cyber tools entering the market, but it is crucial they take the time to determine exactly what their environments need before adding another product to their toolsets. Without this scrutiny, organizations will be blind to how their network is failing in the most rudimentary ways, alert fatigue will increase, and security professionals will continue to stay one step behind the next attack.
Identify Risk – And Help Out Those Who Don’t
As cybersecurity professionals, we’re used to looking at the world through a risk-based lens, but not all of our colleagues across the organization think this way. However, you need to understand both your environment and business and work with leaders around the organization to properly identify and categorize risk. This starts with a solid governance model that brings together business owners, senior leaders, and the security team to analyze the biggest risks to an organization. The whole leadership team should understand and be able to identify potential risks and the potential business impact. Security is a team sport.
Zero Trust Collaboration
Implementing a Zero Trust security model will look different for each organization. As two business partners begin to work together, it’s important to discuss exactly what such a model will look like to each of them by referencing the same resources that will direct them into building that type of environment. Ensuring that a conversation is started with a good frame of reference around each businesses’ definition of Zero Trust will become essential to continued proactive security measures. Aspects of this conversation will need to address a single asset management system (where single sign-on and multi-factor authentication is required for all employees) and a focus not only on people, but the devices that are connected to an organization’s network.
Today’s increasingly complex technology ecosystem is driving demand for extended detection and response (XDR) from larger companies that have on-premises data centers. Prioritizing an open, vendor-agnostic approach to XDR, known as Open XDR, will allow for deep integration across best-of-breed tools from a diverse set of vendors, delivering the right combination of technology, field-validated content, and resource empowerment to increase visibility, reduce complexity, and manage risk.
We’d like to extend a sincere thank-you to all of the panelists and participants of our recent CISO Think Tank discussion. The conversation served as a timely inflection point for the fearless security leaders, as well as members of the press who joined in the dialogue.