CISOs Adapt to an Evolving Security Landscape - InformationWeek

IT Leadership // IT Strategy | News | 4/5/2019 07:30 AM

New approaches and tactics are tried to curb incidents and lower financial losses.

Image: Maksim Kabakou - stock.adobe.com

Chief information security officers are modifying and expanding their security strategies to address emerging threats, finds the recently released Cisco 2019 CISO Benchmark Study.

Wendy Nather, director of advisory CISOs at Duo Security, a Cisco unit, says that CISOs and their enterprises are modifying their strategies to counter new and evolving security threats.

Nearly half of the survey's respondents (47%) report that they are now using outcome-based objectives to focus their security spending. "They’re not just collecting tools, but are making sure that the results are tangible," Nather says. "In terms of strategy, the vast majority of organizations (94%) are practicing incident response at least once a year; 61% are doing it at least every six months," she notes. "These exercise drills are helping enterprises develop the skills they need to face evolving security threats."

Facing the major challenges

Collaboration tends to be the most effective security strategy, the report states. "The most collaborative teams lose the least money," Nather explains. In fact, collaboration and the elimination of silos shows a tangible financial upside: 95% of security professionals report that their networking and security teams are very or extremely collaborative.

Photo: Wendy Nather

The high financial impact of security breaches continues to concern CISOs. Fifty-nine percent of respondents report that the financial impact from their most serious breach was less than $100,000 -- the lowest category of breach cost listed in the survey. Forty-five percent of respondents report a breach with a financial impact exceeding $500,000. On the bright side, more than 50% of respondents state they are driving breach costs below $500,000. Unnervingly, 8% of CISOs claim their most significant breach of the past year cost more than $5 million. On a more positive note, 93% of CISOs state that they are feeling more confident about cloud-delivered security and in securing the cloud.

CISOs' changing role

CISOs are now more involved than ever in "managing risk by contract," orchestrating and negotiating security with third-party providers and suppliers. "More CISOs appear to be comfortable with using cloud-based security services—93% of respondents agree that it makes their operations more effective and more efficient—and we expect this trend to continue," Nather says.

Employees and other system users continue to present the greatest protection challenges for many CISOs. Only 51% [of CISOs] rate themselves as doing an excellent job of managing human resources on security via comprehensive employee onboarding and appropriate processes for handling employee transfers and departures, according to the report.

[Editor's note: CISOs' and CIOs' objectives sometimes put them at odds. We review why this is happening and how this may impact where security leadership should fit in IT org charts.]

Email security, phishing and risky user behavior remain top security concerns for CISOs, the study found. "In addition to addressing these risks with multi-factor authentication, advanced spam filtering and DMARC to defend against business email compromise, it’s essential to have an organizational process that starts with security awareness training on day one," Nather says. The perception of this risk has held steady for the past three years for 56% to 57% of respondents. Coupled with low levels of security-related employee awareness programs, this represents a possible major gap that the security industry can help address, the report states.

The methods CISOs and their staffs are using to measure their security efforts are changing rapidly, the study finds. The number of respondents who rely on ‘mean time to detection’ as a metric for security effectiveness decreased from 61% in 2018 to 51% in 2019. Meanwhile, ‘reported time to patch’ dropped from 57% in 2018 to 40% in 2019. As other measurement techniques lose favor, ‘time to remediate’ is gaining popularity as a success metric. The method was cited by 48% of respondents compared to 30% in 2018.

More teams involved

Driven in part by cyber insurance procurement, risk assessment and risk metrics that span multiple business units are playing an increasing role in technology selection, the study finds. These tools help CISOs focus on their operational practices. Forty percent of respondents indicate they are using cyber insurance, at least partly, to set their budgets.

Complex security environments incorporating tools from 10 or more security vendors could be hampering security professionals’ visibility across their environments, the report warns. Sixty-five percent of respondents do not find it easy to determine the scope of a compromise, contain it, and remediate from exploits.

Overall, the number of respondents experiencing cyber fatigue -- the urge to give up trying to stay ahead of security threats -- decreased from 46% last year to 30% this year. "We consider this very good news, as CISOs feel more confident in being able to defend their organizations," Nather concludes.

Cisco's Recommendations for CISOs

• Base security budgeting on measured security outcomes with practical strategies coupled with cyber insurance and risk assessments to guide your procurement, strategy, and management decisions.

• Reduce the exposure and extent of breaches by preparing with drills, employing rigorous investigative methods, and knowing the most expedient methods of recovery.

• The only way to understand the underlying security needs of a business case is to collaborate across silos -- IT, networking, security, and risk/compliance groups.

• Orchestrate response to incidents across disparate tools to move from detection to response faster and with less manual coordination.

• Combine threat detection with access protection to address insider threat and align with a program like Zero Trust.

• Address the No. 1 threat vector with phishing training, multi-factor authentication, advanced spam filtering and DMARC to defend against business email compromise.
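The last recommendation names DMARC as one of the controls against business email compromise. As an added example (not code from the article or from the Cisco study), the Python below parses a domain's DMARC TXT record and grades how much protection it actually gives: a record with `p=none` only reports spoofing, a `pct` below 100 applies the policy to only part of the failing mail, and subdomains fall back to `sp`. The domain names and records are constructed sample data; no DNS lookup is performed, so a practitioner would feed it the `_dmarc.<domain>` TXT record they retrieved themselves.

```python
"""Grade DMARC records for enforcement strength.

Added example for the article's DMARC recommendation; not code from
InformationWeek or Cisco. Tag semantics and defaults follow RFC 7489.
"""

# Constructed sample records (hypothetical domains). In practice the record
# is the TXT value published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:r@partial.example",
    "enforced.example": (
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
        "rua=mailto:r@enforced.example; ruf=mailto:f@enforced.example"
    ),
    "broken.example": "p=reject; v=DMARC1",  # v= must come first
}


class DmarcError(ValueError):
    """Raised for a record that does not satisfy the RFC 7489 syntax rules."""


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and fill in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise DmarcError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    # RFC 7489 section 6.4: 'v=DMARC1' must be the first tag, 'p' is required.
    first = record.strip().split(";", 1)[0].replace(" ", "")
    if first.lower() != "v=dmarc1":
        raise DmarcError("record must start with v=DMARC1")
    if "p" not in tags:
        raise DmarcError("required tag 'p' is missing")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise DmarcError(f"unknown policy {tags['p']!r}")
    # Defaults from RFC 7489 section 6.3
    tags.setdefault("sp", tags["p"])      # subdomain policy inherits p
    tags.setdefault("pct", "100")         # policy applies to all failing mail
    tags.setdefault("adkim", "r")         # relaxed DKIM alignment
    tags.setdefault("aspf", "r")          # relaxed SPF alignment
    return tags


def grade(record: str):
    """Return (level, findings); level is 'monitor', 'partial' or 'enforced'."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"]
    pct = int(tags["pct"])
    if policy == "none":
        level = "monitor"
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif pct < 100:
        level = "partial"
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    else:
        level = "enforced"
    if policy == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam instead of being rejected")
    if policy != "none" and tags["sp"] == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not collected")
    if tags["adkim"] == "r" or tags["aspf"] == "r":
        findings.append("relaxed alignment: any subdomain of the organizational domain aligns")
    return level, findings


def summarize(records: dict) -> dict:
    """Map each domain to its enforcement level, or 'invalid' if unparsable."""
    result = {}
    for domain, record in records.items():
        try:
            result[domain] = grade(record)[0]
        except DmarcError:
            result[domain] = "invalid"
    return result


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        try:
            level, findings = grade(record)
            print(f"{domain}: {level}")
            for f in findings:
                print(f"  - {f}")
        except DmarcError as exc:
            print(f"{domain}: invalid ({exc})")
```

Running the script prints one line per domain plus its findings; only `enforced.example` comes back with an empty findings list, which is the state the recommendation is aiming for.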

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic ...
