Published on November 9, 2023, 3:32 am
The advancement of cybersecurity infrastructure is directly linked to the increasing sophistication of threats, which has led CISOs and cybersecurity executives to spend a significant amount of time combating them.
In today’s complex enterprise networks, it’s challenging to keep track of all connected devices. The definition of assets has evolved, including not only traditional components but also multi-cloud workloads, ephemeral containers, serverless workloads, APIs, and infrastructure as code (IaC).
Each new technology implemented for digital transformation introduces additional attack surfaces that require constant monitoring, assessment, and remediation to mitigate risks.
According to Gartner’s 2020 CISO Effectiveness Survey, the average enterprise utilizes over 16 security tools, with some CISOs reporting 46 or more tools. However, merely having more tools does not necessarily lead to a stronger security infrastructure. Often there is a lack of actionable insights, critical coverage gaps, misalignment among teams, and challenges in prioritizing responses and remedies across security, compliance, and IT departments.
The IT infrastructure is becoming increasingly diverse and transitory—from on-premises to virtual environments, public cloud to private cloud or hybrid setups—and includes various domains such as IT operations (IT), operational technology (OT), and the internet of things (IoT). Additionally, the persistent IT skills shortage makes it difficult to hire experienced professionals who can effectively manage cybersecurity.
The complexity of IT systems is exacerbated by the absence of cybersecurity automation, limited cross-team collaboration, and the need for workflow coordination.
Today’s CIOs and CISOs find themselves grappling with these challenges while facing added pressures from boards that demand detailed tracking and reporting on cyber risk. The increased board-level focus on cyber risk is driven by governments worldwide taking significant measures against hacking groups. However, despite these efforts, organizations globally remain uneasy about their ability to safeguard their digital assets and defend against ongoing threats.
The prevalence of catastrophic breaches, critical vulnerabilities with widespread impact, nation-state-backed attacks, and a surge in ransomware incidents underline the urgency of mitigating cyber risk. Just recently, Verizon’s DBIR 2022 reported a 13% year-over-year increase in ransomware attacks—a rise as significant as the cumulative increase over the previous five years. Additionally, vulnerabilities still serve as a popular exploitation vector for attackers to gain access to an organization’s environment.
With more than half of quarterly board agendas now including the CISO, corporate boards are increasingly concerned about cybersecurity and actively seek updates on cyber warfare, hacking campaigns, and new threat actors. The rising cost of successful cyberattacks also drives these concerns, with the average data breach cost reaching its highest point ever at US$4.24 million in 2021 (according to IBM’s reporting).
CISOs are expected to take a unique approach by addressing cybersecurity challenges such as budgeting, goal setting, and establishing plans for enhanced security measures. Simplifying discussions about cyber risk with company leadership, boards of directors, shareholders, customers, partners, and the wider market is crucial. Translating technical jargon into terms of bottom-line business risks enables better understanding and effective management of the growing array of threats.
Adopting risk-based methodologies is key to tackling cybersecurity challenges effectively. Organizations must address countless risks associated with cybersecurity—including outdated software applications or insufficiently developed software that fails to mitigate evolving risks. Integrated technologies managed by third parties or involved in a supply chain can also introduce additional risks. Further risks may affect physical or virtual infrastructures—endpoints, servers, network devices—as well as humans who may fall prey to malicious actors through errors or social engineering.
Given the responsibility CISOs have for reducing risk levels within their organizations’ environments, adopting risk-based methodologies is crucial. These methodologies should conform to industry mandates, government regulations, and financial audit standards while strengthening cyber defenses and ensuring continuous compliance.
To report effectively to executives and board members, cybersecurity practices should include clear metrics that showcase the success of security controls against internal objectives, industry benchmarks, and best practices. This reporting requires a three-step cycle: continuously monitoring the threat landscape, enabling swift response measures, and measuring metrics relevant to company leadership’s concerns.
The risk-based approach also challenges the conventional obsession with vulnerabilities alone. While there has been a staggering 5,116% cumulative growth rate in vulnerabilities in recent years, quantifying cyber risk in terms of business risk helps put this increase into perspective. Out of the multitude of known vulnerabilities (185,446), only a small percentage have actual exploits available and an even smaller fraction are successfully exploited by malware.
To achieve true risk reduction within an enterprise environment, vulnerability management must extend beyond simple vulnerability scores. Instead, it should consider all forms of risk to the business, including factors such as weak passwords that could pose a substantial threat despite being unrelated to known CVEs.
By focusing on vulnerabilities specific to their company’s exposure and employing a risk-based approach like this, security and IT teams can better control cyber risks.
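To make the prioritization argument above concrete, here is an added example (not from the article) that ranks findings by exploit availability, in-the-wild exploitation and asset criticality rather than by CVSS alone, and that keeps a non-CVE weakness such as a weak password in the queue. The weights, asset tiers, sample findings and placeholder CVE ids are constructed assumptions.

```python
# Added example (not from the article): risk-based ranking of findings.
# Weights, tiers, CVE ids and sample findings are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

# Constructed asset criticality tiers standing in for business context.
ASSET_TIER_WEIGHT = {"crown-jewel": 3.0, "internal": 1.5, "lab": 0.5}

@dataclass
class Finding:
    asset: str
    tier: str                        # key into ASSET_TIER_WEIGHT
    title: str
    cve: Optional[str] = None        # None for non-CVE weaknesses
    cvss: float = 0.0                # base severity 0-10 (ignored if no CVE)
    exploit_available: bool = False  # public exploit code, or trivial to abuse
    exploited_in_wild: bool = False  # used by malware / active campaigns

def risk_score(f: Finding) -> float:
    """Blend severity with exploitability evidence and asset criticality.

    A bare CVSS score is a weak signal: most known CVEs have no public
    exploit and far fewer are used by malware. The multipliers below are
    constructed assumptions, not an industry standard.
    """
    likelihood = 1.0
    if f.exploit_available:
        likelihood *= 2.0
    if f.exploited_in_wild:
        likelihood *= 3.0
    # Non-CVE weaknesses get a fixed baseline severity so they are not ignored.
    severity = f.cvss if f.cve else 7.0
    return round(severity * likelihood * ASSET_TIER_WEIGHT[f.tier], 1)

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Order findings from highest to lowest risk score."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed sample findings; the CVE ids are placeholders, not real ones.
SAMPLE = [
    Finding("db01", "crown-jewel", "SQL service RCE", "CVE-0000-0001", 9.8),
    Finding("web02", "crown-jewel", "Auth bypass", "CVE-0000-0002", 7.5, True, True),
    Finding("adm03", "crown-jewel", "Admin uses weak password", exploit_available=True),
    Finding("lab09", "lab", "Kernel LPE", "CVE-0000-0003", 9.8, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):6.1f}  {f.asset:6}  {f.title}")
```

With these weights the actively exploited CVSS 7.5 on a critical asset ranks first, the weak password ranks above an unexploited CVSS 9.8, and the exploitable 9.8 on a lab host ranks last.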
In conclusion, enhancing cybersecurity infrastructure to counter increasingly sophisticated threats