After a Global IT Outage: 3 Actions for CIOs and CISOs

A failed software update on 19 July 2024 caused one of the largest IT disruptions in history. Approximately 8.5 million Microsoft Windows devices were affected, disrupting critical sectors such as airlines, healthcare, and banking. This outage is a major wake-up call for business leaders to reassess their security posture and third-party vendor relationships.  

Here are three post-incident actions CIOs and CISOs can put into motion: 

 

1. Improve Communication with Vendors 

 

Maintaining regular communication with vendors is essential for a secure and stable IT environment. Rather than solely focusing on selecting new vendors, CIOs and CISOs should frequently engage with their current vendors, review their product offerings and features, and consider having a backup vendor for added protection.

More importantly, it’s essential to regularly review all agreements and contracts with vendors. This includes end-user licensing agreements (EULAs), service level agreements (SLAs), and liability and compensation clauses. Understanding who is liable for outages, faulty software, and operational mistakes is critical. 

Moving forward, CIOs and CISOs must also revisit current vendor criteria and make necessary updates that prioritize trust, reputation, certifications, insurance, history, and cybersecurity practices. Matthew Rosenquist, CISO at Mercury Risk, advises documenting configuration and allowable settings in a policy procedure to maintain consistency and prevent unexpected issues. “When you either upgrade to a new piece of software or a different service, or you change vendors, having it documented will maintain that consistency, and you can feel confident that you’re not going to have some unusual surprises because of poor change management.” 

 

2. Update Incident Response Plans  

 

Robust incident response plans are paramount to lessen the blow of unexpected disruptions and attacks. The Bonadio Group, one of the companies that experienced the blue screen of death, managed to get its servers up and running within three hours because it was prepared. CIO John Roman says, “The reason we were able to do that was we implemented our incident response plan. Most incident response plans are created in the event there’s some type of malware incident. We genericized ours to take into consideration any type of incident — including a global pandemic.”

Therefore, it is vital to create or update incident response plans with clear procedures, roles, responsibilities, and communication protocols. These plans should detail specific steps for detecting, responding to, and recovering from various types of security incidents. Regularly testing the people, processes, and tools involved in incident management is essential to ensure quick and effective responses. 

Additionally, strengthening cooperation between IT and cybersecurity teams is crucial. During a cyberattack or IT disruption, these teams must work closely to contain and eliminate the threat. Emphasizing redundancy and failover mechanisms is also important to ensure that critical systems remain operational even if one component fails. Building redundancy into enterprise systems can prevent widespread disruptions. 

Organizations should prepare PR, legal, and cybersecurity teams for rapid response. This preparation will help mitigate damage and maintain business continuity during an incident. However, it’s important to eliminate as much red tape as possible to ensure action is taken swiftly. “We don’t want to have too many layers of bureaucracy that could slow them down, because that could make all the difference in the world and make sure the disaster recovery and business continuity plans, the communication processes, teams, tools, and necessary outside vendors are well prepared to work together,” Rosenquist says.  

Other than behind-the-scenes work, organizations must also practice transparency and honesty with their customers. In the event of an IT outage, ensure customers are informed and supported with the right information and data to prevent panic. CIOs and CISOs must also equip their teams with the right data that clearly illustrates the root cause of the disruption and its business impact.

 

3. Conduct a Thorough Security Audit 

 

It’s high time to conduct a thorough security audit to identify and mitigate risks within your IT ecosystem. This involves a comprehensive examination of network security, endpoint protection, access controls, and data protection measures.

One key aspect of the audit is identifying vulnerabilities, outdated systems, and single points of failure. Software with a single point of failure can cause millions of devices to malfunction simultaneously. Protecting and monitoring vulnerable areas is crucial, and so is having robust recovery options. Updating and testing backup systems every quarter ensures data can be restored quickly in an outage. 

Companies such as Black Wallet had their security systems compromised during the 19 July outage, but this allowed them to highlight weaknesses in their overall security posture. CIO Remi Alli explains, “The lack of access to critical security insights put us at risk temporarily, but more importantly, it highlighted vulnerabilities in our overall security posture. We had to quickly shift some of our security protocols and rely on other measures, which was a reminder of the importance of having a robust backup plan and redundancies in place.” 

Keeping all software and systems up to date is vital for maintaining a strong security posture. This includes operating systems, applications, security tools, and firmware. Regular patching addresses known vulnerabilities that could be exploited by attackers, reducing the risk of security incidents.  

 

The recent IT outage teaches valuable lessons in managing third-party vendor risks as downtime causes organizations significant financial losses and reputational damage. Other than nurturing existing vendor relationships, CIOs, CISOs, and board members must ensure they are on top of incident response plans and regular security audits to enhance resilience and maintain business continuity.  

From CISO to Strategic Partner: How to Win Over the Board

As cybersecurity increasingly influences business decisions and tech investments, CISOs have evolved from technical experts to business leaders. Therefore, they deserve a seat at the table and a voice in driving business outcomes. Research supports this: Gartner predicts that 70% of boards will include one member with cybersecurity expertise by 2026. Some organizations are already ahead of the game with CISO board representation. According to a Heidrick & Struggles survey, the share of CISOs on corporate boards doubled from 14% in 2022 to 30% in 2023.

In this article, we will explore the importance and benefits of having a CISO on the board, the challenges of finding and retaining board-ready CISOs, and practical tips for CISOs to communicate with the board effectively.  

 

WHY CISOS MUST BE ON THE BOARD 

 

CISO involvement in business decisions also means a smoother buy-in process from the board, especially with cybersecurity-related investments. Encouragingly, CISO relationships with the board are improving, with 53% of directors communicating with security leaders regularly and 65% of board members seeing eye-to-eye with CISOs (Proofpoint). 

Findings from a recent IDC study state:  

  • 90% of executives reveal that CISOs are involved in important business innovation decisions 
  • 60% state that cybersecurity leaders attend board and management meetings 
  • 77% note that the personal influence of the CISO has increased 

According to Merritt Baer, CISO of Reco, a growing number of CISOs are reporting directly to CEOs. This closer relationship with business-driven C-levels allows CISOs to align security objectives with business goals, integrate cybersecurity into organizational culture, and most importantly, ensure budgets are optimized for the right cybersecurity initiatives. 

 

Boards now need to add a heavy item to their agenda – rising cybersecurity compliance and governance expectations.  

Following the July 2023 announcement by the U.S. Securities and Exchange Commission (SEC), U.S.-listed companies are now required to publicly disclose cyberattacks and share subsequent incident response plans within four business days. This proposal also includes a compulsory annual report on the boards’ cybersecurity knowledge and how they are informed about cybersecurity risks. This has set a global precedent, with similar regulations expected in Europe and APAC.

Boards that don’t have a member with cybersecurity expertise will find themselves in a pickle. Worryingly, 98% of company directors do not have cybersecurity expertise (The Wall Street Journal). Additionally, Korn Ferry found that a pitiful 1.4% of companies have a current or former CISO on the board. Considering the rapidly developing regulatory landscape, CISO representation on the board is no longer performative – it’s a requirement.  

 

Cyberattacks and data breaches are costing businesses millions of dollars.  

For instance, data breaches cost USD4.45 million in 2023, up 15% from 2020, according to IBM’s Cost of a Data Breach Report 2023. Detection and escalation costs are now the highest portion of breach costs, jumping 42% since 2020. According to PwC, companies with more than USD10 billion report breaches of USD7.2 million while those companies with less than USD1 billion report USD1.9 million in damages.  

An organization’s reputation is on the line not only as a victim of a major cyberattack, but also if it is discovered that its CISO is underrepresented and underappreciated. Benjamin Frost, a Senior Client Partner at Korn Ferry, says, “From a boardroom perspective, after a major data breach, if it’s suddenly discovered that your CISO is a fairly minor player within the organization, that’s not a good look from a litigation standpoint.”

A common reason an organization fails to implement effective security practices is the lack of communication between the CISO and the executive board. CISOs also tend to overlook that the board has limited understanding of cybersecurity complexities. 

 

BOARDS MUST WORK HARDER TO RETAIN CISOS 

 

Being a CISO is stressful, and many of them don’t want to do it for long, leading to challenges with retention.  

A study by BlackFog found that almost 33% of CISOs are considering resigning, citing poor work-life balance and too much time spent on “firefighting” over meaningful work. It’s no surprise that the average tenure for a CISO is only 24 to 48 months (Coalfire).  

Therefore, organizations must motivate and build CISOs into business leaders and map their career trajectories more clearly. A Korn Ferry study reports that one in four security leaders may leave the industry by 2025, potentially due to limited professional advancement opportunities. Many CISOs aim to report directly to the CEO, and for good reason—80% of tech security leaders who do so receive the funding they need for security initiatives.  

Addressing this challenge requires more than technical skills. CISOs must have strong business acumen and political savvy to navigate cross-departmental dynamics, which does not come naturally to more technical CISOs. Robert Hansen, Managing Director of Grossman Ventures, says, “Having looked at over 100 different CISOs, the ones that tend to do the best are business-centric CISOs. They tend to be the ones that are able to come to the table, work with the board and the executive team, and work across departments in a positive proactive manner.”

 

HOW CISOS CAN SPEAK ‘BOARD’ LIKE A PRO 

It’s not enough that CISOs have a seat on the board; they must initiate important conversations surrounding cybersecurity strategies and break them down for the board in a digestible manner. Each board member should know:

  • The company’s most valuable assets, where they are located, and how they are protected. 
  • What is at risk, and whether there is enough visibility to make the right investments and deploy resources to address those vulnerabilities.
  • Whether the organization leverages continuous monitoring to achieve business goals and remain cyber resilient in the event of a breach. 
  • How cyberattacks impact the company’s bottom line. 
 

How can CISOs communicate the strategies above successfully? Dr. Aleksandr Yampolskiy, globally recognized cybersecurity innovator and Forbes contributor, advises security leaders to: 

  • Leverage cyber risk quantification to highlight the economic impact of cyber risks by translating potential financial impacts into clear numbers. Focus on key figures that aid board decision-making. For example, inform board members that a $300K investment in a product can prevent a $2 million revenue loss from website disruption. 
  • Conduct tabletop exercises that simulate cybersecurity incidents and define specific roles and responsibilities. These exercises help the board understand the organization’s incident response plan and identify gaps in an interactive manner. 
  • Bring in a cyber expert to bridge the communication gap between CISOs and the executive board. This expert can help security leaders develop effective strategies for addressing security challenges and reduce the pressure and responsibility on the CISO alone. 
 

Furthermore, LaLisha Hurt, a three-time CISO and public sector industry advisor at Splunk, emphasizes researching each board member’s background and their unique concerns. She advises CISOs to “present security as a business enabler and not a cost center,” and to interject dollars and numbers wherever possible to describe the impact.

 

In today’s complex cybercrime and compliance landscape, it’s crucial for CISOs to be heard by the board. They also must be provided with the necessary support and resources to perform effectively and avoid burnout. Security and compliance should not rest solely on the CISO’s shoulders; the board must share the responsibility. At the same time, CISOs need to enhance their business and communication skills to gain the board’s respect. Cyber resilience and culture start at the top, and CISOs need to lead the way. 

UK CISO Outlook: 7 Areas to Prioritize in 2024

CISOs in the UK faced giant hurdles this year, from the persistent skills shortage and budget limitations to advanced cyberattacks and economic uncertainty. Despite these challenges, CISOs still had to fulfill the critical role of protecting their organization’s digital assets and driving cybersecurity investments. According to research by ECI Partners, CISOs are the most in-demand leadership role in the UK, and that demand will remain for the next five years.  

As the year draws to a close, what should UK CISOs prioritize in 2024 to ensure their organization is prepared for the evolving cybersecurity landscape? This article uncovers 7 key focus areas for UK CISOs to add to their agenda. 

 

1. BOLSTER CYBER RESILIENCE MEASURES  

According to PwC’s Cyber Security Outlook 2023, 90% of UK senior executives ranked the increased exposure to cyber risk due to accelerating digital transformation as the biggest cybersecurity challenge for their organization. Cyber risks trump other risks associated with inflation, macroeconomic volatility, climate change, and geopolitical conflict. 25% of UK business leaders are also bracing for their company to be highly exposed to cyber risks over the next five years.  

The Cyber Breaches Survey 2023 by the Department for Science, Innovation & Technology highlights the measures taken by large UK businesses to curb cyberattacks:

  • 63% have undertaken cybersecurity risk assessments in the last year  
  • 72% have deployed security monitoring tools 
  • 55% are insured against cybersecurity risks 
  • 55% review the risks posed by their immediate suppliers 
 

Cybersecurity leaders at Dell and Accenture also suggest 3 key actions to CISOs to support cyber resilience and speed up recovery if attacked: 

  • Implement a “lifeboat” scenario: Review technology dependencies, identify critical processes and assets, understand RTO/RPO requirements, and implement and regularly test recovery processes. That way, organizations can maintain operations if they suffer from a cyberattack.  
  • Ensure the obligations of third parties align with the organization’s requirements: Identify which critical processes and assets are managed by third-party vendors, validate the scope and liabilities of contracted services, and ensure they align with the organization’s requirements. 
  • Test the organization’s recovery capabilities: Employ external experts to simulate attacks on the organization’s defenses. Oversee how the IT and business teams would react and provide guided recommendations for improved security posture and resilience.
 

2. MAXIMIZE CLOUD SECURITY INVESTMENTS  

As multicloud environments become more prevalent across industries, so do the cyber risks associated with them. PwC’s Cyber Security Outlook 2023 highlighted the top cybersecurity concern among UK business leaders: cloud-related threats. 39% of CISOs expect cloud-related threats to affect their organization the most. Cloud security threats pose the most risk compared to threats from laptop and desktop endpoints, web applications, and the software supply chain. Therefore, it makes sense that UK CISOs are allocating the most budget to cloud security.

According to findings by Cybersecurity in Focus, the top 3 expenditure areas among UK CISOs are: 

  • 25% Cloud security  
  • 20% Identity access management  
  • 18% Security and vulnerability management  
 

Let’s look at how cloud security investments have paid off in the UK’s public and private sectors: 

  • The Houses of Parliament appointed Ascentor to create a new information assurance process to address the increasing use of cloud-based solutions. Ascentor introduced a risk appetite statement and three different assurance paths based on information sensitivity. The assurance process is now well-established, and risks are regularly reappraised and managed. 
  • Bravura chose Vodafone Cloud and Security as its hosting and connectivity partner to ensure the protection of business-critical data. Vodafone Cloud managed primary and backup hosting and fixed connectivity and security, freeing up the IT team’s time and increasing efficiency.  
  • The UK Data Service faced the challenge of providing access to big data while meeting stringent privacy and security requirements. Therefore, the government body deployed solutions from Amazon Web Services (AWS) to offer a seamless and powerful search and analytics experience, enabling them to query any concept held in the data lake at the cell level and enrich data for better insights. 
  • The University of Sunderland sought help from CrowdStrike to modernize its cloud security systems after experiencing a data breach. CrowdStrike offered an effective solution to secure the university’s 5,000 endpoints with little administrative overhead through its unique combination of technology, threat intelligence, and skilled expertise.
 

3. SECURE BIGGER CYBERSECURITY BUDGETS 

73% of CISOs predict that economic instability will negatively impact cybersecurity budgets (Proofpoint). Another report by iomart and Oxford Economics, Security’s Lament: The state of cybersecurity in the UK 2023, supports this, finding that UK businesses that experienced budgetary constraints suffered a 25% increase in cyber incidents.  

27% of organizations think their cybersecurity budget is inadequate to combat growing cyberthreats.  

Smaller budgets are making it harder to meet cybersecurity goals and are creating blind spots in cyber strategies. In addition, increasing cyber insurance premiums are taking a toll on overall budgets.

On the other hand, a study by BSS, How CISOs can succeed in a challenging landscape, found that although 61% of CISOs reported increased funding, it was paired with unrealistic expectations and a lack of understanding of business threats among budget holders. Interestingly, 78% of CISOs only received extra funding after the organization experienced high-profile cyberattacks. This has led 55% of CISOs to use the funding to put out immediate fires instead of making long-term investments in security solutions.

 

Here are several strategies UK CISOs can take to seek more funding from the board:  

  • Get support from other C-suite executives: By getting backing from the CFO and CEO, CISOs can understand business risks better and frame their funding requests accordingly. They can also reach out to colleagues in the purchasing and business units that will benefit from the extra funding.
  • Demonstrate ROI, TCO, and the bottom line: Communicating these three areas is crucial in securing cybersecurity funding. CISOs must take this opportunity to explore the right tools that can help illustrate the effectiveness and value of their security programs to the board.  
  • Calculate the cost of not implementing security technology: To get the board’s attention, CISOs must calculate and communicate the financial risk of not implementing the security solution, including the likelihood and impact of a breach. 
  • Understand the board’s risk appetite: How much expense the board is willing to incur in the event of a worst-case scenario varies depending on the organization’s industry, risk tolerance, cyber insurance coverage, data sensitivity, and regulatory environment. 
 

4. IMPROVE RELATIONSHIP WITH THE BOARD 

As cybersecurity-related matters align more closely with business strategy, communication between CISOs and board members is paramount. Only 9% of CISOs state that information security is a top priority on the boardroom’s meeting agenda.

Additionally, a mere 22% of CISOs participate in business strategy and decision-making (BSS). Board members are also not as concerned about the susceptibility of the organization to future cyberthreats. A whopping 79% of UK CISOs are worried about their liability in the event of a cybersecurity incident, while the board is more nonchalant; only 54% of directors expressed similar concerns.  

 

According to cyber risk management leader Bitsight, CISOs can improve board relationships with:  

  • Ongoing communication: Regular open communication with the board on the organization’s cybersecurity posture, emerging threats, and the status of ongoing security initiatives is beneficial. This communication may be quarterly or semi-annual, depending on the needs of the organization. 
  • Educational engagement: CISOs can provide the board with resources and updates on cybersecurity risks, their impact on the organization, and the measures being taken to mitigate them. This is especially important for board members without a technical background. 
  • Risk reporting: Cybersecurity risks must be presented in the context of business risks. Explaining the potential impact of cybersecurity vulnerabilities on reputation, financial stability, and regulatory compliance can help the board understand the importance of cybersecurity investments. Risk assessments, metrics, and KPIs can be used to illustrate the potential impact. 
  • Cybersecurity governance framework: This is a valuable tool for outlining the roles and responsibilities of the CISO, management, and the board in cybersecurity decision-making, budget approval, and incident response. 
  • Incident response planning: The board should be involved in the development and testing of incident response plans. Board members must be aware of the roles they play in managing and overseeing the response. 
  • Vendor and third-party risk management: The CISO should strategically manage and reduce risks associated with third-party vendors to increase the board’s confidence. The board should be informed of these risks and how the organization is mitigating them. 
 

5. NAVIGATE COMPLEX CYBERSECURITY REGULATIONS 

The UK’s cybersecurity regulation landscape is complex, as the country does not have one unified cybersecurity law. Rather than a single regulation, UK organizations have to refer to a myriad of existing laws and adapt them to their organization’s cybersecurity needs.

However, UK companies are receptive to the implementation of data privacy regulations. 59% are very prepared for the General Data Protection Regulation (GDPR) in the UK and EU, as well as the Data Protection Act 2018 (DPA), according to the 2023 Global Data Privacy Law Survey Report by Womble Bond Dickinson. UK respondents are also more comfortable about the impact of privacy regulations on their ability to conduct cross-border business, with 40% stating that they are willing to cover the extra costs incurred by the regulations. However, another study found that 29% of UK CISOs are frustrated with changing regulations, and 64% of CISOs comment that regulations change before they can meet previous requirements (BSS).

 

UK CISOs can do the following in the meantime: 

  • Identify which cyber laws the organization needs to comply with by conducting extensive research or hiring a security expert. This includes international regulations if the company serves customers worldwide.  
  • Create an Information Security Management System (ISMS) with processes the company needs to comply with. Refer to international standards such as ISO 27001 that can provide a suitable framework. 
  • Keep the board informed on evolving cybersecurity regulations and ensure the organization remains in compliance. This includes discussing the potential legal and financial implications of non-compliance. 
 

6. BOOST UPSKILLING AND TRAINING PROGRAMS 

A September 2023 report from the Public Accounts Committee (PAC) warns that a lack of cybersecurity experts in the UK government should be of significant concern. Additionally, 48% of respondents agree that their organization suffers from a lack of expertise. 62% noted at least a quarter of their permanent headcount isn’t based in the UK, which highlights a deficit when it comes to knowledge of local regulations, compliance, and risk.  

According to a report by the Chartered Institute of Information Security (CIISec), most also claim the industry is facing a shortage of skills rather than people, hinting that better training could help alleviate challenges in this area. Research by Robert Walters concludes that the greatest shortages will be felt in Yorkshire (73%), London (62%) and the North (55%). Additionally, cybersecurity (56%) is the most sought-after skill in organizations. Instead of taking on the task of training and upskilling existing staff themselves, CISOs can seek support from third parties who offer cybersecurity training.  

For example, BT partnered with CAPSLOCK, an accredited cybersecurity boot camp, to retrain 30 employees over 17 weeks. They wanted to make clear that employees don’t need prior IT or security qualifications to break into the industry. Eight months after the boot camp, all learners are working in cyber roles at BT, aligned with their strengths and achievements in the program. Those who excelled in governance topics were assigned roles in governance and assurance, while those who performed well in technical modules are working in fields such as DDoS, security architecture and design, and forensics. 

 

7. IMPROVE SELF-RESILIENCE AND BUILD A SUPPORT TEAM 

According to a study by Proofpoint, 74% of UK CISOs are experiencing unreasonable job expectations and overwhelming responsibilities. 79% are concerned about personal liability and 74% have experienced burnout in the past 12 months. Furthermore, 8% of UK CISOs work more than 55 hours per week, which is considered “a serious health hazard” by the World Health Organization (WHO). Worryingly, 50% of respondents say their workload keeps them awake at night, more so than suffering from a cyberattack (CIISec).

 

Global Resident CISO for Proofpoint, Lucia Milică Stacy, suggests the following on how organizations can support their cybersecurity leaders:

  • Bring in cybersecurity experts on the board who understand what the organization and the cybersecurity team grapple with.  
  • Establish a cybersecurity risk oversight committee to interpret cyber risk and how it affects the broader business goals and the valuation of the organization.  
  • Make sure the CISO’s frustrations are heard by the board so there is transparency on the threats the organization faces, as well as what the security team goes through to fight those threats.
 

In addition, CISOs can reduce stress and the possibility of burnout by delegating tasks to other team members, leveraging time-saving tools and technologies to automate menial tasks, and seeking support from other cybersecurity leaders who share the same challenges by joining business networks and attending industry events.  

 

By focusing on these seven areas, UK CISOs can better protect their organizations from unprecedented risks in the years to come. However, it is important to note that CISOs cannot do this alone. CISOs are under immense pressure, and it is important for organizations to recognize the critical and stressful nature of their role. The board and executive team must equip CISOs with enough support and resources, in addition to recognizing and rewarding CISOs for their contributions.

AI-Powered Cybersecurity: Start With a Chief AI Officer

In this era of digitization, where data and connectivity underpin every business decision, protecting your digital assets isn’t just crucial; it’s the fundamental core of business survival. AI offers the potential for a more resilient digital infrastructure, a proactive approach to threat management, and a complete overhaul of digital security.

According to a survey conducted by The Economist Intelligence Unit, approximately 48.9% of top executives and leading security experts worldwide believe that artificial intelligence (AI) and machine learning (ML) represent the most effective tools for combating modern cyberthreats.

However, a survey conducted by Baker McKenzie highlights that C-level leaders tend to overestimate their organizations’ readiness when it comes to AI in cybersecurity. This underscores the critical importance of conducting realistic assessments of AI-related cybersecurity strategies.

Dr. Bruce Watson and Dr. Mohammad A. Razzaque shared actionable insights for digital leaders on implementing AI-powered cybersecurity.

Dr. Bruce Watson is a distinguished leader in Applied AI, holding the Chair of Applied AI at Stellenbosch University in South Africa, where he spearheads groundbreaking initiatives in data science and computational thinking. His influence extends across continents, as he serves as the Chief Advisor to the National Security Centre of Excellence in Canada.

Dr. Mohammad A. Razzaque is an accomplished academic and a visionary in the fields of IoT, cybersecurity, machine learning, and artificial intelligence. He is an Associate Professor (Research & Innovation) at Teesside University.

The combination of AI and cybersecurity is a game changer. Is it a solution or a threat?

 

Bruce: Quite honestly, it’s both. It’s fantastic that we’ve seen the arrival of artificial intelligence that’s been in the works for many decades. Now it’s usable and is having a real impact on business. At the same time, we still have cybersecurity issues. The emergence of ways to combine these two things is exciting.

Razzaque: It has benefits and serious challenges, depending on context. For example, in critical applications such as healthcare or driverless cars, it can be challenging. Driverless cars were projected to be on the roads by 2020, but it may take another 10 years. Similarly with the safety of AI, I think it’s hard to say.

 

What are your respective experiences in the field of cybersecurity and AI?

 

B: I come from a traditional cybersecurity background where it was all about penetration testing and exploring the limits of a security system. In the last couple of years, we’ve observed that the bad guys are quickly able to use artificial intelligence techniques. To an extent, these things have been commoditized. They’re available through cloud service providers and there are open-source libraries with resources for people to make use of AI. It means the barrier to entry for bad actors is now very low. In practice at the university as well as when we interface with the industry at large, we incentivize people to bring AI techniques to bear on the defensive side of things. That’s where I think there’s a real potential impact.

It’s asymmetrical warfare. Anyone defending using traditional methods will be very quickly overrun by those who use AI techniques to generate attacks at an extreme rate.

R: I’m currently working on secure machine learning. I work with companies that are developing solutions to use generative AI for automated responses to security incidents. I’m also working on research on secure sensing, such as for autonomous vehicles. This is about making sure that the sensor data is accurate, since companies like Tesla rely on machine learning. If you have garbage in, you’ll produce garbage out.

 

Given AI’s nature, is there a risk of AI developing itself as an attacker?

 

B: It fits well with the horror scenarios from science fiction movies. Everyone is familiar with Terminator, for example. We’re not at that point yet where there’s a possibility of AI developing arbitrary new ways to attack systems. However, we’re also not far from that point. Generative AI, when given access to a large body of malicious code, or even fragments of computer viruses, malware, or other attack techniques, is able to hybridize these things rapidly into new forms of attack, quicker than humans can. In that sense, we’re seeing a runaway process. But it is still stoppable, because systems are trained on data that we provide them in the first place. At a certain point, if we let this free to fetch code on the internet or be fed by bad actors, then we’ll have a problem where attacks will start to dramatically exceed what we can reasonably detect with traditional firewalls or anomaly detection systems.

It scares me to some extent, but doesn’t keep me awake at night yet. I tend to be an optimist and that optimism is based on the possibility for us to act now. There isn’t time for people to sit around and wait until next year before embracing the combination of AI and cybersecurity. There are solutions now so there’s no good reason for anyone to be sitting back and waiting for an AI-cybersecurity apocalypse. We can start mitigating now.

R: We use ChatGPT and other LLMs that are part of the generative AI revolution. But there are also tools out there for bad actors like FraudGPT. That’s a service you can buy to generate an attack scenario. The market for these types of tools is growing, but we’re not yet at a self-generating stage.

 

Are we overestimating the threat of AI to cybersecurity?

 

B: A potential issue is that we simply do not know what else is out there in the malware community. Or rather, we have some idea as we interact with malware and the hacker community as much as we can without getting into trouble ourselves, but we do see that they’re making significant advances. They’re spending a lot of time doing their own research using commodity and open-source products and manipulating them in such a way that they’re getting interesting and potentially dangerous results.

 

How can the good guys stay ahead of bad actors? Is it a question of money, or the red tape of regulations?

 

R: Based on my research experience, humans are the weakest link in cybersecurity. We’re the ones we should be worried about. IoT is responsible for about 25% of overall security concerns but only sees about 10% of investment. That’s a huge gap. The bad guys are always going to be ahead of us because they do not have bureaucracy. They are proactive while we need time to make decisions. And yes, staying ahead is also a question of money, but it’s also about understanding the importance of acting promptly. This doesn’t mean forgoing compliance and regulation. It means we have to behave responsibly, like changing our passwords regularly.

B: It’s very difficult to advocate for getting rid of governance and compliance, because these things keep us honest. There are some ways out of this conundrum, because this is definitely asymmetrical warfare where the bad guys can keep us occupied with minimal resources while we need tremendous resources to counter them.

One of the ways around it is to do a lot of the compliance and governance using AI systems themselves. For monitoring, reporting, compliance – those can be automated. As long as we keep humans in the loop of the business processes, we will experience a slowdown.

The other way of countering the issue is to get together on the defensive side of things. There’s far too little sharing of information. I’m talking about Cyberthreat Intelligence (CTI). Everyone has recognized for a long time that we need to share when we have a breach or even a potential breach. Rather than going into secrecy mode where we disclose as little as possible to anyone, we should be sharing information with governments and partner organizations. That way, we actually gain from their defensive posture and abilities.

Sharing cyberthreat intelligence is our way of pulling the cost down and spreading the burden across a collective defence network.

 

What is the first thing business leaders should do to prepare for what AI can do and will be used for?

 

R: When it comes to cybersecurity, technical solutions are only 10%. The other 90% is responsibility. Research shows that between 90% and 95% of cybersecurity incidents could have been avoided if we behaved responsibly. The second thing is that cybersecurity should be a consideration right from the start, not an afterthought. It’s like healthcare. You need to do what you can to avoid ever needing medical care in the first place. It’s the same here.

B: The number one thing is to make sure that your company appoints a Chief AI Officer. This may be someone who is also the CIO or CSO, but at the very least there should be board-level representation of AI and its impact on the business. Any business in the knowledge economy, financial industry, technology, as well as manufacturing and service industries – all are going to have to embrace AI. People may think it’s a fad, but AI will absolutely steamroll organizations that don’t embrace it immediately. That’s what I would do on day one. Within a couple of days after that, there must be a working group within the company to figure out how to roll out AI, because people will be using it whether openly or discreetly. AI forms a tremendous force multiplier for running your business but also a potential security threat for leakage of information out of the business as well. So you need a coherent rollout in terms of information flow, your potential weaknesses, embedding it into corporate culture and bringing it into cybersecurity. Any company that ignores these things is in peril.

 

Where does ethics come into this?

 

R: No one can solve the problem of AI or cybersecurity individually. It needs to be collaborative. The EU AI Act outlines four categories of risk – unacceptable, high, limited, and minimal. The EU doesn’t consider it an individual state problem. In fact, they also have cybersecurity legislation that clearly states that it would supersede state-level regulations. The UK, on the other hand, is slightly more pro-innovation. The good news is that they are focused on AI assurance research, which includes things like ethics, fairness, security, and explainability. So if businesses follow the EU AI Act and focus on AI assurance, they can lead with AI securely and responsibly.

B: There are a couple of leading frameworks for ethical and responsible AI use including from the European Union as well as the UN. Many of the standards organizations have been working hard on these frameworks. Still, there is a sense that this is not something that can be naturally embedded within AI systems. On the other hand, I think it’s become increasingly likely and possible that we can build limited AI systems that have only one job of looking out for the ethical and responsible behaviour of either humans or other systems. So we are potentially equipping ourselves with the ability to have the guardrails themselves be a form of AI that is very restricted and conforms to the rules of the EU or other jurisdictions.

 

Which areas do you see as having the biggest potential for using AI within cybersecurity – for example identification, detection, response, recovery?

 

B: I’m hesitant to separate them because each of those is exactly where AI should be applied. It’s possible to apply them in tandem. AI has an immediate role in detection and prevention. We can use it to evaluate the security posture of an organization and make immediate suggestions and recommendations for how to strengthen it. Still, we know that at a certain point, something will get through. It’s impossible to defend against absolutely everything. But it is important to make quick moves in terms of defending and limiting damage, sharing information, and recovering. Humans are potentially the weak links there too. Humans monitoring a system will need time to assess a situation and find the best path forward, whereas an AI can embody all the relevant knowledge within our network and security operations centres and generate recommendations quicker. We can have faster response times, which are key to minimizing damage.

 

What are some significant upcoming challenges and opportunities within the AI-powered cybersecurity domain in the next two years?

 

R: Definitely behaviour analysis, not only to analyse systems but users as well for real-time, proactive solutions. The systems we design, including AI, are for us. We need to analyse our behaviour to ensure that we’re not causing harm.

B: Another thing AI is used for is training, within cybersecurity but across corporations as well. There’s a tremendous amount of knowledge and many companies have training for a wide variety of things. These can be fed into AI systems that resemble large language models. AI can be used as a vector for training. The other thing is a challenge on how quickly organizations will decide to be open with peer companies. Will you have your Chief AI Officer sit at a roundtable of peers from other companies to actually share your cybersecurity horror stories? The other significant challenge is related to change management. People are going to get past the novelty of ChatGPT as a fun thing to play around with and actually develop increasing fears about potential job losses and other threats posed by AI.

Former TikTok CSO: How to Tackle the Cybersecurity Talent Shortage

The number of open cybersecurity jobs globally is predicted to reach 3.5 million by 2025, marking a 350% jump over eight years (Cybersecurity Ventures). As the cybersecurity talent shortage continues to be a hurdle for CISOs and their peers, what measures can they take to empower and engage current employees? What can they do to find and attract cybersecurity professionals from an ever-shrinking talent pool?  

We speak with Roland Cloutier, former CSO at TikTok, on why it’s difficult to search for cybersecurity talent, how to adapt to the shifting expectations of today’s young workforce, what cybersecurity leaders can do to make their efforts visible to the rest of the organization, and more.  

 

WHY IT’S HARD TO FIND CYBERSECURITY TALENT

Cybersecurity is a demanding career field involving working odd hours and 12-to-16-hour days. Cloutier comments that only a special group of people can take on that level of mission-focused fight daily. One of the reasons he loves the cybersecurity field is that every day is different. However, this line of work is not for everyone. “The problem solving and understanding the deep issues is never fully complete or transparent. You have to dig for those answers. We hear that a lot from people that don’t end up going into cybersecurity.”  

Cloutier cites these reasons as contributors to the talent shortage:  

  • BROAD, SPECIALIZED, AND ALL-ENCOMPASSING: Cybersecurity has so many specialized areas including cyber defensive operations, incident response, threat management, threat detection, content development, privacy enforcement groups, data defense, and more. “There are so many different aspects that require technical specialties. It’s hard to find talent for all these specific areas.” 
  • DIFFICULT TO UNDERSTAND: “It’s difficult to understand what we need as leaders in this career field, to figure out how to make it easier to understand, and what type of further career programs to have.” 
  • SUPPLY AND DEMAND: Cybersecurity professionals must be highly technical, university-educated, and trade-certified individuals to accomplish the field’s level of depth and understanding.  
 

“We’ve got an uphill battle in front of us. But there are a lot of incredible possibilities, especially with today’s new, young, and dynamic workforce.”

 

HOW TO FIND CYBERSECURITY TALENT

  • HAVE A 10-YEAR PIPELINE: Although the average job lifespan of a global CSO is two to five years, Cloutier advises cybersecurity leaders to have a 10-year pipeline when it comes to finding talent. “In the U.S., it starts in junior high school, and funding organizations in STEM with a cyber flair that are focused on bringing people to the company and understanding the cybersecurity field.” 
  • IMPROVE UNIVERSITY ALIGNMENT: Cloutier stresses that university partnerships must be continually aligned with organizational needs. Universities need to have the right disciplines within their undergraduate and postgraduate programs. “We want people to want to come to our companies. Large MNCs should have partnerships with two to four universities. The selection is small enough to directly manage those relationships.” 
  • RECRUIT FROM THE MILITARY AND GOVERNMENT: He adds that many government agencies and militaries today have major cyber programs, cyber commands, and cyber defense organizations that train competent practitioners. “They may not have a traditional path to where they are, but they are great personnel that you can choose from. In Europe, organizations like Europol and Interpol have cyber specialists that come from law enforcement or the military. They have real-life experience and can support your team greatly.” 
 

CHANGING WORKFORCE DEMOGRAPHIC AND REQUIREMENTS  

  • HUMAN CAPITAL MANAGEMENT (HCM): Cloutier stresses the importance of having a designated HR specialist for finding and engaging cybersecurity talent. “The HCM has to become a cornerstone of our organization to ensure that not only are we hiring and retaining people, but implementing programs as part of the business of security to ensure our teams are cared for.” He also mentions that the average age of today’s workforce is getting younger. “How do I engage with that workforce? Who are they and how do they want to be engaged?”  
  • METHODS OF ENGAGEMENT: It’s as simple as sending out a survey to find out how the workforce wants to be engaged. Cloutier says that engagement in the past focused on one-on-ones and direct opportunities to listen to the leadership. He adds that the younger workforce wants weekly engagement on a more flexible basis. “You have to understand your workforce to find out what they are interested in. Engaging with your practitioners is something that all organizations should measure.” 
  • A JOB FAMILY THAT REFLECTS ORGANIZATIONAL NEEDS: “Does your job family reflect the requirements of your business? Face it, none of us have firewall engineer one-on-ones or old network security job positions anymore. We have cloud security engineers and risk and threat analysts. These are very different job descriptions. We have to make sure that our job family reflects that.”  Cloutier adds that today’s workforce wants to join organizations with forward-thinking and leading capabilities. For example, what is the path of an analyst who wants to become a CISO?  “It’s important to have programs in place to train, educate, and elevate them into the next generation of the job family.” 
  • TRUST IS ESSENTIAL: “As a leader, people are going to trust you when they understand what you’re doing. But that has to be transparent for both good news and bad.” Trust, transparency, and articulation are also important to get employees to believe in the company’s mission. “When I was at TikTok, I was there to allow freedom of speech and expression for people around the globe. We embed these concepts as a mission primer and continue to deliver our cyber risk and privacy services with a focus on that. If you can align what an individual is doing to that mission and articulate it to them, you’re going to have a happy employee that’s engaged in that mission and moving it forward.” 
 

“Cybersecurity professionals understand the concept of good and evil, and they want to use their technical skills to do good things and see the impact of their work.” 

 

LEADERSHIP MATTERS, ALWAYS

“There are many practitioners that have followed me from organization to organization over the past 20 years. When I asked why they stay, they say that they like working with my leadership and that I empower them to do their jobs well. Continuing to deliver that commitment to engage and be a positive leader is something that’s important to me.”

Cloutier also highlights these areas for leaders to prioritize: 

  • VISION, KNOWLEDGE, TRUST: “Those who work for us don’t always understand the decisions we make or why, so there’s pushback. But if you share that knowledge and vision of where you’re going, it creates trust and helps them become successful in the organization. Building trust is a major component of that.” 
  • LISTEN, ENGAGE, ACT, COMMUNICATE: Listening is the most important and the hardest. “We’re fighting incidents, we’re trying to gain budget to tackle hard problems. These things take up our time. But stopping and listening to the beat of the organization and what they’re saying is going to make our jobs that much easier.” 
  • WEEKLY TOUCHPOINTS: “With a new workforce, spend 30 minutes a week with the entire organization, a stand-up where they can dial in to ask questions. It really works. I know large global organizations record it and play it for teams that are in different time zones.”  
 

INDIVIDUAL SUCCESS = ORGANIZATIONAL SUCCESS  

“It’s hard to find people and keep them. But when word of mouth goes out that people can be successful in your organization and grow their careers, it’s fantastic,” Cloutier says.

Individual success can translate to organizational success through consistent work in these areas:  

  • EDUCATION: “We can’t send hundreds of people to events all over the globe, but we can buy a package of online-based training for our organizations where everybody gets an opportunity to learn. Consider education as a primary requirement in your budget process.” 
  • RECOGNITION: “People want to be appreciated by their peers for doing great work. Doing that on a frequent basis really helps drive team camaraderie.” 
  • FUTURE LEADERS AND RISING LEADERS: “I look at programs that focus on management — from individual contributors to management, and management to next-level executives. There should be special security-focused programs that are either six months or a year that provide training to make them next-generation effective leaders.” 
  • COMMAND STAFF EXCELLENCE: “The requirements of leadership have continued to change. Understand the changes in the industry, technology, and investment theories for security programs. Your command staff wants to work for a leader that looks out for them.” 
 

BUILDING BUSINESS TRUST  

For cybersecurity leaders in a high-functioning organization, a lack of understanding from business-minded colleagues can put pressure on their teams. Therefore, Cloutier says that building programs that drive business success is vital.  

 

“We have a responsibility to our people to help build trust with the remainder of the organization.”

 
  • PROGRAMS THAT HELP DRIVE SUCCESS: “Discuss the strategic pillars your CEO has set out with your team. What can your organization do to help accelerate that? How do you promote that internally to show that you’re driving the business forward?” 
  • PROMOTING ACROSS BUSINESS LINES: “Do you have an incredible technical leader who can do great things as a CIO or CRO? Consider doing these swaps where they can get promoted and be fully engaged in those departments.” 
  • ORGANIZATIONAL EFFICACY, METRICS, AND TRANSPARENCY: “Make sure you’re driving your organizational effectiveness, not just standard metrics.  How are you ensuring you’re meeting the requirements of the organization financially? How are you delivering that transparently to the rest of the executive team in your organization?” 
 

KEY ISSUES TO ADDRESS URGENTLY  

  • RETURN-TO-WORK AND WORK-FROM-HOME POLICIES: “Practitioners can work from wherever they want. You’re in competition with security, risk, and privacy practitioners that can work from home. Many major multinationals are now taking their analysts and IR teams and allowing them to totally work. It’s really up to you and your organization to have a plan that is fair.” 
  • CHANGE OR BE CHANGED OUT: “The same job isn’t going to be there in the next five to 15 years. Make sure everybody understands the expectations of the next-generation job, what positions they should be focusing on, and what are their requirements. You have to get people comfortable with change in their career field and force them into it. If they can’t do defense operations in cloud or work around data, it’s going to be problematic. We have to push people in these areas and plan for it.” 
  • STRESS: “Organizational stress has always been there. We need to make sure that we’re swapping people in and out, and that we’re giving time off and down days for training. When it comes to self-stress, make sure you’re physically and mentally fit. We all have ups and downs. This job is extremely taxing.  Be a leader who takes time off so that you can maintain that level of pressure and high output.” 
 

Top Internal Cybersecurity Threats: What CISOs Should Know

The biggest cybersecurity threats come from within the organization. 57% of businesses revealed that internal cybersecurity threats have become more frequent since 2020 (Cybersecurity Insiders). Therefore, it’s time for cybersecurity leaders to look inward and tackle the internal cybersecurity threats that pose as much risk to their organizations as external cyberattacks.

 

Internal Cybersecurity Threat #1: Human Error 

Human error was named the main cause of 24% of data breaches, according to IBM and Ponemon Institute’s recent Cost of a Data Breach report. Employees on the IT help desk and in HR and R&D represent data security risks because cybercriminals target them for their access to valuable company information.

Social Engineering 

Also known as human hacking, social engineering is often the entry point of a large-scale cyberattack. Social engineering allows cybercriminals to bypass firewalls, antivirus software, and cybersecurity measures. It takes nearly nine months for companies to identify and contain data breaches caused by social engineering (IBM). Phishing is by far the most common type of social engineering attack. 

Phishing

In Management Events’ report, Navigating the Future of Cybersecurity, 75% of European cybersecurity leaders named phishing as the most worrisome cybercrime. In addition, the IBM Security X-Force Threat Intelligence Index 2023 found that phishing was the leading infection vector, seen in 41% of incidents. Phishing attacks are also easier to execute with Phishing-as-a-Service (PhaaS) offerings such as phishing kits and open-source phishing frameworks (Zscaler).

Notable Phishing Attacks  

  • Facebook: Evaldas Rimasauskas and his team stole over $100 million from the tech giant by defrauding specific employees. Rimasauskas impersonated a computer manufacturer and sent employees invoices for genuine goods and services, directing them to wire money to fake bank accounts.  
  • Microsoft 365: Employees were tricked into installing malicious code on their devices. The targets received a pop-up notification saying that they had been logged out of Microsoft 365 and inviting them to re-enter their login credentials. Those credentials ended up in the hands of hackers.
  • Google Drive: Targets were tagged in a suspicious document with malicious links to a phishing site. They received a legitimate email notification from Google containing the comment’s text and a link to the relevant document. Acting on this urgency, targets unintentionally clicked on one of the malicious links and were asked to enter their login credentials.
 

Internal Cybersecurity Threat #2: A Growing Remote Workforce

A whopping 91% of IT personnel experienced pressure to jeopardize security to enable business continuity within remote work conditions (HP Wolf Security). Therefore, it’s unsurprising that work-from-home and remote work practices have led to increased internal cybersecurity threats. A study by Check Point recorded a 38% jump in cyberattacks in 2022 compared to 2021 due to the rise of remote and hybrid working conditions.  

Unsafe Data Storing and Sharing Practices  

Company data becomes more vulnerable with the rise of remote and hybrid work. It’s difficult to ensure that all employees follow sound data storage and protection practices. Terranova Security found that only 53% of employees understand their role in protecting company data, and 35% express low concern if company data were stolen. Sharing confidential company information with third parties could have dire consequences. All it takes is a moment of carelessness, such as accidentally posting something publicly or sending information to the wrong email address.

The Use of Unauthorized Devices 

According to Lookout’s State of Remote Work Security Report, 92% of remote workers use personal devices such as smartphones and tablets to do work. Additionally, personal devices connected to insecure Wi-Fi networks may leave them susceptible to malware and viruses. Portable devices like USB sticks also pose a cyber risk. Although convenient to use, portable devices are easy to steal and are goldmines for cybercriminals – especially if they contain valuable company data.  

 

Internal Cybersecurity Threat #3: Shadow IT 

Shadow IT is still a bane for CISOs as it offers unmanaged entry points for cybercriminals to breach. Gartner found that 41% of employees acquired, modified, or created technology outside of IT’s knowledge. In addition, 57% of small and midsize businesses reported shadow IT activity (Capterra). Remote workers are also more likely to use shadow IT, and enforcing security controls on them proves to be a challenge: 80% of IT staff dealt with objections from remote team members who did not agree to additional security measures (HP Wolf Security).

Dissatisfaction with Current Tools 

According to a Beezy report, 61% of employees were unsatisfied with the tech stack at their jobs. Existing tools were buggy and difficult to integrate with legacy systems. 85% of them also relied on shadow IT tools despite the risk of their activities being monitored. Popular shadow IT includes personal messaging platforms, video conferencing, cloud storage services, and collaboration dashboards.  

Shadow IT Made Easier with Digitalization  

Shadow IT is more widespread than ever before due to the ease of buying and launching software without consulting cybersecurity teams. The ubiquity of cloud services has also made shadow IT more prevalent.  

“In the past when you used to have to procure hardware and know how to get a network connection, there was a barrier to entry. Cloud has lowered that barrier,” says Joe Nocera, leader of the Cyber & Privacy Innovation Institute at PwC.

Furthermore, undocumented APIs are a relatively new form of shadow IT. A report by Cequence Security found that 68% of organizations had encountered shadow APIs.

 

Types of Internal Cybersecurity Threat Actors 

Internal cybersecurity threat actors include current employees, former employees, business partners, and suppliers who have access to an organization’s computer systems, data, and cloud platforms. Internal threat actors in cybersecurity either act unknowingly or have dishonest intent. 63% of internal data breaches are attributed to negligence, and cost companies an average of USD 11.45 million (Ponemon Institute). 

Common Insider Threat Indicators 

According to CrowdStrike, events that may indicate the presence of an insider threat actor include strange authorization requests for access to company documents, logins at odd hours, and unusual surges in traffic. Cybersecurity leaders should also keep a close eye on employees who display suspicious behavior such as conflicts with peers, absenteeism, unreliability, and underperformance at work. In addition, employees who display anger and resentment due to factors such as a lack of career progression could also pose an insider threat risk.  
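The three log-based indicators above (odd-hour logins, access requests outside a user's normal remit, traffic surges) can be turned into straightforward checks over access logs. The following is an added example, not code from CrowdStrike or from this article; the CSV log format, the user-to-department directory, the business-hours window and the surge threshold are all assumptions, and the log lines are constructed.

```python
"""Insider-threat indicator scan over constructed access-log lines.

Added example; the log format, directory and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not from a real system): timestamp,user,event,resource,bytes
SAMPLE_LOG = """\
2024-08-01T09:12:03,alice,login,vpn,0
2024-08-01T09:40:10,alice,access,/finance/q3-forecast.xlsx,120000
2024-08-01T02:17:44,bob,login,vpn,0
2024-08-01T02:19:02,bob,access,/hr/salaries.csv,9500000
2024-08-01T10:05:00,carol,login,vpn,0
2024-08-01T10:20:00,carol,access,/eng/design.pdf,200000
2024-08-01T11:00:00,alice,access,/finance/budget.xlsx,150000
2024-08-01T12:30:00,carol,access,/eng/spec.docx,180000
"""

# Assumed directory: the top-level share each user's role normally works in
USER_DEPARTMENT = {"alice": "finance", "bob": "eng", "carol": "eng"}

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59, an assumed local working window
SURGE_FACTOR = 5.0              # flag users moving > 5x the median per-user volume


def parse_log(text):
    """Parse the CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, resource, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "resource": resource, "bytes": int(nbytes)})
    return events


def off_hours_logins(events):
    """Logins outside business hours or on weekends: the 'logins at odd hours' indicator."""
    hits = []
    for e in events:
        if e["event"] != "login":
            continue
        if e["ts"].hour not in BUSINESS_HOURS or e["ts"].weekday() >= 5:
            hits.append((e["user"], e["ts"].isoformat()))
    return hits


def cross_department_access(events, directory):
    """Access to a share outside the user's own department: a proxy for the
    'strange authorization requests for company documents' indicator."""
    hits = []
    for e in events:
        if e["event"] != "access" or not e["resource"].startswith("/"):
            continue
        share = e["resource"].split("/")[1]
        if share != directory.get(e["user"]):
            hits.append((e["user"], e["resource"]))
    return hits


def traffic_surges(events, factor=SURGE_FACTOR):
    """Users whose total bytes exceed factor x the median per-user total: the
    'unusual surges in traffic' indicator. The median keeps one heavy user from
    dragging the baseline up and hiding themselves."""
    totals = defaultdict(int)
    for e in events:
        totals[e["user"]] += e["bytes"]
    baseline = median(totals.values())
    return [(u, t) for u, t in sorted(totals.items()) if t > factor * baseline]


def scan(text, directory=USER_DEPARTMENT):
    """Run all three indicator checks and return findings keyed by indicator."""
    events = parse_log(text)
    return {
        "off_hours_logins": off_hours_logins(events),
        "cross_department_access": cross_department_access(events, directory),
        "traffic_surges": traffic_surges(events),
    }


if __name__ == "__main__":
    for indicator, hits in scan(SAMPLE_LOG).items():
        print(f"{indicator}: {hits}")
```

A single hit on one indicator is weak evidence on its own; the same user tripping all three in one session, as "bob" does in the constructed log, is what an analyst would actually escalate.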

 

How to Mitigate Internal Cybersecurity Threats

Review Cyber Awareness Training  

  • Adapt training to fit the company culture and risk profile 
  • Organize function-specific training so that employees are aware of how their responsibilities relate to company data  
  • Cover topics such as data management, incident reporting process, personal device policies, passwords, and physical security 
  • Conduct phishing simulations  

Practice Good Cyber Hygiene

  • Identify security gaps such as outdated software and database performance issues 
  • Review access control and data protection policies among remote workers 
  • Tighten access control among current and former employees, business partners, and vendors   
  • Prepare a comprehensive cyber hygiene plan that covers daily, monthly, quarterly, and yearly upkeep and maintenance activities 

Improve Employee Cybersecurity Awareness  

All employees should:  

  • Use strong passwords and change them regularly  
  • Recognize signs of phishing scams 
  • Report colleagues who demonstrate suspicious behavior  
  • Not share login credentials with anyone, even colleagues  
  • Be wary of what they share about themselves and their workplace online 

Fortify Organizational Cyber Resilience  

  • Perform a thorough cyber resilience assessment that includes risk factors, access points, and industry-specific cyberattacks 
  • Back-up mission-critical data 
  • Encrypt data and enforce MFA and SSO for logins
  • Devise a mobile device cybersecurity strategy 
  • Leverage AI and machine learning to improve cybersecurity systems  
  • Work with IT personnel to perform organization-wide shadow IT audits  
  • Set up a crisis management team and incident response plan 
 

Cybersecurity leaders must implement consistent, ongoing, and up-to-date practices to instill a security-first mindset among employees to stay ahead of the latest cybercrimes and keep confidential data out of the hands of malicious actors.  

How to Use AI in Cybersecurity for Business

With rapid advancements in technology, security leaders are actively exploring how to use artificial intelligence (AI) in cybersecurity as traditional measures alone may no longer be sufficient in defending against sophisticated threats. AI has emerged as a potentially powerful tool in bolstering cybersecurity efforts, offering enhanced threat detection, prediction, and response capabilities among other uses.

A survey by The Economist Intelligence Unit revealed that 48.9% of global executives and leading security experts believe that AI and machine learning (ML) are best equipped for countering modern cyberthreats. Additionally, IBM found that AI and automation in security practices can shorten threat detection and response times by up to 14 weeks and reduce the costs associated with data breaches. Global interest in AI’s potential for countering cyberthreats is evident in the growing investment in it: the global AI in cybersecurity market is projected to reach USD 96.81 billion by 2032.

Despite the promise of AI, Baker McKenzie found in a survey that C-level leaders tend to overestimate their organization’s preparedness in relation to AI in cybersecurity. This serves to underscore the importance of realistic assessments on AI-related cybersecurity strategies.

 

Security Applications of AI

Many tools in the market leverage subsets of AI such as machine learning, deep learning, and natural language processing (NLP) to enhance the security ecosystem. CISOs are challenged with finding the best ways to incorporate artificial intelligence into their cybersecurity strategies.

 

1. Enhanced Threat Detection and Response

One of the main examples of AI in cybersecurity is its use for malware detection and phishing prevention, where AI-powered tools have been shown to be significantly more effective than traditional signature-based systems.

Where traditional systems can prevent about 30% to 60% of malware, AI-assisted systems have reported detection rates of 80% to 92%.

Researchers at Plymouth University detected malware with an accuracy of 74% on all file formats using neural networks. The accuracy was between 91% to 94% for .doc and .pdf files specifically. As for phishing, researchers at the University of North Dakota proposed a detection technique utilizing machine learning, which achieved an accuracy of 94%.

Given that phishing and malware remain the biggest cybersecurity threats for organizations, this is good news. These advancements enable organizations to identify potential threats more accurately and respond proactively to mitigate risks that could cause massive financial and reputational damage.

 

2. Knowledge Consolidation

A pressing issue for CISOs is that the sheer volume of security protocols and software vulnerabilities poses a challenge for their security teams. An advantage of AI in cybersecurity is that ML-enabled security systems can consolidate vast amounts of historical data and knowledge to detect and respond to security breaches. Platforms like IBM Watson leverage ML models trained on millions of data points to enhance threat detection and minimize the risk of human error.

AI’s ability to improve its knowledge of cybersecurity threats and risks by consuming billions of data points, and to recognize patterns and anomalies faster than humans, enables it to learn from past experiences and come up with increasingly efficient ways to combat cyberattacks. This allows AI-powered security systems to keep pace with the evolving threat landscape more efficiently.

IBM notes that AI is also able to analyze relationships between threats in mere seconds or minutes, thus reducing the amount of time it takes to find threats. This is essential to reducing the detection and response times of cybersecurity breaches, which can significantly reduce costs to organizations as well.

According to IBM, the global average total cost of a data breach was USD 4.35 million in 2022, and organizations took an average of 277 days to identify and contain a breach. Organizations that brought that number down to 200 days or less, which is where AI-assisted detection and response can help, saved an average of USD 1.12 million.

 

3. Enhanced Threat Analysis and Prioritization

Tech giants like Google, IBM, and Microsoft are investing heavily in AI systems to identify, analyze, and prioritize threats. Microsoft’s Cyber Signals program, for example, leverages AI to analyze 24 trillion security signals and track 40 nation-state groups and 140 hacker groups in order to detect software vulnerabilities and malicious activity.

Given the vast amounts of data that must be analyzed, it’s not surprising that 51% of IT security and SOC decision-makers said they were overwhelmed by the volume of alerts (Trend Micro) while 55% cited their lack of confidence in prioritizing and responding to them. Moreover, 27% of surveyed respondents spent up to 27% of their time managing false positives.

Worryingly, Critical Start found that nearly half of SOC professionals turn off high-volume alerts when there are too many to process.

One answer to the question of how to use AI in cybersecurity is by applying it to analyze vast amounts of security signals and data points to detect and prioritize threats quickly and effectively. With the assistance of AI, security teams are better able to promptly respond to threats under the increasing frequency of cyberattacks.
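The prioritization described above does not have to start with a model; most of the value comes from collapsing repeats and scoring what remains, which is also the alternative to switching off high-volume rules as the Critical Start finding describes. The following is an added example, not code from Trend Micro, Critical Start, Microsoft or the original article. The alert stream, the severity and asset-tier weights, and the correlation bonus are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Assumed scoring tiers; a real deployment would take these from the CMDB and the detection rules.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}
ASSET_WEIGHT = {"workstation": 1, "server": 3, "domain_controller": 5}

# Constructed alert stream (not from a real SIEM): (rule, host, asset_tier, severity, user)
SAMPLE_ALERTS = [
    ("failed_login_burst", "ws-042", "workstation", "low", "alice"),
    ("failed_login_burst", "ws-042", "workstation", "low", "alice"),
    ("failed_login_burst", "ws-042", "workstation", "low", "alice"),
    ("failed_login_burst", "ws-042", "workstation", "low", "alice"),
    ("new_admin_account", "dc-01", "domain_controller", "high", "svc_backup"),
    ("lsass_memory_read", "dc-01", "domain_controller", "critical", "svc_backup"),
    ("usb_mass_storage", "ws-017", "workstation", "medium", "bob"),
    ("usb_mass_storage", "ws-017", "workstation", "medium", "bob"),
    ("outbound_dns_volume", "srv-db-03", "server", "medium", "-"),
]


def collapse(alerts):
    """Group identical (rule, host, user) alerts into one record carrying a repeat count."""
    groups = defaultdict(lambda: {"count": 0})
    for rule, host, tier, sev, user in alerts:
        g = groups[(rule, host, user)]
        g.update(rule=rule, host=host, tier=tier, severity=sev, user=user)
        g["count"] += 1
    return list(groups.values())


def score(alert):
    """Severity times asset criticality; repeats add at most +5 so floods never outrank one critical hit."""
    base = SEVERITY_WEIGHT[alert["severity"]] * ASSET_WEIGHT[alert["tier"]]
    return base + min(alert["count"] - 1, 5)


def host_correlation_bonus(alerts):
    """+5 per additional distinct rule firing on the same host: a sign of multi-stage activity."""
    rules_per_host = defaultdict(set)
    for a in alerts:
        rules_per_host[a["host"]].add(a["rule"])
    return {h: (len(r) - 1) * 5 for h, r in rules_per_host.items()}


def triage(alerts):
    """Return collapsed alerts sorted by descending score, ready for an analyst queue."""
    collapsed = collapse(alerts)
    bonus = host_correlation_bonus(collapsed)
    for a in collapsed:
        a["score"] = score(a) + bonus[a["host"]]
    return sorted(collapsed, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f'{a["score"]:>3}  {a["rule"]:<20} {a["host"]:<10} x{a["count"]}')
```

On the constructed stream the nine raw alerts collapse to five, and the two domain-controller alerts rise to the top because of both asset weight and the same-host correlation, while the four identical failed-login alerts become a single low-scoring line instead of four separate ones to dismiss.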

 

4. Threat Mitigation

The complexity of analyzing every component of an organization’s IT inventory is well-understood. With the help of AI tools, the complexity can be managed. AI can identify points within a network that may be more susceptible to breaches and even predict the type of attacks that may occur.

In fact, some researchers have proposed cognitive learning-based AI models that monitor access points to verify that logins are authorized. Such a model can detect remote intrusions early, alert the relevant users, and add security layers to prevent a breach.

Of course, this would also require training AI/ML algorithms to recognize attacks carried out by other such algorithms as cybersecurity and risks evolve in lockstep. For example, hackers have been found to use ML to analyze enterprise networks for weak points. This information is used to target possible entry points for phishing, spyware, and DDoS attacks.

 

5. Task Automation

When talking of AI applications in cybersecurity, task automation is one of the most widely adopted. Especially for repetitive tasks, such as analyzing a high-volume of low-risk alerts and taking immediate measures, AI tools can come in handy to free up human analysts for higher-value tasks. This is especially valuable to companies that are still short on qualified cybersecurity talent.

Beyond that, intelligent automation is also useful for gathering research on security incidents, assessing data from multiple systems, and consolidating it into a report for analysts. Shifting this routine task to an AI helper will save plenty of time.

 

How Threat Actors Are Using AI

While AI is proving to be a valuable tool in the cybersecurity arsenal, it is also becoming a mainstay for threat actors who are leveraging it for their malicious activities. AI’s high processing capabilities enable them to hack systems faster and more effectively than humans.

In fact, generative AI models such as ChatGPT and DALL-E have made it easier for cybercriminals to produce attack material and launch sophisticated cyberattacks at scale. Threat actors can use NLP models to generate human-like text and speech for social engineering attacks such as phishing. The use of NLP and ML enhances the effectiveness of these phishing attempts, creating more convincing emails and messages that trick people into revealing sensitive information.

AI enables cybercriminals to automate attacks, target a broader range of victims, and create more convincing and sophisticated threats. For now, there is no reliable way to distinguish between AI- and human-generated social engineering attacks.

Apart from social engineering attacks, AI-powered cyberthreats come in various forms including:

  • Advanced persistent threats (APTs) that use AI to evade detection and target specific organizations;
  • Deepfake attacks which leverage AI-generated synthetic media to impersonate real people and carry out fraud; and
  • AI-powered malware which adapts its behavior to avoid detection and adjust to changing environments.

The rapid development of AI technology allows hackers to launch sophisticated and targeted attacks that exploit vulnerabilities in systems and networks. Defending against AI-powered threats requires a comprehensive and proactive approach that combines AI-based defense mechanisms with human expertise and control.

 

AI and Cybersecurity: The Way Forward

The integration of AI into cybersecurity is transforming the way organizations detect, prevent, and respond to cyber threats. By harnessing the power of AI, organizations can bolster their cybersecurity defenses, reduce human error, and mitigate risks.

Having said that, the immense potential of AI also increases the risk of cyber threats which demand vigilant defense mechanisms. After all, humans remain a significant contributing factor to cybersecurity breaches, accounting for over 80% of incidents. This emphasizes the need to also address the human element through effective training and awareness programs.

Ultimately, a holistic approach that combines human expertise with AI technologies is vital in building a resilient defense against the ever-evolving landscape of cyber threats.

 

FAQ: AI in Cybersecurity

How is AI used in cybersecurity?

In cybersecurity, AI reduces the need for human experts to do tedious, time-consuming tasks. AI can read an immense amount of data and identify potential threats while reducing false positives by filtering out non-threatening activity. This lets human security experts focus on the tasks that need judgment.

How will AI improve cybersecurity?

AI technologies can spot potential weak spots in a network, flag breach risks before they occur, and even automatically trigger measures to prevent and mitigate cyberattacks from ransomware to phishing and malware.

What are the risks of AI in cybersecurity?

AI-enabled cybersecurity tools are reliant on the data sets they are trained on. This means bias may unintentionally skew the model, resulting in mistaken analysis and inefficient decisions that could lead to terrible consequences.

What are pros and cons of AI in cybersecurity?

Some benefits of AI-based security tools include quicker response times, better threat detection, and increased efficiency. On the other hand, there are ethical concerns to AI such as privacy, algorithmic bias, and talent displacement.

Emerging Cybersecurity Trends for 2024

Organizations face an unprecedented array of cyber threats that constantly evolve in complexity and sophistication. It is imperative for security and IT leaders to stay ahead of the curve by exploring emerging cybersecurity trends that will help safeguard their organization’s valuable assets and maintain a robust security posture.

From the convergence of networking and security to threat intelligence and the Cybercrime Atlas, we explore the transformative trends shaping the future of cybersecurity.

 

1. Convergence of Network and Security

 

Before the rise of hybrid clouds and networks – an estimated 76% of organizations use more than one cloud provider – businesses would build their security layer on top of their networks. However, the architectural complexity of this approach led to poor user experience, increased cybersecurity risk, and presented many challenges in maintenance and troubleshooting.

As the threat landscape evolves alongside technological advancements, organizations need a modern approach to security and networking which offers end-to-end visibility to allow quicker identification and reaction to potential threats.

One way to do this is by converging networking and security. The three main aspects of this are:

  1. Adopting a distributed firewall: Also dubbed a hybrid mesh firewall by Gartner, this secures the entire network infrastructure, across locations, devices, content, and applications, by enforcing a network-wide security policy such as Zero Trust.
  2. Consolidating vendors: Instead of selecting vendors purely on a “best of breed” basis, companies should consolidate technology vendors to a few that work together in the ecosystem. Solutions that are designed to work together lead to a well-integrated security network and allow security teams to optimize their strategies.
  3. Implementing an OT-aware strategy: Organizations must create a layer of defense around the OT components connected to their network using capabilities like Network Access Control, data segmentation, and micro-segmentation to strengthen the security of OT devices on the network, moving toward a zero trust model.

Evolving approaches and perspectives to network and security are imperative to meet changing organizational demands, the fluctuating threat landscape, and emerging technological advancements.

 

2. Threat Intelligence

 

Also known as cyberthreat intelligence or CTI, threat intelligence is data about cybersecurity threats that is collected, processed, and analyzed to understand potential targets, attack behaviors, and motives. Threat intelligence enables security teams to be more proactive and data-driven in their prevention of cyberattacks. It also helps with more efficient detection of and response to attacks that do occur. All this results in reduced cybersecurity risk, fewer data breaches, and lower costs.

IBM notes that cyber intel reveals trends, patterns, and relationships that will give an in-depth understanding of actual or potential threats that are organization-specific, detailed, contextual, and actionable. Threat intelligence is becoming an indispensable tool in the modern cybersecurity arsenal.

According to Gartner, the six steps to the threat intelligence lifecycle are:

  1. Planning: Analysts and stakeholders within the organization come together to set intelligence requirements that typically include questions stakeholders need answers to such as whether new strains of ransomware are likely to affect their organization.
  2. Threat data collection: Based on the requirements defined in the planning stages, security teams collect any raw threat data they can. For example, research on new malware strains, the actors behind those attacks, and the types of organizations that were hit, as well as attack vectors. The information comes from threat intelligence feeds, information-sharing communities, and internal security logs.
  3. Processing: The team then processes the data on hand in preparation for analysis. This includes filtering out false positives or applying a threat intelligence framework. There are threat intelligence tools that can automate this stage of the lifecycle which utilize AI and machine learning to detect trends and patterns.
  4. Analysis: The raw data is analyzed by experts who will test and verify the identified trends, patterns, and insights to answer the questions raised and make actionable recommendations tailored to the organization security requirements.
  5. Dissemination: The insights gained are shared with the relevant stakeholders, which can lead to action being taken based on those recommendations.
  6. Feedback: Both stakeholders and analysts look back on the latest threat intelligence lifecycle to identify any gaps or new questions that may arise to shape the next round of the process.
 

3. Employee Trust

 

Though zero trust is growing as a cybersecurity principle – and it has proven to be effective in protecting organizational assets – the overapplication of this approach on employees could lead to negative effects at the workplace.

Cerby’s State of Employee Trust report found that 60% of employees reported that when an application is blocked, it negatively affects how they feel about the organization. The erosion of employee trust and reduced job satisfaction is a result of overreliance on controls that block, ban, and deny employees from using specific applications. In fact, 39% of employees are willing to take a 20% pay cut if they could have freedom to choose their own work applications.

Though the zero trust approach lowers the cost of data breaches by 43% (IBM), the same approach cannot be applied to employees. The Cerby study found that higher employee trust led to higher levels of workplace happiness, productivity, and contribution.

Experts recommend that organizations adopt an enrolment-based approach to security that balances cybersecurity and compliance requirements with trust-forward initiatives. This will help organizations build digital trust with their employees by giving them more control over their tools while maintaining security and reliability.

Other trust-based initiatives that can build employee trust include:

  • Ongoing training and support to keep employees updated on the latest tools and technologies.
  • Incorporating employee feedback into the decision-making processes.
  • Constantly communicating with employees on their workflows and security needs.
 

4. Cybercrime Atlas

 

The Cybercrime Atlas is an initiative announced by the World Economic Forum (WEF) in June 2022 to build a database that maps cybercriminal activity. Law enforcement bodies across the globe can then use this database to disrupt the cybercrime ecosystem. The first iteration of the Cybercrime Atlas was officially launched in 2023. The concept came from WEF’s Partnership against Cybercrime group, which is made up of over 40 public and private organizations. The Cybercrime Atlas itself is built by WEF in collaboration with Banco Santander, Fortinet, Microsoft, and PayPal.

Though the Cybercrime Atlas won’t be available for commercial use, its use by law enforcement agencies will create ripples in the cybersecurity landscape. Analysts from around the world were gathered to come up with a taxonomy for the Atlas. From there, 13 major known threat actors became the initial focus. Analysts used open-source intelligence to collect information about these threat actors, from their personal details to the types of malicious services they used. The information collected was investigated and verified by humans. The data will eventually be shared with global law enforcement bodies such as Interpol and the FBI for action.

The goal of the Cybercrime Atlas is to create an all-encompassing view of the cybercrime landscape including criminal operations, shared infrastructure, and networks. The predicted result of this is that the security industry will be better able to disrupt cybercrime. By February 2023, the project moved from its prototype phase to a minimum viable product. Essentially, there are now dedicated project managers and contributors working to build the database and work out the relevant processes.

It was also noted that the information being used to build the database is open-source, meaning there is no issue with country-specific regulations on data. Once the open-source repository is created, there will not be security or proprietary constraints in sharing the data with local law enforcement agencies.

Though commercial organizations will not be directly using the Cybercrime Atlas, they will still indirectly benefit from it. As the project develops and matures, law enforcement agencies will be better equipped to investigate cybercrimes and catch threat actors.

Shell’s CIO and CISO Allan Cockriel: How to Win the Tech Talent War 

IT leaders from start-ups to multinational corporations continue to struggle with a lack of tech talent. In this exclusive interview, Allan Cockriel, CIO – Global Functions & CISO at Shell; shares expert insights on the elements of good global talent management, strategies to attract and retain tech talent, steps on how to scale culture in a global organization, and more.  

*This article is a recap of the session, CIOs Winning the Global War of Talent with Leadership Competencies. 

 
Allan Cockriel has been the Vice President & CIO – Global Functions and Chief Information Security Officer at Shell since July 2020. He is also part of the IDT Executive Leadership Team and leads the IDT organization to ensure maximum business value delivery through complex digital transformation across all corporate functions; and oversees the continuous improvement of the Information Risk and Cyber Security posture for Shell.
 

What is your definition of good global talent management?

“I’m a big believer that organizations with the best teams will win great talent.” 

Doing great work and delivering for customers is the way companies are going to succeed now and in the future. Shell, like every other company, is out there competing for the best and the brightest globally to join and stay to grow their careers. From an employee value proposition perspective, it’s a very compelling mission. Does the company have a mission that you want to be part of?  In the case of Shell, it’s powering progress.  

We’re committed to net zero emissions by 2050 or sooner. We also want to have great work. Does it excite you? Does it get you out of bed? Are you passionate about the work you do each day? From a CIO and technology perspective, are we giving our teams and our stakeholders the right tools and technologies to be successful? Do we have an allergy to bureaucracy and waste?  

We constantly figure out ways to simplify and find ways to create better work environments for the organization. Next is an environment where you can bring your whole self to work. So, DEI (diversity, equity, and inclusion) needs to be part of the fabric of the organization. Anyone can show up at Shell and have great career value for who they are. Their diverse opinions can help us to create the best possible product. We also have a culture of trust, transparency, and focus on value.  

 

What sets Shell apart from other enterprises?

Shell is a technology company, so we have some of the best tools, technologies, and capabilities in the oil and gas industry.  

“When you come to Shell, you have access to phenomenal talent and capabilities, and a genuine passion to digitalize.” 

Next is care for people. This organization has a tremendous focus on work-life balance and helping people have great work and personal lives. We’re doing great things.  

The world also needs clean energy. I personally find a lot of passion in being a digital leader who is driving forward the clean energy agenda. When we’re speaking to students all the way up to executives, being part of that journey has been incredibly attractive for a lot of technology leaders who want to join the company. 

I think we have a more compelling story compared to other large corporations in the oil and gas and energy industries. A lot of people don’t know that we are going to have half a million EV charge points in the near future. We have a very large battery business in Germany. We’ve installed some of the first and largest hydrogen electrolyzers globally.  

 

Can you explain the importance of purpose for employees?

There are two dynamics at play there. Firstly, when we went through the COVID experience, people wanted to do work that mattered. There was the Great Resignation and the Great Turnover, among others. I think people realized through the pandemic, that they want to do things that matter. That’s the focus on vision and mission. Next, if you look at the generations that are coming up through the leadership ranks, the Gen Zs and the millennials, they inherently want to do things that matter as well. They want to be part of something good, something big. Those two are the trends that I see driving change, or more appropriately, a focus on mission, and the quality of the work that they get to do.  

 

Tell us more about the remote worker management at Shell.

Shell operates in over 180 different countries – that’s everything from the forecourts where you go to fill up your tank or charger all the way through to assets that are producing hydrocarbons and electricity around the world to our major hubs in North America, Europe, and Asia. From that perspective, the reach of the organization is larger than most organizations in the world. From a talent perspective, we want to be able to reach out to that network and identify great talent as a business. But as a technology function we want to find that talent, either business proximate so they’re out near our assets, or they join one of our hubs in North America, Europe, or Southeast Asia. 

 

What is the bigger challenge: attracting or retaining talent?

If I have to pick one, it’s attracting talent. Some people look at Shell as an oil and gas company and they don’t understand the amount of technology and innovation that we have as an organization and the amount of focus that we put on digitalization. When people hear our story, they see the technology that they’re exposed to, and they want to join. From a retention perspective, we have folks in the organization that want to be part of this journey. 

 

What is the biggest struggle in retaining good IT talent?

“In the technology space, particularly in cybersecurity, great talent knows their value, and they want to be part of something big.” 

It’s very difficult to find great talent. At Shell, we’re committed to investing in the net zero emissions future. We’re out there in the markets every single day trying to find great Shell leaders to drive our programs and our transformations. It’s tough because there are a lot of options for tech talent out there. The way you work, where you work, and the culture of the organization have a lot more value than ever before. We’re out there competing to get the best and the brightest for the company. 

 

How do you manage different employee needs and preferences in terms of work-life balance?

I think COVID taught every industry a big lesson on flexible, remote, and hybrid working. I think the hybrid working concept is going to stay with us, which I’m a big supporter of. From an approach perspective, Shell adopted a hybrid work policy. We asked our employees, “Where are you most effective in line with what your business needs?”  

Given the breadth of Shell, we have some organizations where you have to be in the office five days per week, it’s just part of the expectation, it’s part of the ways of working, and that pivots all the way to individuals who go to work one to two days in the office. But again, we value that sense of place and that area for collaboration, while affording a tremendous amount of flexibility for people to work where they are most effective, and recognizing that people have complex lives. Hybrid working unlocks a lot of that capability for people to live great lives. 

 
 

How do you define good leadership in this era?

The game has changed. As I mentioned earlier, people want to work for a great company, and they want to do work that matters. They want an environment where DEI is part of the fabric of the organization so they can be present and have their voices heard. I think it’s incredibly powerful. As an organizational culture, we want to foster and support innovation.  

“We want to make sure that people can take chances and fail forward as technology leaders throughout their careers.” 

From a development perspective, we want to invest in our capabilities, both the red threads of how we do business as Shell and how we work as Shell. From a technology perspective, you have very clear and well-supported paths as a leader, whether it’s in technology, operations, or HR. People can see themselves long-term with Shell with tremendous value to add to our customers. 

 

Can you elaborate on the fail forward concept?

If things go well for a project, you take it, scale it, and monetize it. But in certain cases, things aren’t going to work out. Through that process, as long as you approach that from a learning mindset, where you’re learning from the experience, you’re finding a different way, and maybe that specific pilot or action didn’t work out, the learning through that process is incredibly valuable. When I say fail forward, you’re stopping whatever tactical exercise you’re working on but the learning and the value through that experience is what I want to make sure you take into your next experiment, program, or initiative. 

 

How do you keep your team involved in innovation projects?

If I do a scan of our competition, I don’t think we’re competing against other oil and gas companies.  

“I see us competing against tech companies, start-ups, and the small agile organizations that can innovate.” 

That’s where I see our main threats. From a culture perspective, we invest in smart risk-taking. This is everything from rewards and recognitions for people who are taking risks where you can fail forward without worrying about reprisal. We’ve pivoted that where we celebrate on a regular basis where people took bets. In certain cases, it worked. In certain cases, it didn’t work, and we celebrate both equally.  

Finally, it’s continuous investments in innovation. I have a pot of money that I’ll take and invest in ideas where people come up with a great way to use ChatGPT, for example. They go out and experiment, they find something that they can potentially pilot and scale. If it works, that’s fantastic. That innovation fund puts our money where our mouth is in terms of valuing innovation and risk-taking. 

Things could go wrong – people operate within the bounds of compliance and integrity. Our security controls are non-negotiable. But taking a new technology and finding a different way to monetize it will be something I’ll invest in every single day of the week. 

 

Cultivating culture becomes difficult when an organization goes global. How do you ensure that the culture can scale?

From a technology perspective, we have a few global hubs around the world. I believe that the office, or more appropriately, a space for collaboration, has tremendous value for big global organizations. When you join Shell, there’s a lot of training, there’s support, and there are groups that help you to assimilate into the organization. We do value people who come into the office on a regular basis and find ways to collaborate with their teams and pick up the Shell culture. 

There’s also an investment in training, or immersion workshops, where there’s dedicated training to help the employees know what good delivery looks like, the way we act as leaders, and how the organization values their contribution. It’s incredibly important because that training allows us to scale the organization quickly with the right level of horizontal consistency from a culture and working perspective. We invest heavily in the office environment as well as in these training capabilities. 

 

What has changed about the skills or competencies of a good leader?

I think one is being an empathetic leader. Listening, being human, and creating an environment where people can feel safe.  

Also, successful technology leaders in the last 10 to 15 years have been financially savvy business partners who recognize and monetize great technologies. Last but not least is continuous learning. The average shelf life of a technology leader is a few years.  

“Individuals who are curious and eager to learn will find themselves very successful throughout their careers.” 

 

How can leaders balance compliance risk controls and the drive for innovation?

It’s similar to asking whether a car needs a bigger engine or a better set of brakes. I think they are symbiotic. You need both. I think the answer to the question is having a risk-based conversation.  If you’re a risk or an IT professional, you need to have an open dialogue with your business partners on the compromises you want to balance with operational effectiveness and efficiency with security. When that conversation is balanced with a sense of trust, you find yourself in a place where you can keep your data and customers’ data safe while innovating at pace. I think it’s achievable, but it starts with that dialogue. 

 

What can CIOs and CISOs do differently tomorrow?

Stay humble and stay hungry. I live by those values every day to help me to stay focused and move at the right pace. Next is empathy. Show that you care, be a person, and create a great environment for your teams. I believe that it all starts with empathy and trust. 

 

*The interview has been edited for length and clarity.  

CISO of ICA Gruppen: Limiting the Human Factor in Cybersecurity

Automation is no longer optional in cybersecurity. In fact, it is the fastest and most effective way to deter cyber attacks while also offloading mundane tasks that are traditionally managed by humans. However, improperly implemented automation can lead to significant errors and damage to reputation and financial performance.  

What does that mean for the human factor in cybersecurity? Albin Zuccato, CISO of ICA Gruppen, walks us through the different levels of automation and how it can serve to reduce the human factor.

 

What Can Businesses Do With Automation?

 

Automation is the automatically controlled operation of an apparatus, process, or system by mechanical or electronic devices that take the place of human labor. Security comes into play for two reasons. First, automation concerns processes, and it is those processes that determine whether an organization’s network is secure. 

Second, automation is widely adopted as a way to replace human labor, which is directly responsible for a lot of errors in security – i.e. the human factor. 

“I do not see an option in security not to use automation.” 

Albin notes that there are three goals for automation in security. These are: 

  • Speed: Automation increases reaction speed, which is crucial for stopping attacks and containing malware before it spreads. 
  • Efficiency: Automation allows for better utilization of resources and replaces human labor, which tends to be less efficient at repetitive work. 
  • Noise reduction: This is the goal most directly aimed at the human factor. People are creative and very good at solving new problems, but when it comes to solving the same problem over and over, automation is more efficient and more consistent in its solutions. This allows organizations to recalibrate and stabilize their processes.  

Having said that, humans are still superior in certain aspects of security. So a balance must be struck. Albin explains that it helps for businesses to think about where they need automation the most by examining their internal security processes.  

 

Three Levels of Security Processes  

 

Artistic 

This is where penetration testers look for new vulnerabilities in a network, and where responders handle critical security incidents, which are never the same twice. This requires artistry, which is something humans excel in.  

The benefit of automation at this level is noise reduction: a playbook or manual for security incidents ensures that the steps carried out are consistent from one incident to the next. Automation here is a tool to reduce the human factor and a support that gives humans the flexibility they need to handle situations requiring artistry.  

Craftsmanship 

These are processes that have some variability and require skilled workers. There may be patterns and repetitive steps, with some level of variation that benefits from the eyes of a human who has the larger context of the business network and its security goals. 

Here, automation can take over the more repetitive steps to reduce the human factor, freeing human teams to focus only on the variations when necessary.  

Industrial 

This is the most common level of security process, and the one where automation is most effective. At this level, processes have very little variability and are mostly repetitive. Humans generally do not excel here, which is why automation can have its biggest impact on noise reduction. With machine learning and AI, industrial processes can be streamlined and made highly efficient with little human intervention. 
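The three levels above map naturally onto a tiered alert-triage router. The following Python script is an added example, not ICA Gruppen’s code or tooling: it uses hypothetical rule names, asset names, playbook actions and a handful of constructed alerts. Industrial alerts are handled end to end by a playbook, craftsmanship alerts are enriched and only their variations are handed to a person, and novel or high-impact alerts open an incident for a human lead with a checklist that keeps the artistic work consistent.

```python
"""Tiered security-alert triage (added example; hypothetical rules, hosts and actions)."""
from collections import Counter
from dataclasses import dataclass

# Tiers follow the three levels of security processes: industrial, craftsmanship, artistic.
INDUSTRIAL, CRAFTSMANSHIP, ARTISTIC = "industrial", "craftsmanship", "artistic"

# Hypothetical playbook registry. Rules in FULLY_AUTOMATED_RULES have no variability, so
# automation runs the whole playbook; ASSISTED_RULES have a known pattern with variations;
# anything else, or anything touching a tier-0 asset, is treated as artistic.
FULLY_AUTOMATED_RULES = {"AV.signature.match": "quarantine_host_and_close_ticket"}
ASSISTED_RULES = {"auth.failed_login_burst"}
CROWN_JEWELS = {"dc-01", "pki-01"}          # hypothetical tier-0 asset names
SERVICE_ACCOUNT_PREFIX = "svc-"
ARTISTIC_CHECKLIST = ("isolate", "preserve evidence", "notify incident lead", "document decisions")

# Constructed sample alerts, as a SIEM might emit them (not real data).
SAMPLE_ALERTS = [
    {"id": 1, "rule": "AV.signature.match", "host": "ws-0412", "hash": "abc123", "user": "jdoe"},
    {"id": 2, "rule": "AV.signature.match", "host": "ws-0418", "hash": "abc123", "user": "asmith"},
    {"id": 3, "rule": "auth.failed_login_burst", "host": "vpn-gw", "user": "svc-backup", "count": 40},
    {"id": 4, "rule": "auth.failed_login_burst", "host": "vpn-gw", "user": "ceo", "count": 12},
    {"id": 5, "rule": "edr.unknown_binary_exec", "host": "dc-01", "path": "C:/Windows/Temp/x.exe"},
]


@dataclass
class Decision:
    alert_id: int
    tier: str
    action: str          # what automation did, or proposes a human should do
    needs_human: bool
    notes: str = ""


def classify(alert: dict) -> Decision:
    """Route one alert to the tier whose handling process fits its variability."""
    rule, host = alert["rule"], alert["host"]
    # Artistic: novel rule or tier-0 asset. A human leads; the checklist keeps them consistent.
    if host in CROWN_JEWELS or (rule not in FULLY_AUTOMATED_RULES and rule not in ASSISTED_RULES):
        return Decision(alert["id"], ARTISTIC, "open_incident:" + ",".join(ARTISTIC_CHECKLIST),
                        True, "novel rule or tier-0 asset")
    # Industrial: zero variability, so the playbook runs without a person in the loop.
    if rule in FULLY_AUTOMATED_RULES:
        return Decision(alert["id"], INDUSTRIAL, FULLY_AUTOMATED_RULES[rule], False)
    # Craftsmanship: automation handles the common pattern (a service account whose stored
    # password drifted) and escalates only the variation, with enrichment attached.
    user = alert.get("user", "")
    count = alert.get("count", 0)
    if user.startswith(SERVICE_ACCOUNT_PREFIX) and count < 50:
        return Decision(alert["id"], CRAFTSMANSHIP, "reset_service_credential_and_notify_owner",
                        False, "known pattern: service account password drift")
    return Decision(alert["id"], CRAFTSMANSHIP, "enrich_and_escalate", True,
                    f"variation: interactive user {user!r} with {count} failures")


def triage(alerts: list) -> list:
    return [classify(a) for a in alerts]


def human_queue(decisions: list) -> list:
    """Only the variations and the novel cases reach a person."""
    return [d for d in decisions if d.needs_human]


def automation_summary(decisions: list) -> Counter:
    """How much noise automation absorbed, by tier."""
    return Counter(d.tier for d in decisions if not d.needs_human)


if __name__ == "__main__":
    decided = triage(SAMPLE_ALERTS)
    for d in decided:
        print(f"alert {d.alert_id}: {d.tier:13s} {d.action}  human={d.needs_human}  {d.notes}")
    print("absorbed by automation:", dict(automation_summary(decided)))
    print("for humans:", [d.alert_id for d in human_queue(decided)])
```

Note that the industrial playbook still runs on every matching host (both workstations are quarantined); what is deduplicated is the demand on people, which is the noise the text is talking about. The thresholds and the service-account heuristic are deliberately simple placeholders for whatever enrichment a real SOAR playbook would perform.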

 

The Challenges of Automation in Security 

 

With any new technology come challenges. Albin cautions that trust will be a big issue as automation is adopted not just by businesses but by bad actors as well. It will be an ‘arms race’ as both sides begin to adopt AI and machine learning. Organizations do not have the luxury of waiting to see how the technology evolves as they risk being behind the curve.  

“We have to learn now and start incorporating AI and automation into our processes.” 

Explaining ICA Gruppen’s use of automation in security processes, Albin says that the company has reduced its dependence on human decisions, which in turn has reduced human errors.  

Albin added: “Automation must happen, and I think the most important part here is that we do automation that is purpose-driven.” 

A purpose-driven approach to automation is the way forward, the CISO noted: a company should decide what it wants to achieve with each kind of automation in order to get the most out of it. After all, there are plenty of tools in the market promising different outcomes, so clarity about the goal will be crucial.  

He also stressed the need to focus on where humans can be most effective.  

“With automation, the creativity of humans can be boxed into areas where they will be most effective – let automation take care of the rest and reduce and correct errors.” 

 

No Escaping the Human Factor 

 

Finally, Albin advised that human error is something every security team needs to accept because it is unavoidable. It can, however, be curtailed with the effective deployment of automation.  

The reasoning is that most attacks are carried out by machines and are best counteracted by machines, yet smart humans can still outclass them where the situation is new.  

Albin added, “I believe strongly that we need to reduce the human factor, but I do not believe that we should eliminate it.” 

He went on to say that the best thing organizations can do with automation is to just start because like every new approach, it is a learning process. Start by defining goals and then jump straight into experimentation, learning, and adapting.