What keeps CISOs up at night? Is it the looming concern of a threat? The uncertainty of cloud security? Wondering if you have enough cyber pros on the frontlines to defend and protect? Maybe it’s all three –and more. CISOs are carrying a lot of security responsibility on their shoulders, all while trying to make sure their department is transparent, vigilant, agile, and of course, secure. Focusing on so many areas of digital opportunity, security vulnerability, and defensive improvement make it challenging for CISOs to truly dedicate attention to any specific operational “thing” for too long before they have to move to the next issue. Adapting to this rapid change of pace in the security industry can compromise security strength and lead to growing concerns about whether teams are really prepared for the next threat. We’ve pinpointed the top five cybersecurity concerns of CISOs that are stuff nightmares are made of.
This shouldn’t be a surprising concern. Threats are ever-evolving just as technology and digital connectivity is. While CISOs strive to keep their defenses up to snuff with the latest technology, there is always a new weakness waiting to be exploited. The recent government shutdown is a perfect example. It pulled many defenders off the frontlines of security, leaving the door wide open for malicious hackers to walk on it and do unimaginable damage. Also, the 2016 election attracted black hat hackers to manipulate public perception of the race via the use of social media. There’s always a new threat, a new vulnerability to be wary of—and CISOs are looking for ways to ensure their teams are always ready, always prepared, and have the proper support they need from machines and fellow colleagues to keep assets and people safe from harm.
While CISOs desire agile operations and solutions, many still follow a linear “waterfall” model with sprinklings of agile adaptations. Developers, in particular, create security solutions tend to follow prescriptive, step-by-step requirements without always considering how security fits into the bigger solution picture. One can imagine the repercussions of such an approach. Failure to close the widening gap between deployment velocity and security implementation can yield weak security resilience. CISOs wonder if their organizations are strong enough to have both deep security testing in place and remediation plans effective enough to remove any semblance of fear, uncertainty, and doubt. DevSecOps spells opportunity for agile security as the approach advocates for the integration of security “checks” during every stage of development from planning to coding to testing and deployment and monitoring.
IoT and Cloud Security
As work migrates out of the traditional office, users are moving off the network and accessing the cloud directly. More applications and servers are moving to the cloud to save money, achieve scale, and obtain greater access. However, massive amounts of sensitive data are now stored in the cloud and the “location” of that data and perceived lack of visibility is concerning for CISOs. According to a Kaspersky Lab study, one in three CISOs ranked cloud computing as a top security risk. Part of a CISO’s job is to apply controls to cloud security but when other responsibilities including managing security solutions take priority, concerns of cloud security often go unalleviated.
Cybersecurity Skills Gap
This is one of the reoccurring nightmares for CISOs: finding and retaining enough security talent to bolster a capable cyber team with the right skills to address attacks. CISOs need a solution to improve the cyber skills at their company but can’t realistically send everyone away to class. Likewise, CISOs may realize they have skills gaps on their teams and assessing their competencies and hiring the right talent is becoming a growing challenge. Further, every CISO is concerned about their company being the next news headline of a cyberattack, so they are constantly worried about their overall cyber readiness and keeping their teams razor sharp. Looking down the barrel of a 300,000+ security job shortfall in the U.S. alone, CISOs fear their teams, whether large or small and mighty, may not have all the skills they need to effectively top new threats.
It’s been a bad few years for cybersecurity leaders with the growing number of well-publicized hacks of large and small companies. Naturally, such news leaves many consumers and company stakeholders distrusting companies who fall victims to these attacks. What’s worse is trying to rebuild trust after an attack. It’s not a flip of a switch or apologetic PR statement that automatically regains public trust in data security for a company. It can take months or even years for a company to bounce back from a breach of any magnitude. Privacy issues, security and device addiction are all elements that need to be addressed from the beginning in order to take ownership and responsibility of how customer data is stored, used, transferred, and accessed.
There’s often too much momentum in the way of today’s cyber operations to allow for any kind of change but this is something that MUST change. CISOs and their teams live with cybersecurity worries, threats, and “unknown unknowns” that are simply too scary to block out. Frustrated talented resources and limited budgets perpetuate these cybersecurity nightmares. For CISOs to wake up from these horrible scenarios, they need to consider new ways to develop their teams and foster holistic “security is everyone’s responsibility” cultures in order to move forward. New threats, cloud security issues, and skill gap concerns can be quelled with the proper persistent learning solutions in place to empower and augment cyber teams toward a stronger security infrastructure. Likewise, educating the entire staff, not just the IT department on security issues and best practices ensure everyone will have sweeter dreams.