As CISOs (chief information security officers) and other cyber security leaders prepare for another year of defending against the threats and vulnerabilities their organizations face, it’s worth considering some of the major trends and considerations that could impact security programs this year.
Professional services and consulting firm KPMG has released a report on eight key factors to examine, and many of these apply to small and mid-sized businesses (SMBs) as well as large enterprises.
Expanding the strategic security conversation
Securing critical assets, systems, and sensitive proprietary and customer data is no longer solely an issue for security and IT professionals. Managing and mitigating risk to help the strategic viability and operational sustainability of the organization needs to be a shared responsibility that starts with the business.
Senior business leaders now understand that managing cyber risk for competitive advantage and long-term success starts in the boardroom and the C-suite. Offloading the strategic decision-making and management of risk, especially the risk inherent in digitization, is no longer good enough. Modern security tools can only accomplish so much in terms of risk reduction if business objectives don’t include an embedded robust security framework.
To better align cyber security with the organization’s strategic business objectives, CISOs and their teams must help leadership across the business gain an appreciation for what goes into security and privacy by design.
Achieving the x-factor: Critical talent and skill-sets
Increasingly, CISOs and their teams are understanding and speaking the language of the business, and they should communicate how the organization’s cyber security program supports and contributes to the growth of the bottom line.
The cyber security talent gap continues to be a problem. Not only is there a dearth of experienced professionals to fill all the necessary roles, but people tend to move around because they are looking for different experiences to strengthen existing skills and acquire new competencies, KPMG said.
Over the coming years, cyber security teams might have access to a pool of trusted outside resources, or gig workers, as workloads and capacity dictate. That will enable CISOs to staff teams to operate with a smaller, more strategic core and scale up and down as needed.
Adapting security for the cloud
Cyber security and cloud security are becoming synonymous, the report noted. All the principles that apply to on-premises security—data protection, identity and access management, infrastructure, and vulnerability management—are applicable to the cloud.
What’s different, KPMG said, is the technology. As cloud adoption has proliferated, the tools have changed. The cloud environment requires increased reliance on automation and necessitates automation from deployment to monitoring to remediation.
CISOs and their teams need to work with business partners to help ensure that everyone understands cloud-specific security requirements and collaborate with cloud providers to avoid misconfigurations.
Placing identity at the heart of zero trust
With the dramatic rise in remote work and ecommerce resulting from the pandemic, protecting sensitive data has never been more challenging. Organizations need to consider adopting a zero-trust mindset and architecture, with identity and access management (IAM) at the heart of the strategy.
Current IAM models, originally created to manage digital identities and user access for single organizations, are now being re-conceptualized to offer the right level of resilience as well as deliver critical authentication features suitable for federated, private, public, or multi-cloud computing environments, the report said.
As an automated approach that can help eliminate cost and manual processes, reduce the attack surface, and establish cyber security policies and principles, the zero-trust security model is increasingly being seen as a viable approach.
Exploiting security automation
Some of the biggest potential automation benefits come when there’s a focus on implementations designed to help solve business problems, the report said. For example: augmenting human talent by more efficiently orchestrating mundane tasks; gaining a competitive edge in areas where speed is important; and analyzing large, often unstructured data sets.
As the threat landscape continues to expand and increase in complexity, and the cyber security talent gaps continues to widen, companies will increasingly rely on automated security processes. They can automate security functions to free up resources by applying automation to routine, repetitive tasks.
Functions that were previously performed by highly trained professionals, such as vulnerability scanning, log analysis, and compliance can be standardized and automatically executed. This can speed up incident detection and response times and provide an opportunity for scalability.
Protecting the privacy frontier
At many companies, cyber security and data privacy are seen as different disciplines that often operate separately, the report noted. In an environment where so much sensitive data is used, the review of third parties, new systems and new applications requires a multi-disciplinary approach to privacy risk management. It should include both privacy and security from the design phase through to organizational change management.
Today, there’s more global awareness and recognition for individuals’ rights regarding their personal information. With the growing number of data privacy regulations, the focus on protecting data privacy and security is sharper than ever.
With so many different regulations, the regulatory landscape has become increasingly difficult to manage, particularly for businesses operating in multiple regions. Automation is a key to success, the report said, especially for organizations that don’t have the resources to manage areas such as privacy risk identification and reporting.
Securing beyond the boundaries
Companies large and small are looking to digitally transform their operations, and this involves taking a data-centric approach in which data is shared regularly throughout a connected ecosystem of partners.
This creates numerous opportunities for cyber criminals to compromise systems and data, and CISOs need to secure their own organizations while encouraging the broader ecosystem to be cyber secure.
Companies need to properly vet of potential vendors’ organizational security policies as well as the security built into the products and services to be accessed, the report said. This requires tremendous due diligence by each ecosystem partner. CISOs are faced with the difficult task of transitioning to a proactive approach that puts continuous monitoring, usage of artificial intelligence-based tools, threat intelligence, and zero trust at the heart of their ecosystem security model.
Reframing the cyber resilience conversation
Many companies today operate as digital businesses, and they need to consider how well they are prepared to recover from the potential impact of a major cyber incident. The report encourages CISOs and their teams to initiate a dialogue with senior leaders that challenges the assumption that the organization can either absorb a cyber attack or recover within a few days.
Companies should explore the ability to sustain operations if a disruption lasts for multiple weeks. They need to ask questions such as how prepared the company is to face a four- to six-week outage because of a cyberattack; how an outage would impact customer service; what an outage would mean for call and distribution centers; how an outage might impact the company’s regulatory and legal requirements; and others.
“Resilience demands an assessment of the key operational processes of the business and a strategy for protecting them,” the report said. “In today’s market reality, a major cyber event is almost inevitable for most companies. With that in mind, thinking about the evolving mindset of security professionals, the focus for many CISOs today is in equal parts likelihood reduction and consequence management.”
Learn more about how Cloud Workload Protection can optimize and improve your cloud and hybrid environments.