Set the right focus
Recently we hosted a virtual event discussing the top 5 things CISO’s are talking about. Each month we will be taking a deeper dive into each item.
Organizations are faced with highly sophisticated cyberthreats during a time of massive digital transformation and rapid adoption of disruptive new technologies, which now combined is creating opportunities for greater impacts.
Unlike years ago, when cyber-attacks were predominately targeted at specific companies or organizations based on the criminal’s ability to monetize their systems or information, today’s attacks cover the full spectrum from targeted to opportunistic. Moreover, threats today can include everything from ransomware and information theft to espionage and cyber terrorism.
Of course, it’s no surprise to see such expansive growth in the cyberthreat space, in many ways driven by the fluidity of cryptocurrency, but also the hyper-speed increase in the complexity of computing systems. Complexity is security’s nemesis. It’s exponentially more difficult to secure and effectively monitor an environment with many layers and moving parts as opposed to simply one computer or network.
Enter in Web 3.0, AI, ML, and digital transformation. Evolving technologies, capabilities and approaches help organizations innovate, improve, and explore new opportunities. Nevertheless, at the same time there is a dramatic expansion, both in width and depth, of vulnerabilities and vulnerable conditions. We’re already experiencing new forms of vulnerabilities and risks with AI and serious challenges with software supply chain. In short, the target environment for cyberthreats has exploded and offers many criminal opportunities.
If not careful, organizational security groups could find themselves chasing every squeak and rattle in the environment. Everything can be a threat and vulnerabilities will be increasingly difficult to manage, much less discover. For some, the pressure will be too great and will quickly become overwhelmed. For others the attempt to keep up will exhaust people and resources; the scale of the technical environment and threat landscape is too great to take on in a single swing.
Security programs will need to move away from being judged on comprehensiveness and technical prowess to how well they can focus and prioritize. As an industry, the security community – naturally - has been predominantly focused on technology to solve security problems with mixed results. Moving forward, the role of risk management will start to reemerge.
Moreover, in the new adoption of risk management emphasis will be placed on the threat, such as types, methods, processes, tactics, techniques, drivers, motivation, and criminal interconnects, and aligning them with environmental vulnerabilities, which include technical gaps, but also operational gaps. Of course, importantly will be evidence of any active exploitation, such as the existence of tools, methods, and processes available to cybercriminals.
Risk management is taking information about your environment and evaluating exposures relative to the full reality of the threat landscape and using that specifically to drive decisions and prioritization. The ability to keep pace with cyberthreats has proven to be not only difficult, but expensive. However, you can use what they don’t necessarily have – an understanding of what you have and what is important.
Prioritization is emerging as the primary focus of cybersecurity teams. It’s not easy prioritize, because something is always important and critical. Nevertheless, prioritization is not only possible, but it is required to address an ever-changing environment.
