Many enterprise security leaders and teams struggle to get the resources needed to prevent data breaches, yet the frequency of attacks and the consequences of such events continue to rise. Consider some recent figures: The number of confirmed breaches in 2019 was nearly twice as high as in 2018, according to the "2020 Verizon Data Breach Investigations Report." Meanwhile, the most recent Ponemon Institute report on the subject put the average total cost of a data breach at $3.92 million in 2019, up from $3.86 million for 2018.
Despite such findings, only 67% of respondents said their organizations were prepared to respond to the theft of sensitive and confidential customer information that would require notification of victims, according to a February 2020 report from the Ponemon Institute, sponsored by Experian Data Breach Resolution. The study "Is Your Company Ready for a Big Data Breach?" also found that only 44% of those surveyed felt prepared to respond to a data breach involving business-related confidential information and intellectual property.
Executive teams and boards of directors fared no better in this area of organizational planning, with only 55% of C-suite executives and 40% of directors saying they were knowledgeable about their organization's data breach preparedness plans.
Given that reality, experts offered six steps CISOs and their organizations should take to strengthen their data breach prevention practices:
1. Make data protection a board-level priority
Too many executives and directors still don't recognize or accept the significant potential risk that data breaches pose to their organizations.
"When it happens to a competitor, it's just seen as a 'too bad for them.' It's only when a breach occurs to you is there a call to action," said Richard Stiennon, chief research analyst at IT-Harvest, based in Birmingham, Mich.
To get the board more fully engaged, Stiennon and others call on CISOs to improve their ability to explain security risks and data breach prevention plans in business terms -- explaining, for example, how much a data breach will cost the organization compared to how much it will cost to mitigate risks.
Marianne Bailey, director of advanced solutions at consultancy Guidehouse, based in Washington, D.C., said CISOs can't just go to the board with a problem; they have to go to them with a solution.
"A CISO has to go to the C-suite with a really good plan on how they're going to address the problem," Bailey said, because this approach helps CISOs gain the board's backing for their agenda.
2. Elevate the CISO position
Although many CISOs report to the CIO, Daniel Cohen-Dumani, partner and market leader for the Technology and Digital Transformation Advisory practice at Withum, advised against that reporting structure. He said the CIO's focus on constant access and availability can conflict with and undermine the CISO's goals and objectives.
Cohen-Dumani said mature cybersecurity practices have their CISOs report to the chief compliance officer or the chief risk officer. Other experts recommend that CISOs report directly to the CEO or even the board.
David Menichello, director of CISO Advisory Services at BTB Security, a cybersecurity consulting and services firm, based in Bala Cynwyd, Pa., said, "CISOs need to make sure they're telling the right story at the right level."
3. Develop a more comprehensive approach
Some CISOs remain reactive, putting out fires rather than working from a strategic vision that has identified organizational risks and risk tolerance levels, experts said. Even CISOs who have developed a security strategy often don't have enough resources to advance their efforts and build a more comprehensive program.
While CISOs do the best they can with the resources they're given, many don't have the comprehensive program required to be successful, Bailey said.
"CISOs have to be strategic because they can't be 100% protected," Bailey said. "They have to understand their threats, their business, the impact of each threat and how to mitigate those without impacting the ability to do business."
4. Gain more insight and visibility
CISOs should collect as much information as possible and log everything so they can fully understand their environment and what's happening, advised David Monnier, founding member of the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), based in Bloomington, Ind.
"Create an intelligence practice to augment your security practice -- total information awareness should be your goal," Monnier said, because more information makes it easier to identify when something is wrong.
Monnier added that advancements in automation and anomaly detection enable CISOs to analyze their environments much more effectively.
"This is a constantly changing environment, and the only way to get a hold of it is to learn as much as possible about your assets so you know when something is happening," he said. "The game is awareness, detection and prevention."
5. Continuously improve
Many security teams are on the right track, but they must learn to move faster, constantly expanding their use of existing processes and technologies and quickly evolving cybersecurity strategies as both new threats and security tools emerge.
Rahul Telang, professor of information systems and management at Carnegie Mellon University's Heinz College, said the drive to improve must be part of an organization's DNA. He added that the adoption of a security-minded culture must come from the top and be embraced by everyone to be most effective, because "the sophistication of protection goes up but so does the sophistication of the hackers."
6. And then improve faster
CISOs need to become more agile and seek to evolve their security practices as rapidly as the hackers evolve their tactics, said Tony Velleca, CISO of UST Global, an IT services and solutions provider, based in Aliso Viejo, Calif.
"A lot of things have changed for the better in security, but the threats are evolving faster," he said.
To help security teams evolve that quickly, experts point to SOAR (security orchestration, automation and response), as well as unified threat management, threat management tools and cyberthreat management frameworks, as ways to speed up detection and response efficiently.
Others point to automation, AI and machine learning, as well as real-time monitoring technologies, as essential for helping security teams react more accurately and effectively.
"You can't prevent all the attacks, but you should aim to get to them quickly," Menichello said. "The companies that have made tremendous strides are those who can prevent most things from happening, and if something does happen, they can spot it and eradicate it quickly and move on."