alphaspirit - Fotolia
In 2020, a world inexorably going digital was sped up by COVID-19, necessitating businesses to enable remote workforces overnight, without planning or preparation. This change required chief information security officers (CISOs) to ensure digital security on the go, simultaneously reckoning with new and emerging threats, while ensuring business continuity in a workplace that now featured a multiplicity of systems, networks, devices, programs, processes and overflowing information.
How CISOs should prepare for 2021
As cyberattacks grow in number and sophistication, 2021 is unlikely to be different. Based on what we have seen so far, two assumptions can be made. The pandemic will linger long into this year, and the virtualized workplace will expand as businesses grow. Both assumptions mean increased CISO workloads and more imponderables.
I believe there are seven imperatives for CISOs to focus on for 2021.
1. Make cybersecurity a boardroom agenda
As digital transformation has become the core component of almost all business processes, security has become a business concern, and as a result, cybersecurity should firmly be on the boardroom agenda of all organizations. The role of a CISO has significantly evolved from being focused on technology alone to also considering business risks as well. They should engage with their peers across business units, explaining the significance of having a robust cybersecurity program. The management level councils and forums shall serve as an essential medium to engage with stakeholders to drive strategic initiatives.
2. Invest in cloud security
As businesses continue to move to the cloud, CISOs must prepare against more (specific) threats -- data breaches, denial of service, insecure APIs and account hijacking, among others -- simply because the growing amount of information in the cloud attracts cybercrime. Most cloud service providers include built-in security services for data protection, regulatory compliance and privacy, secure access control capabilities for effective security risk management and protection in public cloud. Yet, it is critical for organizations to build a robust strategy for risk management framework, secure cloud design, security governance and skills expertise in the cloud as most incidents occur due to lack of a good security strategy in the company.
3. Implement basic IT hygiene
Cybersecurity is no longer the sole responsibility of IT teams and security teams. Security is as strong as the weakest link. Therefore, it is essential to ensure that every individual is aware and agrees to be an integral part of the ecosystem, thereby understanding and practicing IT hygiene, which will provide a healthy security posture. IT hygiene is the first line of defense that an organization can adopt by identifying what we want to protect, where these entities are located and who manages them. The answer to these three questions in a structured format and process is the essence of IT hygiene.
4. Build borderless security
The remote and distributed workforce functions by accessing resources on the cloud, from using collaborative platforms to critical work-related applications. The workflows are mostly happening on the public network or from untrusted devices, thereby stretching the enterprise perimeter beyond the traditional boundaries of an organization. Borderless security is the need of the hour to ensure safety as businesses continue to run from kitchen tables and living room sofas.
5. Create a culture of cybersecurity
A security culture is an essential part of the broader corporate culture that encourages employees to make decisions and fulfill their day-to-day duties according to the organization's cybersecurity policies. Business leaders need to nurture an organizational-wide mindset that prioritizes cybersecurity by empowering employees with adequate training to identify and report threats, create communities and conduct cybersecurity awareness sessions in creative, fun ways, and reward and recognize employees who contribute to a secure organization.
6. Modernize enterprise security architecture
The current scenario in most organizations is driven by the following themes: the expectation of having access to company resources from anywhere, any device, and securing remote infrastructure and IP; the ability to support cloud solutions and password-less authorization; the demand for automated and continuous compliance and zero trust-based network models; and, there is a move to security as a code and adherence to data privacy mandates. These themes are dictating the changes that need to be made to the enterprise security architecture.
7. Leverage new innovations
Trends show a rise in sophisticated cyberattacks using advanced technology in the areas of denial of service, malware, phishing, crypto-jacking, SQL injection, zero-day vulnerability exploits, watering hole attacks, social media disinformation and spoof accounts. Hackers with lesser technical skills resort to easily available ready-to-use hacking toolkits. To stay a step ahead of the cybercriminals, organizations need to invest in solutions using the latest and emerging cybersecurity technologies such as AI and deep learning, user and entity behavior analytics, blockchain, next generation breach detection and zero-trust networking solutions.
While new technologies have their advantages, they also threaten cybersecurity.
Local 5G networks, for instance, can be manipulated by malefactors influencing network design and architecture. With more technology components than previous technology standards dictated, it is to that extent more vulnerable to disruption.
As for AI, while it helps mitigate cyber threats, malicious actors could launch AI-powered cyber attacks, making AI both a friend and a foe. The spread of the IoT has seen data breaches and disruption from unsecured IoT devices. In the case of edge computing, devices present in its infrastructure need to be cybersecure as well as physically secure, meaning more work for CISOs.
Organizations need to be sentient and observant about the changes happening around them, the vulnerabilities present in the system and the technological innovations happening in the cybersecurity space to stay a step ahead of cybercriminals.
Every organization needs to find its own approach to cybersecurity
Prevention, risk management and mitigation are key, though there is no one-size-fits-all approach to cybersecurity. This must also take into account wherever applicable, deficient budgets, inadequate availability of technically trained staff and legacy infrastructure and solutions.
CISOs continue to guard against employee behavior ranging from the careless, the disgruntled and the malicious. Here, an appreciation of business risk and not just technology risk, will make the magnitude of what is at stake more appreciable.
That the CISO designation did not exist some years ago is proof of the significance of IT security in today's world. The pandemic may have upped the ante for CISOs dramatically, but the buck still stops with them.
About the author
Vishal Salvi is senior vice president, chief information security officer and head of the Cyber Security Practice at Infosys. He is responsible for the overall information and cybersecurity strategy and its implementation across Infosys Group. He is additionally responsible for cybersecurity business delivery, driving security strategy, delivery, business and operations, enabling enterprises' security and improving their overall posture. Salvi has over 25 years of industry experience in cybersecurity and IT across different industries. Prior to joining Infosys, he performed various leadership roles in cybersecurity and information technology at PwC, HDFC Bank, Standard Chartered Bank and Global Trust Bank.