CISOs Shift Priorities
In an evolving landscape
CISOs and executives are losing sleep over a changing digital landscape. A recent survey of CISOs (spanning a range of industries and organization sizes) shows how their top priorities are shifting for 2022.
In short, the findings centre on cloud migration, the integration of security testing and protection throughout the software development and deployment lifecycle (DevSecOps), cyber insurance, and the motivators that are driving more cybersecurity investment and focus.
The Forgepoint Capital CISO survey found that security hygiene and software supply-chain/vendor risk are the top two security priorities for CISOs at medium-sized organizations.
The report, which was shared with Dark Reading at the 2022 RSA Conference, finds that most breaches stem from unpatched systems, misconfigurations, poor passwords and other basic cyber hygiene steps that were never taken. The main reason given for not building multiple backups and failovers, exercised against realistic security incident scenarios, is a lack of budget to do so.
The report also notes that challenges vary across industry segments. In healthcare, for example, 0% of respondents cited security hygiene as a priority. Forgepoint’s managing director, Will Lin, commented that this is because a nurse does not need to worry about passwords and, furthermore, cannot control the password requirements or see the organization’s security hygiene posture.
For professional services companies, on the other hand, security hygiene is a high priority: the report shows it is a top focus for 80% of professional services firms, the complete opposite of healthcare. Lin says this is only natural, since this type of company is responsible for the security of its employees.
For organizations with fewer than 50 employees, the report reveals that the cybersecurity workforce shortage is the pressing issue. For these companies, talent development and social-engineering awareness are the top two priorities, because both can have major ramifications. Being smaller, their investment in human capital can effect greater change than it would at a large organization. At larger companies, threat vectors persist because of gaps in access control: the bigger the team and the more software and technology in use, the more threat vectors the business has to handle. With this in mind, larger companies shift their focus from personnel to security automation and incident response.
The report also found that security professionals prioritize the areas with the highest return on investment (ROI). For professional services, the greatest cybersecurity ROI comes from security hygiene measures, while for healthcare it comes from addressing software supply-chain and third-party vendor risk, driven by the need to secure connected medical devices. The industry therefore changes the cybersecurity ROI, and with it what a CISO will prioritize.
Forgepoint’s report also shows that cloud migration drives security prioritization for CISOs at medium-sized businesses more than at very large, large, or small businesses. Here is the breakdown from the survey results.
- 73% of CISOs for medium-sized businesses note that cloud migration is a factor in 75% or more of their security efforts.
- For very large businesses (more than 10,000 employees) it is 13% of CISOs.
- For large businesses (1,000 to 10,000 employees) it is 43% of CISOs.
- For businesses with fewer than 50 employees it is 50% of CISOs.
It is interesting to see smaller businesses being more proactive about cloud migration and security than very large businesses. Lin attributes this to big companies carrying a lot of legacy infrastructure, which makes the move to the cloud take longer. Smaller companies, by contrast, are cloud native and need to cut costs, which the cloud helps with.
Another top security motivator for CISOs (in every industry except professional services) is digital transformation. The shift to remote working has pushed businesses to adopt software-as-a-service and other collaboration apps, each of which needs securing: application programming interfaces (APIs) must be protected, DevSecOps must embed security into application development, and so on.
Lastly, the report highlights that traditional data and identity controls remain a priority for CISOs, alongside emerging areas such as cyber insurance.
- 40% of CISOs still prioritize data security.
- 41% of CISOs still prioritize identity security.
- 28% of CISOs prioritize cyber insurance.
Cyber insurance is being prioritized because ransomware, malware, APTs and other cyber attacks hit organizations of every type and are costly. Lin discusses the painful process of obtaining cyber insurance, as well as the fact that insurance firms don’t cover ransomware incidents (a topic we have covered in previous articles, for regular readers) and that policies may dictate exactly how security dollars can be spent. Furthermore, without MFA (multifactor authentication) on all accounts you may not qualify for affordable coverage, and patching requirements and much more go into getting approved.
Finally, 76% of CISOs expect their security budgets to increase this year, while only 24% cite monitoring threat intelligence as a priority.
With a larger budget, CISOs can steer their cybersecurity programs to support their organizations as needed. In the more challenging areas, it will be a matter of pivoting as required and staying alert to the changing landscape.
If you need any support to drive your cyber resilience up a notch, reach out. Schedule your free consultation here: https://calendly.com/ncxgroup
Photo courtesy of watcharakun