Cisco's latest Cybersecurity Readiness Index says globally only 15% have a mature level of preparedness to handle security risks. The same Cisco report suggests that Indonesia (39%), the Philippines and Thailand (27% each) top the charts in overall cybersecurity readiness, better than Japan (5%) or Korea (7%).
Kearney finds that the region's cyber resilience remains low and attributes this to a lack of strategic mindset and policy preparedness. It also says the absence of a unifying framework makes regional efforts largely voluntary, leading to an underestimation of value-at-risk and resulting in significant under-investment.
The Kearney report concludes that the region's nascent cybersecurity industry faces shortages of home-grown capabilities and expertise along with fragmented products and solutions and few comprehensive solution providers.
The drastically evolving IT landscape means that the number of possible entry points for unauthorised access into systems has grown sharply, increasing by 38% in 2022, according to CheckPoint Research.
The much broader attack surface for cybersecurity teams to defend arguably lessens the effectiveness of current practices.
"Furthermore, with how advanced and sophisticated cyber threats have become, there is simply too much at stake for enterprises. Hence, organisations must adapt and evolve their cybersecurity strategies to remain protected and safe," said Darrin Reynolds, chief information security officer at Edgio.
Demonstrating value
Reynolds says an ideal CISO can navigate the tricky terrain of complex regulatory challenges tied to new technologies, aligning security objectives to business goals and showcasing how security efforts are protecting the company.
Tenable's chief cybersecurity strategist, Nathan Wenzler, opines that to be effective in their role, CISOs must be aligned with the business, especially the finance organisation, and must strengthen their communication skills.
"Cybersecurity isn’t an IT function, it’s a risk management function that’s more aligned with finance than operations. Cybersecurity leaders who learn to align technical risks with an understanding of the financial risks faced by the organisation will be better able to communicate what cyber risks mean to the non-technical decision-making audience in the C-suite," he continued.
It is a view shared by Denis Donnelly, director of the security business unit at VMware SEAK, who adds that it is vital to understand that the time and attention of senior business leaders is focused elsewhere, on the broader business environment.
"As a result, it’s incumbent on cybersecurity leaders to speak the language of business to their senior leadership. They should remove technical jargon and abbreviations from discussions and presentations, and instead focus on how their investments support corporate strategic initiatives whilst also helping to mitigate risk," he continued.
Esteban Gutierrez, CISO at New Relic, opines that his effectiveness as a cybersecurity leader is wholly dependent on the effectiveness of his team.
"I coach my teams to hold as a key principle that their first job is relationship management. The investments we make in cybersecurity controls, policies, and procedures can have a profound impact on the ability of all employees in a company to do their work, and deliver on business commitment, and corporate goals."
Esteban Gutierrez
"When we partner with them as collaborators for how we spend our investments, we see much greater buy-in and much greater value from those investments because that collaboration allows us to truly meet the needs of the business with greater trust and security," continued Gutierrez.
Best practices in cybersecurity approaches
One suggestion from Wenzler is to proactively assess the environment as broadly as possible to understand where cyber risks exist wherever they are in the organisation.
"As part of that process, areas of the environment may be identified as “no go zones”, and those are exactly the areas which often create blind spots and likely should have detection, mitigation and response processes in place," he continued.
"Constant, persistent proactive assessment will also provide a better understanding of the complete environment and its security state before an attack successfully takes place, which puts the organisation in a better position to identify potential attack vectors and close them off before they’re exploited."
Nathan Wenzler
For his part, Edgio's Reynolds comments that organisations adopt a set of industry-established standards to achieve a certain level of cybersecurity maturity. "However, I believe in the risk-based approach, where the focus is on adaptability; this can be tailored to an organisation's risk profile," he pointed out.
"This approach involves continuous monitoring to ensure that our strategy remains effective and relevant in the face of threats by actively allocating our resources to prioritise cybersecurity efforts based on our most critical assets and vulnerabilities," he continued.
Donnelly suggests starting with a risk assessment to assess the current cybersecurity posture and identify vulnerabilities and potential threats.
He opines this will help the security team understand the areas where greater effort may need to be deployed. "Secondly, review and update your policies regularly to ensure they're up to date and aligned with industry standards, and implement appropriate security controls like encryption, firewalls, intrusion detection & prevention systems and anti-malware software," he continued.
Essentials to security modernisation
To provide the most strategic benefit in a cloud-application-centric and hybrid worker future, it is important to modernise security efforts to reflect changes in the environment and regulation.
For Reynolds, this includes adopting multi-cloud integration and management. He explained that most enterprises are currently not achieving the maximum efficiencies across the environment, which impacts the operational benefits of the move.
He also pointed out that, given the complexity of IT environments, real-time machine learning continuously measures performance and alleviates the strain on in-house IT teams.
"To modernise security efforts for a cloud-application-centric future, it is essential to prioritise a few key areas including implementing a zero-trust security model, using automation to improve security operations, and focusing on identity and access management."
Denis Donnelly
He also believes that organisations should invest in robust threat intelligence capabilities and prioritise regular security assessments and audits. It is important to have a strong security culture throughout the organisation and to ensure that security is a key consideration in all technology and business decisions.
Plugging the weakest link
Donnelly adds that a multi-faceted approach involves creating a comprehensive awareness and training program for all employees, starting from onboarding and continuously updating them with the latest security practices.
Why? Because at the end of the day – humans remain the weakest link when it comes to security.
Edgio's Reynolds says building a culture of security includes regularly communicating the importance of security and the potential risks associated with non-compliance.
"Reinforcing positive behaviour and highlighting successful security practices through recognition and rewards can also help foster a culture of security. Leaders should set an example by demonstrating a commitment to security and making it a top priority in all aspects of the business."
Darrin Reynolds
As a practising CISO, Gutierrez believes transparency is at the core of any effective cybersecurity programme. He acknowledges that in many companies, cybersecurity programmes are driven by secrecy and "need to know" principles, and often treat everything as "classified".
While he acknowledges that there are times when discretion is necessary to handle an investigation or to deal with potential legal or regulatory issues, he opines that cybersecurity can't achieve its goals without being open about the work security teams do, the vulnerabilities in technology, and the incidents that have impacted the business.
"Talking about those things openly with employees goes a long way toward getting people interested but, most importantly, getting people thinking about the risk they often accept on behalf of the company as they go about doing their work," Gutierrez concluded.
Wenzler adds that it is important to communicate in many ways to make sure it resonates with as many people as possible. That can mean emails, newsletters, lunch and learns, webinars, in-person meetings or anything else that might pique the interest of the user base.
"It’s a long game, and while culture and behaviour change won’t happen overnight, the payoff of investing this kind of time and effort is a distinguishing factor of the most successful, mature security programs out there," he opined.