Gartner says the endlessly expanding digital footprint of modern organisations is introducing new security challenges. The pandemic response has accelerated hybrid work and the digitalisation of business processes in the cloud.
2022 showed us what sustained big-game ransomware attacks, including multiple attacks on the digital supply chain, deeply embedded vulnerabilities, and increasing attacks on identity systems, can do to vulnerable organisations.
When coupled with the shortage of skilled security staff at all levels, in almost any part of the world, you have to ask: how did we survive 2022, and can we thrive in 2023?
Cybercrime, specifically ransomware. Keeping up with regulations can be challenging. According to our CyberArk 2023 identity security threat landscape, over 70% of organisations surveyed have experienced ransomware attacks in the past year.
Supply chain, and third-party issues. Many cyber incidents happen through a third party. Our CyberArk survey shows that 62% of the organisations have done nothing to secure the software supply chain post the solar winds attack.
Cyber resilient. Organisations may suffer from loss of customers and revenue, pay compliance fines or even fail in an audit.
Go beyond security and technology
Grossman noted that to be effective in their role, including earning the trust of the Board and other members of the C-suite, CISOs need to understand business issues – and this is happening today.
Bryan Kissinger, author of CISO: How to Organise, Evangelize, and Operate an Enterprise-wide IT Risk Management Program, explains that the continued intensity of cyber terrorism attacks, regulatory and compliance requirements, and customer privacy concerns are driving the need for a business-minded CISO to lead organisational efforts to protect critical infrastructure and sensitive data.
He suggests that a CISO must be able to both develop a practical program aligned with overall business goals and objectives and evangelise this plan with key stakeholders across the organisation.
Grossman concurs adding that almost 70% of global C-levels said that they are making correct identity security-related decisions, compared to more than half of all other personnel.
"There is a gap. In the Asia Pacific region, the statistics are even lower, only 50% of C-level executives believe they are making correct identity security-related decisions."Omer Grossman
Security is a team sport
Kissinger says that the modern CISO cannot sit in a bunker somewhere in the IT operations centre and expect to achieve buy in and support for the activities required to operate a program.
For his part, Grossman proposes that the secret sauce to a successful CISO career lies in “how do you govern not only with sticks but also with carrots. How do you balance the built-in tension between productivity and security?
He offers a few principles that work:
- Collaboration and trust are key: Wherever there is trust, you can convince others.
- Understanding the business process is a must.
- You must have clear communication around risk management: Security has to be seen as a key enabler for the business. Security isn't the enemy.
The influence of technology
According to the Capgemini Research Institute report, Reinventing Cybersecurity with Artificial Intelligence: the new frontier in digital security, 56% of executives participating in the survey say their cybersecurity.
To counter the threat, respondents accept AI as fundamental to the future of cybersecurity. For 64%, they expect it to lower the cost of breach detection while 74% it will enable them to respond faster.
“AI offers huge opportunities for cybersecurity,” says Oliver Scherer, CISO of Europe’s leading consumer electronics retailer, MediaMarktSaturn Retail Group. “This is because you move from detection, manual reaction and remediation towards automated remediation, which organisations would like to achieve in the next three
Grossman argues that the industry is reaching an inflexion point where technology’s growth becomes exponential.
"We have reached an inflexion point for AI lately, specifically with the derivative capability through ChatGPT. Cybercriminals are leveraging AI for cyberattacks. I see AI fighting AI in the near future and the good guys will win eventually."Omer Grossman
He commented on being less concerned with quantum computing as he believes the technology is still years away from maturing. Still, he acknowledges quantum computing will be key to secure private and public encryption.
Like many other technology practitioners, Grossman does not believe in a future-proof cybersecurity strategy. He suggests that organisations include identity security, as a crucial piece of the cyber security pie.
"Identity-based security controls are critical for detecting network attacks," he added "but they've already made their way inside organisations' infrastructure. With them in place, organisations can focus on protecting our most valuable assets to prevent data theft and disruption to their key risks in the cybersecurity world."Omer Grossman
He opined that zero trust, supported by identity security is key. "Never trust, always verify every user's identity. Ensure that devices are validated and privileged access is intelligently limited to just what they need," he concluded.
Click on the PodChat player to listen to Grossman detail his recommendations for architecting security for an unknown future.
- You recently attended the Gartner Security & Risk Management Summit (2023). From your perspective what is the key to learning from the Summit?
- What are the top 3 concerns of pre-occupying CISOs, heads of security and CIOs?
- In 2023, has the role of the CISO changed much? Can you identify if any – the most significant change (priority) in the role in 2023 compared to previous years?
- As your role at CyberArk is an internal one, how do you work with the security team and the CISO, the rest of the C-suite, and the Board when it comes to the security of CyberArk?
- AI is with us now (albeit still maturing) whereas quantum computing is still 5-10 years away. How are these two technologies impacting how cybersecurity technology and practices?
- Is there such a thing as futureproofed cybersecurity strategy?