Death and taxes are said to be life’s only two certainties. As organisations continue their digital transformation journey, you can add the certainty of an expanding cyber threat landscape and the unrelenting barrage of attacks that come with it.
Peter Firstbrook, Gartner research vice president, says “The pandemic accelerated hybrid work and the shift to the cloud, challenging CISOs to secure an increasingly distributed enterprise — all while dealing with a shortage of skilled security staff.”
“Increasingly, they are finding themselves moving away from traditionally only dealing with IT to now becoming a business advisor on operations as well. Within the region, we are seeing cyber champions, or mature organisations typically in FSI or public sector industries, being the ones whose CISOs have been responding well to taking on a more business-centric position,” he elaborated.
He cited Accenture’s 2021 State of Cyber Resilience report which found that Singapore saw an 89% spike in attacks per company, a worrying reflection of the rampant cybercriminal activities plaguing businesses in a hyperconnected climate.
Key cybersecurity trends and challenges
Drawing from the Accenture report, du Plessis is adamant that ransomware is the number one killer; the firm's cyber threat intelligence report shows a 107% increase in attacks year on year. Cloud-centric and supply chain attacks are also on the rise and will continue to plague organisations unless there is an industry-wide change in cybersecurity standards.
“Organisations are also facing difficulties in attracting and retaining cyber talent due to a hot market. Cybersecurity cultural awareness too is ranking high on business agendas and will become a greater priority in the future,” he added.
Impact on current security strategies and posture
Asked about the implications of these challenges for CISOs, du Plessis observes the rise of two types of companies addressing them. The first is the traditional mature cyber champion company, which continues to invest progressively in security and maintains cyber hygiene.
“The other type, which we’re seeing a lot now, is cyber risk-takers. These are usually start-ups that are consciously deciding to undertake a higher level of risk so that they can go to market quickly. These companies are normally looking at automation and service providers as they have a lean CISO team,” he continued.
Make-up of CISO team
According to du Plessis, traditionally, a one-person CISO team would have focused primarily on cyber risk and governance. “If your company only has a small budget, that’s what you would go for by keeping control over what you can,” he commented.
He posited that if the budget is more abundant, the CISO team will then expand to include personnel who handle the business and operational aspects, architectural reviews and standards, strategy on cyber direction, as well as an incident handler that monitors and responds to cyber threats.
Best practices of a sound cybersecurity strategy in 2022
- Cyber resiliency — Companies must accept that breaches will happen and prepare for them, plan for business continuity, and understand how to communicate with stakeholders when hit by a cyber-attack.
- Engage managed service providers — Organisations can engage MSPs to ensure constant monitoring and detection of threats through services like MXDR.
- Zero-trust — Adopting zero-trust both as a practice and as a mentality frees up the business to focus on other core competencies.
- Cyber hygiene — Consistent and continuous maintenance can eliminate vulnerabilities.
Addressing the security talent shortage
As in many parts of the world, technical talent is in short supply, more so in developing markets. This is particularly acute for cybersecurity talent.
The report, The Life and Times of Cybersecurity Professionals 2021, noted that among the 489 cybersecurity professionals surveyed, the top ramifications of the skills shortage include an increased workload for the cybersecurity team (62%), unfilled open job requisitions (38%), and high burnout among staff (38%).
According to 95% of respondents, the cybersecurity skills shortage and its associated impacts have not improved over the past few years and 44% say it has only gotten worse.
Accenture’s du Plessis says organisations can mitigate this by reskilling their employees via cyber training programmes. He believes it is also important to invest in and nurture the younger generation, for they will constitute the future workforce.
“The best cyber leaders are those who practice servant leadership. The key to retaining talent lies in giving them a mission, and the better CISOs can raise up their team while always maintaining the mentality that they are here to serve their team,” he added.
Guide for CISOs in 2022
Asked for one key piece of advice for CISOs in 2022 to help guide them in tackling the role, du Plessis instead offers three factors to consider:
- Capturing the strategic picture of cybersecurity in the business so that executives understand how it fits into the business
- Speaking the business-relevant language of the board and the C-suites for efficient communication on the cybersecurity agenda
- Building cyber muscle memory for C-suites through attendance at cyber events so that they are familiar with the space
Click on the PodChat player to listen to the details of the dialogue with du Plessis.
- Looking back (2020-2021), what has been the single biggest challenge for the CISO and security team? How have they responded to this challenge?
- Are CISOs in Asia able to adapt to talking in business terms to the CEO and the Board?
- What are the key cybersecurity trends and challenges that organisations are currently facing (2022)?
- What are the implications of these challenges for CISOs and how does this affect the company’s security strategy and posture?
- What are some best practices or must-haves that constitute a sound cybersecurity strategy in 2022?
- What is the one piece of advice for the CISO in 2022 to help guide him or her in tackling the role?