This October 2022 is Cybersecurity Awareness Month. What started as a US initiative to create awareness about safe practices online has expanded into a global effort.
According to wearesocial, 62.5% of the global population was online at the start of 2022. The report noted that ongoing restrictions because of the COVID-19 pandemic, and the difficulty of researching and reporting on trends, mean the real figures could be higher.
At US$6 trillion in losses, cybercrime has become more profitable than the entire global trade in illegal drugs, according to Bain & Company. Regrettably, the firm says 25% or fewer companies follow basic cybersecurity best practices.
“It’s imperative that C-suite leaders champion a cybersecurity strategy that is robust enough to repel the vast majority of attacks, and ensures the organization is resilient enough to quickly recover from any that succeed.”
Bain & Company
Not enough lessons to go around?
Hacking may have started as early as the 1960s at universities in the US that housed mainframes – presumably by curious hackers and those looking to improve existing systems by making them work more quickly or efficiently.
Cybersecurity began in 1972 as a research project on The Advanced Research Projects Agency Network (ARPANET), the precursor to the internet. Cybersecurity, as a practice, traces its roots to 1987 when commercial antivirus programs came to market.
Since then, the escalation of cyberattacks, and the stream of solutions meant to close the gaps, have brought continuing frustration to the victims, individuals and corporations alike, who keep paying the price of being connected.
Asked why we continue to be handicapped by these attacks, Phillip Ivancic, APAC head of solutions strategy at Synopsys, blames the complexity and difficulty of achieving security at scale.
“Furthermore, put simply, there is a profit motive for attackers, so they are incentivized to keep innovating their attack techniques.”
Phillip Ivancic
“Most CIOs now understand that applications and application security is a priority and underpins digital transformation. They recognize the need to fix vulnerabilities as early as possible in the development cycle and to have a ‘Software Bill of Materials’ so that each component of their applications,” he elaborated.
For Darrin Reynolds, chief information security officer at Edgio, low awareness among individuals and organisations leads to dangerous cybersecurity practices, with too many security leaders today falling for the seduction of the exception rather than the discipline of the essential.
“The sheer number of devices alongside the democratisation of cyber-attack techniques has meant that the effort-reward ratio has never been more favourable for attackers,” he added.
SailPoint’s senior vice president for Asia-Pacific, Chern-Yue Boey, concludes that ultimately, as technology grows more pervasive, cyber actors too will opportunistically evolve their strategies to maximise the expanded threat surface.
“Rather than react retrospectively, business leaders will be wise to stay ahead of cyber threats by pre-emptively shoring up on their defence arsenal and employing intelligent solutions that can outsmart cyber attackers,” he advised.
Who is in charge – CIO or CISO
Not all organisations have a dedicated Chief Information Security Officer (CISO). First introduced in 1995, the CISO role was designed as a response to the ever-increasing need to maintain the security of the information and operations held within the internal technology infrastructures upon which corporations relied.
However, given that the Chief Information Officer is the custodian of an organisation’s information technology infrastructure, he or she has natural accountability for the security of the organisation as well.
So is cybersecurity a CIO or CISO role?
Ivancic believes it’s a joint responsibility: the CISO has domain expertise, but CIOs are driving digital transformation strategy.
Boey says the digital age calls for a redefinition of the CIO-CISO relationship – especially when tackling the responsibility of helming the cybersecurity charge. With more enterprises accelerating their digital transformation journeys, thereby interconnecting their business itself with the digital domain – safeguarding the business IT ecosystem becomes central to safeguarding their success.
“CIOs would then be prudent to work concertedly with CISOs to ensure efforts to digitally transform their business do not also compromise the overall cybersecurity of the firm. Enforcing an undergirding security framework can help CIOs and CISOs build on a strong basepoint as they scale digital efforts.”
Chern-Yue Boey
Reynolds says organisations are learning to separate the “I” from the “T” and to think of technology as distinct from the information it carries, so that data can be used effectively. Ultimately, cybersecurity and data protection are required topics for senior leadership, and they must be represented there by competent and cogent expertise.
Gartner noted that since 2020, the drastic uptick in cybersecurity events has caused 88% of boards of directors to acknowledge that cybersecurity is a business risk and not just an IT problem, up from 58% just five years earlier.
“CIOs must rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders,” says Paul Proctor, distinguished VP analyst at Gartner.
“They are thought of as the ultimate decision maker and authority for protecting the enterprise’s security, but really, business leaders make decisions every day that impact the organization’s security. They should share accountability.”
Paul Proctor
How to prioritise cybersecurity in 2023
“It is vital for CIOs to help their executive colleagues understand that the technical risks can be translated into business risks,” suggested Ivancic. He further opined that the onus is on the CIO to help demystify cyber controls and help all stakeholders understand that baking security into a project is now just (to steal a term popular during Covid) “the new normal”.
Reynolds suggests that CIOs start driving the implementation of zero-trust architecture (ZTA). Given organisational reliance on cloud services and an increasingly distributed workforce, ZTA is critical to mitigating the frequency and severity of attacks.
“It is like how athletes do not expect to engage in a competition where the opponent never scores a point. Business leaders should not tolerate the delusional belief in cybersecurity and business protection where they will never be a target of cyberattacks.”
Darrin Reynolds
For his part, Boey believes that CIOs must place identity security at the core of their overall cybersecurity strategy.
In 2023, staying ahead of the security curve will require businesses to steer away from manual processes and instead leverage AI and ML-based identity solutions. With AI and ML, enterprises can get intelligence and insights into access privileges, abnormal entitlements, and potential risks so they can easily control access throughout a user’s lifecycle, mitigate threats and empower their workforce.
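The “abnormal entitlements” mentioned above are usually found by comparing each user’s access with that of their peers: an entitlement that almost nobody in the same department holds is a candidate for review, and a recurring cause of over-privilege after job changes. The following is an added illustration of that peer-group check; it is not SailPoint’s code or any vendor’s product logic, and the users, departments and entitlement names are constructed for the example.

```python
"""Peer-group entitlement outlier check (constructed illustration, not vendor code).

For every user, each entitlement they hold is compared with the fraction of
their departmental peers (excluding themselves) who hold the same entitlement.
Entitlements below a minimum peer fraction are flagged for access review.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data: user -> (department, set of entitlements).
# Names, departments and entitlement identifiers are hypothetical.
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("finance", {"erp_read", "erp_post_journal", "vpn"}),
    "bob":   ("finance", {"erp_read", "erp_post_journal", "vpn"}),
    "carol": ("finance", {"erp_read", "vpn"}),
    # dave moved from engineering and kept a production database role
    "dave":  ("finance", {"erp_read", "erp_post_journal", "vpn", "prod_db_admin"}),
    "erin":  ("eng",     {"vpn", "github", "prod_db_admin"}),
    "frank": ("eng",     {"vpn", "github", "prod_db_admin"}),
    "grace": ("eng",     {"vpn", "github"}),
}


def find_outlier_entitlements(
    users: Dict[str, Tuple[str, Set[str]]],
    min_peer_fraction: float = 0.34,
) -> List[Tuple[str, str, float]]:
    """Return (user, entitlement, peer_fraction) for every entitlement a user
    holds that fewer than `min_peer_fraction` of their departmental peers hold.

    The user's own holding is excluded from the peer fraction, so a single
    person holding a role in a department of four scores 0.0, not 0.25.
    Users with no peers are skipped: there is nothing to compare against, so
    they need a manual review rather than a statistical one.
    """
    members_by_dept: Dict[str, List[str]] = defaultdict(list)
    for name, (dept, _) in users.items():
        members_by_dept[dept].append(name)

    flagged: List[Tuple[str, str, float]] = []
    for name, (dept, entitlements) in users.items():
        peers = [p for p in members_by_dept[dept] if p != name]
        if not peers:
            continue
        for ent in sorted(entitlements):
            holders = sum(1 for p in peers if ent in users[p][1])
            fraction = holders / len(peers)
            if fraction < min_peer_fraction:
                flagged.append((name, ent, round(fraction, 2)))
    return flagged


if __name__ == "__main__":
    for user, ent, frac in find_outlier_entitlements(USERS):
        print(f"review: {user} holds {ent!r}; {frac:.0%} of peers hold it")
```

With the default threshold the only finding is dave’s `prod_db_admin`, which none of his finance peers hold. Lowering the bar to, say, 60% also surfaces the engineers who hold that role, since only half of their peers do; the threshold is a tuning choice that trades reviewer workload against how small an anomaly is worth a ticket, and in practice the peer group is often refined beyond department (job title, manager, location) to cut false positives.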