CISOs need smarter cybersecurity investments. Source: Shutterstock

New cybersecurity report issues calls to action for CISOs

COMPANIES have always struggled with cybersecurity, but with new and emerging technologies making hackers more sophisticated, the challenges are growing significantly.

While companies are investing in cyber-insurance to cope with the significant penalties that regulators are imposing on businesses that fail to defend customer data, most have talent gaps that are constantly growing.

Cybersecurity jobs are difficult to fill and businesses tend to struggle to hire even the most junior executive to support the organization’s security function.

At a time when attack surfaces are expanding rapidly and networks are exchanging data with collaborating organizations, Chief Information Security Officers (CISOs) seem to be fighting a losing battle.

Fortunately, according to a new report by Willis Towers Watson, Baker McKenzie, the Security Industry Association, and others, business leaders understand the plight of CISOs as well as the growing need to better defend the company’s identity and infrastructure in cyberspace.

Hence, CISOs are being provided with larger budgets to augment cybersecurity capabilities — but the report cautions against making the wrong investments.

Given the ocean of risks that cybersecurity professionals face every day, making the right technology, people, and process investments might seem hard at first. However, CISOs must think carefully about the return on their investment and the security that it brings to the organization on the whole.

Here are three things that CISOs must keep in mind when dealing with extensive cybersecurity budgets intended to defend an organization against all threats in the digital world:

# 1 | Don’t spend all your money on cybersecurity technology

“Investment in proactive deterrence is key,” said Security Industry Association Director of Standards Joe Gittens.

“The cost of recovery is very high, so it is critical that companies invest more to build resiliency, harden their products and systems to make security breaches more difficult, and thereby protect themselves from the time and expense of recovery. They must invest to make their ‘crown jewels’ tougher to get to.”

That being said, WSJ Pro Cybersecurity Research Director Rob Sloan, who had previously spoken to Tech Wire Asia, said, “Technology alone is not enough to manage cyber risk—it never was and never will be.”

“Organizations need an approach that balances people, process, and technology in a way to maximize operational effectiveness at quickly identifying, investigating, and countering attacks.”

# 2 | Plan to protect against internal and external threats

Cybersecurity specialists and CISOs often get caught up with a few key threats, and although that focus is understandable, the reality is that companies need to defend themselves on all fronts — be it internal or external, be it malware, ransomware, spam, botnets, DDoS, or anything else.

Technology investments can help protect against some of these threats by automating and simplifying how they’re dealt with — however, other measures must be taken in order to ensure 360-degree protection.

Internal threats, for example, can only be neutralized by training staff periodically and communicating clearly to them that they are responsible for the actions they take online on their devices while in the corporate environment or when accessing the network from home or client organizations.

# 3 | Your partners deserve your trust — and periodic security scans

While the culture of innovation and collaboration in today’s digital world dictates that organizations open their digital information highways to partners, the reality is that these partners often carry a certain degree of cybersecurity risk.

Therefore, organizations need to enforce strong standards in terms of devices and connections that are permitted to join the network, and the kind of checks that are performed at each instance.

Most CISOs and cybersecurity experts are of the opinion that permanent pre-clearance is not a concept that can thrive in today’s world, especially with cybersecurity incidents at organizations going undetected for years — affecting partners via trusted connections just like these.