The CISOs Report: A Spotlight on Today’s Cybersecurity Challenges

Originally published by CXO REvolutionaries here.

Written by Sean Cordero, CISO - Americas, Zscaler.

New attacks and attack classes demand new solutions and strategies

The swift evolution of IT infrastructures has made cybersecurity more challenging than ever for CISOs. They face a broader range of increasingly sophisticated threats aimed at a rapidly expanding and porous attack surface.

That’s why Zscaler recently contributed to The CISOs Report. This new survey polls CISOs across industries, explores their latest challenges, cites their top-of-mind goals, and examines the obstacles standing in their way.

Over four hundred CISOs across four continents were consulted to source the report’s findings. They make it clear that cybersecurity continues to challenge organizations of all sizes in both the public and private sectors. Consider:

• No organization, regardless of its size or operational context, is safe. Three-quarters report their organizations have been hit by at least one cyber attack that caused material damage in the prior year. More than two in three mid-sized organizations report security breaches. And 67% of all CISOs perceive the threat landscape to be worse now compared to a year ago.
• Threats are becoming both more complex and harder to defend against. Ransomware (like the Colonial Pipeline hack), phishing/spear-phishing, and supply-chain attacks (as with the Solar Winds exploit) lead the list of increasingly effective attack classes.
• Partnerships and suppliers bring a whole new class of concerns to the arena. Third parties of various types are cited as the top source of security risks, outclassing unpatched systems, cloud security gaps, and configuration errors by in-house admins.
• Software interoperability and extension frameworks are creating new security headaches. Respondents considered APIs the IT infrastructure element most in need of added security, beating out cloud apps/infrastructure and data infrastructure such as databases and file servers.
• Exposing PII or sensitive data belonging to external stakeholders causes CISOs the most concern. Breaches that directly affect customers and clients are far more problematic than internal issues like unauthorized access, compliance violations, or even financial damage.
• Simplicity is becoming a metric of security. Reducing the security stack to eliminate noise and redundancy makes organizations safer, more responsive, and effective when breaches occur.
• CISOs are investing serious time, money, and energy to resolve these issues. The top projects for CISOs at the moment include zero trust rollouts (almost 80% report already having initiated one), network microsegmentation, container security for virtualized application platforms, and security service edge (SSE) implementations.

A few recommendations to get your security strategy current — fast

While details of implementation will naturally vary from one organization to another, nearly all organizations that pursue these recommendations will see substantial improvement in security. Toward that end, we advise CISOs to consider the following ideas:

• Network-agnostic architecture is a step toward simplification. By doing away with hub-and-spoke topology and castle-and-moat security, CISOs move in the direction of a sleeker security stack. This shift in outlook can help organizations better secure business services and related assets that involve external clients and partners, third-party clouds, and remote employees. Adopt a scalable platform now, rather than playing an expensive game of catch-up when you outgrow your current security posture.
• Implement zero trust sooner rather than later. It may have once been sufficient to trust network transactions simply because they originated behind the company firewall, but modern threats require a modern response. Today, all entities involved in any network transaction, regardless of their location, should authenticate their identities via a process that goes beyond passwords or traditional MFA.
• Real-time SSL/TLS inspection is essential for securing even routine, non-critical operations. Cybercriminals know most internet traffic is encrypted and they take advantage of this fact to avoid detection or to bypass security controls. Modern security architecture should be able to inspect SSL/TLS traffic for malware and enforce DLP at scale, without sacrificing performance or user experience.
• It all starts with access control. Least privilege is a core component of any zero trust strategy. To determine which users should have access to a given app, both their identity and the context surrounding their access request must be established. Then, using microtunneling to connect end users or devices to specific apps rather than networks.
• Educating the user base is one of the best ways to defend against the ongoing threat of phishing. When technology falls short, the human mind can help make up the difference — when trained and sufficiently wary. Beyond training, the occasional test to reflect user understanding of best practices can help reinforce learnings.
• Specific response plans should be created, tested, and verified as effective for every primary threat and threat class. While it’s not possible to completely protect against emerging threats, a fast and effective response, implemented well, can substantially mitigate business impact.
• Partnering with a leading security provider can be a fast, effective, and budget-friendly way to design and deploy a customized security strategy and architecture. While most organizations lack the in-house expertise needed to address every threat, managed security services offer a broad array of specialists to help. Leading vendors provide experts in addressing the top concerns discussed in the report, including zero trust implementations, remote users, public cloud security, and API security.

Many of the CISO’s self-reported concerns listed in this report can be eased or eliminated by implementing zero trust network architecture (ZTNA). It obscures the attack surface, stops lateral movement in the event of a breach, and enhances remote users’ digital experience.

That’s likely why most CISOs – in addition to perceiving a more dangerous threat landscape than a year ago – reported zero trust initiatives already being well underway within their organizations.