Cybersecurity Operations Need Upgrades, Moving in the Right Direction


Posted on by Robert Ackerman

Amid the onset of the last month of 2023, this is a good time to explore the volume of cyberattack carnage this year and how corporations and other organizations have fared in their annual combat. Should numbers tell the whole story? Or, regardless of what they show, are organizations nonetheless making progress in building the kind of security posture they really need?

 

If the numbers are your priority, the year is shaping up as another loser in the cybersecurity world. 

 

According to the Identity Theft Resource Center, a non-profit that tracks the number of publicly reported cyber breaches, there were 2,116 data compromises in the first nine months of 2023, a 17% increase from 1,802 in all of 2022 and much larger than the 1,862 breaches reported in 2021 -- the previous yearly record. Meanwhile, ransomware groups, arguably the single most toxic category of cybercriminals, breached more than 2,200 victims in the first half of the year alone – a 20% increase over the first half of 2022.

 

However, I would put this aside, at least for the moment. Instead, I contend that corporate SecOps (security operations) – the prevalent collaborative approach unifying IT security and operations teams, to work as one to maximize protection of organizational digital assets, thereby reducing the risk of cyber threats, are doing a pretty good job.

 

They are certainly faring better than they have in the past. Influential boards of directors listen more to security executives, increasingly aware of the financial and reputational damage associated with data breaches and ransomware attacks. In addition, rank-and-file cyber training is improving, cybersecurity budgets continue to rise slowly, and more companies have aggressively begun vetting vendors to better guard against troublesome outside partners.

 

These bright spots are noteworthy, even though they stand aside dark spots. The volume of cyberattacks and breaches have risen this year, as they typically do, because hackers are increasingly sophisticated and now often armed with machine learning technology and artificial intelligence. In addition, corporate cybersecurity budgets, while up again, are far less so than average, a reflection of economic troubles, according to the 2023 Security Budget Benchmark Summary Report.  And, too, the severe shortage of security talent persists. According to the latest Cybersecurity Workforce Study by ISC2, two-thirds of U.S. organizations don’t have all the cyber pros they need, partly because of sub-par qualifications.

 

There clearly remains room for substantial improvement in cybersecurity arenas. Steps that matter most, such as the prioritization of cybersecurity measures, must be continuously analyzed and improved and highly attuned to the chronically changing cybercriminal landscape. 

 

Effective security starts by knowing what matters most to your organization at any given time. Getting key corporate leaders aligned to this will focus their efforts, avoiding distractions, such as big security news outbreaks. 

 

Here are other important operational considerations for corporations and other sizable organizations to further analyze and improve:

 

+ Keep abreast of cyber hygiene. Corporate managers and executives need to make sure your company is doing the basics well. Examples of controls important to every company include patching, asset management, multi-factor authentication and periodic employee security training. These steps can easily make the difference between becoming the victim of a breach or sidestepping one.

 

Discussing cyber hygiene isn’t as easy as, say, various company cyber risks. You may have to explain the concept of cyber hygiene, which is the corporate equivalent of a person eating and sleeping well and getting regular exercise. These behaviors don’t prevent illness, but they often mitigate it.

 

+ Track progress in reducing select cybersecurity risks. Create a treatment plan after key risks have been identified. Outline an approach to increase the risk and assign responsibility to a designated person. Also, target a resolution date for each identified risk. Some risks have longer lead times than others and may require interim measures. Lastly, make sure required resources are available.

 

+ Don’t be driven by cyber-attack headlines but keep abreast of them. They may be relevant. Remote cyber-attacks can spark feelings of fear, uncertainty and doubt among the CEO, the board and other executives. For a CISO, in particular, it’s embarrassing if the CEO asks you about an incident before you know about it.

Depending on the significance of the news, it may be a good idea to proactively reach out so that the news comes to you with your context.  

 

Small and medium-sized companies – especially the former – have fewer resources and may find these steps harder to navigate. Nonetheless, it’s in their interest to do so as best they can. If they can’t afford hiring a CISO, whose job is to defend against the rising tide of daily cyber threats, they may want to consider temporarily hiring a vCISO (a “virtual” Chief Information Security Officer) -- an outsourced cybersecurity practitioner who offers expertise remotely on a part-time or contractual basis. vCISOs develop many of the same services as a traditional CISO, such as developing and implementing security strategies.

 

Some CISOs themselves, meanwhile, might want to polish their act a bit and improve their people skills, especially when they deal with other executives and board members and periodically face difficult discussions about security. CISOs have highly technical backgrounds but don’t tend to put much emphasis on soft skills. They should improve them. The most effective CISOs don’t merely solve technical problems. They’re also expected to solve business and people issues.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber Capital, & Co-Founder, cyber startup foundry DataTribe

Technology Infrastructure & Operations

security operations risk & vulnerability assessment professional development

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs