Adam Palmer, Chief Cybersecurity Strategist, Tenable, 0
While many aspects of the health crisis are unprecedented, the global remote-work movement has accelerated trends that already existed in the world of IT. As remote work becomes the new normal, organizations need to take stock and ensure proper controls are in place to avoid exposing the organization to critical risks. A study by Forrester Consulting commissioned by Tenable found that 97 percent of organizations in India have suffered one or more business-impacting cyberattack in the last 12 months, with 37 percent experiencing five such incidents in the past year.
Here are four strategies that CISOs should adopt to double-check security in the new remote work environment.
Focus on the Risks that Matter
There’s a tendency to mistakenly follow a traditional “check-the-box” approach to addressing every risk. This is akin to chasing your own tail because it provides no visibility of actual risks and consumes valuable resources and time on vulnerabilities that have a low likelihood of being exploited. Mature organizations are now looking towards a more comprehensive cybersecurity strategy that is risk-based. This entails using threat intelligence, vulnerability research and probability data to focus on risks that pose an imminent threat to the organization. Not all vulnerabilities are created equal and focusing on the most important ones is the easiest way to keep your digital assets safe.
Gaining Visibility in Remote Workers’ Risk Environments
As more employees merge personal technology with work devices, they introduce new risks into the enterprise environment - which expands the attack surface. An effective CISO needs asset visibility to protect the enterprise network and must strive to gain visibility of this new distributed landscape. The need for authenticated vulnerability discovery with agents and passive monitoring has become a necessity. Agents allow the monitoring of assets that are usually offline and therefore invisible to active scans, by using large scan windows. This makes assets detectable when they eventually connect to the network.
This also allows agents to evaluate online assets without the need for on-going host credentials while minimizing the network impact from large-scale concurrent scans. Findings from the same Forrester study indicate that while roughly 70 percent of security leaders globally say they have high or complete visibility into their organizations’ applications, data, IT, and cloud platforms, only six out of 10 have a similar level of visibility into OT, IoT, and mobile devices. This makes it more important than ever to protect the sprawl of interconnected technologies that make up the modern attack surface.
The question “How Secure are we?” Warrants a Clear & Concise Answer
When the C-suite or board of directors asks a CISO, “How secure or at risk are we?”, the last thing they want is a long-winded, technical answer. The Forrester study shows that only four out of ten security leaders can answer the question with a high degree of confidence. Business leaders want a clear picture of how at-risk they are and how that risk is changing as they plan and execute business strategies.
There’s a tendency for many security professionals to communicate the risk level of an organization using complex heat matrixes or RAG charts (Red/Amber/Green). A better approach would be to assign quantifiable measures to indicate the level of risk. The CISO should identify resources and assets by their risk profile and focus on the most critical ones. A clear-cut approach helps to guide strategic-decision making by the leaders. Often security leaders are unable to gain the resources they need because they are not able to successfully communicate the threats being faced by the organisation.
Channel Resources Appropriately
A CISO should continually reduce the company’s cyber exposure by prioritizing and managing vulnerabilities based on actual business risk. It is important to measure preparedness by looking at the level of risk reduction achieved instead of blindly chasing tool deployment metrics or other milestones. In a crisis, a CISO should drill into specific vulnerabilities and know what controls are really effective in reducing risk.
Demand assurance that the security team is focused on identifying and reducing critical vulnerabilities that pose a business risk. Remediation actions should be prioritised to reduce the organization’s overall cyber exposure.
In the fast-moving environment of cybersecurity, where the entire business may be at risk, organisations need to understand where to focus resources and investment to maximise their cyber risk reduction. It is imperative that business and cybersecurity leaders are on the same page when organisation-wide security is concerned.
The question “How Secure are we?” Warrants a Clear & Concise Answer
When the C-suite or board of directors asks a CISO, “How secure or at risk are we?”, the last thing they want is a long-winded, technical answer. The Forrester study shows that only four out of ten security leaders can answer the question with a high degree of confidence. Business leaders want a clear picture of how at-risk they are and how that risk is changing as they plan and execute business strategies.
The need for authenticated vulnerability discovery with agents and passive monitoring has become a necessity
There’s a tendency for many security professionals to communicate the risk level of an organization using complex heat matrixes or RAG charts (Red/Amber/Green). A better approach would be to assign quantifiable measures to indicate the level of risk. The CISO should identify resources and assets by their risk profile and focus on the most critical ones. A clear-cut approach helps to guide strategic-decision making by the leaders. Often security leaders are unable to gain the resources they need because they are not able to successfully communicate the threats being faced by the organisation.
Channel Resources Appropriately
A CISO should continually reduce the company’s cyber exposure by prioritizing and managing vulnerabilities based on actual business risk. It is important to measure preparedness by looking at the level of risk reduction achieved instead of blindly chasing tool deployment metrics or other milestones. In a crisis, a CISO should drill into specific vulnerabilities and know what controls are really effective in reducing risk.
Demand assurance that the security team is focused on identifying and reducing critical vulnerabilities that pose a business risk. Remediation actions should be prioritised to reduce the organization’s overall cyber exposure.
In the fast-moving environment of cybersecurity, where the entire business may be at risk, organisations need to understand where to focus resources and investment to maximise their cyber risk reduction. It is imperative that business and cybersecurity leaders are on the same page when organisation-wide security is concerned.