The global pandemic has pushed many organisations to adopt remote working on a scale that was unthinkable until now. For Chief Information Security Officers (CISOs), the challenge has been to secure the system as more of the workforce attempts to connect from outside of the network – often from new or unsecured devices or connections.
But something strange has been happening. Instead of focusing on security, stakeholders have tended to focus on things like connectivity and left the door wide open for malicious attacks against their systems.
As always, CISOs have been vocal about the need to upgrade security as the system experiences new demands. However, stakeholder buy-in has been lacking. In fact, it appears that decision-makers and senior board members are only approving security patches and heightened endpoint protection after a major security breach has occurred.
According to a new report featured on The Register, 60% of enterprises will almost always upgrade their security after a major security breach – but are unlikely to get stakeholder buy-in until a breach occurs. Respondents were quoted as saying, “A big breach or data loss has been the best way to get buy-in.” Another claimed that, “The only thing that motivates senior management is when they’re under threat in some way – loss of their job, bonus, etc. Otherwise it’s business as usual.”
This approach to cybersecurity is like waiting for a bomb to go off. And with legislation like the GDPR carrying hefty fines for non-compliance and loss of personal data, the ramifications could be dramatic – at a time when many organisations cannot afford to lose money unnecessarily.
The stakeholder mindset is unlikely to change any time soon, so here are just a few ways that CISOs are keeping their organisations secure.
Vulnerability & Patch Management
Patching is a necessary part of any management of IT infrastructure, but it has never been so vital as it is today. Software infrastructure is now more complex and has a wider range of functionalities than anything before it. While this level of complexity empowers users with more functionality, it also opens the door to hackers – the more complex the software infrastructure, the greater chance that a vulnerability is present, will be found, and will be exploited.
A proactive approach to patching would therefore be the most logical route for organisations to take. But this is costly and time consuming, not least because a patch may break a legacy system or introduce new risks. So, many organisations choose to wait until a vulnerability is exposed and exploited to address it. However, by not prioritising vulnerabilities, CISOs are inviting cybercriminals to attack their systems.
Not so with a proactive approach. Now, experienced CISOs are establishing vulnerability management processes to protect their enterprises from software vulnerabilities and malicious hackers. These processes span identification, notification and remediation.
- Identification: Security teams utilise manual and automated scanning to identify any vulnerabilities in software infrastructure
- Notification: Vulnerabilities are raised with the relevant people and assessments of full risks are carried out
- Remediation: The final step is to patch applications or adjust configurations to mitigate the risk
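As an added illustration of the three-step process above (not code from the original post), the following Python script takes a constructed scanner export, removes duplicate findings (identification), weights each CVSS score by how exposed the host is and assigns it to an owning team with a due date (notification), and emits the patch or configuration step to be taken (remediation). The field names, hostnames, CVE-style ids, exposure weights and SLA periods are all assumptions chosen for the example.

```python
import json
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample scanner output standing in for a real scan export.
# Field names, hostnames and the CVE-style ids are placeholders, not real findings.
SCAN_RESULTS = json.dumps([
    {"host": "vpn-gw-01", "exposure": "internet", "cve": "CVE-PLACEHOLDER-1",
     "cvss": 9.8, "fix": "patch", "owner": "network"},
    {"host": "hr-laptop-17", "exposure": "remote", "cve": "CVE-PLACEHOLDER-2",
     "cvss": 7.5, "fix": "patch", "owner": "endpoint"},
    {"host": "intranet-wiki", "exposure": "internal", "cve": "CVE-PLACEHOLDER-3",
     "cvss": 5.3, "fix": "config", "owner": "apps"},
    # The same finding reported twice, as overlapping scanners often do.
    {"host": "intranet-wiki", "exposure": "internal", "cve": "CVE-PLACEHOLDER-3",
     "cvss": 5.3, "fix": "config", "owner": "apps"},
])

# Assumed policy values: how much a host's exposure amplifies the base CVSS
# score, and how many days each risk tier gets before remediation is overdue.
EXPOSURE_WEIGHT = {"internet": 1.0, "remote": 0.8, "internal": 0.5}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed reference date so the example produces stable due dates.
DEMO_DATE = date(2020, 6, 1)


def identify(raw_json):
    """Identification: parse scanner output and drop duplicate (host, cve) pairs."""
    seen = set()
    findings = []
    for item in json.loads(raw_json):
        key = (item["host"], item["cve"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(item)
    return findings


def risk_score(finding):
    """Weight the vendor CVSS score by how reachable the host is."""
    weight = EXPOSURE_WEIGHT.get(finding["exposure"], 1.0)  # unknown exposure: assume worst
    return round(finding["cvss"] * weight, 1)


def risk_tier(score):
    """Map a weighted score to the tier that decides its remediation deadline."""
    if score >= 8.0:
        return "critical"
    if score >= 6.0:
        return "high"
    return "medium"


def remediation_action(finding):
    """Remediation: the concrete step the owning team is asked to take."""
    if finding["fix"] == "patch":
        return f"apply vendor patch for {finding['cve']} on {finding['host']}"
    return f"apply hardening/config change for {finding['cve']} on {finding['host']}"


def triage(raw_json, today):
    """Notification: turn findings into owner-assigned tickets, highest risk first."""
    tickets = []
    for finding in identify(raw_json):
        score = risk_score(finding)
        tier = risk_tier(score)
        due = today + timedelta(days=SLA_DAYS[tier])
        tickets.append({
            "host": finding["host"],
            "cve": finding["cve"],
            "score": score,
            "tier": tier,
            "owner": finding["owner"],
            "action": remediation_action(finding),
            "due": due.isoformat(),
        })
    tickets.sort(key=lambda t: t["score"], reverse=True)
    return tickets


def by_owner(tickets):
    """Group tickets so each team receives one notification listing its work."""
    grouped = defaultdict(list)
    for ticket in tickets:
        grouped[ticket["owner"]].append(ticket)
    return dict(grouped)


if __name__ == "__main__":
    for owner, items in by_owner(triage(SCAN_RESULTS, DEMO_DATE)).items():
        print(f"== {owner} ==")
        for t in items:
            print(f"  [{t['tier']:8}] due {t['due']}  {t['action']}")
```

The exposure weighting is the part worth keeping even if the thresholds change: an internal-only host with the same CVSS score as an internet-facing VPN gateway should not compete for the same patch window, and tying the deadline to the tier gives the notification step a measurable outcome rather than an open-ended request.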
You can establish a process like this at minimal cost but for maximum gain. We’ll be addressing this topic more in coming weeks – watch this space!
Enhanced Endpoint Protection
Remote working has transformed the way businesses work, mostly for the better. Many professionals have been able to continue working throughout lockdown, keeping their businesses afloat and finding new and innovative ways to deliver services.
Nevertheless, remote working hasn’t only been positive – it has brought new security risks along with it. According to CCS Insight, the average employee has 4.9 connected devices that they may use to connect to the enterprise network, including laptops, tablets and mobile phones. If left unprotected, each of these devices could act as the source of a security breach.
Antivirus software is the main defence against malicious attackers in this instance. But for a full business endpoint security software solution, CISOs require a package that includes firewalls, email protection, anti-spam, malware detection and removal, and the ability to control or limit certain user actions.
Endpoint protection shouldn’t stop there. The best solutions also include functionality to detect unsecured devices, which can then be locked out of the system before important data becomes compromised.
Though more costly as a security solution, endpoint security must be enhanced in a time of remote working. IT security teams should present this as a cost-saving measure, rather than a sinkhole for investment. A security breach is likely to cost a lot more if your workforce is using unsecured devices to access enterprise networks.
Access Management & Authentication
The main reason that CISOs struggle to get buy-in for authentication tools is cultural. But this doesn’t need to be the case. Two-factor authentication (2FA) and multi-factor authentication (MFA) tools are a cost-effective way of securing your enterprise network.
If you haven’t already rolled out MFA, now is definitely the time. In late 2019, Alex Weinert, Director of Identity Security at Microsoft, wrote that, “Compared to password attacks, attacks which target non-password authenticators are extremely rare.” MFA is not only more secure, it turns out that cybercriminals aren’t even targeting it. That’s because “less than 10% of users use MFA per month in [Microsoft’s] enterprise accounts (and that includes on premises and third party MFA). Until MFA is more broadly adopted, there is little reason for attackers to evolve,” Weinert went on to say.
Put simply, MFA is both secure and remains largely untargeted by cybercriminals – making it an easy and logical addition to any CISO’s arsenal, and one that should readily gain buy-in.
Trouble arises when CISOs start to request new processes like Identity and Access Management (IAM). But in a world of remote working, it’s increasingly difficult to know who has access to what and whether their device is secure. CISOs must have control of access at all times to keep the system secure.
Getting buy-in from decision makers should be framed in terms of productivity gains as well as security gains. CISOs should combine that with the financial upside of keeping confidential data under wraps to see positive interactions with the rest of the C-suite.
In addition, authentication should also be framed as a compliance requirement. The GDPR states that only those individuals who need to access data should have access to that data. IAM policies and technologies ensure those compliance needs are met.
Deception Security & Learning from Precedent
Deception security isn’t new, but it has only just started to make headway in the cybersecurity sphere. With deception, a CISO may deploy a decoy that cybercriminals could see either as the main strength of the software infrastructure or as a possible vulnerability. In each scenario, the cybercriminal will either be deterred from trying to attack the software or will end up attacking a false vulnerability. Whatever the case, the enterprise network remains secure.
These deception tactics have their roots in traditional military and security sectors, but CISOs have a lot to learn from these precedents. For instance, if a CISO deploys a decoy that harbours a false vulnerability in the network, they could unearth more about the types of attacks the organisation faces without putting the network at risk.
The downside to deception tactics is that they can prove expensive. Many businesses have limited resources as it is – both monetary and computational – so creating and deploying decoys could be seen as a waste of time.
But when CISOs gain buy-in for other aspects of new remote-working strategies, they are pushing for deception security as an additional, and worthwhile, investment.
The Zero-Trust Approach & NTA
What is zero trust security? It is an approach to cybersecurity wherein no one from either inside or outside the network is trusted by default. Everyone is required to verify their identity to gain access to the network.
In addition to rolling out greater authentication policies, it’s also recommended to take a zero-trust approach to cybersecurity. Everyone, regardless of rank or responsibilities, or whether they are within the network or outside of it, should be made to verify their identity when requesting access to resources. By adding another layer of security to your network, CISOs are limiting the possibility of a security breach and protecting the enterprise.
The great thing about zero trust is that it can be rolled out relatively cost-free. All you need are an authentication tool and a change in policy to adapt the cybersecurity approach. In this new reality of remote working, it should be easy to get buy-in from the C-suite.
To truly bolster security in this area, CISOs are also investing more in network traffic analysis (NTA). Now that the workforce is distributed and remote, CISOs must monitor all traffic attempting to connect to the network. That way, if an element of the authentication process is compromised they can rely on another level of security to identify malicious behaviour.
We Want to Hear from You
These are just a few of the cybersecurity measures that CISOs are taking to keep their networks safe as the way businesses operate continues to change. But there is more that can be done – and we want to hear your views.
If you’re a CISO, let us know: have you been struggling to get buy-in from the board for new security solutions? Get in touch to have your voice heard!