Building cyber-resilience into security strategies

Padlock symbols on a cog - cybersecurity strategies
(Image credit: Shutterstock)

CISOs and their cybersecurity teams have shown resilience during the pandemic. They’ve been challenged by smaller budgets and more sophisticated attacks, both trends which will continue in the coming year. Despite this, CISOs will need to form a comprehensive strategy to ensure the security of their organizations, while securing board-level security prioritization.

About the author

David Higgins is EMEA Technical Director at CyberArk.

It will be difficult for many to make this work, and so here are several themes which will help CISOs to develop their strategies:

Changing our approach to work

The pandemic has tested our vision for distributed work beyond anything we could have imagined. Remote teams have shown themselves to be incredibly resilient in continually rising to the challenge of blending their home and work lives.

Now though, CISOs have a unique opportunity to provide the strategic insights and direction needed to sustain and enhance remote and hybrid work models as many regions of the world start to transition out of lockdown. We’re likely to see many move away from legacy approaches, and prioritize the implementation of new digital security strategies and user-friendly tools and policies, to securely empower workers.

Adopting the Zero Trust mindset

There’s a broad consensus amongst CISOs that the complexity of today’s cybersecurity challenges demands a ‘trust nothing, verify everything’ approach – otherwise known as a Zero Trust mindset.

While this method repositions the security perimeter around individual identities, ensuring that everyone and every device granted access is who and what they say they are, it isn’t a one-size-fits-all approach. In fact, the best place for CISOs to start with Zero Trust is to identify their organization's greatest security risks, address them, and then extend controls to new, less critical areas over time. It’s also equally important to work alongside IT and end users to ensure they both understand and adopt this new model across the board.

Approaching security like an attacker

Threat actors will always find new and innovative ways to penetrate networks, steal data and disrupt business – it’s not a question of if, but when. The trick is to adopt an ‘assume breach’ mindset to help detect and isolate adversaries before they traverse a network and inflict damage.

Doing so means getting into the mindset of an attacker, something which can give CISOs the edge they need to stay one step ahead. Assuming any identity in the network has already been compromised means security teams can anticipate an attacker’s next move, minimize impact and stop threats before they reach valuable assets and cause harm.

Learning from recent attacks and breaches

Sophisticated cyber intrusions, such as the SolarWinds digital supply chain attack, prompted many CISOs to re-evaluate their risk tolerance levels, cybersecurity and risk management efforts, together with areas of ongoing vulnerability. Alongside this, companies have been urged to update their incident response strategy, using frameworks such as NIST to guide them.

If organizations are attacked, retrospectives should be used as part of their learning to further optimize incident response strategies and build resilience. For example, questions raised should move from “how were we compromised or breached?” to “how can we stop it next time?”.

Quantify risk to prioritize budget

Recent headline-grabbing attacks have made cybersecurity a regular boardroom discussion and business imperative. It’s the CISO’s responsibility to make sure cybersecurity remains at the top of the agenda, even when news cycles are quieter.

To do this successfully, it is critical for CISOs to quantify risk, resulting in mitigating actions in financial terms, and demonstrate how the cybersecurity program will link to business objectives. Industry frameworks can also help CISOs demystify cybersecurity and bridge communication gaps with Boards and Executive Management.

Communicate your value to the board and business

Communication doesn’t stop at discussions with the board. In fact, today’s CISOs need to effectively articulate cybersecurity’s value proposition to customers, partners and also internal stakeholders. With digital supply chain attacks under scrutiny, the need to build trust by way of transparency has never been greater. The power of empathetic communication cannot be overstated here.

The good news is CISOs no longer have to shoulder the communication burden alone. By actively collaborating with IT security teams, CISOs can strengthen their message to various audiences and break down any siloes that have developed

Providing strategic advice to secure your organization's future

These important themes are helping to shape the expanding role of our CISOs and security leaders, and highlight their important role as strategic advisors on digital transformation initiatives from the very beginning. Their input is enabling innovation to move faster, with greater protection in place.

However, for this to happen, security heads must proactively embrace an advisory position, offering guidance and strategy to key stakeholders straight away. To this end, CISOs should seek partners, both within the organization and via external public and private partnerships, which will boost their advisory capacity, facilitate information sharing and accelerate the shift to the next stage of cyber resiliency.

The road ahead will be fraught with cyberattacks, more sophisticated attack vectors and methods, and ever power-hungry cybercriminals. CISOs can make moves to ensure their organizations thrive, rather than merely survive by heeding the aforementioned advice and embracing these future trends.

David Higgins

EMEA Technical Director, CyberArk.