Many CISOs are drowning in ‘security debt’

(Image credit: Pixabay)

As Chief Information Security Officers (CISO) step up their game in order to fend off increasing volumes of attacks against their organizations, they’re met with mounting “security debt”, new research has said.

A report from cybersecurity experts F-Secure, found that despite facing a “well-organized” criminal industry, CISOs are getting better at repulsing many attacks.

Criminals are usually better-equipped than CISOs, mostly because they share the intelligence amongst themselves, with almost three-quarters of CISOs said criminals were also faster than they were.

Despite high-profile ransomware attacks, criminals are also increasingly interested in service and affiliate models, as they increase their effectiveness. CISOs, on the other hand, understand the motives of various cybercrime groups. Almost all (96%) believe they are driven by financial gain.

Overal, over two-thirds (69%) said that criminals had improved their attacking capabilities in the last 12 - 18 months.

Having the right detection technology

For F-Secure’s security advisor for Managed Detection and Response, Michael Greaves, CISOs are doing well despite “pervasive security debt”, mostly because they made the right investments. 

“However, it is the incidents that haven’t been discovered which worry us most,” he says. “Because of the sophisticated nature of some of these attacks, organizations may not have the technology or people to identify they are in the middle of a compromise that, for example, may result in a ransomware deployment months down the road.”

And speaking of sophisticated, hard-to-detect attacks, most CISOs (71%) fear employees are the weakest link in their cybersecurity chain. They worry criminals may use social channels and launch phishing, ransomware, or business email compromise (BEC) attacks. 

Further expanding on the idea of a liable workforce, F-Secure’s respondents said it is particularly risky securing the mobile or remote workforce, mostly due to their devices being separated from the traditional controls.

A vast majority of CISOs - 71% - report that their ideas about what constitutes “good security” has evolved recently.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.