Today’s fast-paced business landscape requires decision-makers to constantly keep up with new technology and to determine how to continue innovating efficiently in a new world. For CISOs, the post-pandemic era means that adaptive, agile solutions are required to support enhanced business resilience and security efforts. Deryck Mitchelson, Field CISO and C-Suite Advisor EMEA at Check Point Software Technologies Limited, gives his assessment of the situation.
“CISOs should engage their current teams and be receptive to investing time in training when it comes to learning and upskilling in their existing professional field.”
Deryck Mitchelson, Field CISO and C-Suite Advisor EMEA at Check Point Software Technologies Limited
The Chief Information Security Officer (CISO) position has evolved. Today’s CISO role diverges substantially from that of the past. The position has transformed from an in-the-shadows, mid-level technical role into a multi-dimensional, high-visibility senior-level position centered around business leadership, corporate risk governance and driving security decisions. The contemporary CISO is responsible for risk identification, for developing a culture of shared risk ownership, and for active risk management. This person also bears responsibility for building trust among stakeholders. The latter responsibility is a newer one on the list and, if not executed well, can lead to negative outcomes.
CISOs need to understand the entirety of what’s going on within a corporation, from how their team’s decisions will impact business, to how the decisions of other departments will impact revenue streams. The ability to articulate business risks to the organization and to the board is also imperative.
CISOs face a range of complex challenges right now, as organizations go through digital transformation and the process of securing their remote employees. They have to maximize security with finite resources, while balancing the handling of tactical issues with their strategic leadership responsibilities. One of the biggest issues is that there simply aren’t enough security professionals to keep up with the rise in cyber threats, and that shortage creates a host of related problems.
Cyberattacks on the rise
The landscape is changing, but only for the worse. The number of breaches and records exposed per year is escalating, despite billions of dollars of investment in cyber tools and the best efforts of security professionals. For quite some time now, cyberattacks have been a major concern for all organizations. In 2021, several cyberattacks demonstrated the willingness and ability of cyber threat actors to disrupt the operations of businesses and the supply chains that rely upon them. The total number of cyberattacks increased by 50% year over year globally and by 71% in the UAE in 2021. Unprecedented levels of cyberattacks played out as large-scale, multi-vector mega attacks that inflicted major damage on business and reputation. As a result, we find ourselves in the midst of the fifth generation of cyberattacks, exemplified by Codecov in April, Kaseya in July, and the Log4j vulnerability that was exposed in December of last year.
The most vulnerable sector in the UAE
All industries and companies face cyber risk, but some sectors are more targeted and at risk than others. According to Check Point Research, banks globally were attacked on average 700 times every week during the past year, a 53% increase on the previous year. From phishing scams and Denial-of-Service attacks to sophisticated attacks by nation-state actors, cyber threats targeting banks are continually on the rise.
The financial industry stands out as one with a great deal of sensitive and valuable information for attackers to target and numerous potential opportunities for cybercriminals to profit from their attacks. In fact, finance and banking is the most vulnerable sector in the UAE, with 926 weekly attacks per organization in the last six months, followed by retail and hospitality with 582 and 151 weekly attacks respectively.
One of the most common scam tactics Check Point observes is tricking victims into clicking on fake sites that look similar to the legitimate sites they imitate. The attackers then use this site to trick users into installing an application that installs malware on the victims’ phones. Once this is done, they use the malware to steal the victims’ data and identity, and use that information to scam the user and steal money from the victims’ bank accounts. According to the Check Point Threat Intelligence Report, an organisation in the UAE has been attacked 906 times per week on average over the last six months. 95% of the malicious files in the UAE were delivered via email in the last 30 days, and the most common vulnerability exploit type in the UAE is Remote Code Execution, impacting 95% of organisations.
Ransomware Escalates
Over the last few years, ransomware attacks have evolved to become the most disruptive type of cyberattack organizations have to face. As well as disrupting organizations’ everyday processes and potentially causing an interruption to business, ransomware can have a major financial impact. In its most visible form, this means the ransom payment itself exacted by the criminal gangs, which can run into millions of dollars. In this research, we examine the additional hidden costs incurred both during and after this type of malware attack. The long-term losses that the victims suffer after the attack are much more significant than most might assume.
Check Point Research has monitored a 203% increase in ransomware attacks on organizations in the UAE in the first quarter of 2022 compared to the first quarter of 2021. The weekly average of impacted organizations stood at one in 30, versus one in 92 for the same period in 2021.
Ransomware attacks are on the rise, but few people understand the hidden costs beyond the initial extortion payment. These can include response and restoration expenses, legal fees and monitoring costs, to name a few. Fortunately, organizations are waking up to the threat of ransomware by putting a clear response and mitigation plan in place, and the duration of ransomware attacks is reducing as a result. Ransomware attacks are now the most lucrative type of cybercrime, enabling criminal gangs to rake in huge profits.
The Skill level of the CISO
CISOs need to have a versatile set of abilities since they must address such a wide range of issues. The CISO’s job now includes value development in addition to risk management. A CISO adds value by exercising effective security management. Some CISOs come from technical backgrounds, while others come from business or risk management backgrounds. A CISO must effectively manage all three of those areas and more in order to succeed in the position.
It’s not enough to simply maintain good cyber hygiene and to then tout strong security. Too much is at risk and CISOs can be held to serious account. In turn, CISOs can’t afford to under-invest in security architecture. It pays to spend. CISOs and teams need to tackle security with best-in-class solutions offered by mature vendor partners.
CISOs should engage their current teams and be receptive to investing time in training when it comes to learning and upskilling in their existing professional field. Many industry experts frequently experience pressure over how they should use their time. Some companies may expect employees to keep performing some part of their daily role even while attending official training sessions. If these professionals feel obliged to carry out their day jobs, how can they concentrate on learning and upgrading their skills?
CISOs should also consider the kinds of training that are offered in the marketplace. It’s not necessarily a three-day, all-inclusive official course. One size does not fit all when it comes to learning and training. CISOs are inspired when a genuine personal goal is included in their training development plan because it creates a win-win situation.
Best Practices for the CISO
- Building trust and retaining accountability
As part of the trust-building process, at scheduled intervals throughout the year, CISOs should provide updates that offer stakeholders assurance that best cyber security practices and strong cyber hygiene programs have been implemented. Discuss how those programs function to support security needs. Provide brief, non-technical overviews that present the measures implemented and stand by their legitimacy.
- Increasing accountability and trust
CISOs who have experienced a breach often wish that they had done more in terms of prevention. More preventative measures can limit ‘blame’ attributed to a CISO’s actions or inactions, and can quickly revive trust in a CISO’s competence.
After a breach, the narrative often changes from working to adjust cyber hygiene across the organization to needing more capabilities, more resources with which to bridge security gaps, and above all, more fiscal investments in cyber security architecture. This approach can also work to restore trust, increase accountability, preserve acceptance of security risk, and optimize owned cyber security technologies.