[BreachExchange] What tops the CISO’s Christmas list this year?

Destry Winant destry at riskbasedsecurity.com
Wed Dec 19 09:18:45 EST 2018


https://www.itproportal.com/features/what-tops-the-cisos-christmas-list-this-year/

As we move closer to December 25th, our thoughts are turning to
Christmas – whether we like it or not! But while most of us will be
winding down in anticipation of the festive break, IT security
practitioners will be busier than ever. Cyber-attacks continue to
increase in both scope and severity, with organisations facing an ever
widening range of security vulnerabilities, including unauthorised
access, DDoS, device theft, data loss and insider threats.

As the industry looks towards the 2019 threat landscape, many experts
point to state-sponsored attacks as one of the most significant risks.
In the UK National Cyber Security Centre (NCSC) 2018 Annual Review,
CEO Ciaran Martin explained that these threats “constitute the most
acute and direct cyber threat to our national security.”

With a tough year ahead, we spoke to a range of IT security experts to
discuss the 2018 Christmas must-haves, and what every CISO should have
at the top of their wish list:

Luke Brown, VP EMEA at WinMagic:

“It’s that time of year when, as the song goes, it’s beginning to look
a lot like Christmas. Unfortunately, cyber criminals stop for no man –
not even Father Christmas. So, arguably over the holiday period when
many of us will have our attention focused on other things, it’s even
more important to ensure that your organisation’s security posture is
as robust as it can be. Top of every CISO’s Christmas wish list should
be the ability to encrypt their sensitive data, wherever it resides –
from end-point to Cloud and everything in between. Then, should the
worst happen – and sensitive data is compromised – an end-to-end
encryption platform will serve as the last defence, meaning that only
those who are authorised to access the data, access it. And no one
gets special treatment. Not even Father Christmas. Simply put, even if
you’ve been good all year, if your name isn’t on the list, you can’t
read it.”

Jon Lucas, Co-Director at Hyve Managed Hosting:

“It’s hard to pick one key gift for CISOs this Christmas, so instead
why not pick a multitude wrapped up in one, shiny package? As an
increasing number of organisations are moving to the cloud due to the
flexibility and scalability it offers, having strong security measures
is vital to ensuring that any solutions you implement are effective
and reliable. The best managed hosting providers will offer a
multi-layered suite which should include services such as data
encryption, a DDoS defence system, and intrusion protection and
detection systems. With data breaches up 75 per cent in the last two
years according to the ICO, organisations should be prioritising their
cloud security this Christmas to avoid risking an attack; because when
you’re in the middle of cooking the Christmas turkey, you shouldn't
have to be worrying about your data centre going down!”

Steve Blow, Tech Evangelist at Zerto:

“Surely the main thing every CISO wants on their Christmas list is the
ability to recover from any kind of downtime instantly – without
customers even realising anything has occurred, and with no data being
lost. In 2018, it became clear that current backup solutions are no
longer fit for purpose, with nearly half of all businesses
experiencing an unrecoverable data event in the last three years. And,
as ransomware attacks in particular will more than likely grow in
2019, CISOs need to focus on enabling an ‘always on’ business –
weathering the disruption and getting back online within seconds
without the data loss. With this sort of reliable data availability,
CISOs can finally enjoy a Christmas break and let concerns about
ransomware and security threats take a back seat in the New Year to a
more positive focus on proactive cybersecurity and preparing for
whatever the next threat on the horizon may be. With Santa’s sack full
of resilient gifts, eliminating these concerns will be more than
merely a Christmas miracle.”

Oscar Tovar, vulnerability verification specialist at WhiteHat:

“As a CISO, the charitable spirit of the holidays opens the door to
reconnect with your board ahead of the New Year. Here are a few key
‘gifts’ you can ask for this year to improve your organisation’s
security posture:

- Service Exposure Audit – Most organisations don’t have a full
inventory of their exposed services, and many don’t have any inventory
at all! Having a strong understanding of all the places your
organisation’s infrastructure is exposed to the world is the first
step in securing them. How can you protect things that you don’t even
know about?
- Employee Security Awareness Training – Even the most basic
understanding and awareness of security can go a long way. Ninety-five
per cent of security breaches involve at least some interaction with
an employee – whether it’s getting them to click a malicious link,
open a dangerous file, or provide restricted information over the
phone. A basic security awareness training can help your employees
identify these situations and stop the attack before it even starts.”

Christopher Leppard, Managing Consultant for Advisory – Governance,
Risk & Compliance, Six Degrees:

“A long Christmas wish list from me this year, but these items are
fundamental to businesses looking to improve their security postures
in 2019:

- Staff training and awareness – staff remain the greatest strength
and weakness of every business. Recent successful attacks have relied
heavily on fooling staff, and so staff training and awareness should
be well structured, clearly delivered, comprehensive and regularly
repeated.

- Get the basics right – the fundamentals of patching, access control
and understanding how your network operates haven’t changed since
networks were invented. When done properly, they will provide a lot of
protection. Equally, defence-in-depth may be an old concept, but it is
still relevant.
- Vendor and third-party risk management – GDPR highlighted the
importance of understanding your supply chain and ensuring they are
also doing things correctly. Reputational damage is a real possibility
if this is not considered.
- Go beyond compliance – compliance to a recognised standard is to be
encouraged, but it requires cultural change to properly implement and
maintain, which is not to be underestimated.
- Set realistic budgets – the average cost of a breach is now
estimated at $3.2 million. However, the real cost could be much higher.
Comprehensive security requires proper investment in staff and the
implementation and management of the right solutions.
- Board level recognition – the CISO function should be board level,
or reporting directly to them. It is a critical role, and boards must
understand the risks they face and how they are best mitigated.
Ignorance is no longer an excuse.
- Website security – understand what is operating on your website.
Third party scripts are very common, and are a major source of
compromise. The recent British Airways hack is a prime example.
- Multi-factor authentication – use multi-factor authentication
wherever you can. It’s straightforward to use, and will significantly
strengthen your business’s security posture.”

For most CISOs, the Christmas wish list will be a non-exhaustive list.
While there are many tools and areas of support security professionals
already know they will need next year, just as many new items will be
added as we move into 2019. As the threat landscape continues to
evolve in both complexity and scope, CISOs have a tough year ahead!
