The survey of 405 senior IT, networking, and security decision-makers in the U.S., Canada, and the U.K. revealed 83% of organizations agreed building cybersecurity programs is expensive due to required tools, licenses, and personnel, and 80% agreed it’s challenging to fill specialized security roles. Most organizations (78%) have an incident management process, but about half (49%) agree they lack the teams and tools to be effective 24x7x365. Evolving security threats (53%) and the task of integrating new technology (53%) are cited as top challenges in maintaining security posture.
Engaging in meaningful discussions with business leaders has strategic value.
At Black Hat 2022, Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), gave the opening keynote. His talk examined today’s risk trends and what they mean for tomorrow’s network defenders. He suggested shifts in mindset and action are needed to successfully deliver better outcomes while recognizing that we will forever operate in a contested information environment. He shared three critical truths that are shaping today’s cybersecurity landscape. These topic areas are a great way to have a strategic, ongoing conversation with all your customers, especially those responsible for critical infrastructure.
First Truth: Technology remains vulnerable because the benefits outweigh the risk.
Market pressures and economic headwinds will not help prioritize security over other business priorities. Technology will always be seen as an opportunity. To demonstrate the importance of prioritizing security, stress how every piece of new technology (and every device) we add to the ecosystem changes the threat landscape. Creating understanding becomes more complex when explaining how all the available cybersecurity solutions can be overwhelming for resource-constrained teams. Choosing tools that work together and deliver results can be daunting. Instead, Krebs recommends positioning improvements as an evolution, not a dramatic cutover to a new framework. It’s an iterative process that will provide steady improvement. Managed services can be an invaluable tool for ramping up when resources are tight.
By helping business leaders understand this kind of complexity, you help justify the required investment.
Second Truth: Predators understand the nature of your business. That’s why they’re targeting the supply chain and critical infrastructure.
Help customers understand one way to improve their security posture is to look at best practices (NIST, CISA, etc.). Be sure to consider compliance guidelines for both their industry and new regulations that are being enacted at all levels of government. Cyber criminals know this landscape. Your customer should too. Looking closely at the supply chain and critical infrastructure, decision-making is ultimately about risk management. Encourage your customers to clearly define risk at every level of the business. This goes beyond the organization. It includes relationships; third- and fourth-party risk management is critical. If your customers are using a lot of SaaS services, how risky are those? What exposures can they have? Krebs stresses understanding where the concentration of risk lies is essential.
Third Truth: Business leaders do not adequately understand threat modeling or risk management.
Now that customers have defined the risk, consider how that extends to things outside their control. Encourage customers to look beyond the short term. It’s essential your customers consider where they want the business to be in three or four years. For example, how might international conflict affect their business? Their operations overseas? What if oil becomes extremely expensive, and they have to switch shipping methods? What if the value of the British pound drops precipitously? Geopolitical and economic factors can change quickly, and for organizations without contingency plans that include a cybersecurity strategy, risk can increase rapidly.
“Strengthening cyber defenses and maintaining operation around-the-clock calls for businesses to make significant investments in sophisticated tools and highly skilled staff. Organizations often find their IT staff are stretched thin or not skilled enough to manage security technologies,” said Nathan Jenniges, Vice President, Cybersecurity Product Strategy at BlackBerry. “With 24x7x365 monitoring and mitigation, managed XDR could be the missing link, particularly for critical infrastructure organizations, which are greater targets for cyberattacks with potentially damaging results.”