Cybersecurity has come a long way since the Morris Worm in the late 1980s. Worms and anti-virus technologies dominated the security landscape for the next decade or so, driven by the explosion of the internet and e-mail. In the mid-2000s, as hackers and attackers adopted increasingly sophisticated and dynamic methods and new malware appeared faster than anti-virus signatures could keep up, cyber security expanded to encompass endpoint security, web application firewalls, intrusion prevention, database security and data leakage prevention.
The next phase of the cyber war was the advent of ransomware. High-profile breaches and attacks including 0XOMAR, the NSA leaks and the attack on Yahoo preceded the still fresh WannaCry attack of May 2017 on computers running Microsoft operating systems, which was unprecedented, affecting more than 200,000 computers across 150 countries. Less than two years later, and before the pandemic struck, several Distributed Denial of Service (DDoS) attacks caused New Zealand’s stock market to shut down temporarily.
The increased breadth, speed, scale and cost of the damage caused by threats, the advent of cloud and mobility, stringent privacy and infosec guidelines, and the growing penetration of information technology systems into automotive, aerospace, telecoms, utilities, smart cities, healthcare and other verticals made CISOs and CIOs deploy and invest in more proactive, threat-detection-based defence mechanisms and systems. In mid-2019, this research by Gartner identified the following key trends:
- Cyber risk assessment and stringent policies
- Focus on in-house or outsourced Security Operation Centres for threat detection and prevention
- Password-less systems
- Including cyber security considerations (SAST, DAST, IAST and RASP) during the development cycle rather than at the end
- Deployment of cloud security platforms
CISOs had been working with CIOs, CHROs and Chief Security Officers to provide hardware- and software-based cyber security frameworks, policies, infrastructure and applications to protect their extended enterprises. The trends above necessitated ever-increasing cyber security budgets and skilled manpower. With the ever-increasing breadth and depth of threats, the defence solutions and infrastructure for detection, removal and prevention have been spiralling in complexity, heterogeneity, acquisition and support cost, and the associated maintenance and manpower cost of staff with niche skills.
The difference in the work environment in the pandemic
Prior to the pandemic, the CISO and the cyber security teams worked unobtrusively in the background, in conjunction with either the CIO or the Chief Security Officer. The defence tools mentioned above, including anti-virus, endpoint security, web application firewalls, intrusion prevention, database security and data leakage prevention, would be deployed within the safe, monitored environment of the company network, LAN or VPN. These tools would quietly help ward off malicious attacks and breaches and prevent deliberate or unintentional leakage of information to the outside. Employees would be secure behind the company network, with updates, patches and new solutions deployed in the background by the information security team.
Employees would usually be given an Information Security Manual and a Non-Disclosure Agreement for compliance. Some would undergo regular InfoSec training and adhere to a basic list of dos and don’ts for their computers, the network and the internet.
More than 18 months into the pandemic, the new workplace is in some ways a contravention of the CISO’s best practices. Work from home, hybrid working, bring-your-own-device, home Wi-Fi and shared devices have added to a potentially highly insecure environment. Moreover, the increasing percentage of gig workers has added to the security considerations as well. Cyber criminals and hackers have upped the ante exponentially during this period.
Other business and technological considerations
On one hand, business uncertainty, extended lockdowns, fluctuating demand and large industries still in slow recovery mode have necessitated tighter spending budgets. On the other hand, the emergence of 5G, IoT, smart cities and appliances, connected cars, AI, edge computing and other trends necessitates an even higher focus and spending on the people, technology and processes needed to ensure the cyber resilience of these emerging areas.
The trend of virtual or shared CFOs has also permeated the CIO and CISO world, especially for SMBs.
With the accelerated breadth of threats and the corresponding cybersecurity solutions and defence platforms, there has been a steadily growing shortage of skilled and experienced talent across specific skill sets and functions such as information security auditors.
How are CISOs addressing this in the post-recovery phase?
This research by Deloitte highlights the increase in cyber attacks (three-fold in some countries), the rise in potential attacks across WFH endpoints and video conferencing services, the growing breadth of novel malware and other malicious attacks, and a cross-functional approach to addressing these challenges. Additionally, criminals are increasingly leveraging the dark web and AI.
CISOs are now relying on tools such as Threat Hunting and Prevention, Security Information and Event Management (SIEM), Security Orchestration, Automation and Response (SOAR), and red and blue teaming, along with traditional mobile and computer endpoint security. Machine learning capabilities improve the efficiency and effectiveness of these tools on a continual basis.
CHROs are working closely with CISOs to formulate and communicate best InfoSec practices and to train employees and gig/contract workers on them. These encompass the basic dos and don’ts of devices, surfing, installing software and day-to-day work practices, checklists, software updates, and the procedure to follow in case of a breach, along with a support and escalation matrix.
The combined CHRO and CIO teams facilitate robust training, communications, up-skilling and assessments, and rewards and recognition programmes. Cyber Security Day, Security Champion, Spot the Intruder contests and similar initiatives are fostering curiosity, self-learning and engagement among employees.
Paradigm shift in the tech investment and solutions landscape
The combination of business uncertainty, shrinking budgets, shortages of skilled and experienced talent, and the need to invest in an ever-increasing array of defence systems, especially in light of the new trends, has put enterprises and SMBs in a dilemma. Many simply do not have the budgets, skilled manpower or turnaround time to stay ahead of the threat landscape and remain in a perpetual state of readiness through investment alone. Acquiring and maintaining these current and new systems, along with skilled people and trainer teams, is quite challenging for many in these times.
CISOs want better ROI, a lower risk of their technology investments becoming obsolete, and solutions that are outcome-based, cost-effective and work in a hybrid environment.
In this paper, Gartner highlights the importance of, and considerations for, Secure Access Service Edge (SASE), adoption of which has already been accelerated by COVID. The SASE ecosystem will be powered by a cloud-based architecture that companies can tap into seamlessly for all types of threat hunting, detection, analysis and training. Cross-functional teams from the network, telecoms, operations, finance, application and infrastructure business units would collaborate even more closely.
Not dissimilar to PaaS (Platform-as-a-Service), SaaS (Software-as-a-Service) and IaaS (Infrastructure-as-a-Service), Cyber Security as a Service (CSaaS) can leverage an on-demand, in-house or outsourced combination of a security operations centre (SOC), a Security Information and Event Management (SIEM) system and a Security Orchestration, Automation and Response (SOAR) system, including the people, technologies and processes needed to deliver them.
CSaaS offerings can encompass Vulnerability Assessment and Penetration Testing (VAPT), Managed Detection and Response (MDR), SIEM, SOAR, risk assessment, identity and access management, DevSecOps, email and endpoint security, firewall management, training and advisory services and others, on a subscription basis, as a simple service priced per endpoint or per incident.
This recent article on LinkedIn highlights similar challenges and the path forward for cybersecurity in today’s utilities.
The way forward
In the post-COVID recovery phase, CISOs are no longer the sole custodians responsible for enterprise data and cyber security. Finance, HR, IT and top management work with the cybersecurity team to enable a proactive, pre-emptive, agile, powerful and responsible cyber security framework built on the latest technology. CSaaS and SASE business models can achieve these objectives and culminate in an agile, technologically up-to-date, cost-effective, responsible and secure enterprise, minimising loss of data, loss of customer trust, non-compliance, disruption of services and downtime.