Sometimes sticking to the basics is the best approach. That’s what CISOs say they will focus on as their priorities in the second half of 2022.
“Regardless of everything else happening in the world, and all the latest shiny baubles in security, it's important to maintain the basics,” said Jon Davis, CISO at Oomnitza.
Those basics include single sign-on, endpoint protection, proper patching, security awareness and training, encryption, and multifactor authentication.
The reason for making standard security best practices a priority is simple: when you take the easy stuff for granted, Davis said, it opens the door for risks.
Size matters
In companies with 50-1,000 employees, CISOs considered security hygiene the most critical security priority according to a study by Forgepoint Capital.
The priority is born of resource constraints. These organizations typically lack the budgets to build layers of backups or failovers, according to the report.
This differed from the smallest organizations, which emphasize talent development and social engineering awareness. Enterprise-scale organizations have prioritized incident response and digital transformation.
Humans in SMBs play a much more vital role in the organization’s overall security posture than they do in the enterprise. Smaller companies don’t have the budgets available for some of the more sophisticated security systems that large companies bring in.
That puts the onus on human behavior to keep the network secure. That includes putting more emphasis on security hygiene, such as cyber awareness education to avoid phishing attacks, or encouraging regular use of MFA and better password management.
Cybersecurity leaders, like all business leaders, want to tackle priorities with an eye toward cost-saving measures. Meanwhile the threat landscape is constantly changing.
“Right now, my team and I are sticking to basics and working to advance security without having to make more significant investments or add tooling,” said Ryan Davis, CISO at NS1.
“As the year progresses, we look at our roadmap about where the business operates and what is achievable given the overall economic climate,” Davis said.
The hybrid workforce
As the world continues to adjust to life with COVID-19, more companies are requiring their employees to return to the office, at least part time.
The return dates for many of the largest organizations have been fluid, shifting as positive cases rise and fall. Securing the hybrid workforce is an issue that CISOs are prioritizing, especially as they see this as a long-term, if not permanent, work model.
While many companies are turning to zero trust as a way to offer security for a hybrid workforce, Jason Lee, CISO at Zoom, admitted there is no one-true definition of zero trust. So CISOs are charged with finding the zero trust solution that will work for them.
Lee’s approach is to protect the person and their devices, no matter where they are. “It’s an end user security strategy that I want to reinforce,” said Lee.
In tandem, one of Lee’s priorities as a CISO is to come up with ways to better enable his business to work in this new environment.
One security solution he is pursuing is getting rid of passwords. No one likes passwords, and they open up the company to too many risks. Lee’s favorite approach is to leverage a hard token combined with a biometric, which will offer a secure MFA option (and gives users no choice but to use a second authentication tool) no matter where the user is located.
Engaging leadership
More than 60% of security leaders don’t believe their efforts are fully supported by their organization’s board of directors, according to research by Encore. The same study also found that C-suite leadership doesn’t like to talk about cybersecurity until a data breach occurs. Bringing this leadership on board with cybersecurity issues is a top priority for CISOs as 2022 continues.
The good news, said Davis, is that leadership is being very responsive to security findings and prioritizing them appropriately. “They are investing wisely into security and security products.”
The government might be pushing this relationship building higher on the priority list. An Executive Order from the Biden administration directs government agencies and all organizations to improve information sharing and take steps to become more cyber resilient. This will require better communication between leadership and CISOs.
At Zoom, Lee is already working on this priority. His company has formed a cyber committee within the board. Lee engages with this committee with a 90-minute meeting quarterly and has regular ad hoc meetings to discuss the latest threats and other security-related concerns.
Engaging coworkers to meet priority goals
Having security priority goals may help CISOs plan their strategies, but if everyone in the company doesn’t buy in, they likely won’t succeed. That’s why encouraging a proactive partnership for company-wide security is a top goal for Davis.
To achieve this goal, communication with staff may need to be reframed as “security needs your help to succeed” rather than “security is here to stop you from making mistakes.”
“This kind of communication is critical to make sure everyone in the company understands their role in achieving our security goals,” said Davis.
The goal of security priorities is to protect the business from risk. CISOs may set the priorities, but it is up to everyone, from the board of directors to the front-desk receptionist, to make sure those priorities are achieved to meet the No. 1 goal: a successful business.