Login
As the majority of the global Covid fog finally started lifting in 2022, other events – and their associated risks – started to fill the headspace of C-level execs the world over. In my role, I regularly engage with CISOs in all kinds of sectors, representatives at industry bodies, and experts at analyst houses. This gives me an invaluable macroview not only of how the last 12 months have affected organizations and what CISOs are thinking about, but also how the upcoming year is shaping up.
Using this information, last year I wrote a blog summing up the nine top of mind issues I believed will most impact CISOs as we headed into 2022. Many of them still ring true now and will continue to do so, but some new concerns have risen up the agenda. Here are the topics that I think will be top of mind in 2023, and what CISOs can do to prepare.
One aspect that has come to the fore this year is the CISO’s position as ‘guardian of customers’ private data’ in the event of a breach, and their responsibilities over the level of disclosure they later provide. And here, we are not only talking about the legal duty to inform regulators, but the implicit moral duty to inform third parties, customers, etc. From my conversations this year, this whole area is getting CISOs thinking about their own personal liability more.
As a result of this, next year we could see CISOs tightening up the disclosure decision making process, focusing on quicker and greater clarity on breach impact, and even looking to include personal liability cover in cyber insurance contracts. CISOs will also likely be pushing more tabletop exercises with the executive leadership team to ask and answer questions around what is showed, to whom, and by whom.
Cyber insurance has become a newsworthy topic over the last 24 months, mainly due to the hardening of the market, as insurance products have become less profitable for underwriters and insurers’ costs have risen. But the topic will continue to be in focus as we move into 2023, with insurers demanding greater attribution – aka the science of identifying the perpetrator of a cybercrime by comparing the evidence gathered from an attack with evidence gathered from earlier attacks that have been attributed to known perpetrators to find similarities.
The need for greater attribution stems from the news that some insurers are announcing that they are not covering nation state attacks, including major marketplace for insurance and reinsurance, Lloyd’s – a topic I covered with colleague and co-author Martin Lee, in this blog earlier in the year.
Greater preparation and crystal-clear clarity of the extent to which attribution has taken place when negotiating contracts will be an essential element for CISOs going forward. For more practical advice on this topic, I also wrote a blog on some of the challenges and opportunities within the cyber liability insurance market back in June which you can read here.
Being a CISO has never been more complex. With more sophisticated attacks, scarcity of resources, the challenges of communicating effectively with the board, and more demanding regulatory drivers like the recently approved NIS2 in the EU, which includes a requirement to flag incidents that cause a significant financial implication or operational disruption to the service or to others within 24 hours.
With so much to consider, it is vital that CISOs have a clear understanding of the core elements of what they protect. Questions like ‘where is the data?’, ‘who is accessing it?’, ‘what applications is the organization using?’, ‘where and what is in the cloud?’ will continue to be asked, with an overarching need to make management of the security function more flexible and simpler for the user. This visibility will also inevitably help ease quicker decision making and less of an operational overhead when it comes to regulatory compliance, so the benefits of asking these questions are clear.
According to Forrester, the term Zero Trust was born in 2009. Since then, it has been used liberally by different cybersecurity vendors – with various degrees of accuracy. Zero Trust implementations, while being the most secure approach a firm can take, are long journeys that take multiple years for major enterprises to carry out, so it is vital that they start as they mean to go on. But it is clear from the interactions we have had that many CISOs still don’t know where to start, as we touched on in point #3.
However, that can be easier said than done in many cases, as the principles within Zero trust fundamentally turn traditional security methods on their head, from protecting from the outside in (guarding your company’s parameter from external threats) to protecting from in the inside out (guarding individual assets from all threats, both internal and external). This is particularly challenging for large enterprises with a multitude of different silos, stakeholders and business divisions to consider.
The key to success on a zero-trust journey is to set up the right governance mode with the relevant stakeholders and communicate all changes. It is also worth taking the opportunity to update their solutions via a tech refresh which has a multitude of benefits, as explained in our most recent Security Outcomes Study (volume 2).
For more on where to start check out our eBook which explores the five phases to achieving zero trust, and if you have already embarked on the journey, read our recently published Guide to Zero Trust Maturity to help you find quick wins along the way.
As with last year, ransomware continues to be the main tactical issue and concern facing CISOs. More specifically, the uncertainty around when and how an attack could be launched against the organization is a constant threat.
Increased regulation on the payment of ransomware and declaring payments is predicted, on top of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Ransom Disclosure Act, but that doesn’t help alleviate ransomware worries, especially as this will again put the CISO in the firing line.
CISOs will continue to keep a focus on the core basics to prevent or limit the impact of an attack, and again have a closer look at how any ransomware payment may or may not be paid and who will authorize payment. For more on how executives can prepare for ransomware attacks, read this blog from Cisco Talos.
Traditionally CISOs have talked about the importance of improving security awareness which has resulted in the growth of those test phishing emails we all know and love so much. Joking aside, there is increased discussion now about the limited impact of this approach, including this in depth study from the computer science department of ETH Zurich.
The study, which was the largest both in terms of scale and length at time of publishing, revealed that ‘embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing’.
For the most effective security awareness, culture is key. This means that everyone should see themselves as part of the security team, like the approach that has been taken when approaching the issue of safety in many high-risk industries. In 2023, CISOs will now be keen to bring about a change to a security culture by making security inclusive, looking to create security champions within the business unit, and finding new methods to communicate the security message.
Last year, we talked about preparing for the ‘great resignation’ and how to prevent staff leaving as WFH became a norm rather than an exception. In the past year, the conversations I have had have altered to focus on how to ensure recruitment and retention of key staff within the business by ensuring they work in an environment that supports their role.
Overly restrictive security practices, burdensome security with too many friction points, and limitations around what resources and tools can be used may deter the best talent from joining – or indeed staying – with an organization. And CISOs don’t need that extra worry of being the reason behind that kind of ‘brain drain’. So, security will need to focus on supporting the introduction of flexibility and the ease of user experience, such as passwordless or risk-based authentication.
Just when we thought it was safe to go back into the organization with MFA protecting us, along came methods of attack that rely on push-based authentication vulnerabilities including:
There has been a lot written about this kind of technique and how it works (including guidance from Duo) due to some recent high-profile cases. So, in the forthcoming year CISOs will look to update their solutions and introduce new ways to authenticate, along with increased communications to users on the topic.
This issue was highlighted again this year driven by regulations in different sectors such as the UK Telecoms (Security) Act which went live in the UK in November 2022 and the new EU regulation on digital operational resilience for financial services firms (DORA), which the European Parliament voted to adopt, also in November 2022. Both prompt greater focus on compliance, more reporting and understanding the dependency and interaction organizations have with the supply chain and other third parties.
CISOs will focus on obtaining reassurance from third parties as to their posture and will receive a lot of requests from others about where their organization stands, so it is crucial more robust insight into third parties is gained, documented, and communicated.
When writing this blog, and comparing it to last year’s, the 2023 top nine topics fit into three categories. Some themes make a reappearance, seem to repeat themselves such as the need to improve security’s interaction with users and the need to keep up to date with digital change. Others appear as almost incremental changes to current capabilities such as an adjusted approach to MFA to cope with push fatigue. But, perhaps one of the most striking differences to previous years is the new focus on the role of the CISO in the firing line and the personal impact that may have. We will of course continue to monitor all changes over the year and lend our viewpoint to give guidance. We wish you a secure and prosperous new year!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Speaking to many CISOs, it’s clear that many security executives view zero trust as a journey that can be difficult to start, and one that even makes identifying successful outcomes a challenge. Simultaneously, the topic of security resilience has risen up the C-level agenda and is now another focus for security teams. So, are these complementary? Or will they present conflicting demands that will disrupt rather than assist the CISO in their role?
One of the most striking results coming from Cisco’s latest Security Outcomes Report is that organizations with a mature zero trust implementation – those with basic controls, constant validation and automated workflows – experience a 30% improvement in security resilience compared to those who have not started their zero trust journey. So, these two initiatives – implementing zero trust and working to achieve security resilience – appear to complement each other while supporting the CISO when a cyber black swan swims in.
Security resilience is the ability to withstand an incident and recover more strongly. In other words, ride out the storm and come back better. Meanwhile, zero trust is best known as a “never trust, always verify” principle. The idea is to check before you provide access, and authenticate identity based on a risk profile of assets and users. This starts to explain why the two are complementary.
The Security Outcomes Report summarizes the results of a survey of more than 4,700 security professionals. Among the insights that emerge are nine security resilience outcomes they consider most important. The top three outcomes for resilience are prevention, mitigation and adaptation. In other words, they prioritize first the ability to avoid an incident by having the right controls in place, then the ability to reduce and reverse the overall impact when an incident occurs, and then the ability to pivot rapidly without being bound by too rigid a set of systems. Zero trust will support these outcomes.
Preventing, or reducing the likelihood of a cybersecurity incident, is an obvious first step and no surprise as the most important outcome. Pursuing programs that identify users and monitor the health of devices is a crucial a preventative step. In fact, simply ensuring that multifactor authentication (MFA) is ubiquitous across the organization can bring an 11% improvement in security resilience.
When incidents occur, security teams will need a clear picture of the incident they are having to manage. This will help in them respond quickly, with a proactive determination of recovery requirements. Previous studies show that once a team achieves 80% coverage of critical systems, the ability to maintain continuity increases measurably. This knowledge will also help teams develop more focused incident response processes. A mature zero trust environment has also been found to almost double a team’s ability to streamline these processes when compared to a limited zero trust implementation.
When talking to CISOs about successful implementation programs, communication within the business emerges as a recurring theme. Security teams must inform and guide users through the phases of zero trust implementation, while emphasizing the benefits to them. When users are aware of their responsibility to keep the organization secure, they take a participatory role in an important aspect of the business. So, when an incident occurs, they can support the company’s response. This increases resilience. Research has shown that a mature program will more than double the effect of efforts to improve the security culture. Additionally, the same communication channels established to spread the word of zero trust now can be called upon when an incident requires immediate action.
Mature implementations have also been seen to help increase cost effectiveness and reduce unplanned work. This releases more resource to cope with the unexpected – another important driver of resilience surfaced in Volume 3 of the Security Outcomes Report. Having more efficient resources enables the security function to reallocate teams when needed. Reviewing and updating resource processes and procedures, along with all other important processes, is a vital part of any of any change initiative. Mature zero trust environments reflect this commitment continuous assessment and improvement.
Inherent in organizational resilience is the ability to adapt and innovate. The corporate landscape is littered with examples of those who failed to do those two things. A zero trust environment enables organizations to lower their risk of incidents while adapting their security posture to fit the ongoing changes of the business. Think of developing new partners, supporting new products remotely, securing a changing supply chain. The basic tenets of MFA – including continuous validation, segmentation and automation – sets a foundation that accommodates those changes without compromising security. The view that security makes change difficult is becoming obsolete. With zero trust and other keys to achieving security resilience, security now is a partner in business change. And for those CISOs who fear even starting this journey, understanding the benefits should help them take that first step.
Download the Security Outcomes Report, Vol. 3: Achieving Security Resilience today.
Learn more about cybersecurity research and security resilience:
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
We recently had the chance to discuss the top trend predictions for 2023, issued by Gartner®, and what these may mean for CISOs. The trends are below:
These showed several themes: internal pressures, external changes and solution adoption.
CISOs need to be aware of the pressures that may come from inside the business. C Level executives having risk related elements in their employment contracts (8) may result in a higher focus on Risk management. This may benefit CISOs to position cyber security as part of the Risk calculation and perhaps unlock more support for risk reduction initiatives.
Aligned is the concept of a culture of organisational resilience being mandated by CEOs (7). CISOs now talk about culture change in cyber security, making business colleagues identify as part of the overall security of the organisation. This may now include resilience. Again, this may provide a vehicle for change for CISOs.
Risk as a factor when assessing whether to do business with third parties (4) will highlight the third-party dependency issues that now concern CISOs. The perimeter is now long gone; security extends beyond the organisational remit of the CISO. The ability to understand and collaborate with third party security will become n increasing requirement. There is a downside for CISOs. Many are already burdened with the need to report on compliance and audits. This may increase as requests come in from business partners, current and potential, on the organisation’s cyber security posture.
Related to compliance and reporting is the issue of Privacy. It is predicted the consumer privacy will increase to cover most countries (1). This may require additional focus on the extent and scope to which Privacy is reported. Many CISOs address this already due to requirements such as GDPR. This may provide a strong basis to move forward. CISOs have seen Privacy as a positive. “Do you really need that data?” is a question often asked. Organisations can reduce the amount of unwanted data stored and needing security.
Responding to attacks and the relentless change in tactics is an additional trend. Payments for ransomware is contentious. From the morale, legal and practical aspects of making payments. If this becomes regulated (5) it may provide a clearer basis for decision making. Perhaps it may provide a for of deterrent for attacks. If the victim cannot pay why attack them? Perhaps this is just wishful thinking. On the negative side attackers may increase the capability of their tools in the operational technology environment with extreme impact (6). A current area of concern for CISOs that may increase in focus.
On a positive side a majority of organisation will adopt zero trust as a starting point for their security (3). However, many will not gain the benefits. CISOs are now increasing addressing the organisational and cultural change required to make Zero Trust succeed and realising it is not just about the technology. There are clear benefits that have been identified in Cisco research papers1. CISOs are looking to introduce new consolidated technologies in web, cloud services and private application access (3). This may reduce tech debt, enable smoother operational management, centralised policy control and better reporting.
https://www.cisco.com/c/dam/en/us/products/collateral/security/zero-trust-field-guide.pdf
Source: https://www.gartner.com/en/articles/the-top-8-cybersecurity-predictions-for-2021-2022
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
In our last blog, we gave a rundown of what the Telecommunications (Security) Act (TSA) is, why it’s been introduced, who it affects, when it starts, and how firms can prepare. Here, we take a closer look into the themes introduced by the Act, explore how the telecoms industry can explore zero trust to further improve its security posture, and outline the benefits that can be gained when complying.
When the Telecoms Security Act (TSA) was introduced, it was labelled as ‘one of the strongest telecoms security regimes in the world, a rise in standards across the board, set by the government rather than the industry’ by Matt Warman, former Minister of State at the Department for Digital, Culture, Media, and Sport. The industry is certainly feeling the impending impact of the act – with one industry pundit at an event we ran recently describing it as a ‘multi-generational change’ for the sector.
One of the headline grabbers stemming from the Act are the associated fines. With the new powers granted to it by the Act, Ofcom now has the responsibility to oversee operators’ security policies and impose fines of up to 10 percent of turnover or £100,000 a day in case operators don’t comply or the blanket ban of telecoms vendors such as Huawei. Sounds like the typical ‘stick’-based costly compliance messaging that no-one particularly wants to hear, right? But what if the TSA had some ‘carrot’-based business benefits that are much less discussed?
The TSA introduces a new security framework for the UK telecoms sector to ensure that public telecommunications providers operate secure and resilient networks and services and manage their supply chains appropriately. ny of the themes introduced in the code of practice can be aligned with the themes in a zero trust security model, which are also a focus for CISOs.
Zero trust security is a concept (also known as ‘never trust, always verify’) which establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application. At Duo, our approach to zero trust is:
A crucial point to note here: much like a solution that claims to help with all aspects of the TSA, telecom providers should be wary of any vendor who claims to have a zero-trust product. Both are far much bigger than any ‘silver bullet’ solution purports to offer. But there is a good reason a zero-trust framework has been mandated by the US White House for all federal agencies, and recommended by the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC).
As well as helping to mitigate the significant cyber risks presented to the telecoms industry, a zero-trust strategy provides many business benefits. Our recent Guide to Zero Trust Maturity shows that:
A robust zero-trust security program includes phishing-resistant multi factor authentication (MFA), access controls for devices and applications, risk-signalling, dynamic authentication, firewalls, analytics, web monitoring and more. As I said previously there is no one answer to zero trust, or indeed the TSA, but getting the basics right like strong MFA, single sign on (SSO) and device trust are an easy and effective way to get started.
The TSA will be a huge undertaking for industry, but it is important to focus on the benefits such a wide-reaching set of regulatory rules will inevitably result in. As another guest from our recent event put it: ‘the TSA is full of the latest and modern best practice around security, so the aim really is to raise the tide and all ships, which can only be a good thing.’
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
In November 2020, the Telecommunications (Security) Bill was formally introduced to the UK’s House of Commons by the department for Digital, Culture, Media & Sport. Now, after several readings, debates, committee hearings, and periods of consultation, the Telecommunications (Security) Act is quickly becoming reality for providers of public telecoms networks and services in the UK, going live on 1 October 2022. Here, we outline what exactly the requirements mean for these firms, and what they can do to prepare.
The Act outlines new legal duties on telecoms firms to increase the security of the entire UK network and introduces new regulatory powers to the UK Telecoms regulator OFCOM to regulate Public Telecommunications Providers in the area of cyber security. It place obligations on operators to put in place more measures around the security of their supply chains, which includes the security of the products they procure. The Act grants powers to the Secretary of State to introduce a so-called Code of Practice. It is this Code of Practice which contains the bulk of the technical requirements that operators must comply with. Those not in compliance face large fines (up to 10% of company turnover for one year).
Following the UK Telecoms Supply Chain review in 2018, the government identified three areas of concern that needed addressing:
Following the review, little did we know a major resilience test for the telecoms industry was about to face significant challenges brought on by the Covid-19 pandemic. Data released by Openreach – the UK’s largest broadband network, used by customers of BT, Plusnet, Sky, TalkTalk, Vodafone and Zen – showed that broadband usage more than doubled in 2020 with 50,000 Petabytes (PB) of data being consumed across the country, compared to around 22,000 in 2019.
There is no question the security resilience of the UK telecoms sector is becoming ever more crucial — especially as the government intends to bring gigabit capable broadband to every home and business across the UK by 2025. As outlined in the National Cyber Security Centre’s Security analysis for the UK telecoms sector, ‘As technologies grow and evolve, we must have a security framework that is fit for purpose and ensures the UK’s Critical National Telecoms Infrastructure remains online and secure both now and in the future’.
The legislation will apply to public telecoms providers (including large companies such as BT and Vodafone and smaller companies that offer telecoms networks or services to the public). More specifically to quote the Act itself:
As the requirements are long and varied and so the timelines to comply have been broken down to help organisations comply. The current Code of Practice expects Tier 1 providers to implement ‘the most straightforward and least resource intensive measures’ by 31 March 2024, and the more complex and resource intensive measures by 31 March 2025.
Tier 2 firms have been given an extra two years on top of the dates outlined above to reflect the relative sizes of providers. Tier 3 providers aren’t in scope of the regulatory changes currently but are strongly encouraged to use the Code of Practice as best practice. The Code of Practice also expects that these firms ‘must continue to take appropriate and proportionate measures to comply with their new duties under the Act and the regulations’.
The TSA introduces a range of new requirements for those in the telecoms industry to understand and follow. These will require a multi-year programme for affected organisations. An area of high focus for example will be on Third Party controls and managing the relationship with them.
However there are more common security requirements as well. From our work with many companies across many different industries, we know that establishing that users accessing corporate systems, data and applications are who they say they are is a key aspect of reducing risk by limiting the possibility of attacks coming in through the front door. This is a very real risk highlighted in Verizon’s 2022 Data Breaches Investigations Report, which states that around 82% of data breaches involved a human element, including incidents in which employees expose information directly or making a mistake that enables cyber criminals to access the organisation’s systems.
Therefore, one area to start to try and protect the organisation and take a step on the way to compliance is to build up authentication and secure access to systems, data and applications. However even this can take time to implement over large complex environments. It means gaining an understanding of all devices and ensuring there is a solid profile around them, so they can be reported on, attacks can be blocked and prevented, and access to applications can be controlled as needed.
We will be creating more information around the Act as we move closer to the deadlines, including part two of this blog where we will take a deeper dive into themes introduced by the bill, how it compare with other industries’ and jurisdictions’ cyber security initiatives, and explore what else the telecoms industry can do to improve its security posture.
We are also running an event in London on 13 October: ‘Are you ready for TSA?’ which will include peer discussions where participation is welcome on the TSA. If you are interested in attending, please register here.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS 