Counting Threats: 5 Things that Keep CISOs Up at Night

… additions to the attack surface:

1. The building comes alive. “Many organizations operate totally unaware of the threats within their buildings. More and more, IoT devices are slipping into company networks without IT’s knowledge, like smart thermostats,” warns Karl Soderlund, senior vice president of worldwide channels at Palo Alto Networks. “These devices can easily go undetected and thus unmanaged from a cybersecurity point of view. Typically, IoT vendors do not actively manage threats, and even if they did announce a vulnerability with a patch, reaching the individual who would know how or what to do with this information is rare. The biggest threat is not knowing the devices are there, and subsequently not providing patches and securing them.”
2. The cloud gives cover for bad actors. “Many businesses are moving to the cloud and are expressing increased concern about how they can best protect that data — this includes both infrastructure in the cloud as well as SaaS services,” says Rebholz. “MSSPs are increasingly looking to expand their visibility into the cloud, which helps secure the expanded perimeter organizations are building and address a key concern for CISOs.”
3. Supply chains deliver the bad with the good. “Much of the cybersecurity conversation in 2018 was centered on the threats posed by the supply chain, and how attackers now identify the most vulnerable partners as the attack vector to exploit their primary targets,” said Dror Liwer, founder and CISO at Coronet, a security provider for cloud applications. Thus the fear that a growing number of threats will be in ready supply from this source.
4. Professional services bite the hand that feeds them. “As attackers continue to identify vulnerable third parties to fulfill their objectives, evidence and common sense suggest that professional-services agencies are the next big target,” warns Liwer. “As such, the professional-services agencies that brands of all sizes regularly rely upon – including but not limited to PR firms, accounting firms, advertising agencies, staffing firms, actuaries and more – must bolster their defenses before an attack occurs.”
5. Data growth fills the universe, sets off a cacophony of never-ending alarms, and continuously feeds Godzilla-sized attackers. “One top concern for CISOs – and it will inevitably get worse in 2019 – is the sheer size of data sets that must be analyzed to identify security threats that are constantly emerging and disappearing. Even the most efficient technologies can cause alert fatigue in such a data-heavy environment,” says Simon Whitburn, SVP, cybersecurity services at Nominet, the official registry for .UK domain names and a cybersecurity vendor.

Given the scope and diversity of these sleep-depriving worries, what should CISOs and MSSPs focus on to validate their hard work is making a positive difference — and to ensure their continued employment has value to the organization? In short, skip the bells, whistles and confusing data points — and cut straight to the chase.

“Go beyond automated reporting that provides no value to the customer. Show progress over time on how the company environment is more secure; avoid the traps of showing blocked ‘attacks’ or number of alerts triaged,” advises Rebholz.

The focus, he says, needs to be on reducing business risk, and measurably so, such as in reducing the mean time to detection (the amount of time between security event and detection) or the mean time to remediation (the amount of time between detection and remediation).

“Simply put, MSSPs need to highlight not only how an organization has less risk because of their managed services, but also how they can address additional pain points that the CISO has. MSSPs need to focus on evolving from a security vendor to a trusted security adviser,” Rebholz added.

In short, when CISOs and their MSSPs truly become partners, they both tend to sleep better.