What tops the CISO’s Christmas list this year?

Image source: Shutterstock/violetkaipa

As we move closer to December 25th, our thoughts are turning to Christmas – whether we like it or not! But while most of us will be winding down in anticipation of the festive break, IT security practitioners will be busier than ever. Cyber-attacks continue to increase in both scope and severity, with organisations facing an ever-widening range of security risks, including unauthorised access, DDoS, device theft, data loss and insider threats.

As the industry looks towards the 2019 threat landscape, many experts point to state-sponsored attacks as one of the most significant risks. In the UK National Cyber Security Centre (NCSC) 2018 Annual Review, CEO Ciaran Martin explained that these threats “constitute the most acute and direct cyber threat to our national security.”

With a tough year ahead, we spoke to a range of IT security experts to discuss the 2018 Christmas must-haves, and what every CISO should have at the top of their wish list:

Luke Brown, VP EMEA at WinMagic:

“It’s that time of year when, as the song goes, it’s beginning to look a lot like Christmas. Unfortunately, cyber criminals stop for no man – not even Father Christmas. So, arguably over the holiday period when many of us will have our attention focused on other things, it’s even more important to ensure that your organisation’s security posture is as robust as it can be. Top of every CISO’s Christmas wish list should be the ability to encrypt their sensitive data, wherever it resides – from end-point to Cloud and everything in between. Then, should the worst happen – and sensitive data is compromised – an end-to-end encryption platform will serve as the last defence, meaning that only those who are authorised to access the data, access it. And no one gets special treatment. Not even Father Christmas. Simply put, even if you’ve been good all year, if your name isn’t on the list, you can’t read it.”

Jon Lucas, Co-Director at Hyve Managed Hosting:

“It’s hard to pick one key gift for CISOs this Christmas, so instead why not pick a multitude wrapped up in one, shiny package? As an increasing number of organisations are moving to the cloud due to the flexibility and scalability it offers, having strong security measures is vital to ensuring that any solutions you implement are effective and reliable. The best managed hosting providers will offer a multi-layered suite which should include services such as data encryption, a DDoS defence system, and intrusion protection and detection systems. With data breaches up 75 per cent in the last two years according to the ICO, organisations should be prioritising their cloud security this Christmas to avoid risking an attack; because when you’re in the middle of cooking the Christmas turkey, you shouldn't have to be worrying about your data centre going down!”

Steve Blow, Tech Evangelist at Zerto:

“Surely the main thing every CISO wants on their Christmas list is the ability to recover from any kind of downtime instantly – without customers even realising anything has occurred, and with no data being lost. In 2018, it became clear that current backup solutions are no longer fit for purpose, with nearly half of all businesses experiencing an unrecoverable data event in the last three years. And, as ransomware attacks in particular will more than likely grow in 2019, CISOs need to focus on enabling an ‘always on’ business – weathering the disruption and getting back online within seconds without the data loss. With this sort of reliable data availability, CISOs can finally enjoy a Christmas break and let concerns about ransomware and security threats take a back seat in the New Year to a more positive focus on proactive cybersecurity and preparing for whatever the next threat on the horizon may be. With Santa’s sack full of resilient gifts, eliminating these concerns will be more than merely a Christmas miracle.”

Oscar Tovar, vulnerability verification specialist at WhiteHat:

“As a CISO, the charitable spirit of the holidays opens the door to reconnect with your board ahead of the New Year. Here are a few key ‘gifts’ you can ask for this year to improve your organisation’s security posture:

  • Service Exposure Audit – Most organisations don’t have a full inventory of their exposed services, and many don’t have any inventory at all! Having a strong understanding of all the places your organisation’s infrastructure is exposed to the world is the first step in securing them. How can you protect things that you don’t even know about?
  • Employee Security Awareness Training – Even the most basic understanding and awareness of security can go a long way. Ninety-five per cent of security breaches involve at least some interaction with an employee – whether it’s getting them to click a malicious link, open a dangerous file, or provide restricted information over the phone. A basic security awareness training can help your employees identify these situations and stop the attack before it even starts.”
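The service exposure audit above is the one item on this list that can be reduced to a repeatable check: scan the Internet-facing estate, then diff what actually answers against the inventory of what is supposed to be exposed. The following is an added example, not code from the article or from WhiteHat. It parses a constructed sample of nmap "grepable" (-oG) output; the approved inventory and the 203.0.113.0/24 addresses are hypothetical. Anything open that the inventory does not list is an unknown exposure, and anything the inventory lists that the scan no longer sees is a stale record, which is worth knowing about too.

```python
"""Service exposure audit: diff what is actually listening on the
Internet-facing estate against the approved inventory of exposed services.

Added example, not code from the article or from WhiteHat. The scan text
is a constructed sample in nmap "grepable" (-oG) style; the approved
inventory and the 203.0.113.0/24 addresses are hypothetical.
"""
import re
from collections import defaultdict

# Constructed nmap -oG style output for three hosts (not real scan data).
SCAN_OUTPUT = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///"
    "\tIgnored State: closed (998)\n"
    "Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)\n"
    "Host: 203.0.113.12 ()\tPorts: 6379/open/tcp//redis///, 22/filtered/tcp//ssh///"
    "\tIgnored State: closed (998)\n"
    "# Nmap done (constructed sample)\n"
)

# Hypothetical approved inventory: host -> {(port, proto)} that may be exposed.
APPROVED = {
    "203.0.113.10": {(22, "tcp"), (443, "tcp"), (8443, "tcp")},
    "203.0.113.11": {(80, "tcp"), (443, "tcp")},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\tPorts:\s+([^\t]*)")


def parse_grepable(text):
    """Return {host: {(port, proto, service)}} for ports reported open."""
    exposed = defaultdict(set)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            # nmap -oG port fields: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            exposed[host].add((int(fields[0]), fields[2], fields[4]))
    return dict(exposed)


def audit(observed, approved):
    """Return (unknown_hosts, unapproved, missing).

    unknown_hosts: hosts that answered but are absent from the inventory.
    unapproved:    (host, port, proto, service) open but not approved.
    missing:       (host, port, proto) approved but not seen open, i.e.
                   a stale inventory entry or a service that silently went away.
    """
    unknown_hosts = sorted(h for h in observed if h not in approved)
    unapproved, missing = [], []
    for host, allowed in approved.items():
        seen = observed.get(host, set())
        for port, proto, service in sorted(seen):
            if (port, proto) not in allowed:
                unapproved.append((host, port, proto, service))
        for port, proto in sorted(allowed - {(p, pr) for p, pr, _ in seen}):
            missing.append((host, port, proto))
    for host in unknown_hosts:
        for port, proto, service in sorted(observed[host]):
            unapproved.append((host, port, proto, service))
    return unknown_hosts, unapproved, missing


def report(text=SCAN_OUTPUT, approved=APPROVED):
    """Render the audit as lines of text."""
    unknown, unapproved, missing = audit(parse_grepable(text), approved)
    lines = [f"UNKNOWN HOST   {h}" for h in unknown]
    lines += [f"UNAPPROVED     {h}:{p}/{pr} ({s})" for h, p, pr, s in unapproved]
    lines += [f"NOT SEEN       {h}:{p}/{pr}" for h, p, pr in missing]
    return lines or ["exposure matches inventory"]


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against the constructed sample, the audit flags the RDP port on 203.0.113.11, an entire unknown host (203.0.113.12) with Redis open, and an approved 8443/tcp on 203.0.113.10 that nothing is listening on. Filtered ports are deliberately ignored: the point of the audit is what the world can reach. In practice the scan input would come from a scheduled external scan of every address range and DNS name the organisation owns, and the inventory from the CMDB or cloud asset API.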

Christopher Leppard, Managing Consultant for Advisory – Governance, Risk & Compliance, Six Degrees:

“A long Christmas wish list from me this year, but these items are fundamental to businesses looking to improve their security postures in 2019:

  • Staff training and awareness – staff remain the greatest strength and weakness of every business. Recent successful attacks have relied heavily on fooling staff, and so staff training and awareness should be well structured, clearly delivered, comprehensive and regularly repeated.
  • Get the basics right – the fundamentals of patching, access control and understanding how your network operates haven’t changed since networks were invented. When done properly, they will provide a lot of protection. Equally, defence-in-depth may be an old concept, but it is still relevant.
  • Vendor and third-party risk management – GDPR highlighted the importance of understanding your supply chain and ensuring they are also doing things correctly. Reputational damage is a real possibility if this is not considered.
  • Go beyond compliance – compliance to a recognised standard is to be encouraged, but it requires cultural change to properly implement and maintain, which is not to be underestimated.
  • Set realistic budgets – the average cost of a breach is now estimated at $3.2 million. However, the real cost could be much higher. Comprehensive security requires proper investment in staff and the implementation and management of the right solutions.
  • Board level recognition – the CISO function should be board level, or reporting directly to them. It is a critical role, and boards must understand the risks they face and how they are best mitigated. Ignorance is no longer an excuse.
  • Website security – understand what is operating on your website. Third-party scripts are very common, and are a major source of compromise. The recent British Airways hack is a prime example.
  • Multi-factor authentication – use multi-factor authentication wherever you can. It’s straightforward to use, and will significantly strengthen your business’s security posture.”
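Of the items above, "understand what is operating on your website" is the one that can be checked mechanically. The following is an added example, not code from the article or from Six Degrees: it parses a constructed HTML page, inventories every external script by the origin it loads from, and flags third-party scripts that carry no Subresource Integrity (SRI) hash, since those run with whatever content the third party (or whoever has compromised it) serves today. The site URL, hostnames and the placeholder sha384 digest are hypothetical.

```python
"""Inventory the scripts a page loads and flag third-party scripts that
carry no Subresource Integrity (SRI) hash.

Added example, not code from the article or from Six Degrees. The HTML is
a constructed sample; SITE_URL, the hostnames and the sha384 value are
hypothetical placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SITE_URL = "https://www.example-shop.test/checkout"  # hypothetical first party

# Constructed sample page (not a real site). One first-party script, one
# third-party script pinned with SRI, one third-party script without it,
# and one inline script.
SAMPLE_HTML = """\
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/lib/modernizr.js"
        integrity="sha384-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER"
        crossorigin="anonymous"></script>
<script src="//analytics.tracker.test/collect.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> with its origin and SRI attributes."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.scripts = []       # one dict per external script, in page order
        self.inline_count = 0   # inline scripts need review too, but not SRI

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if "src" not in a or not a["src"]:
            self.inline_count += 1
            return
        url = urljoin(self.base_url, a["src"])   # resolves relative and //-scheme-less URLs
        self.scripts.append({
            "url": url,
            "host": urlsplit(url).hostname,
            "integrity": a.get("integrity"),
            "crossorigin": a.get("crossorigin"),
        })


def inventory(html, base_url):
    """Return (list of external script records, number of inline scripts)."""
    collector = ScriptCollector(base_url)
    collector.feed(html)
    return collector.scripts, collector.inline_count


def third_party_findings(scripts, first_party_host):
    """Third-party scripts whose content the site does not pin."""
    findings = []
    for s in scripts:
        if s["host"] == first_party_host:
            continue
        if not s["integrity"]:
            findings.append((s["host"], s["url"], "no integrity attribute"))
        elif s["crossorigin"] is None:
            # A cross-origin script fetched without CORS is opaque, so the
            # browser cannot verify the hash and refuses to run the script.
            findings.append((s["host"], s["url"], "integrity set but crossorigin missing"))
    return findings


def run(html=SAMPLE_HTML, base_url=SITE_URL):
    scripts, inline = inventory(html, base_url)
    return third_party_findings(scripts, urlsplit(base_url).hostname), inline


if __name__ == "__main__":
    findings, inline = run()
    print(f"{inline} inline script(s)")
    for host, url, why in findings:
        print(f"{host}: {url} ({why})")
```

Two caveats a practitioner will want. SRI pins a script's exact bytes, so it suits libraries whose version you control and will break a page the moment a vendor updates a script in place; that is the intended behaviour, but it has to be planned for. And a scan of static HTML only sees what the page itself references: scripts that a third-party script loads at runtime never appear here, so this inventory is a starting point that needs to be paired with a Content Security Policy and with monitoring of what the browser actually fetches.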

For most CISOs, the Christmas wish list will never be exhaustive. While there are many tools and areas of support that security professionals already know they will need next year, just as many new items will be added as we move into 2019. As the threat landscape continues to evolve in both complexity and scope, CISOs have a tough year ahead!
