Gauging Cybersecurity Resiliency and Why It Matters
Joao-Pierre S. Ruth
Information Week
Early this month, Accenture released results of its annual State of Cyber Resilience study, which asked more than 4,700 executives questions about their organizations’ effectiveness in halting cyberattacks.
Ryan LaSalle, senior managing director and Accenture Security’s North America lead, says resiliency (as the survey defines it) is a measure of the ability to survive and thrive while under cyberattack.
Which Cyber Defender Are You?
“Business Blockers” sought to prioritize cybersecurity resilience over the organization’s business strategy even to the point of being seen as impeding business objectives.
“The Vulnerable” did not have security measures aligned with their business strategy and held security at bare minimum.
“Cyber Risk Takers” focused on business growth and speed to market for the sake of the company strategy, though they understood and accepted the risks.
“Cyber Champions” pursued a balance where they aimed to protect the organization’s key assets while also aligning with business strategy so key objectives could still be pursued in a meaningful, reasonable fashion.
Security spending is up, LaSalle says, coming in at 15% of IT budgets in 2021 compared with 10% in 2020.
How organizations invest in security can determine whether increased spending actually results in improved performance, he says. “For a lot of people in the ‘Vulnerable’ category, their security and technology debt is pretty high,” he says. “They haven’t historically kept up with [tech] investment; they haven’t been able to get security embedded into all the programs they need; they’re always playing catchup and they will always be behind the curve.”
Numerous enterprises are still trying to figure out how to securely advance their business strategies in the cloud.
The conversation is changing, he says, with organizations showing that by making security part of the plan early, it is possible to accelerate cloud adoption. “You can get there faster and more surely by having security at the table in the beginning and starting to look at ways to automate the capabilities that are needed,” LaSalle says.
Link: https://www.informationweek.com/security-and-risk-strategy/gauging-cybersecurity-resiliency-and-why-it-matters?_mc=NL_IWK_EDT_IWK_daily_20211116&cid=NL_IWK_EDT_IWK_daily_20211116&elq_mid=10759
90% of IT Decision Makers Believe Organizations Compromise on Cybersecurity in Favor of Other Goals
VS Daily
Trend Micro Incorporated has announced new research revealing that 90% of IT decision makers claim their business would be willing to compromise on cybersecurity in favor of digital transformation, productivity, or other goals.
Additionally, 82% have felt pressured to downplay the severity of cyber risks to their board.
The research reveals that just 50% of IT leaders and 38% of business decision makers believe the C-suite completely understands cyber risks.
Although some think this is because the topic is complex and constantly changing, many believe the C-suite either doesn’t try hard enough (26%) or doesn’t want (20%) to understand.
However, 31% of respondents believe cybersecurity is the biggest business risk today, and 66% claim it has the highest cost impact of any business risk – a seemingly conflicting opinion given the overall willingness to compromise on security.
There are three main ways respondents believe the C-suite will sit up and take notice of cyber risk:
- 62% think it would take a breach of their organization
- 62% say it would help if they could better report on and more easily explain the business risk of cyber threats
- 61% say it would make an impact if customers start demanding more sophisticated security credentials
Link: http://vsdaily.com/90-of-it-decision-makers-believe-organizations-compromise-on-cybersecurity-in-favor-of-other-goals/
Study Reveals 70% of Security and IT Pros Find Security Hygiene and Posture Management Increasingly Challenging Over the Past Two Years
TMC Net News
MORRISVILLE, N.C., Nov. 18, 2021 /PRNewswire/ — JupiterOne, the cybersecurity industry’s leading cyber asset management and governance solutions provider, today announced the findings of a new survey by Enterprise Strategy Group (ESG), which warns of inadequate security hygiene and posture management practices at many organizations.
The ESG research found that 86% of organizations believe they follow best practices for security hygiene and posture management.
However, 70% of organizations said they use more than ten security tools to manage security hygiene and posture management, which raises concerns about data management and operations overhead, according to Jon Oltsik, ESG Principal Analyst and Fellow, and author of the report.
In addition, 73% of security professionals admitted that they still depend on spreadsheets to manage security hygiene and posture at their organizations.
As a result, 70% of respondents said that security hygiene and posture management had become more difficult over the past two years as their attack surfaces have grown.
Overall, the report suggests that security asset management programs are too often informal, disorganized, and immature.
It suggests that organizations would benefit from adopting greater integration technologies, advanced analytics, and process automation, according to ESG.
The survey exposed many dangerous vulnerabilities, as nearly one-third of respondents (31%) said they discovered sensitive data in previously unknown locations, and 30% found websites with a path to their organizations.
In addition, 29% uncovered employee corporate credentials or misconfigured user permissions, while 28% exposed previously unknown SaaS applications.
Perhaps most troubling is the fact that 69% of organizations admitted they had experienced at least one cyber-attack that started through the exploit of an unknown or unmanaged internet-facing asset, including software, cloud-based workloads, user accounts, and IoT devices.
As a result of these threats, the survey found that 80% of organizations plan to increase spending for security hygiene and posture management within the next 18 months.
The top budget priorities areas include data security tools (31%); cyber-risk quantification tools (30%); and cloud security posture management (28%).
Link: https://www.tmcnet.com/usubmit/2021/11/18/9496001.htm
Xenith Names Bill Long Chief Information Security Officer
TMC Net News
RESTON, Va., Nov. 17, 2021 /PRNewswire/ — Xenith Solutions (Xenith) today announced Bill Long has been named as the new Chief Information Security Officer (CISO) overseeing cybersecurity operations and strategy for Xenith and TRI-COR Industries (TCI), a wholly owned subsidiary of Xenith.
Mr. Long, who has been working as a Sr. Cybersecurity Engineer for Xenith since it was founded, has over 40 years of industry experience in large enterprise network environments specializing in cybersecurity architecture, design, engineering, and operations.
Mr. Long will report directly to the owners of Xenith.
Link: https://www.tmcnet.com/usubmit/2021/11/17/9494467.htm
Survey Finds CISOs are Missing Holidays like Thanksgiving and Not Taking Vacation Due to Work Demands
Vigilance Security Magazine
A new report from Human Layer Security company Tessian reveals that two in five Chief Information Security Officers (CISOs) have missed holidays like Thanksgiving due to work demands.
In addition, one-quarter have not taken time off work in the past 12 months.
In addition to missing national holidays, Tessian’s report reveals that CISOs work, on average, 11 more hours than they’re contracted to each week while one in 10 works 20 to 24 hours extra a week.
As a result of their stressful jobs, 59% of CISOs say they struggle to always switch off from work once the working day is over.
A quarter of security leaders said they spend between nine and 12 hours per month investigating and remediating each threat caused by human error, while more than one in 10 spend over a day.
So it’s no surprise that 34% of CISOs reported spending excessive time on triaging and investigation.
In addition, 38% of CISOs believe they’re spending too much time in departmental meetings and reporting to the board on cybersecurity, while one-third also feel drained by administrative tasks.
Similarly, 38% of CISOs also report feeling that they are spending too little time on their own career development.
When asked to elaborate on what they are not spending enough time on, CISOs said: hiring talent for my team (36%), attending non-departmental meetings (38%), communicating to customers (35%), researching new industry updates and trends (36%) and working on my own career development (38%).
In addition, 42% of CISOs say they have missed a federal or national holiday like Thanksgiving or Christmas, and 40% have missed a family vacation due to work.
One-third of CISOs report being unable to exercise regularly.
Link: https://vigilance-securitymagazine.com/news/top-categories/case-studies/10900-survey-finds-cisos-are-missing-holidays-like-thanksgiving-and-not-taking-vacation-due-to-work-demands
Report: Only half of companies employ a CISO
Venture Beat
According to a new report from managed cloud service provider Navisite, nearly half (45%) of companies surveyed do not employ a chief information security officer (CISO).
However, 58% believe they should hire a CISO or CSO.
Due to a noticeable lack of cybersecurity leadership, Navisite found that 60% rely on other parts of their organization outside the CISO/CSO or security team, including IT, executive leadership, and compliance.
75% of organizations also reported an increase in overall threat volume over the last year, with ransomware (37%) and phishing/spear-phishing (33%) reported as the top cyberthreats.
Link: https://venturebeat.com/2021/11/19/report-only-half-of-companies-employ-a-ciso/
The dangers of “connected” healthcare: predictions for 2022
Maria Namestnikova
Secure List
For a second consecutive year, the time for Kaspersky to make its predictions for the healthcare sector comes amid the global COVID-19 pandemic.
Unfortunately, the virus still dominates most aspects of our lives, and, of course, the pandemic remained the biggest and most-discussed topic in medicine.
Predictions for the year 2022
- Telemedicine will continue evolving.
- Malicious counterfeits of telehealth apps will most likely appear in app stores: fake apps that will imitate the real thing and promise to deliver the same functionality.
- Demand for fake digital medical documents will increase, as will supply.
- The sensitivity of the medical data found in leaks will grow.
- The medical theme will forever be a popular one for use as bait in cybercrime schemes.
If the year 2022 does not see a wide-scale training process – and none is expected at the moment – we will witness a continued increase in the type of attacks in question.
Link: https://securelist.com/connected-healthcare-predictions-for-2022/104969/
Next Up on the Network Security Hype Cycle: CAASM
Elizabeth Wallace
RT Insights
Gartner’s Hype Cycle for network security has identified Cyber Asset Attack Surface Management (CAASM) as an emerging technology.
It could help companies and enterprises reduce vulnerability without reducing the visibility of cyber assets.
Gartner identifies the following drivers for CAASM adoption:
- Companies have full visibility into all digital assets for the first time, allowing for better security coverage.
- Companies see gaps and ensure remediated security steps throughout the environment.
- Companies also significantly reduce the time and effort going into audit compliance.
- CAASM reduces laborious manual retrieval systems and unites all assets across a single environment.
When audits happen, no one has to go looking for missing information.
It consolidates all assets into a platform with a single, normalized view.
All teams have access to this view, including any stakeholders responsible for the security or who could benefit from such a consolidated view and query capability.
Companies can finally accomplish bringing third party and shadow IT systems into the fold.
CAASM experiences less resistance than other solutions and could offer vital control back to IT.
CAASM is on Gartner’s “on the rise” list for good reason.
It’s experiencing increasing maturity, but still, some obstacles remain to its full market saturation.
Because it’s so new, companies may have challenges scaling CAASM and finding tools that integrate with it.
Integration teams may also block access.
The good news is that being on Gartner’s hype cycle provides incentives for companies to address both of these challenges.
Businesses looking to adopt these measures can keep an eye out for emerging resources as the cycle moves forward.
Although Gartner identifies a less than 1% adoption rate at the current moment, this emerging solution could be the next big thing in cybersecurity.
Companies must address security weaknesses in their networked applications as well as non-IT-controlled ones, and CAASM may finally provide a solution.
Link: https://www.rtinsights.com/next-up-on-the-network-security-hype-cycle-caasm/
Agencies entering ‘execution’ phase of Biden’s cyber executive order
Justin Doubleday
Federal News Network
Agencies have seen a deluge of new guidance and standards released since President Joe Biden’s May cybersecurity executive order, and a top White House cyber official says the government is now shifting into the execution phase of the sprawling directive.
The White House Office of Management and Budget also released a draft zero trust strategy, outlining the security architecture that underpins the executive order’s push to overhaul federal cybersecurity practices.
Earlier this month, the Cybersecurity and Infrastructure Security Agency also released a binding operational directive requiring agencies to patch a series of known vulnerabilities.
Agencies had two weeks to patch vulnerabilities discovered this year, and six months to remediate those identified between 2017 and 2020.
OMB is focused on ensuring agencies aren’t just aware of the vulnerabilities that are on their networks, but also have the resources to remediate them, DeRusha said.
The federal CISO was also recently given a second title as deputy national cyber director for federal cybersecurity within Chris Inglis’ new office at the White House.
As the national cyber director, Inglis serves as “a principal advisor to the president on cybersecurity policy and strategy, and cybersecurity engagement with industry and international stakeholders,” according to the White House.
Link: https://federalnewsnetwork.com/cybersecurity/2021/11/agencies-entering-execution-phase-of-bidens-cyber-executive-order/
Top 5 hottest topics at this year’s largest cybersecurity conference
ASTIG
PHILIPPINES – DECODE 2021, the country’s largest cybersecurity conference hosted free of charge by Trend Micro Philippines, welcomed over 1,200 Filipinos on its first day.
1) Now, Else Be Too Late: Relevant Just-in-Time Decisions
2) Ransomware: 2021 Threat Landscape
3) Cybercrime Through the Lens of Law Enforcement and Private Partners
4) The Evolution of a CISO Role
5) Get IT Girl, Careers in Cybersecurity, and Cybersecurity Fundamentals
Link: https://astig.ph/decode-2021-hot-topics/
Top cybersecurity conferences for when Black Hat and RSA aren’t right | #cybersecurity | #conferences | #cybersecurity | #infosecurity | #hacker
Angela Dennis
National Cyber Security
DerbyCon
Security BSides
ShmooCon
CanSecWest
Ultimately, the decision of which cybersecurity conferences to attend will depend on which ones best meet the needs of the individual.
Link: https://nationalcybersecurity.com/top-cybersecurity-conferences-for-when-black-hat-and-rsa-arent-right-cybersecurity-conferences-cybersecurity-infosecurity-hacker/
Zero Trust Truths, Ransomware Risks, IoT Threats & Reality Recognition
Tim Eades
VMblog.com
2021 was the year when ransomware went mainstream, and so did the realization that much of our digital life counts as essential infrastructure for work, play and survival.
For organizations dealing with cyber vulnerabilities, accelerated digital transformation and migration to complex cloud environments, the consequences of increased vulnerabilities became more stark.
After a record year for both cyberattacks and enterprises transforming their IT infrastructures, don’t expect to see this change any time soon.
In 2022, we can expect to see four main challenges created by organizations’ lack of cyber preparedness and visibility into their IT environments.
First, Zero Trust will continue to be a high-level concept that means something different to everyone.
Next, C-suites will continue to be threatened by the specter of ransomware attacks.
Another trend that will continue to accelerate is the merging of the physical realm, e.g., the Internet of Things (IoT), and the realm of cybersecurity.
Finally, 2022 is shaping up to be the year when observability emerges as a primary element to provide comprehensive security and increased resilience to the enterprise.
Link: https://vmblog.com/archive/2021/11/22/varmour-2022-predictions-zero-trust-truths-ransomware-risks-iot-threats-reality-recognition.aspx
Deloitte: Absolute security ‘an unrealistic nirvana’
Heather Wright
iStart
“Absolute security is an unrealistic nirvana,” says Simon Owen, Deloitte global clients and industries leader, in the Deloitte 2021 Future of Cyber report.
Seventy-two percent of the nearly 600 global C-level executives surveyed for the report said their organisations experienced between one and 10 cyber incidents and breaches in the past year.
In Australia the ACSC received more than 67,500 cybercrime reports in the year to July – that’s one report every eight minutes.
The latest report from Cert NZ, meanwhile, shows there were more than 1,350 cyber security incidents responded to by the agency in Q2.
Unsurprisingly, the Deloitte report notes the impact of digital transformation as a factor in the increase in cyberattacks, with 69 percent of global leaders – consistent across all geographies – saying they’ve noted a significant increase in attacks.
“Leadership must make intelligent risk-based decisions on what to protect, and what assets are less important,” Owen says.
Those decisions need to be made swiftly, he warns, with continual reassessment as environments inside and outside the organisation change.
Collective global spending has now reached $145 billion a year and is predicted to exceed $1 trillion by 2035, according to the World Economic Forum.
Link: https://istart.co.nz/nz-news-items/deloitte-absolute-security-an-unrealistic-nirvana/
New Cybercriminal Capabilities and Talent Challenges Ahead
Tal Mozes
VMblog.com
1) DarkCloud Is Coming. Get Ready for a Stormy 2022
Ransomware and malware are already available as a service, and will use cloud native technologies to attack cloud infrastructure at scale.
2) Cyber Insurance Will Require Incident Readiness
3) Three Ransomware Trends to Watch in 2022
Regulators will increase the responsibility and accountability of victims of ransomware for their part in the game.
Boards of directors will bear personal responsibility if their organization is a victim of ransomware, increasing the importance of preparedness for risk, cyber risk, and ransomware.
Attackers will become more sophisticated.
Upping the ante from encryption to double extortion will no longer be enough.
Now attackers will have enough data and environment access to be able to conduct denial of service attacks, making it that much harder for organizations struggling with DDoS (on top of encryption and extortion) to return to business as usual.
4) More Cloud = Bigger Resource Gap
5) New Cyber Talent Will Turn to Hacking
6) Increased Attacks on SaaS
7) Pandemic Increases Pressure on CISOs to Improve Readiness
Link: https://vmblog.com/archive/2021/11/23/mitiga-2022-predictions-new-cybercriminal-capabilities-and-talent-challenges-ahead.aspx