Security’s all-too-frequent appearance as a front-page headline making topic has put CISOs in the hot seat as CEOs and boards worry that it could be their names next in news stories trying to explain how a breach occurred.
Yet the CISO message to the C-suite might not be all that reassuring.
Some 64% of CISOs fear their companies are at risk of a major cybersecurity attack in the upcoming year and 66% feel their organization is unprepared to handle it, according to the 2021 Voice of the CISO Report from security software maker Proofpoint.
In response, CISOs are adjusting strategies to beef up their security posture. They seem to believe they’re on the right track: Proofpoint notes that 65% of CISOs believe they’ll be better able to resist and recover from cyberattacks by 2023.
Of course, each CISO has his or her own security roadmap, but common elements have emerged. According to CISOs, analysts and security leaders, the typical CISO priority list today has many or most of these 15 items:
1. A focus on fundamentals
Security fundamentals remain a top priority. “It’s not the fun, sexy cybersecurity topic, but it’s important that we make sure we’re handling the blocking and tackling appropriately,” says Tyrone Jeffrees, vice president of engineering and U.S. information security officer at the digital consultancy Mobiquity.
To that end, Jeffress says he and other CISOs remain focused on flawlessly performing asset management, patching, vulnerability management and configuration as well as delivering security awareness education and training.
Figures from the Proofpoint survey confirm this take, noting that enhancing core security controls is one of the most cited priorities listed by CISOs.
Related reading: The three most important ways to defend against security threats
2. Identifying, mitigating third-party risk
The SolarWinds attack, in which one of its platforms was hacked, bumped third-party risk to the top of the CISO priority list, says Neil Daswani, a veteran cyber security leader and co-author of Big Breaches: Cybersecurity Lessons for Everyone.
Daswani says the hack, first identified in late 2020, illustrates the need for CISOs to understand all the technology in use within their organizations so they can create appropriate processes for vetting their vendors and devise strategies on how best to mitigate risks.
3. Assuring security within enterprise code
Similarly, CISOs are becoming more focused on finding vulnerabilities within code used by their enterprise, says Brian Johnson, a security expert who co-founded the information security firm Crucyble.
“So much code is shared these days, and we’ve seen lots of code issues, code that we use from other people, possibly malicious open source code,” he says, noting that he and other CISOs are committing resources to examine new code being deployed and revisit code deployed code to root out any vulnerabilities or bugs.
Related reading: Why code reuse is still a security nightmare
4. Defending against ransomware attacks
Ransomware attacks hit new levels in 2021, with attacks on Colonial Pipeline and the multinational meat packer JBS shutting down critical infrastructure and impacting daily life in parts of the United States.
Such news has put CISOs on high alert, according to nearly all security leaders.
“This means continuously testing our security posture—both through internal testing and external testing by engaging third party security and compliance assessments as well as engaging leading global security researchers/testers. Rich data-driven and modern security monitoring to identify and methodically respond to threats is another key aspect. It is also critical to test our response preparedness via ongoing tabletop exercises that test various threat scenarios,” says Sanjay Macwan, chief information and chief information security officer at Vonage.
Related reading: Tabletop exercises: Six sample scenarios
5. Getting board-level support
“Another CISO priority is to make sure all the executives are aware of what’s going on in the threat landscape and what additional level of investment is needed to battle those threats,” says Daswani, who also serves as co-director of the Stanford Advanced Security Certification Program.
That has more CISOs presenting or even reporting directly to boards, experts say. In fact, Gartner, a tech research and advisory firm, estimates that 40% of corporate boards will have a dedicated cybersecurity committee by 2025, up from 10% in 2021. The firm’s research also indicated that boards now see cybersecurity-related risk as the second-highest source of risk for the enterprise, second only to regulatory compliance risk.
Related reading: 12 tips for effectively presenting cybersecurity to the board
6. Support for transformation and strategic goals
As organizations continue to digitalize and accelerate their transformations, CISOs are expected to keep pace. Consequently, CISOs are thinking about security as a business enabler.
“From the board’s perspective, the priority is to support the business and the business goals and to do so in a manner that allows us [as a business] to do things securely to protect our customers, our employees and the company overall, and to do so while providing a good customer experience. That’s the overarching mantra,” says David Levine, vice president of corporate and information security and CSO for digital services and information management provider Ricoh USA.
How CISOs support that mission varies from one enterprise to the next, experts say, adding that it is becoming a more universal priority for security teams year over year.
Related reading: What is security’s role in digital transformation?
7. Increasing agility
Kriss Warner, the global practice lead for cybersecurity consulting with Info-Tech Research Group and an ISACA-certified CISO, sees a related priority among most CISOs: The drive to “quickly adapt while remaining resilient.”
CISOs are training themselves and their teams to work in a more agile mode to keep up with the business, Warner says. “We have natural disasters, nation-state players [in the malware space], different things hitting CISOs from a board level, all these things require CISOs to be more nimble,” he adds.
Related reading: 6 security shortcomings that COVID-19 exposed
8. Upskilling teams
Competition for security talent is fierce, with the pandemic exacerbating an already competitive market. According to Gartner, there has been a surge in demand for infosecurity roles, with a 65% upswing in demand in the United States. So, CISOs continue to prioritize keeping their existing workers and training them for the specific skills they need to secure evolving environments, says Brian M. Gant, an assistant professor of cybersecurity at Maryville University. There’s a particular emphasis on upskilling workers in cloud security and threat intelligence as well as access and identity management.
9. Addressing IoT security
IoT Analytics in its State of the IoT 2020 report estimated that there were 12 billion internet of things connections last year, a number that for the first time surpassed the number of non-IoT connections. The market research firm predicted that there will be more than 30 billion IoT connections by 2025.
“Everything is being connected, and that’s something CISOs will have to strategically think about,” Gant says.
Gant say CISOs are paying greater attention to the security around connected devices and the data they produce. They’re developing strategies to know exactly what and how much they have connecting to their network. They’re also revisiting their identity and access management programs to include IoT.
Related reading: How IoT changes your threat model: 4 key considerations
10. Security by design
Shifting security left is a priority for Macwan, the Vonage CIO/CISO.
“Simply put, in everything we do—products and services for our customers or tools and technologies that enable our employee experience—all must embed appropriate security, privacy, trust and compliance from the get go,” he says.
Other CISOs echo those thoughts and likewise list security by design as a priority.
“Security issues cost exponentially less to fix when discovered during development before deployment to production, so it is a critical part of my roadmap (and many of my colleagues) to put security feedback into developer pipelines and empower developers to make security relevant decisions early and safely,” says Kyle Tobener, head of security and IT for technology firm Copado.
Related reading: What is DevSecOps? Why it’s hard to do well
11. More automation
To help security teams better cope with a broader IT environment and ramped-up attack activity, many CISOs have accelerated their deployment of automation technologies.
In fact, the Proofpoint survey listed “improve security automation” as No. 4 on its list of priorities identified by responding CISOs.
Jeffress says CISOs are using automation to better identify threats and speed response as well as enforce security standards throughout the development and deployment of new code into the environment. He notes that automation is a key part of creating secure code, implementing security by design, and moving to the increasingly popular zero trust security model.
Related reading: Getting started with security automation
12. Strengthening remote work security
Proofpoint’s CISO survey reveals that almost two-thirds of responding CISOs believe that remote work has made their organizations more vulnerable to cyberattacks, with 58% of them seeing more targeted attacks since enabling widespread remote work.
“People could be putting themselves and the company at risk not intentionally but because the work environment is so different,” Levine says.
That has CISOs enacting zero trust and identity-first security strategies to create a secure work-from-anywhere business model, according to analysts, researchers, and consultants.
Related reading: 10 security tools all remote employees should have
13. Securing the cloud
Nearly 40% of organizations responding to the 451 Research survey for its Voice of the Enterprise: Cloud, Hosting & Managed Services, Budgets & Outlook 2021 increased their public cloud use during the pandemic, with the vast majority of them indicating the move to public cloud would be permanent.
Levine’s company is part of that trend, and that has him rethinking security strategy. He’s deploying new tools, processes, and governance models to support the infrastructure. And he’s implementing a comprehensive cloud security governance program to get his team visibility into his company’s cloud environment and to enforce adherence to proper configurations and security standards.
Related reading: AWS, Google Cloud, and Azure: How their security features compare
14. Keeping up with emerging, evolving privacy laws
Virginia passed the Consumer Data Protection Act (CDPA) in early 2021, enacting regulations similar to the California Consumer Privacy Act. Colorado followed suit in July, with its Colorado Privacy Act (CPA).
Such actions are created a growing patchwork of privacy regulations that organizations must track and follow.
That has CISOs, in cooperation with compliance and others within enterprise leadership, trying to put in place the technologies and processes that effectively and efficiently address the various laws as they stand today and as they continue to evolve, Warner says.
“It is almost a daily conversation with CISOs and business leaders. They’d like to deploy something and want to move into new markets, but they need to integrate serious privacy and security laws into their programs to do that,” he says.
15. Building continuity plans to account for global events
Levine is addressing another security issue revealed by the pandemic: shortcomings in his business continuity plans. He says he and other CISOs are revisiting their continuity and resiliency strategies that for the most part did not account for a worldwide impact event.
“We had plans, but it didn’t contemplate everybody going home overnight,” he says, adding that the old plan assumed geographical diversity of staff and facilities would allow for work in one impacted area to shift to unaffected regions. “Now we have to rethink what business continuity looks like.”
Related reading: Business continuity and disaster recovery planning: The basics