Cybersecurity teams are “mostly” to blame for the persistent failure of business leaders to appreciate the magnitude and type of risk that cybersecurity issues present, a CISO and business advisor has concluded.
“There is definitely a growing appetite by board members and senior business leaders to be involved in cybersecurity decision making, but a lot of them are still struggling,” Phillimon Zongo, CEO & Founder of CISO Advisory, told CSO Australia in the wake of his presentation on cyber resilience at the recent ISACA OceaniaCACS conference.
“The problem is two-fold, and mostly lies within cybersecurity teams,” he explained. “Their ability to communicate cybersecurity up in a way that relates to critical business imperatives – such as customer retention and business growth – is still a big challenge. Business leaders don’t really understand what their [business] exposures are and what they need to do to improve that.”
A recent ISACA survey found that just 54 percent of ANZ business technology professionals believe their organisation’s leadership is digitally literate.
The second issue has emerged with what Zongo calls “the expanded cybersecurity attack surface”, which he attributes primarily to the growth of outsourcing and the undetected vulnerabilities introduced by those third parties.
“If you have hundreds of third parties, it’s very difficult to have a robust assurance program around them,” Zongo said.
The pace of digital transformation – which the ISACA survey found is complicated by the finding that less than a quarter of organisations believe their senior leadership is very receptive to adopting emerging technologies – had also confounded efforts to improve cybersecurity.
Applications, data and business processes were often being moved to cloud-based platforms without businesses having staff with the right skills to manage that new environment – complicating the transition for CISOs and compromising their ability to have meaningful discussions with their senior leaders.
Zongo knows this first-hand, working as an ISACA director and head of cybersecurity with a leading wealth management firm.
The new environment
While CISOs dealt with technological issues, business leaders were more concerned with issues about service delivery and process – and their investments need to reflect this by shifting the focus away from the “fortress mentality” to one based on robust mechanisms for ensuring cyber resilience.
“Enterprises are realising that if they are targeted by a well-resolved and determined threat actor, they will get in,” explained Zongo, who recently highlighted the threat in his book The Five Anchors of Cyber Resilience. “If that happens, the question is how can they rapidly restore important systems so they can minimise the downstream impact to their shareholders, customers, and employees?”
Addressing this question is difficult when most companies still try to address the business impact of cybersecurity breaches within the IT area: “the number of high-profile data breaches that we hear of, almost every week, is a clear indication that the previous model of managing this risk within IT has failed,” Zongo said.
“We are spending a lot of money in cybersecurity but not necessarily spending it on the right thing.”
Smaller companies had a particularly pointed challenge addressing these issues, because their resources are already limited and the chronic cybersecurity skills shortage had generally left them struggling to get the cyber resilience skills they needed.
This had prevented many smaller business IT organisations from being able to drive the transformational mindset shift necessary to reframe the cybersecurity conversation – particularly since that conversation is often currently built around the idea that organisations can address their resilience issues by embracing sprawling standards from NIST, ISO and the like.
“If you try to utilise these within an SME, the framework becomes overwhelming,” Zongo said. “A lot of people have 1 to 3 people in their cybersecurity teams – and attempting to mitigate the threats is a strategy that loses before you even start.”
Businesses need to rethink their cybersecurity strategies and evaluate their maturity to understand where their strengths and weaknesses lie – ISACA’s recent acquisition of CMMI provides one such suitable maturity model – to benchmark their position against their peers.
“The gaps between the best actor’s ability to attack, and our ability to defend, keeps widening because our exposure is much more than it was,” Zongo said. “But once you understand what those crown jewels are, you can focus those resources on what are the critical controls needed to be implemented around those assets.”