While many expected early on that 2022 would be a challenging year for cybersecurity, with the lingering effects of the COVID-19 pandemic still being felt, few imagined that 2022 would also present unique challenges that some businesses found more difficult to navigate. At the same time, the past year provided unique opportunities from which businesses drew the knowledge and experience needed to survive and evolve in their cybersecurity practices.
As the people responsible for the business’ cybersecurity, CISOs were also at the forefront of the challenges their respective organizations faced during the past year. From those experiences, CISOs have learned 14 key lessons that other CISOs should take to heart for the benefit of their organizations.
1. Never wait for a geopolitical conflict to boost security
Russia's invasion of Ukraine spurred nationalist and criminal organizations to take sides and forced businesses to embrace government-issued guidance created to help them heighten their security posture. While the conflict prompted businesses to question and reassess their cyber resilience readiness, such questions should have been raised years ago.
2. Cybercriminals are not only on the rise, but their services have also become dirt cheap
Ransomware gangs and other threat groups have not only multiplied but also have become more capable of launching attacks on the supply chain and other internal infrastructure. Compounding matters is the fact that the hacker-as-a-business model has continued to gain traction, especially as groups are offering lower rates and, as a result, lower barriers for entry.
3. Untrained employees can cost a company millions
The aforementioned rise in cyberattacks can be partly attributed to a lack of employee awareness and training in dealing with these attacks. As a result, cybercriminals continue to target employees through phishing and other social engineering means in order to gain access to the company’s network. Fortunately, business leaders have started to pay more attention to these threats and have become more proactive in dealing with them.
4. Governments are legislating more aggressively for cybersecurity
Countries like the United States and the United Kingdom, and the members of the European Union, have strengthened their cybersecurity legislation, especially in light of what has transpired over the past three years. Thus, implementing cybersecurity measures now also carries an added compliance dimension. On top of this, businesses should take note of the evolving data privacy and security rules as they continue to grow in complexity.
5. Organizations should keep better track of open-source software
The Log4j crisis exposed the risk posed by remote code execution vulnerabilities and by open-source software dependencies in general. While open-source software remains an invaluable resource for businesses seeking free and capable applications for various business needs, such software is also vulnerable to attacks and exploitation by cybercriminals looking to prey on businesses. As a result, many businesses have learned to do better when it comes to incident response and asset tracking.
6. More effort should be put into identifying vulnerabilities
Organizations must strive to keep up with vulnerabilities in both open- and closed-source software given the evolving cyber threats. Admittedly, this is easier said than done given how many threats arise each day. Thus it helps to have vulnerability management tools that can identify and prioritize vulnerabilities found in operating systems and applications. It also pays to have a good AppSec program as part of the software development life cycle and secure coding practices in place at all times, especially since everything is code, from the networks to the software and the policies in place.
7. Companies need to do more to protect against supply chain attacks
Supply chain attacks have been a major cause for concern in 2022, and while some businesses spent a lot on technology to solve these issues, they did not have the knowledge or insight as to how these technology solutions fit into their existing ecosystem, if at all. Then there are artifacts such as the software bill of materials (SBOM), which bring new frameworks and technologies of their own, such as managing the aggregation of component information, along with complementary frameworks such as Supply-chain Levels for Software Artifacts (SLSA), all of which add complexity and new challenges. A review of the supply chain is in order, alongside a more comprehensive plan that will help the business identify the capabilities needed to navigate the waters in the event of a supply chain attack.
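A concrete starting point for the asset tracking that lessons 5 and 7 call for is to read the SBOM you already have and check every component against an advisory feed. The script below is an added example, not code from the original article or from any SBOM tool: it parses a constructed CycloneDX JSON document, keys the inventory by package URL (purl), and flags components whose version is below the fixed version listed in a constructed advisory list. The advisory identifiers are placeholders and the fixed versions are illustrative only, not real advisory data.

```python
"""SBOM inventory check (added example, not from the original article).

Reads a CycloneDX JSON SBOM, builds a purl -> version inventory, and flags
components whose version is below the fixed version in an advisory feed.
The SBOM and the advisory feed below are constructed sample data."""
from __future__ import annotations

import json
import re

# Constructed CycloneDX 1.4-style SBOM; components and versions are sample data.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
    ],
})

# Constructed advisory feed: "every version below fixed_in is affected".
# IDs are placeholders and fixed versions are illustrative, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-001",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core", "fixed_in": "2.17.1"},
    {"id": "ADVISORY-PLACEHOLDER-002",
     "package": "pkg:npm/lodash", "fixed_in": "4.17.21"},
    {"id": "ADVISORY-PLACEHOLDER-003",
     "package": "pkg:pypi/requests", "fixed_in": "2.20.0"},
]


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) for tuple comparison.

    Parsing stops at the first non-numeric segment, so a suffix such as
    '-rc1' is dropped; pre-release ordering is not modelled here."""
    parts: list[int] = []
    for segment in re.split(r"[.\-+]", version):
        match = re.match(r"\d+", segment)
        if match is None:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def split_purl(purl: str) -> tuple[str, str]:
    """Split 'pkg:type/namespace/name@version?qualifiers#subpath' into
    (package, version); qualifiers and subpath are stripped so the package
    key lines up with the advisory feed."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return base, ""
    package, version = base.rsplit("@", 1)
    return package, version


def inventory(sbom_json: str) -> dict[str, str]:
    """Build a package -> installed-version map from a CycloneDX document.
    Components without a purl fall back to their bare name."""
    bom = json.loads(sbom_json)
    inv: dict[str, str] = {}
    for component in bom.get("components", []):
        purl = component.get("purl")
        if purl:
            package, version = split_purl(purl)
            inv[package] = version or component.get("version", "")
        else:
            inv[component.get("name", "?")] = component.get("version", "")
    return inv


def find_affected(inv: dict[str, str], advisories: list[dict]) -> list[dict]:
    """Return one finding per advisory whose package is present in the
    inventory at a version below the advisory's fixed version."""
    findings = []
    for advisory in advisories:
        installed = inv.get(advisory["package"])
        if installed is None:
            continue  # package not shipped in this build
        if parse_version(installed) < parse_version(advisory["fixed_in"]):
            findings.append({"advisory": advisory["id"],
                             "package": advisory["package"],
                             "installed": installed,
                             "fixed_in": advisory["fixed_in"]})
    return findings


def check_sbom(sbom_json: str = SAMPLE_SBOM,
               advisories: list[dict] = SAMPLE_ADVISORIES) -> list[dict]:
    """Convenience wrapper: inventory the SBOM and match it against the feed."""
    return find_affected(inventory(sbom_json), advisories)


if __name__ == "__main__":
    for finding in check_sbom():
        print(f"{finding['package']}@{finding['installed']} affected by "
              f"{finding['advisory']} (fixed in {finding['fixed_in']})")
```

Run against a real SBOM exported by your build tooling, the same loop gives the per-component exposure list that an incident-response team needs in the first hours of a Log4j-style event; the advisory feed would then come from your vulnerability management source rather than the constructed list above.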
8. Zero trust should be a core philosophy
A zero-trust program is not only about the technology that validates and secures identities but also a discipline and culture of eliminating implied trust and replacing it with explicit, verified trust, which greatly improves the business’ security. Therefore, every product or service must support single sign-on (SSO) and/or multi-factor authentication (MFA), and corporate and non-production networks should be isolated from production environments.
9. Cyber liability insurance is a must, despite increasing premiums
Some businesses tend to forgo cyber liability insurance, partly because the premiums involved increase each year. That may be understandable for businesses experiencing cashflow issues. But given the increasing sophistication and danger of cyber threats now and in the future, insurance is a bitter but necessary pill to swallow for all organizations. One positive aspect is that, thanks to the stringent requirements of insurers, organizations with cyber liability insurance become more aware of the risks within the organization that cybercriminals could exploit. This allows businesses to act on potential threats and resolve them early.
10. The "shift-left" approach to software testing is dated
There is risk in all phases of the DevOps process, so tooling and investigation have to shift everywhere within the process, not just to the left. Because of this, it is important to increase security everywhere across the DevOps ecosystem, including the build system and the deployable artifact itself.
11. Using the wrong tool for the wrong asset will not fix the problem
Security is a complex matter and should not be treated generically, as if a single solution could be applied to all assets or resources. Instead, CISOs need to look at the nuances and find the right tool for the problem they want to fix, and the right cybersecurity solutions or services that work for the particular technology that needs to be protected.
12. Organizations need help understanding their complete application architectures
Tech is increasing in complexity every year, and organizations must understand their entire ecosystem to avoid major security flaws. In particular, applications are becoming more and more complicated as they are tied to something as fluid as cloud-native development practices. As such, it helps to break down tech operations into smaller blocks of responsibility to make tech more manageable and secure.
13. Security should be a continuous effort
Contrary to popular misconception, cybersecurity is not a “one and done” activity but a dynamic affair; ensuring it is a continuous effort that requires a risk management approach. Therefore, companies should take the time and effort to identify critical processes and assets and determine what level of security exposure they are willing to accept.
14. Have plans in place
Given the unexpected challenges that arose in the past year, and with 2023 expected to be an even more difficult year, companies, and especially CISOs, should make the necessary preparations now, before they are struck by unexpected events. This allows the business to remain competitive and thrive in spite of the situation.