How enterprises can stay ahead of risks, threats and potential attacks [Q&A]


Businesses are engaged in a constant cat-and-mouse game with hackers, attackers, and bad actors in order to stay secure.

Dominic Lombardi, VP of security and trust at Kandji believes that in order to stay ahead it's necessary to master basic IT and security hygiene, update and communicate your risk register, and work steadily toward a zero-trust security model. We spoke to him to discover more.

BN: It's been said that the human element is the next organization-versus-hacker battleground. Why is this, and what comes next?

DL: Malicious threat actors always look for the weakest link, the chink in the armor. Last year, we saw more unique attacks focused on bypassing the weakest link within standardized security controls. The weakest link? The human element. Many of these security incidents were related either to multi-factor authentication (MFA) spamming, in which MFA requests were repeatedly sent to people until a link was clicked, or to exploiting a misconfiguration on publicly accessible resources. Meanwhile, cybercriminals have unleashed social engineering attacks aimed at disrupting organizations across different verticals and markets. During these attacks, an individual impersonates a customer and calls the company's support desk. In the process, the attacker obtains valid account access. The organization's lack of organizational-level security controls served as the attacker's entry point, allowing them to gain a foothold in these environments.

In 2023, attackers will get more creative in their pursuits. Many of the security controls we put in place earlier are at risk of being bypassed due to human error. How do we ensure our security controls are fault tolerant? This starts with basic hygiene at a people, process, and procedural level. Work to build a proactive cybersecurity culture in which you document all ongoing processes -- basically, all the validation steps that ensure you properly identify and authenticate a person's identity, information, and account ownership.
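The MFA spamming pattern described above (repeated push requests until the person gives in) is something a security operations team can detect from the authentication provider's own push logs. The following is an added example written for this article, not code from Kandji or from the interview: it reads a constructed push-event log, flags any user who receives a threshold number of pushes inside a sliding window, and escalates the alert if an approval lands while that burst is still live. The log format (`timestamp user event src_ip`), the event names `push_sent`/`push_denied`/`push_approved`, and the default window and threshold are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one MFA push event per line.
# alice is pushed four times in under two minutes and finally approves;
# bob is a normal single-push login; carol is pushed slowly, 15 minutes apart.
SAMPLE_LOG = """\
2023-01-10T08:00:01Z alice push_sent 203.0.113.7
2023-01-10T08:00:09Z alice push_denied 203.0.113.7
2023-01-10T08:00:31Z alice push_sent 203.0.113.7
2023-01-10T08:00:40Z alice push_denied 203.0.113.7
2023-01-10T08:01:02Z alice push_sent 203.0.113.7
2023-01-10T08:01:35Z alice push_sent 203.0.113.7
2023-01-10T08:01:50Z alice push_approved 203.0.113.7
2023-01-10T08:02:00Z bob push_sent 198.51.100.2
2023-01-10T08:02:05Z bob push_approved 198.51.100.2
2023-01-10T09:30:00Z carol push_sent 192.0.2.9
2023-01-10T09:45:00Z carol push_sent 192.0.2.9
2023-01-10T10:00:00Z carol push_sent 192.0.2.9
2023-01-10T10:15:00Z carol push_sent 192.0.2.9
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, user, event, src_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_mfa_fatigue(log_text, window_seconds=300, threshold=3):
    """Return a list of alert dicts, one per burst of pushes to the same user.

    A 'burst' alert (severity medium) opens when a user has `threshold` push_sent
    events inside a sliding window of `window_seconds`. If a push_approved arrives
    while that burst is still inside the window, the alert is upgraded to
    'approved_after_burst' (severity high): the classic sign that someone finally
    tapped Approve to make the prompts stop. `count` is the number of pushes in
    the window at the alert's last update.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> push_sent timestamps still inside the window
    open_alerts = {}              # user -> alert dict for a burst still in progress
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        q = recent[user]

        # Drop pushes that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        # If the window has drained below the threshold, the burst is over;
        # a later burst for the same user gets its own alert.
        if len(q) < threshold:
            open_alerts.pop(user, None)

        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                alert = open_alerts.get(user)
                if alert is None:
                    alert = {
                        "user": user,
                        "kind": "burst",
                        "severity": "medium",
                        "src_ip": ip,
                        "first": q[0].isoformat(),
                        "last": ts.isoformat(),
                        "count": len(q),
                    }
                    open_alerts[user] = alert
                    alerts.append(alert)
                else:
                    alert["last"] = ts.isoformat()
                    alert["count"] = len(q)
        elif event == "push_approved" and user in open_alerts:
            # Approval while the burst is live: escalate for immediate triage
            # (session review, credential reset, and a call to the user).
            alert = open_alerts[user]
            alert["kind"] = "approved_after_burst"
            alert["severity"] = "high"
            alert["approved_at"] = ts.isoformat()

    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

With the defaults, only alice produces an alert, and it is upgraded to high because she approved during the burst. carol's slow cadence stays under the 5-minute threshold, which is why a short-window burst rule should be paired with a longer per-day count of denied or unanswered pushes (rerunning with `window_seconds=3600` also flags carol); number matching or a hardware key removes the blind approval that this detection is looking for.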

BN: The risk register has come up a lot lately as a critical tool for maintaining a secure environment. How should organizations handle this in 2023?

DL: Your organization's risk register should serve as a 'what if' manual that outlines current and potential security risks and how they could impact the organization. Organizations are facing constraints at all levels -- budgets, personnel, and time -- in 2023. Your risk register must catalog the various risk scenarios that face your business and provide visibility for your leadership teams to make more risk-informed treatment plans.

Maturing organizations will double down on best practices, perform threat analysis, and continue to populate their risk register. The more visibility (and fewer cracks) you have, the lower the probability of unexpected negative outcomes. This involves maintaining a running asset inventory across your organization and mapping this inventory against security controls. Meanwhile, build out project plans for a continuous rollout to fill some of the gaps. Think patch management, standardized configurations across servers, and a rigorous process for building, deploying, and maintaining new software. Remember that basic IT hygiene is 99 percent of the game.

BN: What is next for the CISO role? How important has this role become for enterprises?

DL: When it comes to cybersecurity, executive-level engagement is a must. That means CISOs must take a seat at the C-level table (if they haven't already) and stay there. Recently, with the Joseph Sullivan/Uber case, we saw the first criminal conviction of a CISO/CSO for failure to effectively disclose a breach. To prevent miscommunication and promote total transparency, any CISO who does not report directly to the CEO should demand that they do -- immediately. To set themselves up for success, they should also ensure that the general counsel at their organization is in their 'peer set'.

At the C-level table, the CISO can also (continuously) champion the risk register to ensure they receive the resources needed to remediate and reduce risk on an ongoing basis, not to mention executive buy-in for the appropriate resources to resolve high-priority items. Keep in mind that new threats, risks, and updates will always populate your risk register. It is critical to actively work to remediate against this list; this prevents risks from escalating and becoming more complicated.

BN: IT and InfoSec continue to pursue their own agendas. Can security become more of a 'team sport'?

DL: Traditionally, IT and InfoSec teams within an organization pursued their own agendas. InfoSec secured the company and its users, while IT enabled people within the organization to work efficiently and effectively. InfoSec and IT teams must work more collaboratively to reduce the gap between identifying and addressing issues.

In many organizations, IT admins are joining the security team, as today's global, decentralized workplace has broadened IT's responsibilities within the enterprise. IT admins have become a key part of the security organization, with 34 percent of Fortune 500 companies rolling the IT department into the CISO's purview in 2021. This percentage was close to 80 percent in startups and emerging technology companies. As more enterprise companies follow the lead of modern SaaS and technology organizations, the next task will be creating (and using) the best tooling to bridge the gap between these two core competencies. How do you adjust for the overlap and enable bidirectional communication and collaboration?

BN: Zero trust seems to be a priority, especially as it pertains to the hybrid office. How should security organizations employ zero trust methods in the coming year?

DL: Security teams have been talking about the zero-trust cybersecurity approach for a few years. It used to be 'trust but verify'. The new zero trust -- in a workplace filled with multiple teams, multiple devices, and multiple locations -- is 'check, check again, then trust in order to verify'. Basically, organizations must validate every single device, every single transaction, every single time -- always.

Only six percent of enterprise organizations have fully implemented zero trust, according to a 2022 Forrester Research study. The complex and disparate workplace environments that are so common now make it difficult to adopt zero trust -- at least all at once. This does not mean organizations are not slowly rolling out zero trust across their environments and assets.

It would be easy when a company only has a limited number of environments. However, if you are using AWS, Azure, and GCP with an on-premises instance along with a private cloud where you are running virtualization through VMware -- that will take some time to uniformly roll everything out. Yes, companies are working towards zero trust, but it will take a bit longer than people would like. As we all continue to embark on the zero-trust journey, we will see new solutions for the complex problems companies are experiencing on-premises and in public and private clouds.

Photo Credit: Olivier Le Moal / Shutterstock
