Unlocking cybersecurity success: The need for board and CISO alignment
The C-Suite's perception of cybersecurity has evolved dramatically over the past decade. It has gone from being an afterthought for technology departments to worry about to a cornerstone of business survival and operational strategy. The heightened awareness stems from a deeper grasp of the legal, reputational and financial consequences of data breaches. This, combined with regulatory pressure such as the original NIS directive, has forced leaders to strengthen their organizations' cybersecurity measures.
The result is that 75 percent of organizations now report that cybersecurity is a high priority for their senior management team. On the surface this should be celebrated, but when digging deeper, conversations between CISOs and the wider C-Suite often revolve only around high-profile or user-centric security risks. More technical threats, such as those related to application security, are overlooked. The race to embrace AI and increasingly complicated cloud infrastructures has also made communicating cybersecurity priorities even more difficult for CISOs.
Speaking into the wind
One of the root causes of the communication gap is that C-suite executives are rarely cybersecurity experts. This is underscored by the fact that 7 out of 10 C-suite executives say security teams talk in technical terms without providing business context. Through no fault of their own, executives do not possess a detailed understanding of the threat landscape or of the resulting priorities for risk management. As a consequence, 77 percent of CISOs say boards and CEOs focus too heavily on the ability to react to security incidents and not enough on reducing and preventing risk proactively.
It is this reactive approach, combined with a lack of focus on specific technical areas of cybersecurity, that creates blind spots and leaves organizations vulnerable. Application vulnerabilities remain one of the most common initial access vectors for cyberattacks. The Verizon Data Breach Investigations Report (DBIR) recently identified a 180 percent increase in breaches in which the exploitation of a vulnerability was the critical path to initial access, with web applications the main entry point. To put this into context, 72 percent of organizations have experienced an application security incident in the past two years.
The impact of the communication gap is clear. As CISOs struggle to convey which vulnerabilities and which areas of cybersecurity the business should prioritize, the C-Suite neither accepts the risk picture nor acts on it. Decision making is hampered, which delays the implementation of the measures needed to safeguard the organization. Without a clear grasp of these risks, executives cannot prioritize resources effectively or devise fast responses, leaving the organization exposed.
The AI and cloud headache
To complicate matters further, the growing complexity of cloud-native architectures means traditional security tools and approaches are often no longer fit for purpose. Perimeter-based controls may have worked when applications ran in a single data center, but on their own they cannot keep up with distributed cloud-native architectures and multicloud environments, where workloads are short-lived and the perimeter is diffuse; access controls still matter, but they have to be applied per workload and per identity rather than at a network edge. Specifically, 76 percent of CISOs cite the limitations of security tools for real-time identification of risk in dynamic cloud-native architectures as a key challenge.
Added to this, the AI boom has become something of a double-edged sword. Organizations use it to achieve significant productivity and efficiency gains. However, AI has also offered a whole host of new opportunities to those seeking to breach their defenses, for instance through automated phishing attempts or deepfake-based social engineering. In fact, for 52 percent of CISOs the top concern relating to AI is the risk of cybercriminals using AI to create new vulnerability exploits faster and execute them at a wider scale.
The remedy
For many organizations, there is a clear push to drive innovation on a scale not seen before, often leading to large and complex technology stacks. As a result, organizations are increasingly looking for ways to overcome this complexity by automating processes across the DevSecOps lifecycle. These automation practices are critical to accelerating innovation because they provide a consistent approach to development and security processes, helping to minimize risk, preserve resources, and maintain regulatory compliance. In fact, 71 percent of CISOs say DevSecOps automation is critical to ensuring reasonable measures have been taken to minimize application security risk.
This level of automation will make the lives of CISOs easier, because many vulnerabilities can be found and fixed before services are launched rather than after they are exposed. Automation does not catch everything, so it has to be paired with visibility into what is actually running in production. To take this one step further, CISOs should look to unify their security and observability strategies. This approach reduces the cost of investigating alerts from multiple tools, delivers faster visibility into the impact of a security incident, and provides the insight needed to respond effectively. With this insight to hand, CISOs and the board can meet each other in the middle: both parties will have clear data that helps them understand cybersecurity priorities and act accordingly.
Modern cybersecurity requires a new approach
Ultimately, any organization wanting to grow and keep its operations running smoothly needs a strong and collaborative cybersecurity strategy. The added complexity of AI and cloud requires a new way of thinking about how CISOs protect their organization and communicate business risk internally. By combining their security and observability strategies, CISOs can foster a shared sense of responsibility for cybersecurity with the board, helping the organization respond more decisively and materially reduce its risk exposure.
Image credit: Sashkin7/depositphotos.com
Ben Todd is Regional Vice President, EMEA Security Sales at Dynatrace.