CISOs Are Focused on These 3 Trends, Are You?

With growing pressures in today’s evolving cyber landscape, CISOs have a lot of priorities to juggle. To better understand where they are directing their focus, Microsoft spoke with a number of security leaders and identified these top three priorities.

Security leaders are facing growing pressures in today’s rapidly evolving cyber landscape. The rise in remote work means that many organizations are managing a complex web of in-person, online, and hybrid work scenarios while also juggling cloud migration to support their diversified workforce. There’s also the increase in the sheer volume of cyber attacks to contend with; between July 2020 and June 2021, there was a 1,070% increase in ransomware attacks alone.[1]

For Chief Information Security Officers (CISOs), this has created a variety of new challenges to contend with. Based on our conversations with security leaders, Microsoft has identified the top three focus areas that CISOs are prioritizing today so you can understand what steps your organization should take to guard against ongoing cybersecurity threats.

  1. Rapidly-shifting threat landscape and attack vectors

Organizations’ attack surfaces grow alongside the rise of the remote and hybrid workforces, stretching to span across multiple clouds and platforms. However, the new technologies that are required to facilitate stronger remote collaboration and productivity have also opened up new vulnerabilities for cybercriminals to exploit. Fifty-five percent of security leaders have detected an increase in phishing attacks since the beginning of the pandemic, and 88% say that phishing attacks have affected their organization.[2]

While news headlines are dominated by increasingly aggressive nation-state attacks and novel incidents like the NOBELIUM supply-chain attack, even advanced threat actors tend to focus on low-cost, high-value attacks of opportunity. Take the uptick in password spray attacks, for example. While large-scale attacks like the above aren’t an everyday occurrence, it is still important for security teams to be prepared in the event of a breach.

A healthy cybersecurity posture often comes down to a careful balance of managing risk and strengthening cyber hygiene practices. Microsoft estimates that basic security hygiene can protect against 98% of attacks.

The fundamental steps for securing your enterprise today in the face of evolving threats are as follows: 

  • Implement multifactor authentication (MFA) and a registration policy
  • Gain visibility into your environment
  • Focus on user education
  • Stay on top of patching and vulnerability management
  • Manage and protect all devices
  • Secure configurations of on-premises and cloud resources and workloads
  • Ensure backups are in place for worst-case recovery scenarios

  2. Rise in increasingly complex supply chain risks

The global supply chain is also a top-of-mind concern for CISOs, as many have been forced to expand their security perimeter outside of the security organization and IT. This focus makes sense given the 650% increase in supply-chain attacks from 2020 to 2021.[3]

As security leaders continue outsourcing apps, infrastructure, and human capital, they’re also searching for more effective frameworks and tools to evaluate and mitigate their risk across suppliers. Traditional vetting methods can help reduce risk when choosing a new vendor, but they aren’t foolproof. Security teams also need a way to enforce compliance and mitigate risk in real-time, not just during the selection process or a point-in-time review cycle.

One effective method for decreasing the impact of major supply-chain attacks and improving the overall efficiency of supply-chain operations is Zero Trust. Many security leaders rely on Zero Trust principles to protect their supply chains and strengthen their cyber hygiene foundation. First, they start by verifying explicitly. This simply refers to examining all pertinent aspects of access requests instead of assuming trust based on weak assurances like network location. For example, attackers typically weaken the supply chain by exploiting gaps in explicit verification. They might target a highly-privileged vendor account that isn’t protected with MFA or inject malicious code into a trusted application. Through Zero Trust, security teams can strengthen their verification methods and extend security policy requirements to third-party users.

The next principle of Zero Trust is to use least privileged access. This helps ensure that permissions are only granted to meet specific business goals from the appropriate environment and on appropriate devices. It also helps limit how much any compromised resource — whether user, endpoint, app, or network — can access others in the environment. It’s critical for cybersecurity teams to continuously evaluate any access requests or policies within their organization’s supply chain to minimize contact with critical systems and resources.

Finally, security leaders should assume breach. Rather than reducing the likelihood of an attack, assuming breach means that organizations can quickly detect and respond to threats by building processes and systems as if the breach has already occurred. They can use redundant security mechanisms, collect system telemetry, use it to detect anomalies, and connect that insight to automation aimed at prevention, response, and remediation in near real time.

  3. Creative organizational security despite talent shortage

Finally, CISOs are focused on finding and retaining top talent as a result of the industry’s workforce shortage. This is partially due to the “Great Resignation” that has left many teams (including security) understaffed. In fact, according to Cybersecurity Ventures, the number of unfilled cybersecurity jobs grew by 350%, from one million positions in 2013 to 3.5 million in 2021.[4] However, there’s also a push to make security everyone’s job — regardless of their position within the organization or their level of knowledge about cybersecurity best practices. In adopting this mindset, security leaders have been able to take a more innovative approach to keeping their organizations safe in the midst of talent and skill shortages.

To start, development teams, system administrators, and even end-users should be familiar with the security policies that are relevant to them. Likewise, some CISOs have said they are “deputizing” employees outside of the security team by boosting and enhancing end-user knowledge of security threats. Employees and end-users alike should know how to recognize common phishing techniques and the signs of more subtle cyber attacks. IT teams should also be kept in the loop and briefed on current security strategies. Focusing on automation and other proactive workflow and task management strategies is another easy way for CISOs to maximize their impact.

These three trends are only the tip of the iceberg when talking about where CISOs are prioritizing responsibilities; however, they paint a solid picture of the main concerns on their mind in today’s modern threat landscape. This is a great opportunity for organizations to reset and take a look at what they are prioritizing to determine if they are properly protected.

For more information on the latest cybersecurity threat trends, download the full CISO Insider report and explore our full library of security resources.

[1] https://www.fortinet.com/content/dam/fortinet/assets/reports/report-ransomware-survery.pdf

[2] Source: 2021 Microsoft research study of CISOs

[3] https://blog.sonatype.com/2021-state-of-the-software-supply-chain

[4] https://cybersecurityventures.com/jobs/

Copyright © 2022 IDG Communications, Inc.