To say the past 18 months have been challenging for the Chief Information Security Officer (CISO) is something of an understatement. What started as a need to rapidly deploy and secure mass remote environments quickly evolved to mean supporting these environments in the long-term, not just for the company, but for and against the risks of the broader connected ecosystem.
At the same time, and at least partly as a result, this increasingly vast digital ecosystem faced a barrage of cyberattacks, both old and new, according to a study conducted by Proofpoint.
To make matters worse, cyber threats are not just increasing in number. The scale and scope of damage caused by these attacks has grown ever larger too. The SolarWinds, Microsoft Exchange and Colonial Pipeline attacks are just some of those to have recently highlighted the issue of systemic risk.
Once, such an attack may have led to downtime and loss for only the organization. Today, it can cast a much wider net. Disruption to one component in one organization can lead to breakdown, loss and interruption to numerous systems and services, potentially impacting the lives of millions of people.
All of these events have served to elevate the profile of the CISO. Once perceived as a more technical discipline, many are now realizing the role's importance in driving and enabling business strategy.
This changing role has brought added pressure — some believe too much. Over half (57%) of CISOs worldwide believe that the expectations of their superiors and colleagues are excessive.
Whether expectations are unrealistic or not, one thing is clear. The CISO now has a leadership voice. And they must use it to instill confidence at the highest levels of the organization, as the foremost executive on the front lines against the threat of systemic risk, reframing cybersecurity from a focus on protecting our organizations to one that enables them to thrive into the digital future.
The sprawling consequences of systemic risk
Systemic risk may be a familiar concept to some, but the complexity of today’s digital systems is introducing new systemic risks that are presenting unfamiliar threats to everyone.
Perhaps nothing exemplifies the scale of the task like the SolarWinds attack. It began with hackers adding malicious code to the company's software system. This was then unwittingly sent to SolarWinds' clients in the form of an update — clients that included numerous Fortune 500 companies and several U.S. Government departments, Homeland Security and the Treasury among them.
It ended with a full-scale international incident and sanctions imposed on the Russian government by the Biden administration.
Of course, no CISO wants to be at the heart of a diplomatic incident, but that is perhaps not the most pressing concern here. The New York State Department of Financial Services referenced the SolarWinds attack in its Cyber Insurance Risk Framework, noting that insurers must account for the systemic risk that occurs "…when a widespread cyber incident damages many insureds at the same time."
Insurers can pass some of that exposure back to their insureds, either through increased premiums or policy exclusions. But the foundational issue of understanding the economic impacts of these risks and effectively mitigating them still needs to be addressed, as most companies are largely self-insured for these losses.
And it's far from the only cause for concern. Government bodies and officials are increasingly pointing the finger at the boardroom, potentially opening the door for greater litigation and increased fines, as well as highlighting the need for cybersecurity governance oversight at the board level.
In December 2020, Chief Justice of the Delaware Supreme Court Collins Seitz Jr. said that boards needed to "demonstrate credibly that they are thinking proactively about systemic risk." In Europe, fines for such breaches can reach the hundreds of millions. That's along with the significant negative impact on shareholder value that usually follows such penalties.
With the stakes this high, CISOs must use their increasing influence in the boardroom to ensure the C-suite is aware of the potential impact of systemic cyber risk, the areas of the organization most vulnerable to it and the tools and resources required to protect against it.
Making the business case for defense in depth
The elevated role of the CISO may invite greater pressure. But it also means that there has never been a better time to make the business case for greater investment in cybersecurity. Or, perhaps more importantly, to dictate precisely where that investment is focused.
We know that people are the biggest cyber risk to most organizations, with over 90% of successful cyberattacks requiring some form of human interaction. And we also know that security awareness training can reduce susceptibility to common threats such as phishing.
But despite this, little cybersecurity spending is focused in this area. Network and endpoint protections account for over 70% of cyber defense spending, with email protection and security awareness training making up just 10% and 2%, respectively.
This needs to change. People are at the heart of successful cyberattacks, and they must be at the heart of our defenses too. These defenses need to be viewed as a system in and of themselves.
Ongoing, adaptive and in-depth awareness training is just one part of an effective cyber defense. Cybersecurity teams must also implement clear best practice policies covering password hygiene, bring your own device (BYOD), unauthorized applications and more. They must have tools in place to monitor networks and data, detect and deter advanced threats and automate threat response to limit collateral damage caused by delays.
It is up to the CISO to communicate the importance of such a deep and broad defense and how the consequences of failing to implement one will likely stretch far beyond the boardroom.