As company digital transformation plans progress, the role of the Chief Information Security Officer (CISO) is becoming ever more challenging. PwC’s latest Global Digital Trust Insights Survey shows that today’s cyber risks are too big for CISOs to handle alone, and 46% of CEOs surveyed are backing CISOs to drive collaboration on security in the coming year.
On their growing to-do list, CISOs must conduct risk and resilience assessments, define a cyber strategy, and find ways to comply with ever-changing industry and country regulations. Many of these tasks depend on data held across the company, data that in many cases IT already has access to. Because of this, CIOs and their IT teams are in a strong position to help.
Factors impacting the role of the CISO
1) A growing reliance on digital technologies
As companies invest more in digitalization, the IT environment is becoming more complex, distributed across a hybrid mix of on-prem and public cloud. With the attack surface growing, CISOs must understand and assess the following risks:
- IT estate vulnerabilities: To mitigate security risks, the organization must have complete, up-to-date information about all IT assets: the hardware, what is running on it, where it is located, who is using it, and for what purpose. Are devices and applications updated and patched on a timely basis? Without a robust IT asset lifecycle management (ITALM) policy in place, mistakes can happen that put company and customer data at risk. In one case, a lack of security checks at a data center owned by German software vendor SAP led to the theft of four SSDs, one of which later appeared on eBay. In another well-documented case, a mistake by an IT asset disposition (ITAD) vendor meant that data-bearing equipment wasn't wiped and customer information was exposed, leading to a $35 million penalty for Morgan Stanley.
- New technologies: How are ITAM and cybersecurity practices being extended to new technologies outside the traditional IT domain? What third-party systems and applications are being introduced and how are they connected to the existing infrastructure? If a cyber attacker gains access through them, can they also access financial data or impact critical systems?
- The impact of shadow IT: Given the reliance on cloud and user-owned devices, it is now easier for departments and individuals to purchase and use applications without going through formal channels. CISOs must understand whether and how shadow IT is being discovered and managed within the company, the risks it poses, the policy in place for software purchasing, and whether users are aware of that policy.
The PwC survey found that companies were most concerned about cloud-related threats (47%) and attacks on connected devices (42%) over the next 12 months, making it vital to understand where and how everything is connected to secure the environment.
2) Growing attack threat
Ongoing geopolitical uncertainty increases the threat of attacks, so how vulnerable is your organization? Cyber factors are woven through the Department of Homeland Security (DHS) Security Report for 2024, with threats to critical infrastructure predicted to continue over the coming year. Since PwC's 2023 survey, the healthcare industry has been the most impacted. The global average cost of a damaging cyberattack was found to be $4.4 million, but the healthcare average was 25% higher, and 47% of healthcare organizations reported a breach costing $1 million or more. The next most impacted industries were tech, media and telecom; financial services; and energy and utilities.
PwC also noted a growing threat from generative AI (GenAI), with 52% of respondents expecting GenAI to lead to catastrophic cyberattacks in the next 12 months. GenAI and social engineering are being used in sophisticated phishing attempts targeting employees and third-party vendors. It is vital to run an ongoing user education program that highlights emerging techniques, and to check, where relevant, whether third parties are doing the same. One cyber-attack group reportedly bragged that it took 10 minutes to infiltrate MGM Resorts' systems by identifying an employee through LinkedIn and duping an employee at a third-party vendor.
Companies can reduce the risk of breaches caused by human error by moving towards a zero-trust model. Earlier this year, Gartner noted that zero trust is a critical strategy for most organizations, but that few had completed implementation. Gartner predicts that by 2026, 10% of large enterprises will have a mature and measurable zero-trust program in place, up from 1% today.
3) Regulatory impacts
As technology and cybercrime evolve, so do regulations. Many heavily regulated industries have long had restrictions on where data may be placed; timely reporting is now being highlighted as well. Earlier this year the SEC announced new cybersecurity reporting rules that require public companies to disclose any 'material' cybersecurity incident within four business days of determining that it is material.
Observability and monitoring tools are key to preventing cyberattacks from going unnoticed. In one T-Mobile breach, an attacker gained access through an API at the end of November 2022, but this went undetected until the beginning of January 2023 and impacted 37 million accounts.
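The T-Mobile case above is an instance of bulk enumeration through an API that no monitoring caught for weeks. The following is an added example (not code from the article, PwC or ReadyWorks) of the kind of detection logic a monitoring pipeline could run over API access logs: it flags any client that touches more than a threshold of distinct account IDs within a sliding time window. The log format, the client identifiers, the five-minute window and the threshold are all assumptions, and the log lines are constructed for the example.

```python
"""Cardinality-based detection of account enumeration through an API.

Added example. Log format, thresholds and identifiers are assumptions;
the sample lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: one client walks sequential account IDs,
# another behaves like a normal mobile app revisiting its own account.
SAMPLE_LOG = """\
2022-11-25T10:00:01Z client=app-7f3 GET /v1/accounts/100001/profile
2022-11-25T10:00:02Z client=app-7f3 GET /v1/accounts/100002/profile
2022-11-25T10:00:02Z client=app-7f3 GET /v1/accounts/100003/profile
2022-11-25T10:00:03Z client=app-7f3 GET /v1/accounts/100004/profile
2022-11-25T10:00:03Z client=app-7f3 GET /v1/accounts/100005/profile
2022-11-25T10:00:04Z client=app-7f3 GET /v1/accounts/100006/profile
2022-11-25T10:00:05Z client=mobile-12 GET /v1/accounts/200100/profile
2022-11-25T10:00:09Z client=mobile-12 GET /v1/accounts/200100/billing
2022-11-25T10:30:00Z client=mobile-12 GET /v1/accounts/200100/profile
"""

# Hypothetical line format: ISO timestamp, client id, method, account path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) "
    r"/v1/accounts/(?P<account>\d+)/\S+$"
)


def parse_line(line):
    """Return (timestamp, client, account) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["client"], m["account"]


def find_enumerating_clients(log_text, window=timedelta(minutes=5), max_distinct=5):
    """Map each suspicious client to the largest number of distinct account IDs
    it accessed inside any `window`-long span. Clients that never exceed
    `max_distinct` distinct accounts in a window are not returned."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, client, account = rec
            per_client[client].append((ts, account))

    flagged = {}
    for client, events in per_client.items():
        events.sort()  # order by timestamp so the sliding window is valid
        start = 0
        for end in range(len(events)):
            # Advance the window start until it is within `window` of the newest event.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {acct for _, acct in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for client, count in find_enumerating_clients(SAMPLE_LOG).items():
        print(f"ALERT client={client} distinct_accounts_in_window={count}")
```

Counting distinct account IDs per client rather than raw request volume is deliberate: a legitimate app can make many requests against one account, while a scraper's signature is breadth across accounts. In production the threshold would be set from a baseline of normal per-client behaviour, and the alert would feed the incident process rather than a print statement.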
For many it's not if, but when, your organization will be attacked, so a resilience assessment is vital: understanding the dependencies between systems and their vulnerabilities, and identifying how well your own organization's critical infrastructure and financial data are protected. In the EU, the Digital Operational Resilience Act has put in place requirements for companies in the financial sector to ensure they remain operational if an attack occurs.
Collaborating to manage risk
With so much at stake, IT can help CISOs manage activities by:
- Providing access to a complete, always up-to-date asset inventory, with reports on operating systems and patch status as well as on historical issues, to identify vulnerabilities and develop risk assessments.
- Helping deliver an ongoing employee education program, explaining zero trust and software purchasing policies and the latest techniques being used by attackers.
- Assisting with the implementation of zero trust using methods such as introducing observability and monitoring technology for incident detection, identifying user profiles, and defining standard packages of access permissions.
- Maintaining the cadence of endpoint updates and patches across the entire estate, and introducing multi-factor authentication.
- Collaborating to define a process for incident reporting, to remain compliant with all relevant regulatory and country requirements.
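The asset inventory and patch-status reporting in the first bullet, and the shadow IT discovery question raised earlier, come down to one reconciliation: what IT believes it manages versus what is actually on the network. The following is an added example (not code from the article or ReadyWorks) of that reconciliation over constructed data. The record fields, host names, the 30-day patch-age threshold and the reference date are assumptions.

```python
"""Reconcile a CMDB asset inventory against network discovery results.

Added example; all records are constructed and the field names,
threshold and date are assumptions, not any product's schema.
"""
from datetime import date, timedelta

# Constructed inventory: what IT believes it manages (hypothetical CMDB rows).
INVENTORY = [
    {"host": "web-01", "owner": "platform", "os": "Ubuntu 22.04", "last_patched": "2024-02-20"},
    {"host": "db-01", "owner": "data", "os": "RHEL 9", "last_patched": "2023-11-05"},
    {"host": "old-fs", "owner": "finance", "os": "Windows 2012", "last_patched": "2023-06-01"},
]

# Constructed discovery results: host names seen by a network scan.
# Duplicates are normal when a host answers on more than one interface.
DISCOVERED = ["web-01", "db-01", "nas-marketing", "web-01"]


def reconcile(inventory, discovered, today, max_patch_age=timedelta(days=30)):
    """Compare inventory with discovery and return three sorted lists:
    unmanaged  - seen on the network but absent from the inventory (shadow IT);
    stale_patch - inventoried hosts whose last patch is older than max_patch_age;
    not_seen   - inventoried hosts the scan did not find (stale inventory or offline)."""
    known = {rec["host"] for rec in inventory}
    seen = set(discovered)

    stale_patch = []
    for rec in inventory:
        patched = date.fromisoformat(rec["last_patched"])
        if today - patched > max_patch_age:
            stale_patch.append(rec["host"])

    return {
        "unmanaged": sorted(seen - known),
        "stale_patch": sorted(stale_patch),
        "not_seen": sorted(known - seen),
    }


def risk_report(inventory, discovered, today):
    """Attach the owner to each finding so the report can be routed, returning
    (host, owner, finding) tuples; unmanaged hosts have no owner yet."""
    owners = {rec["host"]: rec["owner"] for rec in inventory}
    result = reconcile(inventory, discovered, today)
    rows = []
    for finding, hosts in result.items():
        for host in hosts:
            rows.append((host, owners.get(host, "unknown"), finding))
    return sorted(rows)


if __name__ == "__main__":
    for host, owner, finding in risk_report(INVENTORY, DISCOVERED, date(2024, 3, 1)):
        print(f"{host:15} owner={owner:10} {finding}")
```

The three buckets map onto the three questions the text raises: unmanaged hosts are the shadow IT to chase down, stale patches are the vulnerability backlog, and hosts the scan cannot find are inventory records that can no longer be trusted. In practice the inventory and discovery inputs would come from the CMDB and the scanner's export rather than inline lists.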
Become ‘Stewards of Digital Trust’
Of the 3,876 business and tech executives surveyed by PwC, just 179 respondents were consistently following standard practices of cyber defense. PwC calls them “stewards of digital trust” and finds they are experiencing fewer breaches. And when they are impacted, attacks aren’t as costly. Managing risk is made easier through streamlined security solutions and they have greater confidence as they introduce new technologies to the business.
Budgets for 2024 will be spent on modernizing cybersecurity infrastructure (49%) and optimizing current technologies and investments (45%) as the highest priorities. The barriers to becoming stewards of digital trust are not financial or tool-related, as PwC found that respondents aren't slowing down spending on cybersecurity. The struggle is in understanding how companies can reap the benefits of their investments. PwC suggests asking whether the IT architecture is too complex to protect, and whether that complexity is making it easier for attackers to find gaps in the defenses.
Of course, IT architecture is complex, and applying manual processes to identify and resolve issues is not going to work. Pulling together asset inventories and gathering data on historical issues for risk assessments takes time, and there is no way to manage this manually in a dynamic environment. Cybersecurity asset management cannot be controlled using a spreadsheet or a single database.
Applying intelligent automation to cybersecurity
For IT to assist CISOs with their objectives, they must leverage data intelligence combined with business process automation. That can be done through the application of a digital platform conductor (DPC), a tool now highlighted in six Gartner hype cycles as transformational.
Using a digital platform conductor IT can:
- Automate data integration and analysis, taking data from all relevant sources to deliver an accurate, real-time picture of the entire technology estate that can be viewed from any angle for risk assessments, decision-making, and reporting.
- Automate end-user communications to streamline education programs.
- Automate IT change programs such as system updates, patching, asset refresh, and more to reduce the burden on IT and maintain security and compliance.
- Enrich data gained from observability and monitoring.
- Provide analysis of historical incidents.
- Define user profiles and access privileges for zero-trust implementations.
- Automate workflows using pre-defined triggers to comply with internal and external security requirements.
- Better leverage the capabilities of all existing and future technology investments.
Using a DPC, IT and CISOs will be better informed about the environment and can make intelligent decisions, act faster on issues, and reduce the risk and implications of cyberattacks.
Book a demo with ReadyWorks to understand how a DPC can facilitate greater collaboration between CISOs and CIOs and streamline the implementation of a robust cybersecurity strategy.