By: Paul Baird
To operate successfully, companies need reliable, trustworthy, and secure IT to support their processes. For many years, IT was perceived to be necessary as a cost of doing business rather than a means of enabling the business in the first place. This attitude has changed, and today IT is inseparable from how businesses operate. In its State of Cybersecurity Resilience 2023 report, Accenture found that organizations that closely align their cybersecurity programs to business objectives are 18 percent more likely to increase their ability to drive revenue growth. Similarly, Deloitte’s 2023 Global Future of Cyber Survey report found that 56 percent of business leaders ranked greater efficiency as the biggest impact of cyber security investment, closely followed by detecting problems sooner at 55 percent.
At the same time, investments in IT security have grown. International Data Corporationpredicts that global spending on security will top $219 billion in 2023, a 12.1 percent increase over 2022. This is despite economic pressure that has slowed other areas of technology spending. Such spending is warranted, as the Business Continuity Institute’s Cyber Resilience Report 2023reported that 74 percent of organizations saw an increase in cyber attacks during the last year.
With so much emphasis on technology, and so much to lose if things go wrong, it is no surprise that IT security leaders are under the spotlight of the board. They want to know what risks exist, the potential business impact those risks pose, and how they are being managed or mitigated. More importantly, with so much funding being made available to security teams, boards want to know what specific actions are taking place right now, not in the future, to limit risk exposure.
For chief information security officers and other IT security leaders, increased attention comes with greater accountability as well. For example, the Securities and Exchange Commission filed Wells Notices against members of the leadership team at SolarWinds in relation to the cyber attack the company suffered, signaling it intends to file a civil enforcement action against the recipients for alleged violations of U.S. federal securities laws. This follows the case against Uber’s CISO, who was found guilty of misconduct relating to a data breach that occurred in 2016.
With all this in mind, it is essential to have a long-term view of your cyber security program in place in order to have any chance of staying ahead of threat actors. Getting business support for your cyber security program is a step in the right direction, but it should not be your end goal; once that backing is secured, attention needs to be focused on results that align with desired, previously agreed upon business outcomes.
The first step is prioritization. Within today’s complex digital environments, the many potential issues and challenges that can affect digital assets can make it harder to focus efforts to achieve maximum positive impact. Worse, this reality can be difficult to communicate to board members, who won’t want to delve into particular circumstances or challenges. They will want to focus on the biggest risks that might affect the organization and what is being done to mitigate them.
Prioritization of security issues has been a challenge for many years, but can offer the biggest opportunity to counter security risks at the source. For example, in our TotalCloud Security Insights 2023report, we found that many cloud security deployments were failing to implement standard security best practices. The average failure rate for AWS deployments around Center for Internet Security benchmarks was 34 percent, rising to 57 percent for Microsoft Azure and 60 percent for Google Cloud Platform. Best practices can effectively eliminate whole swathes of potential threats, but time and resources are required to implement them. By looking at the bigger picture, best practices can be used to mitigate whole areas of tactics, techniques and procedures (TTPs) that threat actors commonly employ.
Similarly, we can look at the issues that represent specific threats to our organizations. In our TruRisk Research Report for 2023, we found that 25,228 known vulnerabilities were discovered over twelve months. This is a huge number of issues to consider. Yet only 159 of these issues were actually weaponized with exploit code, and only 93 were actually exploited by malware. Similarly, 539 issues from previous years were exploited by threat actors, and 118 were more than three years old.
What does this tell us? First, security issues can be difficult to fix. The reasons why security fixes don’t get implemented are: a lack of awareness that vulnerabilities exist within the organization’s infrastructure, or the concern that making a change would break other applications and systems. Understanding these risks and managing them effectively is a bigger issue than simply looking at numbers of potential vulnerabilities that must be managed, so providing the right context to your board over time is essential.
Second, not all issues are created equal. What represents a serious or business-critical risk to your organization may not be a risk at all to another company. Business risks are organic, changing in severity over time due to internal and external factors. For instance, a security flaw that is nothing to worry about on its own can become critical if it can be used as part of an automated attack chain involving other vulnerabilities. Synthesizing all this data, understanding it in context, and applying prioritization to risks over time should help you manage security, remediation, and