Board CISO & CSO CEO & MD

W-INSIGHTS, Topics on the agenda for CISOs in 2022.

Issues on the agenda for CISOs in 2022

If you're responsible for cybersecurity, you're probably getting a lot of attention from all corners of the organisation these days, as cybersecurity is now much more than just a budget discussion for most organisations. With digital transformation, the rise of remote working, escalating geopolitical challenges and the simultaneous increase in cyber-attacks, it is clear that adequate cybersecurity is the foundation of any successful business.

According to a Gartner¹ survey , 64% of board members say they will significantly change the economic structure of the company to focus more on digitalisation. However, 88% also say that cybersecurity is a risk to the business. Especially in 2021, the number of ransomware incidents, supply chain attacks and phishing emails will increase dramatically, and the space for cyberattacks is expanding with developments such as remote working. As a result, CISOs will need to raise awareness of the importance of cybersecurity across the organisation and align it with business activities and objectives, especially in 2022.

Executives INSIGHTS / CISO Thought Leadership Circle

Q_PERIOR, Armando Chiodi, Partner Cybersecurity Consulting & CISO

In today's world, security is rightly increasingly perceived as an essential attribute of digitised processes and businesses. In some organisations, security is still seen as an outsider and an additional cost. Companies that are more aware of current cyber threats are much more advanced and accept security as an essential part of the business model. The latter, with their holistic and integrated approach, find it much easier to attract experts as employees. This is a highly competitive market and candidates also need to be convinced of a security culture where their contribution is valued.

CymbiQ, Marco Marchesi, Founder & Chairman

We see strong demand for Managed Security Services in many areas of cyber security, particularly in the SOC and CSIRT sectors. The increase is probably due to the difficulty in finding specialist staff. However, awareness at executive and board level has also increased significantly due to numerous media reports.
We expect ransomware attacks to increase again in the second half of the year as the cybercrime industry recoups losses from the war in Ukraine.

Bystronic, Simon Schlumpf, Chief Information and Security Officer / CISO

Companies that have not yet addressed the issue often do not know what profile they really need to strengthen their cybersecurity. But once they do, the difficult search begins: there is a shortage of cybersecurity talent in the market.

Omicron, Thomas Schneider, Chief Business Officer, CBO

Companies with a porous security apparatus and no clear risk and incident strategy will inevitably be confronted by cybercriminals who dictate their criminal business model professionally and according to all the criteria of the market economy. The higher a company's barriers to protect business-critical information, and the more regularly and measurably they are reviewed, the greater the chance that criminals will not simply force a company into the role of victim.
Skilled IT security professionals and day-to-day security practices, such as a modern zero trust policy, play a crucial role. Our customers are often faced with the question of whether the internal IT department can build up this expertise and maintain the appropriate level of IT cybersecurity, or whether an external service provider should take over some or all of this work.

NOMANO, Dr. Henrik Czurda, Managing Partner & former SIX Executive Director

Be paranoid, don't trust the surface. There is no such thing as absolute security; you should at least be better than the most unpleasant threat that you cannot economically absorb. IT security is complex and the cyber threat can be really dangerous. It's about money (ransomware) and power (Trojans that can shut down entire power plants and turbines - like Stuxnet in Iran). It's not about good people; you need the best.
Because even cyber terrorists are learning fast and developing their tools in the direction of big data and, above all, AI.

Talk to us about your 2023 security roadmap.

Current cyber threats to watch out for

Ransomware

Ransomware attacks in 2021 (e.g., JBS and Colonial Pipeline) demonstrated the significant financial gains hackers can make with a single attack. As a result, we can expect a wave of copycat attacks in 2022.
Ransomware is the fastest growing attack strategy, where malware is used to deny a user or organisation access to their computer's files. By encrypting these files and demanding a ransom for the decryption key, cyber attackers put organisations in a situation where paying the ransom is the easiest and cheapest way to regain access to their files.

Supply chain attacks

According to a recent Survey² of 1,200 security professionals across a range of industries, over 90% of organisations have suffered a security breach due to vulnerabilities in their supply chain.

As the average company's ecosystem of suppliers grows, it's not surprising that cyber attacks on supply chains are also multiplying. As software stacks grow larger and software components become more interconnected, this year hackers will target key players in the supply chain that they can disable. As the saying goes, a (supply) chain is only as strong as its weakest link.

Phishing E-Mails

Phishing emails are by far the most common and successful way for attackers to gain access to personal data, and attackers are increasingly posing as legitimate third parties. According to a recent estimate by the World Economic Forum³, 70% of salespeople still fall for phishing emails.

While automated tools can help, it's important to embed cybersecurity awareness into the culture of the organisation. Fortunately, the number of successful phishing attacks drops by a factor of nine when a company conducts regular phishing email drills.

Remote working and digitalisation

In 2022, millions of organisations will continue to adopt remote or hybrid working, and traditional network and endpoint security measures may no longer be sufficient. Employees are now working over private Wi-Fi networks, using personal devices and often in unsupervised conditions, increasing the threat landscape for organisations.

Over the past year, CISOs have taken steps to address these security gaps, but securing remote working remains a significant challenge. Robust identity and access management (IAM) is coming to the fore as a necessity in an organisation's security infrastructure.

With the rise of remote working and general digitisation, organisations in almost every industry are struggling to secure their applications. In 2021, Silent Breach² found that 92% of web applications tested had serious or critical vulnerabilities. The attack surface for most organisations continues to grow rapidly, and CISOs must defend against cyber-attacks on multiple fronts: web, mobile, social, physical, wireless, cloud and more.

The vast majority of CISOs perceive the threat landscape to be larger than it was a year ago. 75 % report⁴, having suffered at least one cyber attack that caused material damage, with 65% blaming today's easily accessible IT landscape.

What's on the CISO's agenda in 2022?

CISOs should raise awareness of the importance of information security throughout the organisation and align it with business activities and objectives. However, only 12 % of CISOs¹ manage to address all the tasks and challenges at hand.

A strong Zero Trust policy and robust identity management will help turn the tide. Organisations report that implementing or enhancing a Zero Trust model is their top security priority this year. Nearly 79 % of CISOs surveyed say⁴they have already started implementing it, with a further 18% actively planning to do so.

At the same time, you need to improve the security of customer data by measuring the effectiveness of your security programmes. However, an organisation can never be 100% protected from cyber attacks, and as a CISO you need to explain why. An organisation must ensure that its critical assets and data are protected as much as possible. If the most critical assets are protected against the most likely threats, then you are on the safe side. Organisations should not waste money closing vulnerabilities that have no real impact.

To help organisations better understand their level of protection, CISOs also need to be able to quantify the risk of cyber-attacks in euros. This means working out how much it would cost to respond to and recover from a specific breach, and multiplying that by the likelihood of such a breach.

There are some measures you can start with, such as regular communication with executives outside the company's IT department, as everyone in the organisation has an impact on the effectiveness of security measures. Business decision-makers need to be informed about new security standards and technologies, and it's your job to make them aware of future risks. In addition, you should develop automation strategies that will speed up, simplify or even eliminate the response to cyber attacks.

The final, and perhaps most important, IT security measure is to expand or improve the skills of your team. Talent in this area is scarce and expensive, and while cyber managed services often fill the gaps, external partners can introduce new risks without careful oversight. Strengthening the skills of your cybersecurity team can give your organisation a competitive advantage.

#CyberSercurity #CISO