Understanding the weight on security leaders’ shoulders, and how to shift it
Article by Vectra.ai APJ director of security engineering, Chris Fisher.
Millions of dollars of government funding and internal budgets are being funnelled into cybersecurity to build resilience against sophisticated threats, indicating how serious this issue has become.
The latest Australian federal budget includes an almost $9.9 billion package to improve the country’s cybersecurity and intelligence capabilities. In New Zealand, Gartner finds that 73% of CIOs expect cybersecurity to be their biggest technology investment in 2022.
Meanwhile, the number of threats continues to skyrocket. In 2021, 8,831 incidents were reported to CERT NZ, a 13% increase on 2020. Individuals, small businesses and large organisations from all over New Zealand submitted incident reports. Across the ditch in Australia, over the 2020/21 financial year, the ACSC received more than 67,500 cybercrime reports, an increase of nearly 13% from the previous year.
When it comes to cybersecurity, threats have become more sophisticated and devastating to even large companies with sizable IT budgets. The commentary on the topic can be overwhelmingly negative and complicated.
In a bid to sift fact from fiction and provide actionable, tangible steps to creating a smarter security strategy, Vectra has released its A/NZ Security Leaders Research Report. This is part of a larger global study of 1,800 security decision-makers and focuses on uncovering how today’s organisations are tackling complex, modern cyber threats.
Uncovering the problems with security
According to Vectra research, the same digital transformation that is powering innovation has also dramatically expanded the attack surface. From the rapid proliferation of the cloud to the growing adoption of micro-services, DevOps and APIs, new pockets of opportunity are opening for cybercriminals to take advantage of.
To take an extreme example, in Australia, a report from the Australian Cyber Security Centre (ACSC) found that a quarter of cyber incidents reported to security officials within one year targeted critical infrastructure, leading to potentially significant disruption to essential services, lost revenue and the potential for harm or loss of life. The trend is mirrored in New Zealand, where the annual National Cyber Security Centre (NCSC) Threat Report recorded 404 incidents affecting nationally significant organisations in the 2020/21 year, a 15% increase on the previous year’s total.
Breaches today can disrupt operations, damage supply chains, destroy customer trust and open companies to regulatory fines. Often cyber-attacks cost companies a huge amount, to the point that they may not recover. In fact, in 2021, global data breach costs rose from $3.86 million to $4.24 million, and ransomware attacks resulting in stolen data and lengthy operational outages can end up costing many times that. Some companies have reported losses in the millions. This evidence alone reveals why cybersecurity is now a board-level issue.
Within this threat landscape, what has become abundantly clear is that the old ways of defending operations are no longer working. Whether through system exploitation, phishing, using stolen accounts, or bypassing multi-factor authentication (MFA), there’s always a way in, and once inside, attackers are masters at staying hidden. To adequately defend against threats, security leaders and teams must evolve.
Four key factors that will drive change
The Vectra report found that in Australia and New Zealand, the majority (85%) of respondents stated that they felt traditional approaches wouldn’t protect against modern threats, and only 40% were confident their security tools would protect them. More than half (58%) reported they’d purchased a security solution that failed at least once, 60% were worried their tools had missed something, and 57% felt it was possible or likely they’d been breached while being unaware of it.
These findings make it obvious that security leaders are thinking about security, are aware that they’re on the back foot, and are looking for a better approach. The report also uncovered four key changes that can benefit organisations within the cybersecurity space.
For a start, a shift in thinking is required. Often, culture and mindset are set aside in favour of a technology solution, but this isn’t good enough. Security leaders need to consider how to reorient their approach to threats, accept that attackers have the means to infiltrate even the most robust perimeters, and work out how to build a strong foundation. This starts at an employee level, first with the leaders within the organisation and then right down to the latest hire. A strong company culture with a security-first mindset will do a lot to build a strategy that works.
Part of this shift in thinking is understanding that a prevention-first approach will no longer be enough. Legacy tooling and legacy thinking are impediments in the new threat landscape. Even so, many organisations continue to over-invest in a doomed prevention strategy that fails silently, leaving them open to being breached. We must move to detection-over-prevention thinking and protect against attackers based on how they actually operate, rather than how we may think they operate.
Another key focus for security leaders is their relationship with C-suite management and the board. As the likelihood and cost of breaches increase, these key stakeholders are waking up to the risks posed by cyber-attacks, but they are not the experts. Security leaders need to find more effective ways to communicate risk, educate on how best to mitigate it, and get crucial buy-in for their strategies.
Finally, the report found that legislation and guidelines offer a useful starting point for businesses, with guidance and regulations helping to ensure businesses have a base security layer within their organisation. Even so, greater industry involvement and experience can help to make regulation more effective and offer a clearer understanding of the threat landscape, so leaders can move into implementing effective detection and response plans.
Finding a way forward
Genuine resilience begins with the right attitude. Many cybersecurity professionals understand that they simply can’t rely on legacy prevention-based tools any longer, nor can they rely on government advice and outdated input from boards.
By accepting this, CISOs can begin to create the right conditions for effective cyber risk management and stop breaches before they have a heavy impact. By doing so, organisations will be able to continue to evolve their culture and security strategy to protect against threats and win in their area of expertise.