Today’s organizations face a complex cybersecurity landscape, with hybrid networks pummeled by ever-morphing threats. The first chapter of this year is peppered with high-profile data breaches at T-Mobile, MailChimp, PayPal, and Chick-fil-A. Global geopolitical instability increases the risk of cyber threats. Experts at the World Economic Forum’s recent annual meeting warned of a “gathering cyber storm.”
In a complex climate, organizations benefit from strong security leadership at the helm with the vision to build and maintain a robust security program while optimizing available resources. But resource constraints and economic uncertainty can dissuade midmarket organizations from filling a permanent chief information security officer (CISO) role.
The services of a virtual CISO (vCISO) benefit companies that aren’t ready to commit to a full-time CISO but still need an “on-demand” advisor on a contract basis. Converge Cybersecurity experts share their thoughts on organizations’ top security concerns this year and how vCISO services can help address these concerns and mitigate risks.
(1) Cloud concerns
The rush to the cloud over the past few years has been transformational for organizations. But as cloud usage increases across the board, attackers focus more of their attention there. And, while there are a few known breaches of actual cloud infrastructure, errors and oversights on the part of organizations using the cloud are common and lead to an overwhelming number of breaches.
“With the move to the cloud comes a lot of inherent risk that I think a lot of organizations are unprepared for these days, in terms of knowing how to configure their different cloud environments correctly, knowing which tools they have integrated, and who has access,” says Niko Zivanovich, cybersecurity enterprise architect at Converge Cybersecurity.
Misconfiguration is the number one cause of cloud-security-related incidents, with mistakes such as overly permissive access, unrestricted ports, or publicly accessible storage buckets leaving cloud environments open to unauthorized access. The complexity of multicloud environments increases the attack surface, making it challenging to keep track of the tools integrated into the cloud environment. The cloud also doesn’t offer the visibility available in an on-premises data center, making it more difficult for organizations to detect attackers.
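To make the three misconfiguration classes named above concrete, here is an added example (not part of the original article or any Converge tooling) that audits constructed, AWS-style resource descriptions for public bucket policies, internet-exposed ports, and wildcard IAM grants; the resource names and policy contents are invented sample data.

```python
from ipaddress import ip_network

# Constructed sample resources in an AWS-like JSON shape (not a real account export).
SAMPLE_RESOURCES = {
    "bucket_policies": {
        "public-logs": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]},
        "private-data": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"}}]},
    },
    "security_groups": {
        "sg-web": [{"FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}],
        "sg-db": [{"FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}],
        "sg-internal": [{"FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}],
    },
    "iam_policies": {
        "admin-all": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "list-only": {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]},
    },
}

def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]

def _is_wildcard_principal(principal):
    # A bare "*" or {"AWS": "*"} grants access to anyone, authenticated or not.
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")

def public_buckets(bucket_policies):
    """Buckets whose policy contains an Allow statement open to any principal."""
    return sorted(name for name, pol in bucket_policies.items()
                  if any(s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))
                         for s in _statements(pol)))

def unrestricted_ports(security_groups, public_ok=frozenset({80, 443})):
    """Ingress rules reachable from the whole internet on anything but the expected web ports."""
    findings = []
    for name, rules in security_groups.items():
        for r in rules:
            world = ip_network(r["CidrIp"]).prefixlen == 0  # 0.0.0.0/0 or ::/0
            ports = set(range(r["FromPort"], r["ToPort"] + 1))
            if world and not ports <= public_ok:
                findings.append((name, r["FromPort"], r["ToPort"]))
    return findings

def overly_permissive_policies(iam_policies):
    """Policies that allow every action on every resource."""
    return sorted(name for name, pol in iam_policies.items()
                  if any(s.get("Effect") == "Allow" and s.get("Action") == "*" and s.get("Resource") == "*"
                         for s in _statements(pol)))

def audit(resources):
    return {"public_buckets": public_buckets(resources["bucket_policies"]),
            "unrestricted_ports": unrestricted_ports(resources["security_groups"]),
            "overly_permissive_policies": overly_permissive_policies(resources["iam_policies"])}
```

Running `audit(SAMPLE_RESOURCES)` flags the public bucket, the database group open to the world on every port, and the wildcard admin policy, while the deliberately correct entries pass.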
A recent Sophos study shows that throughout the previous year, 56% of organizations using IaaS experienced an increase in the volume of attacks, and 59% saw an increase in attack complexity. These attacks show no sign of slowing down in 2023.
“From a vCISO perspective, addressing these cloud concerns ties back to the security control reviews that we perform,” Zivanovich says. “That means helping you understand what data you have in the cloud, what cloud environments you are in, and how advanced your organization’s cloud is, security-wise.”
A Converge vCISO can spearhead a cloud security assessment effort, working with Converge cloud experts and pen testers to prioritize issues and then building a roadmap to alleviate them, Zivanovich says.
(2) Compliance and regulation
Organizations face increasing compliance requirements stipulating a more comprehensive approach to security. Five US states adopted new data privacy laws that are enforceable in 2023, and nearly 40 other states are considering or have recently introduced cybersecurity-related bills.
Standards are continually updated to keep pace with the threat landscape and technology evolutions. For example, a new version of the PCI DSS becomes effective in 2024 and includes 63 new requirements covering a large swath of security topics. The new mandates that organizations must implement with version 4.0 include extended MFA, stricter password requirements, privileged account management, continuous monitoring, and new controls to protect against e-commerce attacks.
At the same time, organizations that commit violations of data privacy regulations are encountering steeper fines. Australia recently raised its penalty for companies that suffer serious data breaches from AU$2.2 million to a maximum of AU$50 million. Of the top ten fines handed down for data protection violations, most were incurred within the past two years, ranging from $41 million to a staggering $1.2 billion.
Anton Abaya, professional services manager, GRC and cloud at Converge, says data privacy regulations are top-of-mind for organizations he works with and that a vCISO can lay out a plan to help address regulatory and compliance risks.
“Most organizations don’t have a good handle on what data they’re storing and processing,” says Abaya. “First, it’s understanding what data they have and classifying it. Next, it’s figuring out which jurisdictions the organization operates in and which standards and regulations it is subject to. Third is figuring out how to follow those requirements—identifying the tools and processes that can facilitate the protection of the data we’ve identified.”
(3) Staffing challenges
In a world where cybersecurity experts are in high demand and expensive to hire, staffing is a major concern for security leaders. More than 60% of companies have unfilled cybersecurity positions and understaffed teams, according to ISACA. Companies also face challenges with retention—a third of surveyed cyber professionals are reportedly considering leaving their job within the next two years due to stress and burnout.
Many organizations seek outside help to mitigate these challenges. According to NewtonX, 56% of organizations are now outsourcing up to a quarter of their cybersecurity staff to managed service providers or third-party staff augmentation providers.
Zivanovich says organizations often lack a thorough understanding of how to best solve their staffing needs and how to best employ managed services and automation using their available budget resources. These are areas that a vCISO’s expertise can tackle.
“We help organizations understand, based on their budget, how many security personnel they can dedicate to security functions,” Zivanovich says. “What is their business specialty? What drives their revenue? What do you need in-house in terms of those specialties from the security side? These are questions that organizations should get to the bottom of in 2023 to be sure their cybersecurity addresses their business needs.”
(4) Ransomware and emerging AI threats
Ransomware has loomed large in security leaders’ minds, and 2023 will be no different. The Ransomware-as-a-Service model continues to allow threat actors to scale their operations and execute attacks with readymade tools. Gartner analysts predict that human-operated ransomware will become an even bigger threat in 2023.
“We are seeing a lot of clients who are very worried about ransomware and about making sure they have backups that are protected from ransomware,” says Chris Bullock, senior consultant, vCISO, at Converge Cybersecurity.
In one positive sign, a new study by Chainalysis shows that ransomware profits dropped roughly 40% in 2022. According to the report, attacks have not necessarily decreased, but more victim organizations refuse to pay. Threat actors still raked in a hefty $457 million at least, showing that ransomware remains highly lucrative.
The reality is that any threat to the ransomware business model leads threat actors to adapt and turn to other means of online exploitation. The recent unveiling of the ChatGPT AI chatbot adds to their options, creating a plethora of opportunities for misuse by cyber threat actors. If the bot can be used to compose essays, generate code, and explain how something works, it can certainly be used to write malware, generate phishing emails, or provide a tutorial on how to hack websites.
A vCISO can help organizations better address ransomware, malware, and other threats by devising and implementing strategies to strengthen the comprehensive security posture, starting with a ransomware readiness assessment. Organizations need procedures and tools to perform proper backups, update tools, and patch security holes. A vCISO’s expertise can also help coordinate strong incident response plans. In cases when an attack has already happened, a vCISO can provide crucial leadership to help the organization respond and recover.
(5) What to do with risk
Risk is everywhere in cybersecurity—in systems, data, applications, people, third-party suppliers, the digital supply chain, and so on. A major question security leaders grapple with is how to address this risk.
Organizations commonly choose to transfer the risk to a cyber insurance provider—but in 2023, this has become a less viable option, says Zivanovich.
“Fewer cyber insurance carriers nowadays are playing ball,” says Zivanovich. “They are getting out of the cyber insurance industry, and the ones staying in are making it impossibly hard to meet their requirements to qualify for coverage, let alone pay out for claims.”
A vCISO can help organizations decide if they should invest in cyber insurance and try to meet the insurer’s requirements or do their own business impact analysis to understand their organization’s particular risk and then spend the money accordingly.
An organization’s board is ultimately liable when a breach occurs, but effectively reporting the current state of the information security program can be challenging. A vCISO can assist with the language and information the board will find helpful and compelling.
“You have to do something with the risk. You can’t ignore it,” Bullock says. “Helping organizations understand the risks that are unique to their organization, helping them with a risk registry, and then risk reduction or compensating controls is something that’s a big part of what a vCISO service can help with.”