CISO Insider: Issue 1

COVID-19 has required organizations to increase reliance on workplace flexibility and accelerate digital transformation—and these changes have naturally required some changes in security tactics as well. The perimeter has expanded and is increasingly hybrid, spanning multiple clouds and platforms. Although new technologies have been a boon to many organizations, enabling productivity and growth even in challenging times, the shifts have also presented an opportunity to cybercriminals, who work to exploit the vulnerabilities found in increasingly complex digital environments.

The uptick in remote work–related phishing attacks is top of mind for the security professionals I talk with—and we see that reflected in our research as well. In a Microsoft survey of security leaders conducted in 2020, 55 percent told us that their organizations had detected an increase in phishing attacks since the beginning of the pandemic and 88 percent said that phishing attacks had affected their organizations. I also hear regularly about spiking ransomware attacks, how malware remains a consistent threat, and how identity compromise continues to be a major challenge that plagues security teams.

Added to that, we know that nation-state attacks are increasingly aggressive and persistent. The NOBELIUM supply-chain attack, leveraging the SolarWinds platform, was one of many novel attacks that have made headlines in the last year. While flashy new techniques are what often capture the news cycles, CISOs consistently tell me that even these advanced threat actors, like most cybercriminals, tend to focus on low-cost, high-value attacks of opportunity.

To further illustrate this point, we’ve seen an uptick in nation-state attackers utilizing password spray attacks. Being a security leader is about managing risk and prioritizing—and many leaders tell me that strengthening their cyber hygiene to prevent the most common lines of attack, especially across their growing digital footprint, is their top priority. And our data and research support this sentiment—we estimate that basic security hygiene still protects against 98 percent of attacks (see page 124 in the Microsoft Digital Defense Report, October 2021).

You may be thinking that it’s easy to talk about fundamental security steps, but much harder to implement them in real life, especially when a team is overworked and understaffed. But I would argue that being a security leader is about managing both risk and prioritization—and that makes focusing on fundamentals a solidly pragmatic approach. All too often, security incidents aren’t a matter of IF but WHEN. There are hundreds of alarming cybersecurity stats such as about 4,000 cybercrime attacks are committed every day in the U.S. alone and more than 30,000 websites around the world are hacked daily.

I believe the best line of defense is taking a balanced approach and investing in incident detection and response alongside prevention.

Although it may seem difficult to invest in new levels of prevention while still trying to keep up with increasing demands on detection and response, finding the right balance between the two efforts is both essential and beneficial. A 2021 Ponemon Institute and IBM Security study found that organizations without an incident response team or a plan in place saw the average cost of data breaches go up by 55 percent. Security teams who can balance solid prevention with a strategy that includes an incident response and investments in detection and remediation tools will be well-positioned to weather the inevitable.

We’ve all heard about the great resignation. Over 40 percent of the global workforce is considering leaving their employer this year-and security leaders and their teams already feel under-staffed. I often speak with CISOs about how things are going overall, and affording, finding, and retaining top talent is one of their top concerns. And if top talent does leave, they are then faced with either finding new top talent or up-leveling the skills of those remaining. More efficient, integrated, and automated technology can help, but it’s not nearly enough.

Security buzzwords have become part of the everyday vernacular as cyberattacks show up in the news regularly—and these attacks (and the news about them) can deeply impact a company. But guess what? That isn’t all bad news. Given that cybersecurity has become a familiar topic across all areas of an organization, we are hearing that the concept of “security is everyone’s job” is beginning to resonate across organizations. Especially with new hybrid work models and security perimeters being pushed in all kinds of new ways—security leaders are increasingly relying on innovative ways to keep everyone safe, even as they are facing talent and skill gaps. Not “doing more with less,” but “doing more with different” is what innovative security leaders are all about these days.

While talent and skills shortages are definitely not a positive, there is a tiny ray of light here—creating a culture of security is becoming a reality. Many CISOs are telling us that one of the most effective ways to address their security challenges amidst staffing challenges is to build a culture of security where security is everyone’s job. CISOs are increasingly advocating for this notion that the entire organization can take on the responsibility of security, especially as they are facing staffing shortages or funding challenges.

Development teams, system administrators, and yes, end users, must understand the security policies that relate to them. Sharing information is fundamental and security teams are increasingly finding new ways to work with developers, administrators, and business process owners to understand risks and develop policies and procedures that benefit the entire organization.

Talent shortages and gaps in skills (especially in the ever-changing cybersecurity profession) have CISOs looking for new and innovative ways to stay ahead. One strategy we continue to hear about is an evolving “deputization” of employees outside of the security team. CISOs are looking to leverage the entire organization, with particular focus on training end users to be part of the solution and building support from adjacent teams.

Boosting and enhancing end user knowledge of security threats—like ensuring they understand phishing and the signs of subtle attacks—go a long way to increasing the eyes and ears of the security team, especially as a “tip of the spear” strategy, where end users are often an entry point for an attack. I’m not saying end users can magically be trained to catch everything but having prepared and alert users can dramatically reduce the load on security teams.

Another strategy is to deputize IT as part of security. Keeping the IT team closely connected to the security team and ensuring that IT is briefed on security strategies is helping many security leaders extend their mission to all areas of the organization.

Providing guidance and help on automation and other proactive workflow and task management strategies is a fundamental way CISOs are extending their teams and leveraging IT to help ensure solid security posture.

All cited Microsoft research uses independent research firms to contact security professionals for both quantitative and qualitative studies, ensuring privacy protections and analytical rigor. Quotes and findings included in this document, unless specified otherwise, are a result of Microsoft research studies.