The Current State of Cybersecurity Performance

An interview with Brian Wrozek, VP, Corporate Security, Risk and Compliance Management and Physical Security

In your opinion, what are some of the most challenging cybersecurity issues organizations currently face?

Balancing the needs to consistently do the fundamentals with meeting new challenges and threats. It is hard to consistently patch vulnerabilities day in and day out, over and over with the stress of knowing that it just takes one opening to allow an attacker into your environment. New projects dealing with the cloud, for example, are not only much more interesting, but they often come with more recognition. Naturally, employees want to work on those new, higher profile projects. Consequently, leaders are challenged with keeping continuity and focus on the foundational tasks where staff turnover is high due to low morale and the repetitive nature of the work. Plus, organizational gratitude for keeping the lights on is low. Rare is the company that celebrates meeting the patching SLAs, but roll out a new version of your website and it is bonus time. IT Operations has had this challenge for years, but security comes with additional risk and less willingness by management to outsource.

What industries need to be most proactive in improving their cybersecurity tactics?

I think the educational industry needs to fundamentally improve but not in the traditional sense. They need to make cybersecurity education a priority in primary and secondary education curriculums. A 20-minute talk once a year on career day or during National Cyber Security Awareness Month is not equipping today’s youths with the knowledge to protect themselves from cyber threats. In 2020, colleges and universities are still graduating thousands of engineers and programmers who are not required to pass a single cybersecurity course before joining the workforce. It’s no wonder the OWASP Top 10 hasn’t really changed in a decade.

With an upcoming US presidential election, cybersecurity is top of mind for the federal government. In general, how should local, state, and federal governments address cybersecurity?

Legislation needs to catch up to technology. The US lacks a national law that sets data security standards. There are no security statutes to set minimum data security requirements. Each state has its own unique data breach notification law. Traditional notions of national sovereignty and country borders have not fared well when applied to the Internet and global commerce.

How are organizations defending against cybersecurity threats?

Based on the unending news about breaches, not very well. On the plus side, we are seeing more adoption of automation and orchestration. In the past, security teams were so afraid of disrupting some aspect of the business or causing even a minor inconvenience to the end-user experience that issues would go unresolved or new solutions would be ignored. Now filtering rules are automatically updated in real time, based on machine analysis of incoming phishing emails, rather than waiting for a change request to be reviewed and the next change review board meeting. We must allow security to adapt at the same speed as the attacks, with the necessary procedures to revert to a prior state if necessary.

Are there any regional trends in cybersecurity practices that you have noticed?

Look no further than the new CCPA and its impact on California residents. I recognize that many companies outside of CA will need to comply but the impact on small, local “mom and pop” businesses can be substantial relative to similar companies in states less regulated with laws that heavily favor businesses.

How are organizations equipping their staff to better understand/handle cybersecurity issues?

One game changer has been the gradual shift in attitude toward cyber incidents. No longer are they automatically career-ending events with the CISO taking the blame. Allowing for bad cyber events to occur, just like in the physical world, has freed security personnel from defaulting to always answering “no,” to aligning with the risk appetite of the company.

What is the first step to becoming more cyber secure?

Get professional cybersecurity help. Companies will spend tens of thousands of dollars on outside legal counsel, advertising and other SG&A service costs and then balk when it comes to investing in cybersecurity assessments. On the personal side, the same is true. People will hire plumbers and electricians but then think they can secure their entire smart home technology landscape by themselves.

What are the biggest trends you see taking shape within the cybersecurity industry that will have major impacts in the next 3–5 years?

Privacy will consume a much larger portion of the security activities and budget. We all realize that privacy is not just a Legal or HR issue. Advances in hardware and software technology are fueling a data collection and retention explosion. As data analytics becomes common practice across all facets of a company’s operating rhythm, protecting the confidentiality and integrity of the raw information and trending reports will expand beyond the current PII elements.
