How CISOs Need to Prepare for 2021

Yogesh Potdar   

Last year, 2020, a world that was inevitably going digital was accelerated by COVID-19, forcing businesses to enable remote workforces overnight, without the luxury of planning or preparation. Chief information security officers (CISOs) were required to ensure digital security on the go while simultaneously keeping aware of new and emerging threats and ensuring business continuity in a workplace that now threw up a diversity of systems, networks, devices and processes, all of them overflowing with unmanageable information.


As cyberattacks grow in number and sophistication, 2021 is definitely going to be no different. Based on what we have witnessed so far, a few assumptions can be made. The pandemic will continue long into the new year; the virtualized, remote workplace will not only stay but expand; and businesses will grow exponentially, digitally. All of these assumptions point to stressed CISO workloads and more uncertainty.

I trust there are six essentials for today’s CISOs to pay attention to in 2021.

1. Push for cybersecurity to become a boardroom agenda

Digital transformation has become the core aspect of all business processes, security has become a business concern, and as an outcome, cybersecurity must resolutely find a place on the agenda of every boardroom. A CISO’s role has evolved from being focused on technology alone to also keeping in mind the business risks that may affect the performance, reputation and competitiveness of the business. CISOs must engage with their colleagues across SBUs, bringing home the significance of a robust cybersecurity program. Management-level meetings and forums must serve as the essential medium for engaging stakeholders and pushing strategic initiatives.

2. Invest in cloud and secure it

As threats to on-prem networks increase, more workloads need to be taken to the cloud. And as businesses continue to accelerate their cloud journey, CISOs must prepare against specific threats (data breaches, DoS, insecure APIs and account hijacking, among others), purely because the growing amount of information in the cloud attracts cybercrime.

Cloud service providers (CSPs) throw in security services for data protection, compliance and data privacy, and secure access control for security risk management and protection in the public cloud. But this isn’t good enough on its own.

It is critical for organizations to build a strong strategy with a framework for risk management, secure cloud design, security governance and cloud skills, as most incidents occur due to the lack of a good security strategy in the company.

3. Bring in basic IT hygiene, create a security culture

Cybersecurity is the responsibility of the whole organisation and no longer the sole responsibility of security teams. We have long known that security is only as strong as the weakest link in the whole system. For a healthy security posture, it is essential to ensure that every individual is informed and commits to being an integral and responsible part of the ecosystem, thereby understanding and practicing IT hygiene as a rule. IT hygiene is the organisation’s first line of defence, and an organisation embraces it by identifying what, who and where it wants to protect.

Make security culture an integral part of the larger corporate culture, one that encourages employees to make decisions aligned with the organization's cybersecurity policies. Business leaders need to drive an organization-wide mindset that lays emphasis on cybersecurity: training employees to identify and report threats, conducting cybersecurity awareness sessions in engaging ways, and recognising, even rewarding, employees who contribute to the organization’s security goals.

4. Security that knows no borders

The fast-growing remote and geographically distributed workforce becomes more productive by accessing resources on the cloud, from collaborative platforms to critical work-related applications. These workflows traverse the public network and occur between trusted and untrusted devices, thereby extending the enterprise perimeter well beyond the outmoded boundaries of an organization. Borderless security is essential as businesses continue to run from living rooms.

5. Improve enterprise security architecture

Most organizations in the current situation are driven by new outlooks: the expectation of access to IT resources anytime, from anywhere and on any device, while securing remote infrastructure and IP; the ability to support new cloud solutions and password-less authorization; and the call for continuous protection, continuous compliance and continuous visibility adhering to zero trust-based models. These templates are dictating the changes that need to be made to the enterprise security architecture.

6. Innovation-led security

Cyberattacks are getting more frequent and more sophisticated by the day, spanning denial of service, malware, phishing, SQL injection, crypto-jacking, zero-day vulnerability exploits and so on. Hacker groups offer their skills and specialised, targeted and dubious expertise through ransomware-as-a-service. To remain a step ahead of the cybercriminals, organizations need to invest in solutions using the latest and emerging cybersecurity technologies such as AI & ML, UEBA, next-gen breach detection and zero-trust solutions.

While new technologies bring in their advantages, they also threaten cybersecurity.

Operational technology (OT) and IoT, for example, can be manipulated by threat actors, and they in turn influence network design and architecture. More technology components mean being even more vulnerable to disruption.

Enterprises need to be sensitive, responsive and observant to the changes occurring around them. They need a proactive, evolving and innovative approach to cybersecurity to stay several steps ahead of cybercriminals.

Your approach to cybersecurity is unique to you

There is no one-size-fits-all approach to cybersecurity; prevention, risk management and mitigation are of the utmost importance. CISOs must demand sufficient budgets, adequate availability of technically trained staff and decisions that brook no delay.

The CISO title was non-existent a few years ago. The pandemic has dramatically raised the expectations of the CISO’s office, and if there is one person responsible for cybersecurity in an organisation, it is the CISO.