Why CISOs Should Understand the Threat Landscape To Bolster Security in 2018

Doctors can’t prescribe proper treatment for patients without identifying and analyzing symptoms to make a clinical diagnosis. It’s the same for CISOs, who are responsible for their organization’s digital health.

If key decision-makers in enterprises don’t understand the types of threats that face their industry, the vulnerabilities in their network and risks following an infection or a data breach, they can’t create and enforce a legitimate mitigation strategy. Even if businesses do come up with a thorough plan, they still have to look out for new, more sophisticated malware variants and attack methods.

Cybercriminals may soon resort to machine learning algorithms to find patterns and develop hard-to-detect programs. Hackers are enhancing their methods, making it almost impossible for enterprises to adequately prepare for all possible threats. While insistence on a 100 percent detection rate and no false positives may be unrealistic, the best approach is to be innovative and maintain a fast response rate.

For instance, advanced attackers sponsored by nation states, cyber terrorists, espionage or organized crime groups might still bypass security and infiltrate the infrastructure, but at least companies should be able to immediately detect the attack and react to it to minimize the impact on its network, brand reputation and customers.

According to EY’s 20th Global Information Security Survey based on feedback from CIOs, CISOs and other IT executives from 1,200 organizations, decision-makers fear unknown advanced attacks because they don’t know how to properly address them. When addressing ways to fend off generic malware or attack methods, though, organizations showed great confidence in their cybersecurity strategies. Whether they are dealing with unpatched vulnerabilities, phishing campaigns, basic DDoS attacks, customized malware, insider threats, zero-day exploits or manipulation of IoT devices, it is critical for businesses to understand the current threat landscape for multi-layer security.

Until recently, companies may have been somewhat oblivious to attacks and threats, or not as focused on cybersecurity, waiting for an attack to happen before taking serious measures. EY found that businesses feel more at risk than in the past year due to cybersecurity fiascos such as the Yahoo and presidential data breaches, the WannaCry ransomware attack on over 200,000 Windows computers from 150 countries, the Mirai malware global infection that infected IoT devices to launch DDoS attacks on Dyn DNS or the NotPetya/Goldeneye ransomware that hit Ukrainian utilities and caused collateral damage in countries including the US, Russia, Australia and Denmark.

But IT executives complain that too few investments and resources are assigned for cybersecurity, unless a data breach occurs and speeds up financing.

While understanding the threat landscape is vital, organizations can’t overlook legal responsibilities. For example, in case of a data breach, 17 percent of respondents wouldn’t let all their customers know that their data was leaked, while 10 percent would cover up the incident. Considering the deadline for compliance with the EU’s GDPR is May and “only 8% describe their plan as robust and spanning third parties and law enforcement,” enterprises should clearly outline their incident response competences and make cybersecurity a priority in their budgets.