As we look ahead, there are many reasons for optimism in cybersecurity. Defenders are maturing in their approach, we’re getting better at articulating cyber threats in the language of business risk, and we’re continually improving cross-sector collaboration.
But we still face a challenge navigating the changing threat landscape, something I discussed with industry peers on an HP-hosted CISO panel. I believe the cybersecurity industry needs to build on the positives by understanding cyber strategy more clearly in the context of good corporate governance, and by addressing the growing diversity and skills gap within our cybersecurity talent pool.
When Change Is the Only Constant
As IT modernizes to support remote work, new customer experiences and evolving business processes, we’re seeing attack surfaces expand exponentially. This contributed to a record number of compromises in 2021, while the number of published vulnerabilities surged to an all-time high.
Yet there’s another story behind the headlines. For years, we’ve been talking about the same old paradigm of attacker and victim. In this one-to-one relationship, the attacker targets a victim and either succeeds or doesn’t. Today, we’re seeing more of what I would call “one-to-many” attacks. Supply chain attacks are nothing new, but we’re seeing an uptick in their sophistication and ambition. Attackers have realized they don’t need to constantly go one-to-one. They can find a common hub that connects hundreds or even thousands of potential victims and compromise it. For close to the same effort expended, they get a significant step up in ROI.
As organizations look to manage supplier risk, spiraling costs, and geopolitical tension in the post-pandemic world, the complex web of interdependencies upon which they rely is growing. This is most apparent in the airline industry. It was fascinating to hear United Airlines VP and CISO, Deneen DeFiore, explain how the mindset in cyber is shifting from data protection to resilience. Understanding these supplier dependencies is critical to managing risk effectively, to minimize the operational impact of cyber threats.
Collaboration Will Be Key
This mounting complexity also makes industry collaboration more important. It’s only via collaboration with the right public and private sector organizations that we can understand how attackers are operating. Part of this involves organizations thinking about what is and isn’t helpful to disclose around breaches. We can all agree that indicators of compromise (IoCs) are out of date as soon as they’re published. So, what is relevant that can be shared between organizations?
Today’s conversation is too centered around whether an organization was breached or not. If breaches are close to inevitable, we should focus more on sharing breach findings and post-mortem results that will help others.
The way CISA coordinated information sharing during the early days of the Log4Shell saga offers a useful model. The agency did an amazing job organizing and sharing information from different industry sources. Let’s learn from it. Because as Ian Pratt, HP’s global head of security for personal systems, explained, cybercriminal organizations are run like businesses now. They’ve become masters at sharing intelligence, information, and tooling to further their objectives.
A People Problem
This touches on another critical point. The industry is short more than 2 million cybersecurity professionals globally. In this moment of crisis, we should nurture the beginnings of something far bigger and better by growing our talent pool and breaking down the barriers to joining our sector.
There’s an opportunity to make the cybersecurity tent bigger by looking outside of the industry. We could bring in more nontraditionally educated people, as we don’t necessarily need college degrees for every role. We could target workers mid-to-late in their careers who have a rich set of skills in areas such as risk management or communication.
Diversity is also critical, but much work needs to be done. According to findings in an HP-commissioned study, 30% of women in the US applied for a promotion last year. However, of those who applied, only 40% of women were successful, vs. 52% of men. Cybersecurity, like the tech industry as a whole, has a diversity issue, particularly with getting women into senior roles. We must understand how best to support women and their careers, as this is key to fostering a diverse workforce and attracting new talent.
Employers must do better at harnessing this large pool of untapped talent. As Siemens USA Chief Cybersecurity Officer Kurt John explained, diversity is the No. 1 way to drive creativity in response to the threats that we all face.
The good news is that boardrooms are starting to appreciate the importance of diversity and cybersecurity — just as CISOs are beginning to talk about cyber in the language of business risk. That offers definite grounds for optimism.
What has increasingly dawned on me is that, as cybersecurity leaders, we’re much more likely to make the right decisions for the enterprise by viewing cyber in the context of effective corporate governance. I believe that’s the way to craft an enterprise-specific strategy. Let’s make the “G” in environmental, social, and governance (ESG) really mean something for cybersecurity and get ourselves onto the front foot.