by Andrada Fiscutean

14 lessons CISOs learned in 2022

Feature
Dec 12, 2022 | 12 mins
Careers, CSO and CISO

The coming new year is a good moment for chief information security officers to reflect upon what they've learned this year and how to apply this knowledge going forward.

[Image: many lit hanging bulbs. Credit: Thinkstock]

We’re about to finish yet another erratic year, in which Elon Musk bought Twitter, Russia invaded Ukraine, and many workers returned to their offices. We also saw, for the first time, a security chief sentenced to prison for concealing a data breach.

These events and many more have changed the business landscape and forced CISOs to steer a course through uncertain waters. “With the shifts in the cybersecurity landscape, 2022 has been a milestone year we will look back on when studying the history of when and why cybersecurity and digital trust were fused together,” says Kory Daniels, CISO at Trustwave.

In 2022, organizations across multiple industries have increased their security budgets. Still, they’ve also realized that investments “can be a paper tiger” if security teams do not truly demonstrate how they can help protect a business, Daniels adds.

While everyone has their own way of analyzing the year and reflecting upon what happened, this exercise could provide valuable knowledge for the future, so we asked CISOs to share the most relevant lessons they’ve learned this year.

“If companies are not going to learn these lessons and mature their security practices, we will see increased scrutiny in audits and third-party risk assessments, and this may have a financial, reputational, operational, or even compliance impact on their business,” says Sohail Iqbal, CISO at Veracode.

1. Don’t wait for a geopolitical conflict to boost your security

Russia’s full-scale invasion of Ukraine spurred nationalist and criminal organizations to take sides and forced businesses to embrace government-issued guidance created to help them heighten their security posture. This includes the US Cybersecurity and Infrastructure Security Agency’s (CISA) Shields Up and the UK National Cyber Security Centre’s (NCSC) Technology Assurance. “The conflict prompted many organizations to ask questions about their cyber resilience readiness to either deter these threat actors or defeat an attack,” Daniels says.

These questions should have been asked years ago. “Don’t wait for a global conflict between countries with capable offensive cybersecurity teams to be the reason you assess if your organization’s security posture can reasonably withstand commodity threats and attacks,” says Taylor Lehmann, director in the Office of the CISO at Google Cloud.

Businesses and agencies often need years to address the gaps found in those assessments and implement the suggested controls, so asking questions early on can be beneficial. “We need to acknowledge that it takes time (sometimes decades) and effort to be in a position to protect an organization from advanced security threats,” Lehmann adds.

2. The population of threat actors has exploded, and their services have become dirt cheap

Ransomware gangs kept retiring and rebranding in 2022, according to ENISA, and threat groups exhibited “an increasing capability in supply chain attacks and attacks against managed services providers.” Also, the hacker-as-a-service business model has continued to gain traction.

“Everyone can be a criminal now, and skills are not required,” says Mike Hamilton, former CISO of Seattle and CISO of cybersecurity firm Critical Insight. “The affiliate and as-a-service business model employed by criminal gangs has lowered the bar to entry, and it shows in the number and nature of the bait messages that are being received.”

For instance, premium access to the C2aaS platform Dark Utilities was only €9.99. The platform offered several services, including remote system access, DDoS capabilities, and cryptocurrency mining.

3. Untrained employees can cost a company millions of dollars

Ransomware attacks have increased in 2022, with companies and government entities among the most prominent targets. Nvidia, Toyota, SpiceJet, Optus, Medibank, the city of Palermo, Italy, and government agencies in Costa Rica, Argentina, and the Dominican Republic were among the victims in 2022, a year in which the lines between financially and politically motivated ransomware groups continued to be blurred.

A critical piece of any organization’s defense strategy should be employee awareness and training because “employees continue to be targeted in threat actor strategies through phishing and other social engineering means,” says Gary Brickhouse, CISO at GuidePoint Security.

Still, one positive development this year was that board members and executives have started to pay more attention to ransomware because they’ve seen the operational impact these attacks can have.

4. Governments are legislating more aggressively for cybersecurity

The United States, the United Kingdom, and the European Union have strengthened their legislation to better protect themselves against cyber incidents. “Key risks are being identified, and we’re seeing a continued trend towards legislative intervention,” says Lawrence Munro, group CISO of NCC Group.

In the US, changes have happened at the federal and state levels. Government agencies are now required to implement security training and follow security policies, standards, and practices. They also need to report security incidents and have response plans.

Munro adds that his perspective has changed in terms of how proactive he should be in being ready for upcoming regulations. “I already have a strategy to monitor this, but I will further develop the automated elements to ensure I’m prepared for any changes well in advance,” he says.

Organizations need to pay attention to the fact that data privacy and security rules keep evolving. “Understanding the differences between and equipping your organization to meet data residency, data sovereignty, and data localization requirements is a critical business imperative now and will continue to grow in complexity,” says Lehmann.

5. Organizations should keep better track of open-source software

The Log4j crisis that surfaced at the end of 2021 continued throughout 2022 affecting tens of thousands of organizations globally. This vulnerability involving remote code execution will continue to pose “significant risks” in the future because it “will remain in systems for many years to come, perhaps a decade or longer,” according to a recent report by CISA.

“The Log4j vulnerability was a wake-up call for a lot of people in the industry,” says Chip Gibbons, CISO at Thrive. “Many organizations didn’t know that the software was even being used within some systems as they are really focusing on their internet-facing devices.”

While this security issue created chaos, it also provided learning opportunities. “Log4j was a curse and a blessing,” says George Gerchow, CSO and SVP of IT at Sumo Logic. “It made us better when it comes to incident response and asset tracking.”

Companies started to put more effort into keeping track of open-source software because they saw that “placing unverified trust into the provenance and quality of software they are using has resulted in harm,” says Lehmann.

6. More effort should be put into identifying vulnerabilities

Organizations should also do more to keep up with vulnerabilities in both open- and closed-source software. However, this is no easy task since thousands of bugs surface yearly. Vulnerability management tools can help identify and prioritize vulnerabilities found in operating systems and applications. “We need to know vulnerabilities in our first-party code and have an inventory of vulnerabilities and appropriate measures to manage risks in our third-party code,” Iqbal says.

According to Iqbal, a good AppSec program should be part of the software development life cycle. “If you are writing secure code to begin with and managing vulnerabilities up front, this will be significant in securing your organization,” Iqbal says. “Do not forget, at the end of day, everything is code. Your software, applications, firewalls, networks, and policies are all code, and because code changes so often, this has to happen on a continuous basis.”

7. Companies need to do more to protect against supply chain attacks

Supply chain attacks have been a major cause of concern in cybersecurity in 2022, with several incidents making the headlines, including the hacks that targeted Okta, the GitHub OAuth tokens, and AccessPress. Protecting against these threats will continue to be a complex process in 2023. “I think the quick advancement in the supply chain risk space has confused a lot of organizations,” says Munro. “We’re seeing money thrown at technology to solve issues, with a lack of understanding of how those solutions fit into the existing ecosystem.”

According to Munro, the software bill of materials (SBOM) has brought new frameworks and technologies. “There are tools to manage the aggregation of information, complementary frameworks such as supply-chain levels for software artifacts (SLSA) and technology standards such as vulnerability exploitability exchange or VEX,” Munro says. “This has all added to greater complexity and an increased challenge for defenders.”

Lehmann adds: “We should also be thinking about how our hardware supply chain could affect us if compromised, and what capabilities we have now or need to be prepared to trust (or not) the hardware powering the software we use.”
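Lessons 5 and 7 both come down to the same mechanical task: knowing which open-source components are in your software (the asset-tracking gap Log4j exposed) and reconciling that inventory against advisories and supplier VEX statements so that only the exploitable matches consume response time. The script below is an added illustration of that reconciliation, not code from the article or from any of the vendors quoted; the SBOM (in a CycloneDX-like shape), the advisory records with placeholder ids and illustrative fixed-in versions, and the VEX statuses are all constructed for the example.

```python
"""Added example: cross-reference a software inventory (SBOM) with
vulnerability advisories and VEX statements to get an actionable list.
The SBOM, the advisory records (placeholder ids, illustrative fixed-in
versions) and the VEX statuses are all constructed for this example."""
import re

# Constructed SBOM in a CycloneDX-like shape, reduced to the fields used here.
SBOM = {
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "example-widgets", "version": "1.2.0",
         "purl": "pkg:npm/example-widgets@1.2.0"},
        {"name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1"},
    ]
}

# Constructed advisory records. The ids are placeholders, not real CVE numbers,
# and the fixed-in versions are illustrative rather than authoritative.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1",
     "purl_prefix": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "fixed_in": "2.17.1"},
    {"id": "ADV-PLACEHOLDER-2", "purl_prefix": "pkg:npm/example-widgets",
     "fixed_in": "1.3.0"},
]

# Constructed VEX statements: the supplier's assertion about whether a specific
# shipped component is actually exploitable in its context.
VEX = {("ADV-PLACEHOLDER-2", "pkg:npm/example-widgets@1.2.0"): "not_affected"}


def parse_version(version):
    """'2.14.1' -> (2, 14, 1); non-numeric segments sort below numbers."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def split_purl(purl):
    """'pkg:npm/example-widgets@1.2.0' -> ('pkg:npm/example-widgets', '1.2.0').
    Qualifiers ('?...') are not handled; the sample purls carry none."""
    if "@" not in purl:
        return purl, ""
    name, _, version = purl.rpartition("@")
    return name, version


def find_matches(sbom, advisories, vex):
    """Every (advisory id, purl, status) where the component's version is below
    the advisory's fixed-in version; status comes from VEX, default 'affected'."""
    matches = []
    for comp in sbom["components"]:
        name, version = split_purl(comp["purl"])
        for adv in advisories:
            if name != adv["purl_prefix"]:
                continue
            if parse_version(version) >= parse_version(adv["fixed_in"]):
                continue  # already at or past the fixed version
            status = vex.get((adv["id"], comp["purl"]), "affected")
            matches.append((adv["id"], comp["purl"], status))
    return matches


def actionable(matches):
    """Only the matches a supplier has not marked 'not_affected' need work."""
    return [m for m in matches if m[2] != "not_affected"]


if __name__ == "__main__":
    found = find_matches(SBOM, ADVISORIES, VEX)
    for adv_id, purl, status in found:
        print(f"{adv_id}: {purl} [{status}]")
    print("actionable:", len(actionable(found)))
```

The point of keeping the VEX lookup separate from the version comparison is that the inventory match and the exploitability judgement come from different parties: the version range is what the advisory says, the `not_affected` status is what the supplier asserts, and a team reviewing the output can see both before deciding to suppress a finding.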

8. Zero trust should be a core philosophy

A zero-trust program is not only about the deployment of technology to manage identities or networks. “It is a discipline and culture of eliminating implied trust and replacing it with explicit trust at the time of digital transaction,” Iqbal says. “It is a simultaneous process that needs to be made across identities, endpoint devices, networks, application workloads, and data.”

Iqbal adds that every single product or service should support single sign-on (SSO)/multi-factor authentication (MFA) and corporate and non-production networks should be isolated from production environments. “It’s also important to certify endpoints for up-to-date security postures and use behavioral analytics for authentication, access, and authorization by correlating multiple signals,” he adds.
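Iqbal's description of zero trust as replacing implied trust with explicit trust at the time of each transaction, evaluated across identity, endpoint, network, and behavioral signals, can be shown as a small policy decision. The code below is an added example and not from the article or from Veracode; the signal names, the risk threshold, and the sample requests are constructed for the illustration, and the `legacy_allow` function stands in for the network-location trust model being replaced.

```python
"""Added example: an access decision that replaces implied trust with an
explicit, per-transaction evaluation of several signals (identity, MFA,
endpoint posture, network segmentation, behavioral risk). The signal names,
the threshold and the sample requests are constructed for this illustration
and do not describe any particular vendor's policy engine."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    sso_authenticated: bool    # identity established through the corporate IdP
    mfa_verified: bool         # second factor satisfied for this transaction
    device_patched: bool       # endpoint reports a current patch level
    device_edr_running: bool   # endpoint protection agent present and healthy
    source_network: str        # "corporate", "non_production", "production", "internet"
    target_environment: str    # "production" or "non_production"
    behavior_risk: int         # 0-100 from correlated login signals (constructed scale)


RISK_DENY_THRESHOLD = 70  # constructed value for this example


def legacy_allow(req):
    """The implied-trust model being replaced: anything arriving from the
    corporate network is trusted, whatever the other signals say."""
    return req.source_network == "corporate"


def zero_trust_allow(req):
    """Return (allowed, reasons). Each requirement is checked explicitly and
    the source network on its own never grants access."""
    reasons = []
    if not req.sso_authenticated:
        reasons.append("identity not established through SSO")
    if not req.mfa_verified:
        reasons.append("MFA not verified for this transaction")
    if not (req.device_patched and req.device_edr_running):
        reasons.append("endpoint posture not certified (patching or EDR missing)")
    # Corporate and non-production networks stay isolated from production.
    if req.target_environment == "production" and req.source_network != "production":
        reasons.append(f"production reached from isolated network '{req.source_network}'")
    if req.behavior_risk >= RISK_DENY_THRESHOLD:
        reasons.append(f"behavioral risk {req.behavior_risk} at or above {RISK_DENY_THRESHOLD}")
    return (not reasons, reasons)


# Constructed sample requests.
COMPLIANT = AccessRequest(True, True, True, True, "production", "production", 10)
CORP_NO_MFA = AccessRequest(True, False, True, True, "corporate", "production", 10)
RISKY_LOGIN = AccessRequest(True, True, True, True, "non_production", "non_production", 85)


if __name__ == "__main__":
    for label, req in [("compliant", COMPLIANT), ("corp_no_mfa", CORP_NO_MFA),
                       ("risky_login", RISKY_LOGIN)]:
        print(label, "legacy:", legacy_allow(req), "zero-trust:", zero_trust_allow(req))
```

The two functions disagree exactly where the lesson says they should: the request from the corporate network without MFA is waved through by the legacy model and refused, with two named reasons, by the explicit one, while a fully compliant request from the production network passes both.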

9. Cyber liability insurance requirements might continue to increase

In recent years, cyber liability insurance has become a necessity, but premiums have increased. Also, organizations face more scrutiny from insurers to identify areas of risk. “This process is much more rigorous than in the past, increasing the timeline and effort to obtain cyber liability insurance,” says Brickhouse. “Organizations should treat this process almost like an audit – preparing in advance, having their security programs and controls well documented and ready to be validated.”

10. The “shift-left” approach to software testing is dated

Just looking for risk on the “left” is not enough, says Matt Rose, field CISO at ReversingLabs. While the concept of improving a product by testing it at the early stages makes sense, the developer is only one part of a comprehensive application security program. “There is risk in all phases of DevOps processes, so tooling and investigation have to shift everywhere within the process and not just the left,” he says. “If organizations only look for issues on the left, they will only find security risks on the left.”

A better approach, according to Rose, would be to increase security everywhere across the DevOps ecosystem, including the build system and the deployable artifact itself. “Supply Chain risk and security have become increasingly important, and I would argue impossible to find if you only look on the left,” he adds.

11. Using the wrong tool for the wrong asset will not fix the problem

A hammer is made for a nail and not a screw, says Steven Walbroehl, co-founder of Halborn, who also served as the startup’s CISO. His point? Chief information security officers need to look at nuances and find the right tool for the problem they want to fix. “A lesson learned here in 2022 is that developers or companies shouldn’t try to generalize security and treat it as a solution that can be used for all assets or resources,” he says. “We all should make a best effort to find cybersecurity solutions or services that adapt or work for the particular technology that needs to be protected.”

12. Organizations need help understanding their complete application architectures

The world of tech is increasing in complexity every year, and organizations must understand their entire application ecosystem to avoid major security flaws. “Applications are becoming more and more complicated with the explosive use of open source packages, APIs, internally developed code, third-party developed code, and microservices, all of which are tied to very fluid cloud-native development practices,” Rose says. “If you don’t know what type of risk to look for, how will you be able to find it?”

According to Rose, modern development practices focus on smaller and smaller blocks of responsibility so no one person can have a complete handle on every aspect of an application.

13. Security should be a continuous effort

Too many companies outside tech think that cybersecurity is an activity that you perform once, and then you’re safe. Technology, however, is dynamic, so protecting it should be “a continuous effort that requires a risk management approach,” Walbroehl says. “Companies should not attempt to treat cybersecurity as a goal that is pass/fail.”

Walbroehl recommends that organizations identify critical processes and assets. Then, they should determine what level of security exposure they are willing to accept. A good idea would be to prioritize the solutions or processes needed to reduce the risk to that level, he adds.

14. Have plans in place

In all likelihood, 2023 will be exhausting for CISOs. Once again, they will face challenges on every front: the war in Ukraine will continue, some countries might go through a recession, and technology as a field will continue to evolve. This is why they need to have plans in place for the situation in which an incident occurs. “Better to prepare now than in the heat of the moment,” says Gibbons.

Trustwave’s Daniels agrees. “One of the most important lessons we have learned this year is that taking a strictly reactive approach to cybersecurity can, in fact, slow down or put a business’ competitiveness, financial position, and market growth at risk,” he says. “Proactive and even predictive cybersecurity operations are becoming an important factor for security leaders, as well as creating procedures to effectively fuse security into the business.”