In our series of Q&A discussions with senior security leaders, we spoke to Chris Smith, Information Security Leader at MassMutual - a major life insurance specialist based in the U.S.
Q - What are the biggest areas of concern for CISOs in the next 6-12 months?
A - From the CISO’s point of view, defense is a complex issue in that you have to protect systems while keeping performance at a high level from a business perspective. Clearly, ransomware is top of mind from an adversarial perspective, not least because it is one of the most profitable tactics cybercriminals currently pursue.
What is becoming increasingly important is that end user education becomes more granular and bespoke for different roles, responsibilities and the technical expertise of each member of the team. A developer’s security persona is generally very different from that of someone who works in marketing, for example. Effective training will focus on adding value for each group and consistently guiding the user on smart decision making.
Looking more broadly at issues such as technology infrastructure, businesses are at different stages of their digital adoption journey. Many organizations are operating hybrid strategies, which can be challenging because these technologies must integrate effectively on a functional level, allowing flexibility and agility to support the business, which adds to the difficulty of managing security vulnerabilities across traditional and modern cloud-based environments.
Q - Looking specifically at the issues around cyber hygiene, how has this evolved as companies learn more about its importance?
A - In many organizations, the understanding of what cyber hygiene represents needs to evolve to meet rapidly changing technologies. In particular, it must focus on aligning threats to the actual business risk, not just the quantifiable technology residual risk. It’s a real challenge to scale employee training and culture to meet every single need or area of risk, so users and their leaders must be empowered to own their security responsibility and be active participants in delivering security to the organization regardless of role or title.
Q - Does cybersecurity get sufficient buy-in from the boardroom?
A - This depends very much on the industry niche in question, though overall, the attention has grown over the years due to the detrimental impact cyber attacks have had across all industries. To a significant degree, money follows money - meaning that organizations that are protecting financial assets historically have a more focused leadership perspective on the importance of cybersecurity, as it is directly aligned to theft and fraud. In the aerospace & defense sectors, regulation drives security investment, as the business has to balance profitability and contract competitiveness, and in other sectors, such as manufacturing, it’s sometimes the case that a breach will prompt leadership to take more effective action.
In general, boardrooms need to focus on continuous improvement and learn from their peers about protection priorities, cyber control evolution and translating cybersecurity investment into business perspectives that support the enterprise objectives.
Q - To what extent do the major, headline-making incidents such as SolarWinds, Kaseya, Colonial, the Biden Executive Order and new legislation have a practical impact on the way CISOs approach security strategy?
A - This also varies with the industry in question, the size of each business and the emphasis they place on cybersecurity. Financial institutions, for instance, generally aim for an approach which is “better than compliant” by design. However, taken together, these changes are certainly driving more conversations and changes about security at all levels of business, and that can only be a good thing.
Q - If money was no object, where should organizations in general be increasing their cybersecurity investments?
A - We need to continue to place greater emphasis on protecting identities, not least because they are the core objective for adversaries. They need to be as well designed and resilient as possible and remove decades-old weaknesses, like passwords. I’m enthusiastic about intelligent technologies that draw on intelligence-based interactions around what’s known about users, applications, assets and their behaviors, allowing cyber teams and controls to dynamically adapt to threats without interruption of business.
Q - If you had one or two tips for organizations looking to improve their security posture, what would you share?
A - Circling back to the issue of effective cyber hygiene, this is an area where there’s room for improvement in many organizations today. This includes properly defining cyber hygiene beyond the typical data center and physical assets. Merging your vulnerability assessment and remediation processes to include the modern cloud and edge environments will allow better prioritization aligned to the top risks to an enterprise. It’s also a part of that process where there are some relatively quick wins, and that’s vital in a world where the level and sophistication of threats is growing all the time.