Taking a purely defensive approach to cybersecurity isn’t keeping the bad guys out. The volume and sophistication of cyber attacks have continued to rise dramatically.
In 2016, one-third of all businesses globally were breached, according to PwC. And while millions of attacks are being launched on a daily basis, industry experts say that billions of botnets may be lurking undetected in corporate and government networks around the world.
Further fanning the flames are the severe skill shortages that cybersecurity teams will continue to face into the foreseeable future. Taken together, these pressures mean Chief Information Security Officers (CISOs) need to take a more aggressive approach in order to stay ahead of cyber criminals.
“We know that the number of attacks that are occurring is enormous, but what’s more worrisome is the growing sophistication of the attacks,” said Larry Clinton, President of the Internet Security Alliance. Clinton will be one of the keynote speakers at the 2017 Chicago CISO Executive Leadership Summit on June 20, 2017.
“If your organization is using tools and techniques that may have worked yesterday, then you’re really behind the eight ball,” said John Iannarelli, Former Senior Executive Advisor for the FBI, who will also be speaking at the Chicago Summit. “Being a victim means losing your reputation and likely losing your livelihood.”
Cyber criminals have become incredibly cunning with their tactics. Clinton points out that many cyber criminals are entering corporate networks and cleaning out any malware that exists to give the false impression that the network is uncontaminated. “If they can do that and go dormant for a while, then they can go back in and steal data after penetration testing has been completed,” said Clinton.
Decision-makers are also beginning to realize that they can’t address cybersecurity strictly from an IT perspective. “It’s an enterprise-wide risk management problem that requires a need to focus on people, business partnerships, customer relationships in a much broader context,” said Clinton.
A solid best practice that CISOs are beginning to embrace is networking with fellow CISOs and other cyber experts to increase awareness around emerging threats and effective strategies. “By connecting with other CISOs, you’ve got an extra set of eyes and resources to help protect your organization,” said Iannarelli.
To strengthen their cyber defenses, a growing number of organizations are also shifting away from the concept of perimeter security. “With the Internet becoming increasingly porous, companies need to begin looking inward,” said Clinton. For instance, Clinton said that forensic experts are using tools to identify when organizational data “is behaving funny” and to determine when a cyber attacker has penetrated the network.
“If you can find the cyber attacker inside the network, you can often determine how they are trying to send the data out and potentially block the external exit,” added Clinton.
CISOs also need to work harder at getting members of the C-suite more engaged with cybersecurity. “The C-suite needs to have a seat at the table so they know what’s going on and so that others will become more engaged,” said Iannarelli.
He also recommends that companies invest more time and resources into training. This includes mixing up training scenarios and keeping employees aware of new and emerging threats.
“It can’t be the same type of training scenario each time because it’s not the same attack every time,” said Iannarelli. “Make it interesting and offer a reward for achieving the highest score on a simulated test or for developing the most creative cyber attack scenario.”