As remote work grows, many organizations are managing a complex web of in-person, online, and hybrid work scenarios while also juggling cloud migrations to support their diversified workforces. For CISOs, this has created a variety of new challenges.
Based on our conversations with security leaders, Microsoft has identified the top three focus areas that CISOs are prioritizing today so you can understand what steps your organization should take to guard against ongoing cybersecurity threats.
1. Rapidly Shifting Threat Landscape and Attack Vectors
The new technologies required to facilitate stronger remote collaboration and productivity have opened up new vulnerabilities for cybercriminals to exploit. Based on a 2020 Microsoft study of CISOs, 55% of security leaders have detected an increase in phishing attacks since the beginning of the pandemic, and 88% say that phishing attacks have affected their organizations.
While news headlines are dominated by increasingly aggressive nation-state attacks and novel incidents like the Nobelium supply chain attack, even advanced threat actors tend to focus on low-cost, high-value attacks of opportunity. Take the uptick in password-spray attacks, for example. While large-scale attacks like the ones just mentioned aren’t an everyday occurrence, it is still important for security teams to be prepared in the event of a breach.
A healthy cybersecurity posture often comes down to a careful balance between managing risk and strengthening cyber hygiene practices. Microsoft estimates that basic security hygiene like multifactor authentication (MFA), patching, and vulnerability management can protect against 98% of attacks.
2. Rise in Increasingly Complex Supply Chain Risks
The global supply chain is also top-of-mind for CISOs, as many have been forced to expand their security perimeter outside of the security organization and IT. This focus makes sense given the 650% increase in supply-chain attacks from 2020 to 2021.
As security leaders continue outsourcing apps, infrastructure, and human capital, they’re also searching for more effective frameworks and tools to evaluate and mitigate their risk across suppliers. Traditional vetting methods can help reduce risk when choosing a new vendor, but they aren’t foolproof. Security teams also need a way to enforce compliance and mitigate risk in real time, not just during the selection process or a point-in-time review cycle.
One effective method for decreasing the impact of major supply chain attacks and improving the overall efficiency of supply chain operations is zero trust. Many security leaders rely on zero-trust principles, such as explicit verification, least privileged access, and assumed breach, to protect their supply chains and strengthen their cyber hygiene foundation. For example, attackers typically weaken the supply chain by exploiting gaps in explicit verification. They might target a highly privileged vendor account that isn’t protected with MFA or inject malicious code into a trusted application. Through zero trust, security teams can strengthen their verification methods and extend security policy requirements to third-party users, limit the impact of compromised resources, and increase threat detection and response times.
3. Creative Organizational Security Despite Talent Shortage
Finally, CISOs are focused on finding and retaining top talent as a result of the industry’s workforce shortage. The number of unfilled cybersecurity jobs grew by 350%, from 1 million positions in 2013 to 3.5 million in 2021. However, there’s also a push to make security everyone’s job — regardless of their positions within the organization or their level of knowledge about cybersecurity best practices.
To start, development teams, system administrators, and even end users should be familiar with the security policies that are relevant to them. Likewise, some CISOs have said they are deputizing employees outside of the security team by boosting and enhancing end-user knowledge of security threats. Employees and end users alike should know how to recognize common phishing techniques and the signs of more subtle cyberattacks. IT teams should also be kept in the loop and briefed on current security strategies. Focusing on automation and other proactive workflow and task management strategies is another easy way for CISOs to maximize their impact.
These three trends are only the tip of the iceberg when talking about where CISOs are prioritizing responsibilities; however, they paint a solid picture of the main concerns on their minds in today’s modern threat landscape. This is a great opportunity for organizations to reset and take a look at what they are prioritizing to determine whether they are properly protected.
Read more Partner Perspectives from Microsoft.