About half of CISOs say that their organisation is unprepared to cope with a coordinated attack. So they’re investing heavily to manage the risk. Deloitte reported that firms spend over 10% of their annual IT budget on cybersecurity. That works out at about $2-5 million per year for a typical enterprise.
The cybersecurity industry is very good at selling tools to help prevent an attack. According to research from Dynatrace, 75% of CISOs are concerned about application vulnerabilities. Every product has to be licensed, of course, but also managed – which means additional headcount, training, tuning and integration – all at a time when CISOs are struggling to find the qualified staff they need.
Most damning of all is that this huge investment in cybersecurity hasn’t paid off. The fact that two-thirds of CISOs say that they expect to suffer a ransomware attack at least once in the next 12 months is ample evidence of this. More galling still – of those forced to pay the ransom when their defences weren’t able to prevent the attack, 92% aren’t able to recover their data.
It’s time to admit that prevention isn’t infallible
We need to change the way we approach cybersecurity. The ‘assume breach’ mentality adopted by our clients, or at least a ‘breach-ready’ one, isn’t defeatist; it’s common sense. Forward-thinking CISOs have learned that the fastest return on a security investment comes not from preventing an attack but from minimising its impact.
Let’s take a step back. The cause of successful breaches like ransomware is poor resiliency:
Failing to reduce the number of vulnerabilities across the attack surface.
An inability to respond efficiently, effectively and quickly.
So what happens in a ‘prevent’-oriented business when the moat is crossed, the wall is scaled and system security is compromised?
The security team identifies the attack and logs a ticket with the IT department, who restore a backup – assuming that it hasn’t also been rendered unusable by the attacker. Unfortunately, the backup still contains the vulnerability leveraged by the attacker or, even worse, it retains artefacts from the attack, such as the administrative accounts the attacker created to run their code.
Enterprises and government agencies need a more integrated and iterative approach in which backups actually provide incident responders with a digital forensics timeline of the actions taken by the attackers. Vulnerabilities can then be hunted down and systems recovered without fear of further downtime or double extortion.
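As an added illustration of the point above (not code from the original post), the snippet below treats a series of backup snapshots as a forensic timeline: it diffs the account inventory captured in each snapshot to show when accounts appeared or gained admin rights, and picks the last restore point whose admin set matches the organisation’s known administrators. The snapshot data, dates and account names are constructed sample values, and the idea of a `known_admins` allow-list is an assumption.

```python
"""Added example: build a timeline of privileged-account changes from a series
of backup snapshots, so the chosen restore point predates attacker artefacts.
All snapshot contents below are constructed sample data, not real backups."""
from datetime import date

# Constructed: each snapshot maps username -> is_admin, as captured at backup time.
SNAPSHOTS = {
    date(2024, 3, 1): {"alice": True, "bob": False, "svc-backup": False},
    date(2024, 3, 8): {"alice": True, "bob": False, "svc-backup": False},
    date(2024, 3, 15): {"alice": True, "bob": True, "svc-backup": False,
                        "support-tmp": True},
    date(2024, 3, 22): {"alice": True, "bob": True, "svc-backup": True,
                        "support-tmp": True},
}


def account_timeline(snapshots):
    """Return (date, event, username) tuples describing when accounts were
    created, elevated to admin, or removed between consecutive snapshots."""
    events = []
    previous = {}
    for when in sorted(snapshots):
        current = snapshots[when]
        for user, is_admin in current.items():
            if user not in previous:
                events.append((when, "admin-created" if is_admin else "created", user))
            elif is_admin and not previous[user]:
                events.append((when, "elevated", user))
        for user in previous:
            if user not in current:
                events.append((when, "removed", user))
        previous = current
    return events


def last_clean_snapshot(snapshots, known_admins):
    """Return the latest snapshot date, before the first unexpected admin
    appears, whose admin set is within known_admins (assumed allow-list)."""
    clean = None
    for when in sorted(snapshots):
        admins = {user for user, is_admin in snapshots[when].items() if is_admin}
        if not admins <= known_admins:
            break  # stop at the first snapshot that already carries the artefact
        clean = when
    return clean


if __name__ == "__main__":
    for when, event, user in account_timeline(SNAPSHOTS):
        print(when, event, user)
    print("last clean restore point:", last_clean_snapshot(SNAPSHOTS, {"alice"}))
```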
With traditional exfiltration-orientated cyber attacks, CISOs were largely concerned with the impact of secondary losses: reputation, regulatory fines and litigation. Unless you caught the incident in progress, these were largely a sunk cost. The damage had already been done, although the more negligent the response, the more litigation you could face.
With ransomware, the CISO is now responsible for primary losses: the inability of the organisation to deliver its primary mission and service its customers. Now, every second counts as money fails to flow into the business, as critical services aren’t provided by a hospital, as a whole downstream supply chain is impacted. Sophisticated security teams detect and prevent what they can, managing the attack surface, understanding their adversaries and responding to high-fidelity, high-confidence alerts. But more and more resources are being diverted into tools that help them recover quickly from attacks.
Digital transformation is good for security
Many organisations are undergoing a massive journey moving their data and apps to the cloud, and many of their tools are transitioning to software-as-a-service (SaaS) subscription models. Some CISOs have been content to stand by and watch, with security deemed too strategically important to cede any control. This is a mistake and a lost opportunity.
First, the cloud provides a much better understanding of what we’re protecting, with the context of each asset often being captured at instantiation. Contrast this with the process of deploying a physical server, networking and a software stack, where asset registers can be sketchy and incomplete.
More importantly, the cloud will do a better job of securing many elements of the estate, as long as the right process and governance are in place around the architecture and configuration of those platforms. Economies of scale mean that service providers can invest in the kinds of defences that individual enterprises can neither afford nor maintain.
This means a shift in focus. We’ve entered an era of shared responsibility, where CISOs must determine who should be accountable for what. Where appropriate, assets should remain under the organisation’s direct control; here the CISO’s remit will encompass devising policies and training users, as well as implementing and managing the security stack.
Information security leaders will need to spend more time performing due diligence on service providers, understanding their role in the shared responsibility model before entrusting security responsibility to the service provider, and verifying that the appropriate measures are in place.
Cybersecurity vendors have long spun a narrative focused on ‘prevent and detect.’ CISOs may struggle to relinquish control to third parties potentially shrinking their teams and budgets – it’s a question of how you, and the business, judge yourself. Is it the size of your span of control and spend, or running an effective and efficient capability that aligns with the business?
But change is inevitable. An unwieldy stack of too-similar tools is not only inefficient, it’s failing.
Enterprises must adopt a Zero Trust, ‘assume breach’ mindset, and learn how best to minimise impact. CISOs need to embrace digital transformation and share responsibility for securing the estate. The result will be a more efficient security operation and a more resilient business.
To learn more about building a cyber resilient data security strategy and how to prepare a rock-solid ransomware recovery plan, download our “The Best Defence Against Cyber Threats” guide here.