A Question of Doubt – Cyber Defense Magazine

The cyber security crisis of confidence amongst CISOs and CIOs — and how to overcome it.

By Gary Penolver, Chief Technology Officer at Quod Orbis

I’ve worked closely with CISOs and CIOs throughout my career. As a result, I’ve gained a strong understanding of the specific challenges they face in their organisations and I think I’ve become pretty good at gauging their collective state of mind. And what I’m picking up concerns me.

In general, I’ve noted a crisis of confidence amongst CISOs and CIOs. By which I mean, a lack of confidence in their organisation having sufficient defences against cyber attacks — be that because of a lack of budget for the required tools, existing tooling being configured ineffectively, a lack of control and visibility of their assets, human errors and lapses or a combination of all of these things and more.

Of course there are numerous factors that, in recent years, have heaped pressure on IT departments and those responsible for ensuring that IT systems and digitally connected assets are at once accessible and secure.

The partial transition to the cloud means that organisations are wrestling with hybrid architectures that mix cloud-based systems and both legacy and more recent on-premise systems. Added to this, there’s the need to service a hybrid working model — a model accelerated by the Covid pandemic, and that has grown out of a desire from board-level to offer flexible working as a benefit.

It’s all a massive responsibility, so no wonder it weighs heavy on CISO and CIO minds and shoulders; and no wonder confidence levels are low.

The most common challenges

Let me give some specific examples:

CISO/CIO’s worry about their IT colleagues turning off critical defences in order to fix something for someone. Of course, they are trying to do the right thing in the context of their remit. But how long will those defences be down? Have other stakeholders been consulted and advised? Will these defences be turned on again? Will they be reinstated correctly? Will all this be documented and findings shared?

Then there are common cloud computing conundrums: SaaS product behaviours are changing all the time. Take Microsoft’s O365 for instance. Organisations think they have secured it once, but then a raft of changes/improvements are released. And these changes come on a regular basis, of course, because that is one of the advertised ‘benefits’ of applications in the cloud. Unless you keep on top of all this, new holes and vulnerabilities will keep appearing, and that previous ‘hardening’ work you did could be undone.

The cumulative effect is that CISOs and CIOs are deeply concerned about their organisation’s ability to stay one step ahead of potential cyber security breaches.

If this all sounds like the adage ‘swimming against the tide’— well, that’s because it is for the many organisations that do not yet have an effective solution.

The core issues.

If one had to distil everything down to one root cause, it’s this: a dramatically increased attack surface.

This brings difficult choices. Do you need more budget, more people and more tools to secure it all? Or do you have to choose what to secure properly? Or is there another solution, maybe?

But there’s an even bigger, underlying problem in that most organisations already struggle to do the basics correctly. By the basics, I mean not only patching, backups, vulnerability management and so forth, but also defining and ring-fencing their assets as a whole or their ‘Crown Jewels’ (and note that this isn’t yet about “protecting” assets, but simply “defining”). As CISOs and CIOs know only too well, this isn’t a trivial matter.

Added to which, the situation isn’t helped in ‘big enterprise’ where M&A activity further extends the sprawl of technology and pitches together differing approaches, processes and controls.

Also, the speed at which an organisation needs to digitise its business or accelerate that digital transformation leaves cyber/security playing catchup. Despite all the good talk about DevSecOps and introducing security earlier in the software development life cycle, there still isn’t enough focus on ‘baking in’ security from the get go.

Increased cyber security confidence with Continuous Controls Monitoring

So what’s the solution for increased security and confidence? In short, three words:

Continuous Controls Monitoring (or CCM).

CCM is a Gartner-recognised solution that, if selected wisely, can provide complete controls visibility for an organisation in a single source of truth.

The point of CCM, is that it can pull all of your assets together, so all your controls — and that single source of truth — can be monitored in a single source of truth with consistent, reliable reporting that can be pushed up to the board and easily understood.

The CISOs and CIOs I speak to are genuinely concerned by what one could describe as a pincer movement. On one front there is increasing alarm about how easily cyber criminals are accessing corporate systems these days; and on the other front there is an increasing fear about how complex their hybrid of corporate systems and controls has become and how difficult it is to manage and control it all with often limited resources and scarce skills.

CCM is the strategic solution that many see as the means of winning these battles. As I said, it’s about pulling everything together into a single version of the truth.

The crisis of confidence to which I refer in this article is entrenched. But it doesn’t have to be this way.

CISOs and CIOs, and others whose jobs involve guarding against cyber attacks and related vulnerabilities, clearly need greater visibility of their assets and greater confidence in the technologies and the processes they are using to achieve their aims.

About the Author

Gary Penolver is CTO of Quod Orbis.  He has over 15 years’ experience in senior technology roles, and has been closely involved in starting and taking two technology companies to market. Gary can be reached online at gary.penolver@quodorbis.com and at our company website https://www.quodorbis.com.