{"id":195,"date":"2024-09-11T06:00:00","date_gmt":"2024-09-11T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=195"},"modified":"2024-09-11T06:00:00","modified_gmt":"2024-09-11T06:00:00","slug":"immediate-threats-or-long-term-security-deciding-where-to-focus-is-the-modern-cisos-dilemma","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=195","title":{"rendered":"Immediate threats or long-term security? Deciding where to focus is the modern CISO\u2019s dilemma"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Cybersecurity has become a high-stakes balancing act \u2014 the modern CISO is under constant pressure to protect their organization from the latest threats,\u00a0including ransomware and phishing, while also <a href=\"https:\/\/www.csoonline.com\/article\/573945\/8-hallmarks-of-a-proactive-security-strategy.html\">developing long-term security strategies<\/a> and reporting to the C-suite and board.<\/p>\n<p>This means juggling immediate needs, such as patching vulnerabilities and responding to cyber incidents, with long-term goals, including adopting emerging technologies and developing a skilled cybersecurity team.<\/p>\n<p>This challenge is made worse by limited budgets and the need to justify the value of security investments to the business.<\/p>\n<p>Consequently, CISOs must figure out how to prioritize spending, allocate resources, and make data-driven decisions to meet both short-term and long-term security needs, which require a strategic balance between proactive and reactive approaches, Lisa Hall, CISO at SafeBase, tells CSO.<\/p>\n<p>Conducting thorough risk assessments to understand the likelihood and impact of potential threats is essential for this, she says.\u00a0This helps CISOs decide where to focus security 
efforts and ensure that spending on security aligns with their companies\u2019 goals.<\/p>\n<p>\u201cMoreover, investing in people is crucial; while tools and technologies are important, skilled personnel are necessary to implement, manage, and maintain these solutions \u2014 making human capital a pivotal element in a robust cybersecurity strategy,\u201d Hall says.<\/p>\n<h2 class=\"wp-block-heading\">Balancing immediate threat response with long-term vision<\/h2>\n<p>The rapid growth of new technology, such as AI,\u00a0along with complex laws,\u00a0global conflicts, and economic worries,\u00a0is making it difficult for companies to ensure they\u2019re protected from cyberattacks, says Harpreet Sidhu, Accenture\u2019s North America cybersecurity lead.<\/p>\n<p>\u201cAmidst this backdrop, CISOs must carefully balance addressing immediate threats, such as ransomware attacks, with long-term security needs, such as infrastructure upgrades,\u201d he says.<\/p>\n<p>To protect their companies from cyberattacks, IT security leaders should focus on the highest of risks, according to Sidhu.<\/p>\n<p>This means constantly checking the company\u2019s security, finding weaknesses, and prioritizing investments accordingly, he says. It\u2019s also important to work with other departments, such as IT and finance, to ensure that security initiatives help the entire company reach its goals.<\/p>\n<p>\u201cBy proactively addressing both immediate threats and long-term security needs, CISOs can effectively balance protecting their organizations from cyberattacks and ensure business continuity,\u201d Sidhu says.<\/p>\n<p>James Robinson, CISO at Netskope, says his strategy is based on a balanced approach that\u2019s tied to the annual planning process. 
The key is ensuring that the budget funds proactive security measures and quick responses to threats but also aligns with corporate goals.<\/p>\n<p>\u201cWhat this looks like is that we\u2019re prepared to address urgent threats like ransomware while simultaneously investing in governance and preventative measures to reduce our attack surface and incorporate emerging technologies,\u201d he says.<\/p>\n<p>For Robert Hughes, CISO of RSA Security, the key for any security team is balancing day-to-day tasks with long-term planning. The amount of time spent handling routine issues depends on the company\u2019s business and the security team\u2019s responsibilities.<\/p>\n<p>\u201cYou need to understand that and look for efficiencies because security leaders need to focus enough time to be diligent about strategic planning,\u201d Hughes adds.<\/p>\n<p>If a CISO is constantly putting out fires, they can\u2019t focus on strategic planning, Hughes says.<\/p>\n<p>\u201cAnd if a CISO is spending all their time firefighting, the question is are those really fires or can they wait awhile for you to put some of the right structure, documentation, and processes in place that reduce risk and get to the appropriate level of the security team\u2019s involvement,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Demonstrating security ROI for short- and long-term projects<\/h2>\n<p>Bryan Willett, CISO at Lexmark International, says that prioritizing security spending requires a delicate balancing act. 
\u201cWe must constantly assess the risk landscape, weighing the potential impact and likelihood of both immediate threats, [such as] ransomware and long-term vulnerabilities, [such as] outdated infrastructure,\u201d he says.<\/p>\n<p>It\u2019s often hard to get funding for security when the company hasn\u2019t suffered any cyberattacks because it feels abstract to decision-makers, Willett says.<\/p>\n<p>\u201cA key skill for any CISO is the ability to communicate effectively, turning technical terms into business language,\u201d he says.<\/p>\n<p>This involves explaining how a security issue could disrupt operations, harm the company\u2019s reputation, or cause financial losses, Willett says.<\/p>\n<p>\u201cUse examples of real incidents from the industry to make your point,\u201d he says. \u201cBy showing how security investments can prevent these risks, you can create a strong case for both short-term and long-term projects.\u201d<\/p>\n<p>Robinson says that the <a href=\"https:\/\/www.csoonline.com\/article\/571797\/the-apache-log4j-vulnerabilities-a-timeline.html\">Log4J zero-day vulnerability<\/a> was an event that challenged him to balance that immediate threat with his long-term security investments because addressing it required a major initiative from his team to identify, respond to, and mitigate the threat quickly.<\/p>\n<p>\u201cTo do this effectively meant I had to reallocate resources from long-term projects,\u201d he says. 
\u201cThis experience really underscored for me the importance of dual focus in security investments that enhance overall resilience.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Budget allocation: immediate vs long-term security<\/h2>\n<p>CISOs need to balance their budgets between immediate threat responses and long-term investments in cybersecurity infrastructure, says Eric O\u2019Neill, national security strategist at NeXasure and a former FBI operative who helped capture former FBI special agent Robert Hanssen, the most notorious spy in US history.<\/p>\n<p>While immediate threats require attention, CISOs should allocate part of their budgets to long-term planning measures, such as implementing multi-factor authentication and phased infrastructure upgrades, he says.<\/p>\n<p>\u201cThis balance often involves hiring incident response partners on retainer to handle breaches, thereby allowing internal teams to focus on prevention and detection,\u201d O\u2019Neill says. \u201cBy planning phased rollouts for larger projects, CISOs can spread costs over time while still addressing immediate vulnerabilities.\u201d<\/p>\n<p>Clare Mohr, US cyber intelligence lead at Deloitte, says a common approach is for CISOs to allocate 60 to 70% of their budgets to immediate threat response and the remainder to long-term initiatives \u2013 although this varies from company to company.<\/p>\n<p>\u201cThis distribution should be flexible and reviewed annually based on evolving threats,\u201d she says. 
\u201cLonger term should be thought of like R&amp;D \u2014 where in order to stay current on trends in threats and technology \u2014 time and money need to be invested to test and validate what new capabilities could provide a meaningful return on investments.\u201d<\/p>\n<p>Nicholas Kathmann, CISO at LogicGate, says that when resource planning, it\u2019s a good idea to have a certain percentage of staff time (30% is a good rule of thumb) dedicated to long-term projects vs the day-to-day work keeping the lights on. This makes it possible to respond to immediate threats effectively, with only minimal risk of impacting project timelines.<\/p>\n<p>\u201cMost immediate threat response involves config changes, patch management, compensating controls, etc., which don\u2019t require an immediate spend on new tooling or capabilities,\u201d he says. \u201cThat said, there should always be a percentage of the budget set aside for digital forensics and incident response, with the intention of tapping into cyber insurance for anything that exceeds that amount.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A real-world example of balancing immediate threats and long-term security<\/h2>\n<p>\u201cI worked with a CISO of a midsize financial services company, who faced a challenging situation when a new, sophisticated phishing campaign began targeting their industry,\u201d says AJ Yawn, partner in charge of product and innovation at Armanino.<\/p>\n<p>This immediate threat required significant resources to bolster the company\u2019s email security and employee training programs, he says. 
However, they were also in the middle of a crucial long-term project to implement a <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">zero-trust<\/a> architecture, which was essential for their overall security posture and future compliance needs.<\/p>\n<p>Yawn says that to balance these competing priorities, they decided the best approach was to:<\/p>\n<ol class=\"wp-block-list\">\n<li>Conduct a rapid risk assessment to quantify the potential impact of the phishing threat vs the risks of delaying the zero-trust implementation.<\/li>\n<li>Implement a phased approach, allocating additional resources to immediate phishing defenses while continuing the zero-trust project at a slightly reduced pace.<\/li>\n<li>Negotiate with the company\u2019s email security vendor to obtain advanced anti-phishing tools at a discounted rate, bundled with commitments for other security solutions needed for the zero-trust architecture.<\/li>\n<li>Use a managed security service provider to temporarily augment security operations center capabilities, freeing up in-house employees to continue work on the zero-trust implementation.<\/li>\n<li>Communicate transparently with the board about the trade-offs and risks associated with this approach, securing a 15% budget increase to support both initiatives.<\/li>\n<li>Accelerate the implementation of multi-factor authentication across all systems as part of the zero-trust project, which served both immediate phishing defense and long-term security improvement goals.<\/li>\n<\/ol>\n<p>The result of implementing this approach to balancing immediate threats and long-term security was a 70% reduction in successful phishing attempts and a 40% improvement in overall security posture within six months, Yawn says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Cybersecurity has become a high-stakes balancing act \u2014 the modern CISO is under constant pressure to protect their organization 
from the latest threats,\u00a0including ransomware and phishing, while also developing long-term security strategies and reporting to the C-suite and board. This means juggling immediate needs, such as patching vulnerabilities and responding to cyber incidents, with long-term [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":192,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-195","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/195"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=195"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/195\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/192"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}