According to PwC's recent annual CEO survey, CEOs across the globe rank cybersecurity risks as a bigger concern than the ongoing Covid-19 pandemic, economic volatility, or even climate change. The survey, which covered 4,446 CEOs from 89 countries and territories, offers specific data points for Asia-Pacific, India, Mexico, Central and Eastern Europe, and Malaysia, among other regions. The growing attention that cybersecurity is receiving comes against the backdrop of a steep rise in cyberattacks globally and in the regions mentioned above.
Rising cyber concerns also underscore the growing role of CISOs across sectors. With increasing geopolitical tensions in Ukraine, the UAE, and other parts of Asia, cybersecurity leaders and CISOs are also contending with challenges such as:
- Rising regulatory requirements
- Strained budgets
- Lack of resources
- Compartmentalization of security across organizational silos
- Talent shortages
- Specific organizational cybersecurity posture concerns that are not on the Board's radar
- Burnout and fatigue from the pandemic and the disruption it has caused
The role of the CISO has evolved over the last few years, with businesses giving CISOs a larger say in how the organization is run and a voice in the decisions of the board. However, in many institutions the post of CISO has only just been created, or the role depends heavily on other, non-C-suite positions, so the support CISOs receive is often late or inadequate.
What can CISOs do to address such challenges?
- Democratize cybersecurity: run bug bounty programs and tabletop exercises that involve employees across the organization, and bring more stakeholders from across decision-making layers and teams into every cybersecurity program.
- Pay attention to vulnerabilities: running vulnerability scans in a disciplined manner and acting promptly on the weaknesses and gaps they identify goes a long way toward increasing the distance between your assets and a cyber adversary. Pair this with other measures such as micro-segmenting networks, defining zones by criticality, and maintaining an up-to-date inventory of all assets and their functions; an unscanned asset that is missing from the inventory is the one an attacker finds first.
- Promote a culture of proactive compliance: many controls in frameworks such as NIST, NERC CIP, IEC 62443, and Zero Trust architectures can be implemented with modest effort by adjusting operating processes, workflows, and inter-device interactions. Such measures can be taken up for immediate execution, and should then be repeated routinely and ingrained in the culture of the organization. (Check out our compliance kits for more information on how to get this done.)
- Build and track cybersecurity checklists: across facilities and systems such as SCADA, PLC, industrial control systems, health and safety systems, remote management systems etc.
- Address institutional inertia: this is especially true of businesses that have been around for a while. Decisions taken to counter emerging threats to critical assets may get stuck in layers of decision-making within the organization. By the time the decision is finally taken, it may be a case of too little, too late.
- Pay extra attention to convergence zones: IT-OT and IT-IoT convergence zones, and any other place where different technology streams overlap, should receive additional cybersecurity attention.
- Track API usage: while APIs ease integration challenges, they are also among the largest attack surfaces an organization exposes, and attackers have used exposed APIs as entry points into target networks. Inventory the APIs your organization exposes and consumes, and check whether any of them are leaking data or access.
- Clearly define tangible risks and provide solutions: CISOs have been doing this for a while, and it is now time to take it further. Identify scenarios that could harm institutional credibility and trust, link each one to the specific weaknesses or cybersecurity gaps that would enable it, and propose a solution for each gap.
- See what your peers are up to: learn how they are dealing with similar challenges.
- Watch out for regulatory advisories: in the last three weeks there has been a flurry of advisories from various regulators connected with the ongoing Russia-Ukraine crisis. Such advisories can be passed on to all employees and used to build awareness of the need to stay alert.
- Study the cybersecurity practices of your vendors and supply chain partners: this may provide fascinating insights for improving your own cybersecurity posture. Recommending ways to address gaps in your vendors' and partners' posture may also earn you more cooperation in the future, whether you are dealing with a cybersecurity event or meeting a regulatory demand.
- In sectors such as oil and gas, manufacturing, and utilities, cybersecurity audits should be conducted with the same level of diligence that goes into a health and safety or environmental safety audit.
- Avoid burnout: delegate tasks beyond your immediate team. Identify cybersecurity champions from across teams and get them to help your team promote a cybersecurity culture of excellence and diligence
Try our rich IoT and OT-focused cyber threat intelligence feeds for free, here: IoT and OT Focused Cyber Threat Intelligence
Planning to upgrade your cybersecurity measures? Talk to our IoT and OT security experts here: Reach out to sectrio.
Visit our compliance center to advance your compliance measures to NIST and IEC standards: Compliance Center