Why CISOs are continuing to face increasing pressure

Government-led digital transformation initiatives are catalysing the adoption of cybersecurity in both public and private sectors. For example, the UAE recently updated its National Cybersecurity Strategy with 5 pillars and 60 initiatives to mobilise the country’s cybersecurity ecosystem.

The region’s rapid adoption of advanced technology, such as hybrid cloud, mobility, and the Internet of Things, is driving the digital business on a large scale, but in the meantime expanding the cyberattack surface. In Q1 2019, for example, Trend Micro blocked more than 7.4 million email threats and 402,780 malware threats; and over 1.7 million malicious URLs were accessed, in the UAE alone.

While GCC boardrooms are knowledgeable about cybersecurity, the cyber skills gap is holding them back. In the UAE, for example, one recent report shows that 52% of organisations struggle to find quality hires. This IT and cybersecurity skills shortage is not limited to the UAE. Another recent global report shows that 80% of employees do not have the skills for their current and future careers.

Numerous organisations from the public and private sectors are digitally transforming. For example, organisations are increasingly moving to the cloud to optimise IT costs, maintain business continuity, scale up as their business grows, and foster new levels of collaboration and communication. However, moving to the cloud presents its own set of cybersecurity challenges, which require cloud-based security solutions.

Few GCC organisations know how to protect their cloud infrastructure, which is different from securing physical servers. Regional organisations are increasingly moving to hybrid cloud environments, which requires that they protect both on-premise and cloud infrastructures simultaneously. Securing data migration can be a complicated process. Researchers predict that cloud misconfiguration in data migration could lead to more data breaches in 2019.

Digital transformation comes down to three key factors: security efficacy, operational efficiency, and business enablement.

CISOs need to monitor and communicate cyber risks and implement technical controls and countermeasures. CISOs also need to put together the right personnel, skills, and processes. Organisations should eliminate process bottlenecks and ensure they can operate at peak performance. Organisations often connect their IT systems with third party systems to boost productivity. CISOs need real-time visibility to monitor business complexity and mitigate risk.

In discussions with CISOs, their biggest challenges include: empowering staff while mitigating risk; automating security processes to enhance incident response; increased regulatory pressure; an endless shortage of cybersecurity skillsets; technology vendor consolidation; and the rise in shadow IT expanding the threat landscape.

Organisations should focus on hiring CISOs who can stop cybercriminals by closing the gaps in the IT infrastructure. This requires CISOs to have experience, to be diplomatic, know how to hire and build teams, understand the business, and stay ahead of the curve.

CISOs need to set the cybersecurity strategy for the organisation. While some tasks can be offloaded to an external cybersecurity vendor, such as detection and response responsibilities, CISOs do need to understand the latest threats and trends out there, and also keep themselves updated on the newest technologies and how to integrate them into the existing IT infrastructure.

As GCC organisations undergo digital transformation, they are facing the reality that modern hybrid datacentre architectures, cloud adoption, evolving endpoints, and mobility, along with employees and third parties connecting to their network, will demand a lot more from IT security teams in 2019 and beyond. The most pressing cyber threat challenges require a deep understanding of the issues.

Phishing attacks will also markedly increase in 2019, along with a decrease in exploit kit activity. The successful exploit-based attacks will involve vulnerabilities for which patches have been available for weeks or even months but have not been applied yet. Meanwhile, in response to security vendor technologies, specifically the renewed interest in machine learning for cybersecurity, cybercriminals will use more malicious tactics to blend in.

As more enterprises migrate to the cloud, we will see cloud infrastructure vulnerability, especially as the open-source community digs deeper into cloud software. Modern hybrid datacentre architectures, endpoint end-user access, and mobility, will demand a lot more from IT security teams. The IT security skillset shortage will become more pronounced, with intelligent, efficient, and multilayered security becoming more critical. As the IT environment becomes more complex, an organisation’s security stash can grow bloated.

A typical organisation has an average of 15-20 cybersecurity solutions in place, and many of them are from different vendors. This has led to issues like visibility and management nightmare. Today, we are already seeing a bevy of organisations starting to request for integration – for these solutions to talk to each other and exchange threat information. In the near future, we will continue to see this happen not only in UAE, but also globally.

In today’s complex cyberthreat landscape, GCC organisations often use a variety of security products to protect against the onslaught of threats that are no longer one-to-many, but highly targeted. Managing the complexity and volume of disparate security solutions that typically do not integrate can become a daunting task.

As a result, threats are growing across organisations’ networks that may remain undetected. GCC organisations are looking for a different security approach that encompasses endpoint, network, and hybrid cloud security.

Fabio Picoli, Managing Director GCC, Trend Micro.

Key takeaways

  • A typical organisation has an average of 15-20 cybersecurity solutions in place, many from different vendors.
  • Organisations should focus on hiring CISOs who can stop cybercriminals by closing gaps in IT infrastructure.
  • Digital transformation comes down to three factors: security efficacy, operational efficiency, business enablement.
  • Managing the complexity of disparate security solutions that do not integrate can become a daunting task.
  • Few GCC organisations know how to protect cloud infrastructure, which is different from securing physical servers.
  • Researchers predict that cloud misconfiguration in data migration could lead to more data breaches in 2019.
  • Government-led digital transformation initiatives are catalysing adoption of cybersecurity in both public and private sectors.
  • While GCC boardrooms are knowledgeable, the cyber skills gap is holding them back.
  • As the IT environment becomes more complex, an organisation’s security stash can grow bloated.
  • GCC organisations are looking for a different security approach that encompasses endpoint, network, hybrid cloud security.

Managing the complexity and volume of disparate security solutions that do not integrate can become a daunting task.