krimson-tech-group

Forbes - Cybersecurity Is a Business Risk

Tue, 05 Sep 2023 05:48:55 GMT

Forbes - Cybersecurity Is a Business Risk

Once the domain of the IT department, cybersecurity now encompasses the entire organization. From increasingly sophisticated cybercriminals and an exploding attack surface to heightened financial consequences of successful attacks and new cyber regulations, cyber risk is business risk—making cybersecurity a central element of board governance.

Emphasizing the importance of board involvement in cybersecurity, the U.S. Securities and Exchange Commission (SEC) proposed new rules in 2022 for public companies that, among other things, would require disclosure about the cybersecurity expertise of board members as well as the "board's oversight of cybersecurity risk and management's role and expertise in assessing and managing cybersecurity risk and implementing the registrant's cybersecurity policies, procedures and strategies."

What's more, the cost of a data breach has skyrocketed. According to a 2022 IBM report , the average cost of a data breach in the U.S. is more than $9 million. If that's not troublesome enough, cyberattacks also can result in data loss, downtime, a damaged reputation and customer churn—all of which affect a company's ability to operate as well as its bottom line.

Given this confluence of factors, many boards are navigating unfamiliar territory as they work to find directors with cyber experience who can help manage risk. Here are a few suggestions to help companies' board directors and C-suite along their journey of security and resilience.

Shift Your Mindset

For too long, boards and members of senior leadership have generally dismissed cybersecurity because many of them viewed it as a cost center and business inhibitor rather than a business enabler. It comes down to educating the board and senior leadership on the inherent risks of being cyber complacent.

Companies adopting this mindset typically do what is required to check the box on the compliance front but fail to put security and resilience strategies in place until they're forced into action by a cyber incident. By then, it's too late.

Similar to other data loss events such as hurricanes and data center outages, cyberattacks are a predictable problem. It's no longer a matter of if a business will be hit but when. In this new reality, board members need to view cybersecurity through a new lens. A strong cybersecurity posture is a powerful way to ensure business resilience in the face of any type of data loss event.

Identify The Crown Jewels

With this new mindset, the organization can start getting proactive about cybersecurity and resilience. However, it's important to note that the attack surface of a company has grown considerably with the cloud, bring-your-own-device trend, work-from-home movement and other digital transformation initiatives that it's now impossible to protect everything within an organization.

To make things more manageable, board members should work with IT and security teams to identify the assets—data, systems and processes—that cybercriminals are most likely to target, allowing the organization to focus on protecting those first.

Put A Plan In Place

With a newfound understanding of the most critical assets, board members can determine their appetite for risk and work with senior leadership as well as the IT and security teams to implement security and resilience strategies accordingly.

Plans should be based on the company's current IT and business landscape. They should include processes to address weak points in the organization's security posture as well as basic technologies such as identity controls, multifactor authentication, vulnerability management, anti-malware, patching, encryption, application whitelisting, monitoring, network segmentation and data loss prevention.

The more processes a company has in place, the greater the risk. Threat actors rely on organizations not keeping tabs on the sometimes hundreds of processes that go unchecked and unmanaged, making them a gateway into an organization.

Enforce Governance

Ensure security teams implement monitoring and benchmarks in order to keep tabs on how cybersecurity and resilience plans are performing, how they may need to be adjusted to align with changing business demands and security threats and how they are enabling the business with secure operations.

Learn From Every Incident

Even with strong cybersecurity and resilience plans in place, no company is immune from cyber risk. If a cyber incident happens, instead of playing the blame game, take it as an opportunity to improve the business. Gather all stakeholders involved, assess what went wrong and determine strategies to prevent it from happening again. Every incident, good or bad, should be a part of your incident response playbook.

Cyber risk is a business risk that board members can't afford to take. From evolving the way leaders view cybersecurity to ensuring IT and security remain integrated with the business to providing oversight on tools and processes that will mitigate risk, boards have the opportunity to pave a path of resilience. When a company is able to stand up to any cyber event, security transforms into a business driver—and growth is the ultimate goal of every board.

CISA’s Roadmap for Artificial Intelligence

Tue, 05 Sep 2023 05:47:58 GMT

CISA’s Roadmap for ARTIFICIAL Intelligence

The security challenges associated with AI parallel cybersecurity challenges associated with previous generations of software that manufacturers did not build to be secure by design , putting the burden of security on the customer. Although AI software systems might differ from traditional forms of software, fundamental security practices still apply.

As noted in the landmark Executive Order 14110, “Safe, Secure, And Trustworthy Development and Use of Artificial Intelligence (AI),” signed by the President on October 30, 2023, “AI must be safe and secure.” As the nation’s cyber defense agency and the national coordinator for critical infrastructure security and resilience, CISA will play a key role in addressing and managing risks at the nexus of AI, cybersecurity, and critical infrastructure.

CISA’s Roadmap for Artificial Intelligence

CISA has developed a Roadmap for Artificial Intelligence, which is a whole-of-agency plan aligned with national AI strategy, to address our efforts to: promote the beneficial uses of AI to enhance cybersecurity capabilities, ensure AI systems are protected from cyber-based threats, and deter the malicious use of AI capabilities to threaten the critical infrastructure Americans rely on every day.

CISA will implement the Roadmap through five lines of effort:

CompTIA’s State of Cybersecurity Report 2024

Tue, 05 Sep 2023 05:47:38 GMT

State of cybersecurity

Cybersecurity is a constant balancing act. For years, the tug-of-war has been framed as a contest between security and convenience. Today, a new challenge is emerging.

The conflict is not so much with convenience as it is with progress. As organizations go through digital transformation and tie technology initiatives tighter to business success, excessive cybersecurity efforts can hinder overall progress. CompTIA’s 2024 State of Cybersecurity report explores the many variables that must be considered in balancing the cybersecurity equation.

Market Overview: The Current State

The simplest way to describe both the corporate stakes for cybersecurity and the challenges involved in crafting cybersecurity policy is to say that the scale has grown dramatically.

From a threat landscape perspective, companies can see that the number of cybercriminals is skyrocketing, their organizational ability is growing and the potential damage from a cyberattack can be catastrophic.
From an information security perspective, there is far more data being captured, with both privacy implications for customers and operational risk for internal workflows.
From a product perspective, generative artificial intelligence (AI) is accelerating capabilities, often making the skill gaps at organizations even wider.

Our approach to defending cyberspace is changing – and we’re starting to see these changes having an effect:

In 2022, only 25% of survey respondents felt that the overall state of cybersecurity in the economy was improving dramatically. In 2023, that number increased to 27%.
In 2022, only 24% of respondents said their organization’s cybersecurity was completely satisfactory. In 2023, that number grew to 28%.

But information technology (IT) staff and cybersecurity professionals have a different perspective than executive stakeholders:

More than 4 in 10 executives report being completely satisfied.
But just 25% of IT staff and 21% of business staff share that sentiment.

Even with small gains in satisfaction, there is still plenty of room for improvement. The next stage of maturity involves establishing and refining cybersecurity operations, using strategic policy and processes to drive tactical actions around people and products.

Policy: Risk Management Is the Driving Force Behind Cybersecurity

Risk management is becoming the primary method for solving one of our greatest challenges: The connection between cybersecurity strategy and business operations.

When cybersecurity professionals:

Identify various risks
Assign the probability of cyber incidents
Determine potential cost
Propose incident response plans

The link between cybersecurity spending and desired outcomes gets stronger.

Do You Need a Formal Risk Management Framework? See what our respondents are doing:

One of the best reasons to use a formal framework is to help identify areas that may lie outside traditional IT system architecture.

Beyond technical topics, thorough risk analysis also examines policies and processes that may have little to do with the IT team.

Process: Cybersecurity Processes Drive a Wide Range of Decision-Making

Following a comprehensive risk management discipline, both building cybersecurity processes and integrating cybersecurity into business workflows drives many functional decisions.

1. Cybersecurity is becoming a primary factor when evaluating new technology.

Fifty-eight percent of companies view cybersecurity as a main consideration when assessing new initiatives. But firms are still treating cybersecurity as a secondary factor, or even an afterthought, opening the ecosystem to vulnerabilities and cyber risk and cybersecurity incidents.

2. Cybersecurity is impacting other business activities.

We see this happening in a few ways:

Threat intelligence now includes new types of cyber threats like social engineering and ransomware attacks that highlight the intersection of technology and reality.
The web of regulatory issues and government agencies overseeing digital business is driving organizations to become more cognizant of how they conduct business.
As remote and hybrid work continues, the responsibility of the individual employee to maintain secure practices, via workforce education , has never been higher.

3. The goal of a cybersecurity process is to align with the principles of a zero trust framework.

Although only 28% of firms identify a zero trust framework as part of their cybersecurity strategy, there are more firms following individual practices that are commonly included in a zero trust approach.

People: Talent Pipelines Get Stronger as Firms Build Skill Resilience

The cybersecurity workforce is growing. There were 660,000+ cybersecurity-related job openings in the United States between May 2022 and April 2023 – a 28% increase from the same time period in 2020 during the pandemic.

What’s Your Biggest Cybersecurity Challenge? See what our respondents said:

The top challenge in pursuing cybersecurity initiatives is now cybersecurity skill gaps. One strong option for bridging that gap is to bring in less experienced cybersecurity professionals who continue building their skills while becoming familiar with your corporate culture and objectives.

Regardless of the hiring pathway, there are bound to be some skill gaps that remain when new individuals are brought into an organization or when internal employees transition to cybersecurity from a previous role.

Developing a regular skill assessment regimen based on industry expertise and best practices is a key step in understanding the exact nature of the gaps that need to be filled.

What About Using Third Parties? See what our respondents are doing:

Today, organizations are taking a more comprehensive approach to selecting providers to protect their critical infrastructure. End users are looking for outside firms who understand modern cybersecurity threats, endpoint mitigation and have access to threat intelligence.

Product: AI Drives the Cybersecurity Product Set to New Heights

Generative artificial intelligence (AI) has been the buzz. Many believe this new wave of AI is the biggest tech paradigm shift in decades. But many companies have been using AI for some time:

56% of respondents indicate they already work with AI and machine learning (ML).
36% say they have not worked with AI or ML but are exploring the possibilities.

What Are the AI Possibilities for Cybersecurity? See what our respondents said:

Of course, AI is like other emerging technologies. It’s not a standalone product by itself, but rather an embedded component of other products:

Our cybersecurity resources have been steadily expanding over the past few years, and now the challenge of managing a wide variety of cybersecurity tools is compounded by weaving AI capability into each one.

Download the full report

Methodology

This quantitative study consisted of an online survey fielded to business and IT professionals involved in cybersecurity during Q2 2023. A total of 511 professionals based in the United States participated in the survey, yielding an overall margin of sampling error at 95% confidence of +/- 4.4 percentage points. For international regions (ANZ, ASEAN, Benelux, DACH and UK/Ireland), a total of 125 professionals in each region participated in the survey, yielding an overall margin of sampling error at 95% confidence of +/- 8.9%. Sampling error is larger for subgroups of the data.

As with any survey, sampling error is only one source of possible error. While non-sampling error cannot be accurately calculated, precautionary steps were taken in all phases of the survey design, collection and processing of the data to minimize its influence.

CompTIA is responsible for all content and analysis. Any questions regarding the study should be directed to CompTIA Research and Market Intelligence staff at research@comptia.org.

CompTIA is a member of the market research industry’s Insights Association and adheres to its internationally respected Code of Standards and Ethics.

About CompTIA

The Computing Technology Industry Association (CompTIA) is a leading voice and advocate for the $5 trillion global information technology ecosystem and the estimated 75 million industry and tech professionals who design, implement, manage and safeguard the technology that powers the world’s economy. Through education, training, certifications, advocacy, philanthropy and market research, CompTIA is the hub for advancing the tech industry and its workforce.

CompTIA is the world’s leading vendor-neutral IT certifying body with more than 3 million certifications awarded based on the passage of rigorous, performance-based exams. CompTIA sets the standard for preparing entry-level candidates through expert-level professionals to succeed at all stages of their career in technology. Through CompTIA’s philanthropic arm, CompTIA develops innovative on-ramps and career pathways to expand opportunities to populations that traditionally have been under-represented in the information technology workforce.