External Threat Management

The CISO as a Security Intelligence Asset

Through 2020, the pace of digitalization has only increased as the global pandemic has forced businesses to accelerate the trend of moving assets online. However, as companies shift their infrastructure into the vast and poorly mapped territories of the web, hostile actors are looking to exploit vulnerabilities to gain entry into company networks – often to devastating effect.

The responsibility of keeping an organization safe falls upon the CISO and their security team, but as the cybersecurity climate has worsened – and threats have grown more sophisticated – simply preventing an attack is no longer enough. CISOs must now act as an intelligence asset to their organization and contextualize attacks to the broader company. COVID-19 has brought together two tangents that have both exacerbated the risk posed to organizations online.

First, digitalization by its very nature widens a business's online attack surface – the web-facing company assets through which cybercriminals can trespass into the company network. Second, the world is on uncertain footing, and anxieties in the populace are a boon to those looking to exploit fear via social engineering attacks. Even with the public health crisis abating in some areas of the world, there are additional risks as previously distributed devices are brought back into the fold of the company network.

Since the heralding of general data protection regulation (GDPR) legislation, the paradigm surrounding cybersecurity has been changing from simply a maintenance cost to a defining feature of company operations.

Today, a high-profile cyberattack can exact devastation upon consumer confidence and a company's brand and earn the organization a hefty fine in the process. Amid the cybercrime pandemic, it should be clear to forward-thinking CEOs and board members that money saved on cybersecurity solutions may be lost tenfold in the case of a successful attack.

When the seriousness of the situation is understood by company leadership and the appropriate funds allocated to cybersecurity, the expectation then lies entirely on the CISO to guarantee the organization's safety online. More so than ever, they are their company's defenders in a shadowy war being fought across the nebulous boundaries of the web.

In this battle, the CISO must defend against nation-state-funded threat actors conducting corporate espionage or sabotage against Western companies. In recent years, Western intelligence agencies have recognized countless attacks stemming from their perennial adversaries, China, Russia, and Iran. Amid the political point-scoring, online criminal syndicates are growing ever more sophisticated in targeting the valuable troves of data companies are tasked to safeguard.

The task of online protection was mammoth even before the global pandemic threw industries into disruption. Still, remote working scenarios have added another layer of complexity with which security teams have to contend. Rapidly stood-up IT infrastructure has allowed bad actors a wealth of targets: vulnerable or misconfigured remote access points, cloud assets, and shadow IT stood up outside the purview of security teams.

When an attack occurs through these vectors, CISOs must be able to identify where it originated, who is responsible, and why the company was a target. Even more importantly, they must answer whether the company is still under attack or if more attacks are likely in the future.

From Prevention to Investigation

Given the scope of the security challenge, the onus is on CISOs to adapt their role to that of investigators. Company leadership will expect security teams to divulge the origin and nature of a threat, related indicators of compromise (IOCs) to prevent future targeting, and the motives behind an attack. These expectations must be upheld if the company has invested significant resources into its security teams.

The key to a successful investigation lies in recognizing the specific traces that can betray a cyberattack's identity. An attack on digital infrastructure will leave forensic clues in the domains, IP addresses, certificates, and other areas of the network. Upon these clues, a thesis can be built as to how an attack happened and why.

Building on forensic clues, a comprehensive cybersecurity investigation conducted by the CISO must go beyond the security team's remit. Although security teams are traditionally segmented from company operations, holistic knowledge of an organization's footing and trajectory can communicate telling clues as to where an attack upon it might have originated.

A successful investigation may even have to break from the confines of the organization itself – hackers often attack multiple organizations in one swoop, and this information will build a whole picture towards the purpose of the attack.

A Collaborative Approach

As the cybercrime wave spurred by the pandemic has heightened the already perilous stakes of a CISO's role, they must be genuinely supported by their organization. A cyberattack can now threaten every aspect of a company, from day-to-day operations to consumer trust. It is upon the company leadership to invest in the security infrastructure required to equip the CISO to keep the organization safe. It is upon the CISO to move deftly and effectively in attributing cyberattacks.

Read more on how threat intelligence can be an asset to the CISO, and visit RiskIQ's Threat Intelligence portal to get the intelligence you need to defend your unique organization.
