In This New Era of Cybersecurity, CISOs Who Can’t Investigate Threats Won’t Last

In 2020, threat prevention alone won't be enough. The COVID-19 pandemic has revealed cybersecurity cracks in thousands of companies, which won't go away now that the world—and the way we work—has changed forever.

The recent surge in cyberattacks in the wake of the COVID-19 pandemic exploits global anxiety around the pandemic and the patchwork work-from-home setups of suddenly remote staff to hack organizations, infect them with ransomware, and attack their customers.

This unprecedented increase in opportunity for digital criminals has ushered in a new era of security, responsibility, and expectations for technical leaders. With breaches and other security incidents causing multi-million dollar losses, digital intelligence and cybersecurity have evolved from something of a maintenance cost into a full-fledged business input. CEOs and boards must know how their security postures affect their companies' trajectories. 

CISOs now find themselves as acting generals in a new kind of war, one in which the digital revolution—and the coronavirus that has sent it into overdrive—have created a surge of new combatants. Advanced nation-state actors are prowling digital attack surfaces of western businesses. Iran's cyberattacks in response to U.S. strikes, Russia's ongoing digital intrusions, and China's ever-looming digital armies—American companies lose more than $57 billion per year as a result of Chinese attacks—are just a few examples. Meanwhile, large organized cyber syndicates, more about making money than gathering intelligence or stealing IP, are growing in scale and sophistication and continually probe businesses for weakness. 

These bad actors work from home, too, and they are more than happy to take advantage of vulnerable or misconfigured remote access points and cloud assets, as well as shadow IT stood up outside the purview of security teams. To win this war and act as valuable assets to their companies, CISOs must become more proactive about threat detection and incident investigation—and be able to explain much more than the time and date of the attack. Even when intrusions are fended off, CISOs must also be able to tell where the attack came from, who was responsible, and why the company was a target. Most importantly, they must know whether they're still under attack. 

Investigations that reveal the cause and nature of attacks, related indicators to prevent future attacks, and, when possible, the actors behind them have become critical. CISOs who can't provide this essential context likely won't overcome the pandemic threat landscape, let alone that of the next ten years. By investing in new talent and technologies, tech officers can build the arsenal they need to respond quickly to threats, avoid becoming a future target, and steer their companies in the right direction. 

Leveraging Cyber Infrastructure Attribution Into Business Intelligence

Every attack leaves a trail, and every potential attack builds momentum before the strike occurs. Cyberinfrastructure attribution, the identification of actors responsible for cyberattacks and the infrastructure they use (domains, IPs, certificates, etc.), provides critical information for security teams to formulate appropriate responses when targeted.

CISOs should dedicate more resources toward this attribution. However, they must first break down the old ways of thinking that currently hold them back. 

Right now, most security teams operate in siloed departments. Company leaders deal with these teams infrequently unless under active threat. Security departments rarely report to broader business intelligence teams. When they do, their inputs are sometimes treated as afterthoughts, partly because they have not been trained to see themselves as valuable assets in times of peace.

Security teams cannot help companies grow when they are not responsible for understanding and sharing specifics. Instead of simplistic cause-and-effect reports, security teams should start asking bigger questions. Why did the attackers choose this company? What made this business such an attractive target in terms of value and vulnerability? Who identified those vulnerabilities first, and how did they see them before the company's employees could patch the hole? In most cases, hackers target multiple organizations at once, so security teams should compare their situations to those of others.

Looking ahead, expectations for CISOs and their security teams will evolve quickly. Cyberwarfare moves fast, and CEOs recognize both the potential danger of attacks and the immense value of reliable protection. As more breaches hit the headlines, more boards will want reassurance about their companies' abilities to prevent and respond to attempted invasions.

Acting Quickly in Crisis

Technical leaders should act immediately to protect their companies from threats of opportunity in the COVID-19 crisis. Before the pandemic ends, savvy leaders will:

  • Create a continuously updated inventory of all remote connections to sensitive data.
  • Purge access points that pose undue threats.
  • Provide employees with the necessary resources and workflows to protect company intelligence.
  • Identify and secure non-local data assets.
  • Weed out configuration errors caused by accelerated remote workforce rollouts.
  • Develop regular cybersecurity checks and updates for everyone connected to the network.
  • Educate employees on their role in threat prevention.
  • Build and practice a threat response plan.

When the pandemic finally ends, leaders who use this opportunity to strengthen their defenses will find themselves far better prepared for the new digital future than their competitors.

Changes on Three Sides

While CISOs attempt to establish themselves as reliable leaders in cyber attribution, other actors influence their decisions. On one side, CISOs and their teams attempt to improve their ability to investigate, attribute, and respond to threats. On another side, other leaders within businesses begin to view security as a business input instead of an expense (and adjust their expectations accordingly). Beyond company walls, regulators play a significant role in influencing how security leaders develop their infrastructures.

GDPR and California's new laws regarding consumer data protection both affect how companies must view the potential consequences of breaches. Great CISOs in the 2020s will not prove their value only by avoiding substantial fees, however. Real breaches carry real costs — in fines, in stock prices via lost investor confidence, and in the IP and actual data lost. By improving attack attribution methods and proactive hunting and investigations, CISOs can turn defense into offense and provide demonstrable value to their boards.

Circumstantial evidence will no longer suffice. The era of investigating attacks and providing accurate attribution has begun. As more businesses grapple with cyber threats, the CISOs leading the way will be the ones who understand their roles not just as protectors but as providers. 
