CISOs should not bear the sole responsibility for ‘People Security’

Cybersecurity is no longer just the responsibility of the chief information security officer (CISO). In the ever-changing cybersecurity scenario, this is no longer a viable approach. Every liable person in the organization needs to be involved in protecting the company’s data and systems. Cybersecurity is everyone’s responsibility. Everyone in the organization, from the CEO to the front-line employee, needs to be involved in protecting the company’s data and systems. This means being aware of the latest cyber threats, following security best practices, and reporting suspicious activity. At Threatcop, we take care of all these cybersecurity needs under People Security Management (PSM).

The recent, 2023 Voice of the CISO report, reveals that a significant majority, 62% of CISOs express concerns about potential personal liability due to increased focus on incident response and governance. Additionally, an alarming statistic shows that three out of every five CISOs have experienced burnout in the past year. These findings underscore the mounting pressures and challenges faced by CISOs in their roles, highlighting the need for support and measures to alleviate the burden they carry.

The increased vulnerability of organizations to cyber threats can be attributed to the expanding attack surface caused by trends like remote work, cloud computing, and mobile devices. Additionally, the dynamic nature of these threats renders reliance on a single security solution inadequate. Consequently, there arises a necessity for a fresh PSM approach that encompasses the participation of every individual within the organization. In this blog, we will discuss the recent concerns of CISOs around the world and also the 5 step approach they suggest for effective people security.

Changing Landscape of the Cyber Threat

With never-before-seen attacks and tactics, recent studies demonstrate that as information security becomes more complex, CISOs are facing many challenges and burdens in their work. The recent study by Nominet– “Life Inside the Perimeter: Understanding the Modern CISO” shows that around 70% of CISOs have discovered malware hidden on their networks for an unknown period of time. 

CISOs have a more negative outlook on cybersecurity in 2023. They are less likely to think that their organizations are ready to defend against a targeted attack and more likely to think that they are vulnerable to cyberattacks. The 2023 Voice of the CISO report shows that CISOs are more concerned about cyberattacks than they were a year ago. Almost 68% of CISOs feel that their organizations are at risk of a material cyberattack, up from 48% in 2022. A most strange revelation is that 3 in 5 CISOs said their organizations are unprepared to cope with a targeted attack, up from 50% in 2022.

Artificial intelligence (AI)–powered phishing has become a major problem in the current era of cyber threats. Hackers are using sophisticated AI methods to design complex phishing attacks that may trick even the most observant consumers. Because they can result in data breaches, financial losses, and reputational harm, these attacks offer a serious threat to both organizations and individuals. AI can, however, also be used as a defense mechanism. Additionally, CISOs are quickly realizing how crucial it is to use AI and other cutting-edge methods to improve their cybersecurity skills and keep up with changing threats. 

Ensure Cybersecurity Culture and Employee Awareness

Any organization that wants to safeguard its assets- humans must have a security-conscious culture. As a result, everyone working for the company—from the CEO to the entry-level employee—must be aware of their role in maintaining security.

If we look at the recent surveys, they all direct towards a lack of cyber security culture.

• Research by IBM found that 95% of cyber security vulnerabilities are due to human mistakes. In other words, 19 out of 20 cyber breaches might not have happened at all if human error were completely eradicated. 
• 70% of organizations do not have a comprehensive cybersecurity plan in place.

These data show that cybersecurity is not just a technical issue. It is also a cultural issue. 

According to the 2019 report from the National Centre for Cyber Security, the data paints a concerning picture. It reveals that “123456” continues to be the most commonly used password globally, which poses a significant security risk. Furthermore, the report indicates that a staggering 45% of individuals reuse their main email account password for other online services. 

These findings underscore the critical need for increased awareness and education regarding password security to mitigate the potential vulnerabilities associated with weak passwords and password reuse. Organizations need to create a culture of security awareness where everyone is responsible for protecting the organization’s data and systems. This means that everyone needs to be trained on security best practices and that the organization needs to have a comprehensive security plan in place. Employees who lack basic steps or knowledge of cybersecurity measures at the organization can lead to an easily targeted cyber attack such as the Coinbase data breach. When everyone in the organization follows cybersecurity as a norm it can never be a burden on the organization. 

Read More- Top 5 Cyber Attacks and Security Breaches Due to Human Error

CISO suggests 5 step approaches to stay ahead

Speaking at a cybersecurity fest conducted by The Economic Times, Dr. Saurabh Gupta, Joint Secretary, National Intelligence Grid, Ministry of Home Affairs, Government of India talked about the proactive approach to Cybersecurity. He said organizations need to think beyond the traditional threat intelligence approach to stay two steps ahead of the threat actors. 

Build a threat-hunting program

Setting up a proactive threat-hunting program means looking for risks in your environment actively rather than just relying on standard security technologies. Organizations can identify and manage risks before they do harm by analyzing network traffic, log data, and indicators of compromise. With this strategy, the emphasis is shifted from reactive to proactive cybersecurity, enabling early detection and risk mitigation.

Utilize automation and machine learning

For larger organizations, in particular, threat intelligence can be overwhelming. By utilizing automation and machinery, dangers may be identified and dealt with more promptly and correctly. For instance, you can automate the vulnerability patching process or use machine learning to find trends and abnormalities that might point to danger.

Work together with colleagues and business partners

Cybercriminals frequently target numerous organizations within the same sector or area. You may exchange threat intelligence and better plan your reactions to attacks by working with colleagues and business partners. Identifying threat indicators, best practices, and incident response plans are a few examples of this.

Keep up with new threats

Since cyber threats are continuously changing, businesses must keep abreast of the newest methods that hackers are employing. This entails frequently analyzing threat intelligence feeds, going to business conferences and events, and engaging in cybersecurity forums and communities.

Monitor and update your defenses

Staying ahead of cybercriminals requires constant monitoring and updating of your defenses. Threat intelligence is a continual process. This entails doing routine security assessments, evaluating and updating your security rules, and staying current with threat intelligence.

Ways to Build a Culture of Security

Educate employees about security best practices. Educating employees about phishing attacks, social engineering, and other common threats. Threatcop Phishing Incident Response (TPIR) empowers employees to your people to report suspicious emails and helps the security team take the necessary actions against email-based threats.

Encourage employees to report suspicious activity. Organizations should promote reporting of any cyber threat or suspicious activities faced by the employees. Employees should know that they will not be punished for reporting security problems.

Implement a security awareness training program. This program should be regularly updated to reflect the latest security threats. Use a security awareness tool like Threatcop Security Awareness and Training (TSAT). This tool can help organizations assess their security awareness program and identify areas for improvement.

Also Read: 3 Best Email Security Practices For CISOs

One of the most significant aspects of effective cyber security is People Security Management.  Through People Security Management you can implement an influential security culture as it encompasses the policies, procedures, and training. This is designed to help employees understand their security responsibilities and how to protect the organization’s assets as it consists of cyber security awareness training. This training teaches employees about the latest security threats, how to spot phishing emails, and how to create strong passwords. It is also important to encourage employees to report any suspicious activity to the security team. By taking steps to build a culture of security, organizations can help to protect their assets and mitigate the risk of a cyberattack.

Key stages in reducing the dangers of cyber threats are creating a strong cybersecurity culture and raising staff knowledge. Organizations can enable their staff to actively contribute to safeguarding essential assets by acknowledging that cybersecurity is a shared responsibility.