CISOs Still Tend to Ignore Supply Chain Risks: Study
While securing the remote workforce remains a top concern for CISOs as they continue to tackle it, supply chains still represent an underestimated risk after a year of high-profile breaches including SolarWinds, Kaseya, and Log4j.
A new study that surveyed CISOs and cybersecurity leaders shows that although supply chain attacks dominated the headlines in 2021, with the Kaseya and SolarWinds attacks at the forefront and sophisticated attackers seeking to exploit vulnerabilities in pipelines and packages (such as Log4j) to compromise organizations further down the supply chain, security managers still tend to ignore these risks.
Instead, as businesses moved to remote work in 2020, 94% of CISOs indicated that securing their remote workforce was a “top priority” or a “priority.” To do this, cybersecurity leaders are turning to automation and risk-based approaches to overcome threats and vulnerabilities. In fact, researchers found it surprising that only 49% of cybersecurity leaders consider supply chain risk assessment a priority. In an ideal world, this should be a key part of any organization’s due diligence practices.
The good news is that, while in 2021 cybersecurity teams scrambled to secure users who left perimeter security when they moved to remote work, in 2022 78% of CISOs consider securing the remote workforce a priority, making it the top priority for the second year running.
While it can be assumed that CISOs have dealt with the initial impact of these cohorts starting to work from home, remote workers remain an ongoing concern. In hybrid working models, devices moving in and out of perimeter defenses present new challenges and vulnerabilities.
Ricardo Villadiego, Founder and CEO of Lumu, told CXOToday, “While it’s no surprise that securing the remote workforce remains both a concern and a top priority for CISOs, we have found a 16% drop from last year’s survey, indicating that many organizations have made progress over the past year, but the fact that more than three-quarters of respondents (78%) still consider it their most pressing priority shows that much more needs to be done to keep workers and data safe as we learn to adapt to an increasingly hybrid work model.
“The uncertainty and longevity of the pandemic have also helped threat actors open up new avenues of attack over the past year and that unease was reflected in this year’s investigation. In particular, there was great concern about supply chain vulnerabilities following the disclosure of several high-profile supply chain attacks such as the Kaseya and SolarWinds exploits as well as the recent Log4j zero-day vulnerability last December,” he says.
The study also revealed that in 2022, many top priorities relate to the ease of cybersecurity operations. Automating threat detection and response (78%) and unifying threat visibility across all assets (62%) are among our respondents’ top priorities. These metrics indicate that tools that make the work of the SOC team more automated and efficient are becoming a priority. The demand for cybersecurity talent is only increasing. Efforts that help operators with their daily tasks not only get the most out of an expensive resource, but also improve staff retention.
Improving the cybersecurity posture as a whole is at the forefront of CISO concerns. Improving cybersecurity testing beyond penetration testing (63%) and measuring the effectiveness of the cybersecurity ecosystem (62%) are priorities in 2022. With so many tools, projects and methodologies from which to choose, subjectively testing the system and its components is essential. CISOs seek to spend their budgets wisely and obtain evidence of their performance that they can report to their board of directors.
The study also revealed that CISOs are the least interested in outsourcing cybersecurity operations (17%). Small businesses without a CISO or cybersecurity staff can get help from a third party. However, organizations with mature information security stacks recognize the reality that cybersecurity is not just bought but operated. CISOs are committed to continuously measuring and improving their cybersecurity operations.
Villadiego concludes that all of this means that security leaders find themselves fighting battles on multiple fronts and are therefore looking to invest in new technologies and partnerships that help them gain greater visibility and become more proactive in how they identify and respond to threats.