Locking down the cloud: How COVID-19 has elevated security to a board-level priority
Businesses around the world have dealt with a period of historic uncertainty over the last 12 months, but through the crisis it’s clear that digital innovation has been paramount for survival.
As noted in a recent Telstra study, the pandemic has turbocharged investments in digital transformation initiatives, with four in ten (40%) of business and IT decision-makers in EMEA saying COVID has triggered a need for new projects in their organisation, while 39% say existing projects have accelerated.
This trend has carried over to the realm of enterprise security, as the pandemic has underlined the importance of security-centric issues in the eyes of board members. That’s according to a new study from ClubCISO, which highlights the impact that the last year has had on security strategies.
According to the study, 77% of CISOs think their organisations see security as important as they do, with only 14% disagreeing. For the first time in years, organisations are also getting a grip on cloud security, with 60% of CISOs rating their cloud security maturity between 3 and 4 out of 5.
CISOs are also reporting that they are coping well with some of the major security challenges that have been prevalent this year, including managing supply chain risk, which have been a major thorn in the side of CISOs globally.
Board members are now fully recognising these efforts, and this is leading to more effective engagements with CISOs, allowing them to champion effective security practices and cultures that benefit the entire organisation.
What are the major areas of security investment?
Any CISO in the world will tell you that COVID has presented security teams with an array of difficult challenges to grapple with. As many organisations shifted to remote working models and borderless architecture, it’s no surprise to see zero-trust security practices accelerate over the course of the pandemic.
This was reflected in the ClubCISO report, with 41% of CISOs identifying zero-trust as an area of interest to their organisation. Many of the key technological investments that organisations have been making also support zero-trust frameworks and remote working practices.
Overall, CISOs highlight the following tactics as their top areas of accelerated investment:
- Endpoint protection (50%)
- Security awareness programmes (47%)
- Enabling remote access (40%)
It’s pleasing to see that the pandemic has been a trigger to increase investment across some of these key areas, as in many cases they would not have previously been such an immediate priority.
Managing COVID-inspired risks
With COVID inspiring a wider, more dispersed security perimeter and threat surface, CISOs have had their work cut out for them when it comes to managing the increased risk that this presents.
It’s undoubtable that cyberattacks have gotten more persistent and sophisticated over the last 12 months, as cybercriminals take advantage of more vulnerable organisations. According to our data, 32% of CISOs says they have experienced a cyber incident due to a malicious outsider/cybercriminal.
In positive news, 28% said they hadn’t experienced a material cybersecurity incident at all, with less incidents having occurred this year compared to 2020. This is an outstanding effort considering the challenges CISOs have encountered and the attacks that have been levied against organisations.
CISOs also seem to be maturing their strategies around supply chain risk management, which has been a topic of concern recently, as attacks like the SolarWinds campaign sent tremors through the industry.
On a scale of 1 to 4 (with 1 being the most immature), 62% of CISOs rated their supply chain risk maturity as either 3 (Defined) or 4 (Managed). This represents some decent progress, as only 42% gave a rating of 3 or 4 in 2020.
Overall, the most damaging attack vector over the last year has been social engineering, with 32% of CISOs saying this led to a breach, followed by compromised credentials (25%) and externally exposed misconfiguration (14%).
Why the board is taking notice
Of course, you can’t have increased investment without the approval of the board, and our study has revealed the extent to which board members are taking security more seriously.
Boards are having more positive and frequent engagements with CISOs and they’re making security more of a priority, with improved sentiment about CISOs ability to meet security objectives.
This is fantastic to see and it’s partially a result of the work CISOs have done over the past few years in building a positive security culture that transcends through all levels of the organisation. Indeed, 61% of CISOs say their security culture exemplifies best practice or is improving significantly.
More boards are also waking up to the need to balance prevention and response capabilities, as 55% of CISOs say having an approach that incorporates both is a priority for their broads, which is a healthy increase from 38% in 2020.
It’s important for this sentiment to persist through 2021 and beyond, which will require CISOs to continue their good work in championing effective security practices as we move into the new normal.
One concern is that 29% of boards still rely purely on compliance as a guide for their information security strategy, demonstrating that CISOs still have a bit of work to do in championing well-rounded strategies and the continued need to educate boards that security is more than just compliance.
Overall, though, it’s clear that CISOs have made an amazing amount of progress in escalating security as a priority over the COVID period.
While COVID may have made these conversations easier, it’s also important to recognise the sheer amount of effort that has been required over many years to get us to this point. Luckily, for everyone, it appears to be paying off.
To learn more about how CISOs are handling pandemic-related uncertainty and how they’re championing security best practices, download the 2021 ClubCISO Information Security report here.