Nobody puts CISO in a corner.

Posted 18 January 2022 by Laura

Like Patrick Swayze before us, this is our time to declare: nobody puts, er, CISO in a corner. Put down your watermelons, grab your dancing trousers and find out how to bring your business out of the shadows and back into the spotlight.

The all-seeing eye
In the traditional office setup (which now feels like a distant memory to most), your chief information security officer or chief technology officer is just over there, in full view. You can see them – and they can see exactly what’s going on: who’s in the office on what days, who needs access to what and when, who’s using what devices and for what applications. The attack surface area was pretty big – but it was largely visible and therefore manageable.

And then it all changed. The attack surface area grew. And it grew wild. Living rooms, bedrooms and kitchen tables became the office. Personal devices once used for sending the odd work email or checking your LinkedIn messages were suddenly being used to download a whole myriad of apps – for working, shopping, learning and, potentially, the ubiquitous online family quiz. Our entire lives blended together on one device, possibly (shudder) all under one identity.

Hello? Is anyone there?
So, it’s fair to say that in this new and changing world, our poor CISOs just don’t have the same visibility they once had; changing employee behaviour (9-5 is so old school) and the use of personal devices across home networks have combined to create dark corners and blind spots, providing attackers with the perfect secret battleground to commit their crimes.

"A fundamental shift in security"
A 2021 VMware Global Security Insights survey of 3,542 CIOs, CTOs and CISOs reported that there is “recognition of a fundamental shift in security”. And a shift at board-level is exactly what the industry needs. As Rick McElroy, Principal Cybersecurity Strategist at VMware, puts it: “One industry that has not been disrupted by COVID-19 is cybercrime.”

61% agree they need to view security differently now as the attack surface has expanded – and 63% know they need better visibility over data and apps to pre-empt attacks.

These stats might provide a ray of hope to those who have been concerned about how slowly SMEs seem to be securing their business in the cloud.

If it feels like somebody has put you in the corner, here are some practical things you can do to bring your business back under the spotlight:

1. Increase visibility. This could mean increased monitoring and reporting – or actual physical visibility as an educator and leader. Openness, education and communication are key – if employees can come to you for advice and support, the attack surface area will likely be reduced – simply because your people are listening.

2. Implement policies that will prevent users from downloading apps from untrusted sources. Third-party applications are the top cause of breaches so this is particularly important. Educating teams around downloading and using apps should form a part of any new starter process.

3. Regularly review policies and configurations. Situations change, people change…sometimes very quickly. Staying on top of these things as they happen will help prevent blind spots from appearing. Don’t wait for a major digital transformation project…small actions are good, too.

4. Use company-owned devices to put control around identity and access management back into your hands. Centrally managed devices also make the starter/leaver process much easier to manage. Easier and more secure. It’s win-win.

 
