Looking to the future: A CISOs biggest challenges
The world of information security is dynamic. Threat actors constantly explore new ways to infiltrate networks and adapt existing strategies to reflect prevailing IT trends. Chief information security officers (CISOs) always need to look to the future to ensure adequate security measures that mitigate against both today’s and tomorrow’s threats. This article explores some of the most significant future challenges CISOs need to consider.
FREE role-guided training plans
The continuing skills shortage
A 2021 survey found that over 57% of organizations continue to feel the impacts of an ongoing cybersecurity skills shortage. The same survey found that 95% of respondents think the skills shortage hasn’t improved at all over the last few years.
CISOs know that proper security risk management depends as much on the right people as having the latest tools and technologies. There are no easy answers for navigating this skills shortage over the coming years, but CISOs do have some options, such as:
- Leverage automation: security automation can help close gaps in skills shortages by replacing tasks normally performed by human analysts with computers. Good candidates for automation include triaging alerts based on risk and severity, pushing out software updates, and provisioning user access to different accounts.
- Outsource security tasks: third-party managed security services provide organizations with a way to access the skills they lack more cost-effectively. Organizations can choose from fully outsourced security operations centers to project-based options such as penetration testing and compliance monitoring.
- Invest in security training: part of the security skills shortage stems from existing security professionals not maintaining or advancing their skillsets through structured training programs. Organizations willing to invest in better training and provide upskilling opportunities for other business professionals stand better at addressing the skills shortage.
Credential stuffing attacks
Threat actors continue to exploit poor password hygiene with alarming regularity. Quite apart from the security skills shortage, CISOs need to contend with the issue of a basic lack of security awareness that permeates many organizations. The blame for this lack of awareness starts with organizations not adopting a culture that prioritizes security.
One particular type of attack that takes advantage of poor password hygiene is credential stuffing. When data breaches occur, threat actors steal and sell lists of stolen username and passwords combinations on the dark web.
Opportunistic hackers know that people reuse the same passwords across different systems. In a credential stuffing attack, hackers use lists of compromised credentials and attempt to access accounts and services with those same credentials.
According to Salt Security, some ways that CISOs can help their companies defend against credential stuffing include multifactor authentication (MFA), CAPTCHAs and behavioral analytics.
Hybrid workforces
The almost overnight change to remote working driven by the global pandemic exemplified the rapidly evolving dynamics of the information security landscape. CISOs quickly had to account for new potential risks from remote access technologies and poor visibility into end-user activity on remote endpoints.
Many employees welcomed the flexibility provided by remote working. Cross-industry demand for remote work arrangements looks set to continue for the foreseeable future. Some employees will want to return to the office, but others will undoubtedly prefer to work from home. This new hybrid work landscape creates security challenges that CISOs need to address.
Connecting to unsecured Wi-Fi networks, downloading malicious email attachments or losing devices with sensitive company data represent a small sample of the issues CISOs need to consider in the hybrid workforce of the future. Securing the post-pandemic hybrid workforce calls for a rethink in budget allocation towards zero-trust and endpoint visibility solutions. CISOs also need to consider insider threats emerging from lax security policy enforcement by remote workers.
Advanced Detection and Response
As hackers evolve their techniques, more advanced threats bypass perimeter-level security controls, such as firewalls or endpoint antivirus solutions. Once these initial controls have been breached, organizations have trouble detecting and responding to threats on their network. Hackers can move laterally through the network and eventually inflict severe damage with ransomware or data exfiltration.
It’s prudent to consider more advanced detection and response solutions that detect threats lurking inside the network already. These solutions should facilitate faster response times to those threats by not inundating security teams with high volumes of low-level alerts. Ideally, CISOs should plan to adopt solutions that leverage advanced machine learning capabilities that can match these more advanced network threats.
FREE role-guided training plans
Closing thoughts
Balancing business and security risk management is a tricky act that ultimately defines CISO’s success in their roles. CISOs need to wear many hats if they want to effectively deal with tomorrow’s cybersecurity threat landscape in a business-aware way. In practice, this means being aware of the main technical, process and people-related challenges at their organizations and finding ways to deal with those challenges effectively.
In this Series
- Looking to the future: A CISOs biggest challenges
- ISC2 certifications explained: Overview of every ISC2 certification
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
Professional development
ISC2 certifications explained: Overview of every ISC2 certification
Professional development
Professional development
Professional development