By Rob Rashotte
VP for Global Training & Technical Field Enablement at Fortinet
CISOs are facing a perfect storm when it comes to securing their networks. Cyber attacks are becoming increasingly sophisticated just as corporate networks are becoming more distributed and complex – all while security talent becomes harder to find and security strategy best practices evolve.
In the midst of this turmoil, CISOs are now forced to wrestle with how to prioritize the often-limited time and resources available to them to most effectively secure their networks.
This complex, multi-point challenge is explored in the Forbes Insights survey Making Tough Choices: How CISOs Manage Escalating Threats and Limited Resources, conducted in association with Fortinet. Surveying more than 200 CISOs about their priorities, the report illuminates the challenges CISOs currently face, including a lack of security budget and the belief that the capabilities of cyber criminals are outpacing their network protection abilities.
The survey examines what contributes to these challenges and then explores ways CISOs can effectively address them. While a number of actions CISOs can take are outlined in the report, one of the most clear moves they can take to improve their organization’s overall security posture is to prioritize employee training and create a proactive cybersecurity culture as part of their overall security strategy.
Cybersecurity Challenges at the Employee Level
According to findings from the report, 35% of CISOs cite the lack of a centralized cybersecurity strategy and the lack of support from senior management as top constraints to effective security. But when examining the reasons behind the lack of central strategy, many of the issues seem to start at the employee layer – both among IT employees as well as general employees across the various lines of business.
First, CISOs are dealing with the effects of the ongoing cybersecurity skills gap. According to the Center for Strategic and International Studies, 82% of employers claim that they are currently suffering from a shortage of cybersecurity professionals within their organization. This shortage has hindered their ability to develop a more strategic approach to their cybersecurity programs, as well as in their ability to keep pace with new threats.
Because the skills shortage prevents IT and security teams from shifting away from their threat-prevention based security strategy to one focused on detection and response, their security teams end up staying focused on tasks aimed at preventing existing threats, rather than using threat intelligence and advanced tools to identify and respond to unknown vulnerabilities and zero days.
But that is only part of the challenge. Cybersecurity cannot be the sole responsibility of the IT team. Even if they had adequate resources, IT and security teams still cannot effectively move beyond a tactical approach without buy-in and participation from the executive suite or from the various lines of business.
One of the biggest challenges that occur inside the network perimeter is insider threats. When looking at priorities that CISOs list among various security initiatives, the prevention, detection, and response to insider threats were consistently listed among their top-tier priorities. Managing insider threats and risks, especially unintentional events – like clicking on a phishing link, using weak passwords, or exposing the network to an unsecured device – eat up a lot of the time and resources of the security team, whose time could be better spent managing threats from external sources. To address this, employees across departments must take a more active role in cybersecurity by learning to avoid common attack tactics and assisting security teams in developing an approach to cybersecurity that will be effective without limiting productivity.
Putting Your Employees at the Center of Your Cybersecurity Strategy
By putting employee development at the center of their cybersecurity strategy, CISOs enable their teams to work more efficiently while taking a holistic, strategic approach to network protection.
There are a few key ways this can be done:
As the skills gap persists, CISOs should ensure their security team has regular opportunities for further education in deploying, configuring, and managing advanced security tools, as well as identifying and addressing new emerging threats. This is especially crucial to enable them to switch from a focus on prevention to a focus on threat detection and remediation. Proficiency in these types of integrated tools provides IT teams with enhanced visibility into how data is used and moved through the network, in addition to simplified management and analytics abilities. This is crucial as networks become more distributed and detection and remediation become increasingly important.
Additionally, the skills gap means organizations are less likely to hire new people with extensive field experience, which means they will have to focus on developing the skillsets of their existing team. To make this easier, Fortinet customers have access to our in-depth, hands-on training on our product suite as well as fundamental security principles through the Fortinet Network Security Expert (NSE) program. The NSE program offers eight course levels, beginning with understanding the threat landscape and the evolution of cybersecurity, through to the ability to configure, install, and troubleshoot a comprehensive security solution. Investing in security training like this enables CISOs to ensure that a strong internal candidate is ready when a position becomes available, as well as assisting in employee retention for essential security staff.
Another way CISOs can help increase the productivity of their limited security teams is by giving them back time to focus on strategy. One way to do this is to deploy security solutions that make extensive use of automation through AI and machine learning. Cyberattacks are happening at machine speed – meaning that your security team cannot keep up with threat correlation, or even basic remediation efforts, on their own. Automated solutions can work to respond to anomalous activity and known threats attempting to breach the network – allowing security teams time to focus on strategy and remediation efforts. For example, rather than having security teams working around the clock to detect potential internal threats, they can use machine learning to understand what normal behavior for employees looks like, and then react when behavior deviates. They can also be assigned menial tasks such as inventory management and patching, freeing up human resources to focus on higher-order activities.
Develop a Cyber-Aware Culture
The top answer given by CISOs when asked about security priorities over the next five years, was to “create a culture of security.” This involves training employees across lines of business in good cyber-hygiene. Beyond making sure that employees can identify phishing attacks or know how to update their applications on a regular basis, CISOs should also foster collaboration between departments and the security team. This will reduce instances of inadvertent internal threats, and increase overall buy-in for the security program. Ensuring that lines of business are aware of security strategy, and are happy to work with IT teams to ensure security policies, ensures buy-in across the organization.
By focusing on training and enabling employees to perform basic security tasks such as updating devices, identifying suspicious behaviors, and practicing safe cyber behavior across teams, CISOs can begin to establish a holistic security strategy that can stand up to today’s advanced threats.
CISOs are in a challenging position of having to secure increasingly distributed networks from advanced threats with limited resources. By focusing on employee development, enablement, and buy-in, CISOs can create a centralized security strategy that builds collaboration and reallocates security teams away from tactical, reactive work to more proactive and strategic efforts.