The 2022 National Cybersecurity Awareness Month Kicks Off and Tech Experts Weigh In


Every year since 2003, October has been recognized as National Cyber Security Awareness Month (NCSAM). This effort was brought to life through a collaboration between the U.S. Department of Homeland Security and the National Cyber Security Alliance. NCSAM is meant to raise awareness about digital security and empower everyone to protect their personal data from digital forms of crime.

The month is dedicated to creating resources and communications for organizations to talk to their employees and customers about staying safe online.

Now in its 19th year, National Cybersecurity Awareness Month continues to build momentum and impact, and this year, it has an overarching theme for 2022: "It's Easy to Stay Safe Online - See Yourself in Cyber."

Below, several tech experts have analyzed the importance of a robust security strategy, and best practices to better protect their sensitive data from cyberthreats.


Rick McElroy, Principal Cybersecurity Strategist, VMware

"Between Log4j, cyberattacks on Ukraine, and ransomware hitting hospitals and major school districts, it's more evident than ever before that cybersecurity is no longer just a focus for defenders, but for society at large.

As cybercriminals evolve their tactics, we all must recognize the role we play in cyber and view it as everyone's responsibility. For security professionals and their organizations, this means evolving defense strategies and updating training curriculum to address emerging threats. For example, training on how to spot and avoid audio and video deepfakes is not part of most security awareness training programs, despite two-thirds of defenders witnessing a deepfake attack over the past year. 

Defense strategies should also factor in lateral movement, when an attacker gains control of one asset and moves on to others within the same network. Employees should remain extremely vigilant on business communications platforms, like instant messaging services, text or email, which can be used as a means for hackers to rummage inside networks and compromise an entire organization. Defense must continuously evolve in order to stay one step ahead of today's sophisticated attackers."

+++

Michelle Killian, Senior Director, Information Security, Code42

"The cybersecurity industry, from a talent diversification standpoint, is doing better than it was even five years ago - but there's still a long way to go. For years we've been saying that the industry needs to 'rethink job hiring,' yet many continue to list out the countless certifications they expect candidates to have when applying for an open role. If we really want to make a change, we need to actually rethink hiring practices. There are 3.5 million unfilled job openings in cybersecurity - we can't continue to ask for a master's degree and a decade of experience for each and every opening. Curiosity and a willingness to learn are key traits we want in candidates, and these skills are harder to train on, so let's build job roles off of those skills instead. We also need to look for people with diverse backgrounds and diverse leadership styles so we can tap their varied experiences and elevate problem-solving in our industry.

In the year ahead, I hope that we can bring more awareness to truly hiring based on some of these intangibles, rather than purely on security skill set, while also placing more of a focus on retaining existing talent. The cost of replacing security talent is incredibly high - both from an investment standpoint and a knowledge basis. It can take months, maybe even a year, for security folks to fully get up to speed on how a security team operates and its many tools. However, with the current job market, it's increasingly difficult to retain security talent and reduce turnover. While there's no silver bullet to combat this, organizations should promote opportunities for growth and development to attract and retain the very curious individuals that make security teams strong and diverse."

+++

Bec McKeown, Director of Human Science, Immersive Labs

"The theme of this year's Cybersecurity Awareness Month, 'See Yourself in Cyber,' is particularly meaningful as it emphasizes the power that all people have in their organization's cybersecurity efforts. An organization can have all the latest technology and tools in place, but without a cyber resilient workforce, its security posture can be entirely unsuccessful or faulty. That's because, at its foundation, successful cybersecurity is about people.

Business leaders should ask themselves: are we ready for the next cyber attack, and how do we know? The current capabilities of their organization and work to strengthen them. From a psychological perspective, leaders should tap into the four pillars from the Robertson Cooper Model: purposefulness, social support, growing self-efficacy, and adaptability, to inspire change and commitment to strengthening cybersecurity skills throughout their organizations. Leaders also need to be able to prove cyber readiness of the individuals and teams throughout the organization. 

The difference that individuals and teams can make in strengthening or weakening cybersecurity efforts, regardless of job title or role, is remarkable. It's time for leaders to lean into their employees' capabilities with a new level of rigor. By tapping into the people-centric approach leveraging real-life cybersecurity simulations that span from executives down to the most technical teams, organizations will be better able to unlock new levels of cyber resilience and preparedness." 

+++

Kathy Ahuja, Vice President of Information Security, Qumulo

"Often, business leaders believe that a heavy security posture is the only way to communicate to your customer that you are protecting their organization from a data breach. But that's not necessarily true. It's not a matter of if, but when they're going to be breached. Of course, having strong security practices like increased visibility into workloads and being able to detect threats is essential, but what good are these functions if you're not able to ask your customer: Do you trust us to protect your workloads? Trust and transparency are the most critical underpinnings of the data protection relationship with your customer. Do you trust us to make the right decisions when things inevitably go wrong? Industry-standard security certifications are critical, but trust is earned through the conversations you have and the relationships you've built with your customers."

+++

David Friend, co-founder and CEO of Wasabi Technologies

"Time and money are the two biggest resources spent on preventing ransomware and other malicious cyber attacks for companies in every industry, yet we still continue to see these schools, hospitals, businesses and more shutting down, losing money, and struggling to recover after paying millions to hackers. 

The smartest companies operate under the assumption that an attack will happen at some point, but cybersecurity doesn't have to be scary. In fact, avoiding ransomware attacks and protecting data can be done easily if businesses take a couple of easy measures. First, it's important to have multiple copies of data as backups so not all of their eggs are placed in one basket, so to speak. Adopting a 3-2-1 backup approach will ensure three copies of data are made, with two stored onsite and one off-premise, or in the cloud. This prevents hackers from accessing data stored in each location, allowing businesses to continue operating during an attack, preventing downtime. Another important step is for companies to protect their data by leveraging object-level immutability, which ensures certain files cannot be modified or deleted by anyone. This helps keep files safe against disruption, and helps prevent ransomware attacks from the start, where bad actors attempt to encrypt the data."

+++

Gustavo Palazolo, Staff Threat Research Engineer, Netskope

"Attackers are always looking for loopholes to infect networks and steal a valuable asset: your data. Ransomware-as-a-Service (RaaS) groups often exploit basic flaws in security policies and network architecture to infect as many devices as possible, stealing and encrypting data to extort organizations and individuals. 

Basic steps can be taken to prevent attacks, such as using Microsoft LAPS to generate unique passwords for local administrator accounts and implementing a security policy to enforce multi-factor authentication and strong passwords for domain accounts. Also, avoiding using default passwords for new accounts and implementing a Zero-Trust model can minimize possibilities for lateral movements within the network."

+++

Clive Fuentebella, Threat Research Engineer, Netskope

"Being our first line of defense, passwords should not be taken for granted. We must always take proper password hygiene into consideration in our daily lives. Use strong passwords. Ensure that you are not using the same one for different accounts or different applications. If you are worried about the burden of remembering multiple credentials at once, installing password managers is always a big help. These steps, albeit simple, already contribute largely to securing your online information."

+++

Jeff Martin, VP of Product, Mend

"Some organizations view security as an "I'll fix it later" problem, versus prioritizing mitigation of the issue in the first place. That's a risky, expensive mentality - ransomware payment amounts are up 12.7% from just two years ago, with an all-time high average cost of a data breach estimated at $4.35M. Further, putting security on the backburner inevitably creates a backlog of issues that will need resolving eventually, leaving engineers in an endless cycle of fixing. There is too much emphasis on detecting (acting reactively) and not enough time spent remediating (acting proactively). This Cybersecurity Awareness Month is an opportunity for organizations and teams to understand and prioritize remediation, which can transform your business from an easy target to a well-oiled machine, ready to thwart any potential threat."

+++

Daniel Elkabes, Vulnerability Research Team Leader, Mend

"Developers are under a lot of pressure to get software, applications, and products out quickly. Expedited work timelines, increased demands, and simple human error can result in developers unintentionally using open source code that has malicious packages, opening the doors for threat actors to sneak in. Cybersecurity Awareness Month is an important time for organizations to re-examine the security training they offer to employees, particularly those whose team members are not part of the security team. For developers, organizations should prioritize hands-on, visual training so developers can see how quickly and easy it is for something to go wrong from a simple coding mistake. This will help reiterate the importance of regularly managing open source components and all their dependencies, and how this helps avoid putting the organization at risk. In addition, developers should proceed carefully and dedicate more time to ensure they're implementing the correct packages that are free of any malware or vulnerabilities. To do so, developers should view the package to ensure that it is safe."

+++

Alfredo Hickman, head of information security, Obsidian Security

"This year's Cybersecurity Awareness Month theme reminds us that it can be simple to browse the internet securely as long as we're good at the basics. At a minimum, that means using password managers, multi-factor authentication, browser security plugins (ad blockers, HTTPS everywhere, etc.), and keeping all of your software (browser, plugins, OS, apps) up to date to bolster your personal online security. Conduct regular security and privacy settings reviews for sensitive accounts such as financial, productivity, and social media while removing any unnecessary third-party app access to those accounts. And of course, don't share sensitive personal details such as travel plans, major purchases, or sensitive activities on social media. Less is more.

Going further, it's also important to be aware of the growing cyber threats that threaten individuals and organizations alike. When dealing with suspected social engineering attacks such as phishing for example, take a step back, assess the message, and don't respond. When it comes to suspicious account requests such as PayPal, e-commerce, or other scams, investigate the requests by going to the vendor's official website directly. In either case, never click on suspicious links or attachments; they are often malicious. These steps may sound simple, but consistent vigilance goes a long way towards staying safe online."

+++

Melissa Rhodes, Executive Director Human Resources at Raytheon Intelligence & Space

"It's time for the security industry to expand in more ways than one. Specifically, it will benefit from deliberate leaders who have the self-awareness to question hiring choices. Giving one job candidate an edge over the others because of 'cultural fit' or 'gut feel' can all be signs of unconscious bias creeping into those decisions. If the cyber industry doesn't recognize this, it will limit the creativity that goes into brainstorming, problem solving, and new ideas that are essential for fighting cybercrime. In fact, the business case for diversity is well-documented - a study conducted by the Boston Consulting Group indicates that diversity increases innovation, expanding ideas and ultimately impacting a company's bottom line. In response, the security industry as a whole must be committed to giving opportunities to grow and learn to all those who have unique backgrounds that could also lend themselves to a successful cyber career. Because cyber attacks don't discriminate, it will require diverse thinking to counter them and protect our way of life.

Of course the demand for cyber talent is relevant now more than ever as the number of attacks increase and the skills gap grows wider. Interestingly enough, we find ourselves amidst a time called the "Great Resignation," a time when people across all workforces are reinventing themselves and outgrowing their current roles and professions. This market environment combined with the need for new talent in the security industry should push cyber employers to think outside the box and source hires from new places. With this comes a tremendous opportunity for not only the industry to benefit from greater diversity, but for people with all different experiences to find purpose within the cyber workforce."

+++

Mark Nunnikhoven, Distinguished Cloud Strategist at Lacework

"Security is a top priority for any organization. For organizations moving to - or born in - the cloud, there is an opportunity to change how they view security. These organizations can modernize their approach to align their security practice with their business needs.

A common pitfall when organizations take this approach - and they should be taking this approach! - is that they oversimplify how their organization uses the cloud. The reality is, things are still messy, and accounting for cloud projects across an organization at varying phases of maturity is still really difficult.

The core of the problem is that organizations aren't on just one journey. Every team that's building a solution is on its own journey, at its own pace - and that means a whole host of different threats to prioritize and manage, from data breaches to insecure interfaces and account hijacking. 

To be effective, security teams need to be able to address each of these threats in a manner that works for every team in the organization, regardless of their maturity level. That's a tall order, but it's one that can be filled. The first step is understanding these maturity levels and beginning to work through a Cloud Adoption Framework. The output of this effort is business-wide mapping that determines key stakeholders and teams across the company and identifies how the security practice can support their work, while also keeping the organization safe."

+++

Heather Crosley, People Operations Leader at NetSPI

"With over 700K positions that currently need to be filled, the cybersecurity industry is facing a massive shortage of talent as companies are struggling to keep up with an ever increasing number of threats. Technology cannot solve our greatest cybersecurity challenges - at least, not alone. People are our greatest asset in providing security for individuals, organizations, and the nation. Cybersecurity Awareness Month is a great time to reflect on our cybersecurity hiring and education practices - particularly the areas of improvement. These practices are instrumental in addressing the lack of skilled talent in the industry and easing barriers to entry. Organizations that invest heavily in entry-level training programs that offer mentorship, growth opportunities, and hands-on experience in the field will see greater retention rates. Investing in the next generation of cybersecurity professionals provides an advantage over today's sophisticated threats."

+++

Chad Skipper, Global Security Technologist, VMware

"As the industry encourages actions such as enabling MFA and recognizing phishing this Cybersecurity Awareness Month, it's also worth noting just why these key steps are so important to protecting our global digital ecosystem. Once attackers gain a foothold within the environment, their next step is to then move laterally within the organization. An analysis by VMware Contexa found that 44% of intrusions include lateral movement. Attackers will target high-value data and systems as they hop across the network, exfiltrate that data, and then deploy ransomware. With nearly 60% of defenders witnessing ransomware attacks over the past year, it's more imperative than ever for security and networking teams to have full visibility across workloads, devices, users and networks to detect, protect, and respond to these threats."

+++

Alex Tosheff, Chief Security Officer, VMware

"Cybersecurity Awareness Month shines a light on why a strong public-private sector collaboration is paramount to improving the broader security ecosystem and defending cyberspace. As a founding member of CISA's JCDC, VMware is actively aligned with a global network of industry and public sector organizations focused on helping to combat cyberattacks, protect critical infrastructure, and build resilience. Cybersecurity is a shared responsibility." 

+++

David Richardson, VP of Product Management at Lookout

“For nearly 20 years, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have recognized October as Cybersecurity Awareness Month. This observance is a collaborative effort between the public and private sector to draw attention to the dangers of cyberattacks that threaten individual consumers, businesses, government agencies and our critical infrastructure and essential services. This year’s chosen theme – “See Yourself in Cyber” – underscores the role that everyone plays in improving cybersecurity practices.

As part of this theme, CISA and NCA recommend several key actions individuals can take to protect their online information and privacy. One of these steps – recognize and report phishing – is perhaps one of the most powerful tactics we have to combat bad actors. Most cyberattacks or data breaches start with phishing, and the number of phishing attempts continues to rise each year. According to Lookout data, exposure to phishing increased 127% between Q4 2020 to Q1 2021. When phishing is used to steal login credentials, it opens up a world of possibilities for the cybercriminals, and a world of hurt for the impacted individual or business. With one set of credentials, bad actors can then try to log in to a number of common cloud-based services such as Office 365, Google Workspace, AWS, Salesforce, etc. Once they’ve successfully logged in to one of these accounts, they can move laterally within an organization and find highly sensitive and valuable information to either encrypt for ransom or exfiltrate to sell on the dark web. Same is true for individual consumers, especially since it’s so common for people to use the same passwords across multiple accounts.

Phishing attacks have continued to evolve in techniques and sophistication, but the basic approach of trying to create a sense of urgency or impersonating a figure of trust or authority has remained pretty constant. When contacted in this manner, it’s important to take a step back, evaluate the situation and find alternative ways to validate the request. It’s also critical for organizations to implement proper security controls across mobile devices, cloud services and on-prem and private apps, and to enforce Zero Trust across the infrastructure.”

+++

Patrick Harr, CEO at SlashNext

"We have seen phishing grow from targeted email attacks into a widespread multi-channel problem that has become the top security threat for both organizations and individuals. In a phishing attack, the bad guys use emails, social media posts, or direct messages to trick people into clicking on a bad link or downloading a malicious attachment. When a phishing attack succeeds, the cybercriminals capture private data and personal information, or they may even install malware directly onto the device to facilitate ongoing attacks.

These phishing attacks keep evolving with ever-more sophisticated techniques to hack humans, such as through rogue browser extensions, social engineering ploys, and malicious webpages hidden on legitimate infrastructure. In fact, 50,000 new spear-phishing sites go online every day, with many appearing on legitimate infrastructure such as Adobe.com or Dropbox.com. We have also seen a big increase in cyber threats hosted on legitimate Microsoft services that deliver phishing campaigns through Microsoft Teams, OneDrive, SharePoint, and OneNote.

The best defense to protect against phishing is to remain aware of the problem. It is critical for users to pause for a few seconds to consider the legitimacy of any email or text message before clicking on a link or downloading an attachment.

Over the past decade, phishing has evolved from a general nuisance into a grave security threat that costs large U.S. businesses $14.8 million annually on average in financial losses and lost productivity. Organizations should adopt automated security systems to identify and isolate phishing attacks before they can cause harm, while also training employees to recognize when they are being targeted by phishing attacks."
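The Lookout and SlashNext quotes above both point at the same two constants of phishing: manufactured urgency and impersonation of a trusted party, delivered through a link whose destination differs from what the reader sees. The following triage script is an added example, not code from either company or from the article; the messages, the trusted domain `example-corp.com`, the keyword list and the scoring thresholds are all constructed for illustration. It scores each message on three defender-side heuristics (display-name impersonation with a foreign sender domain, urgency language, and link text whose domain does not match the actual href) and returns the reasons so an analyst can see why a message was flagged.

```python
"""Heuristic phishing triage over constructed sample messages.

Added example. The messages, TRUSTED_DOMAINS, the URGENCY keyword list and
the flag threshold are all constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed: the organization's own mail domain(s) and brand keyword(s).
TRUSTED_DOMAINS = {"example-corp.com"}
BRAND_KEYWORDS = {"example-corp", "example corp"}

# Constructed urgency phrases; a real deployment would tune this list.
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account (will be )?suspended|verify now|act now)\b",
    re.IGNORECASE,
)
FLAG_THRESHOLD = 2  # constructed: two or more indicators -> flag for review


@dataclass
class Message:
    display_name: str
    from_addr: str
    subject: str
    body: str
    links: list = field(default_factory=list)  # (anchor text, href) pairs


def sender_domain(addr: str) -> str:
    """Domain part of an RFC 5322-style address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def link_domain(href: str) -> str:
    """Host portion of an http(s) URL, or '' if the string is not a URL."""
    m = re.match(r"https?://([^/:\s]+)", href, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def shown_domain(anchor_text: str) -> str:
    """Domain the reader *sees* in the link text, if the text looks like a URL or host."""
    text = anchor_text.strip()
    if text.lower().startswith(("http://", "https://")):
        return link_domain(text)
    if re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.IGNORECASE):
        return text.split("/")[0].lower()
    return ""  # plain words like "click here" carry no visible domain


def score(msg: Message):
    """Return (indicator_count, reasons) for one message."""
    reasons = []
    dom = sender_domain(msg.from_addr)
    name = msg.display_name.lower()

    # 1. Impersonation: display name invokes the brand, but the sender domain is not ours.
    if any(k in name for k in BRAND_KEYWORDS) and dom not in TRUSTED_DOMAINS:
        reasons.append(f"display name invokes brand but sender domain is {dom}")

    # 2. Urgency language in subject or body.
    if URGENCY.search(msg.subject) or URGENCY.search(msg.body):
        reasons.append("urgency language")

    # 3. Visible link domain differs from the real href destination.
    for text, href in msg.links:
        shown, actual = shown_domain(text), link_domain(href)
        if shown and actual and shown != actual:
            reasons.append(f"link shows {shown} but points to {actual}")

    return len(reasons), reasons


def triage(messages):
    """Return [(subject, flagged, reasons)] for a batch of messages."""
    out = []
    for m in messages:
        n, reasons = score(m)
        out.append((m.subject, n >= FLAG_THRESHOLD, reasons))
    return out


# Constructed sample messages (not real mail).
PHISH = Message(
    display_name="Example-Corp IT Helpdesk",
    from_addr="helpdesk@examp1e-corp-support.net",
    subject="URGENT: verify your password within 24 hours",
    body="Your account will be suspended unless you confirm your credentials.",
    links=[("https://portal.example-corp.com/login", "https://examp1e-corp-support.net/x")],
)
BENIGN = Message(
    display_name="Jane Doe",
    from_addr="jane.doe@example-corp.com",
    subject="Q3 planning notes",
    body="Attached are the notes from today's meeting.",
    links=[("https://wiki.example-corp.com/q3", "https://wiki.example-corp.com/q3")],
)

if __name__ == "__main__":
    for subject, flagged, reasons in triage([PHISH, BENIGN]):
        print(f"{'FLAG' if flagged else 'ok  '} {subject!r}: {reasons}")
```

The three checks are deliberately independent so that a single false positive (an internal message that happens to say "immediately") does not cross the threshold on its own; a reviewer sees the list of reasons rather than a bare score.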

+++

Phil Neray, VP of Cyber Defense Strategy at CardinalOps

"The dynamic nature of technology and data sources feeding the SOC is as diverse and ever-changing as the threat landscape itself. This requires SOC infrastructure and processes to be equally dynamic. This presents a clear opportunity for AI and automation to make the SOC more efficient and effective by enabling teams to more quickly and accurately identify detection coverage gaps and blindspots in their environment. Combining AI with the MITRE ATT&CK framework can also be used to provide organizations with real-time visibility into their level of preparedness for the top APT groups targeting them, gain a better understanding of current SOC detection posture for their crown-jewel assets, and help prioritize how to improve and extend their detection coverage over time."
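The quote above argues for mapping a SOC's detection inventory against MITRE ATT&CK to find coverage gaps for the groups that matter most. The script below is an added example of that mapping, not CardinalOps code or anything from the article: the detection rules, their enabled state, and the threat profile are all constructed, while the technique IDs used (T1566, T1078, T1021, T1003, T1486, T1136, T1110) are real ATT&CK identifiers. It distinguishes techniques with an enabled detection from those where the only rule is disabled (a common, silent gap) and from those with no rule at all.

```python
"""Detection-coverage gap analysis against MITRE ATT&CK technique IDs.

Added example. The rule inventory and the threat profile below are
constructed for illustration; only the technique IDs are real ATT&CK IDs,
and which rule maps to which technique is an assumption.
"""
from collections import defaultdict

# Constructed SOC detection inventory: rule name -> (ATT&CK technique ID, enabled?)
DETECTION_RULES = {
    "suspicious_office_child_process": ("T1566", True),   # Phishing
    "new_local_admin_created":         ("T1136", True),   # Create Account
    "rdp_logon_from_workstation":      ("T1021", False),  # Remote Services (rule exists but is off)
    "mass_file_rename_with_new_ext":   ("T1486", True),   # Data Encrypted for Impact
    "password_spray_pattern":          ("T1110", True),   # Brute Force
}

# Constructed threat profile: techniques a tracked group is assumed to use,
# with an analyst-assigned priority (higher = more important to detect).
THREAT_PROFILE = {
    "T1566": ("Phishing", 3),
    "T1078": ("Valid Accounts", 3),
    "T1021": ("Remote Services", 2),
    "T1003": ("OS Credential Dumping", 3),
    "T1486": ("Data Encrypted for Impact", 3),
}


def coverage_by_technique(rules):
    """Technique ID -> list of *enabled* rule names. Disabled rules do not count as coverage."""
    cov = defaultdict(list)
    for name, (tech, enabled) in rules.items():
        if enabled:
            cov[tech].append(name)
    return dict(cov)


def analyze_gaps(rules, profile):
    """Classify each profile technique as covered, disabled_only, or uncovered."""
    enabled = coverage_by_technique(rules)
    disabled = {tech for tech, on in rules.values() if not on}
    result = {"covered": [], "disabled_only": [], "uncovered": []}
    for tech in profile:
        if tech in enabled:
            result["covered"].append(tech)
        elif tech in disabled:
            result["disabled_only"].append(tech)
        else:
            result["uncovered"].append(tech)
    return {k: sorted(v) for k, v in result.items()}


def coverage_ratio(rules, profile):
    """Fraction of profile techniques with at least one enabled detection."""
    return len(analyze_gaps(rules, profile)["covered"]) / len(profile)


def prioritized_backlog(rules, profile):
    """Gaps ordered for remediation: highest priority first; re-enabling an
    existing rule is cheaper than writing one, so it sorts ahead on ties."""
    gaps = analyze_gaps(rules, profile)
    items = [(t, "enable existing rule") for t in gaps["disabled_only"]]
    items += [(t, "write new detection") for t in gaps["uncovered"]]
    # sort by (-priority, action) so 'enable' precedes 'write' within a priority band
    return sorted(items, key=lambda it: (-profile[it[0]][1], it[1]))


if __name__ == "__main__":
    gaps = analyze_gaps(DETECTION_RULES, THREAT_PROFILE)
    print(f"coverage: {coverage_ratio(DETECTION_RULES, THREAT_PROFILE):.0%}")
    for bucket, techs in gaps.items():
        print(f"{bucket:14s}: {', '.join(techs) or '-'}")
    for tech, action in prioritized_backlog(DETECTION_RULES, THREAT_PROFILE):
        print(f"  {tech} {THREAT_PROFILE[tech][0]!r}: {action}")
```

In practice the rule inventory would be exported from the SIEM and the profile pulled from threat intelligence; the point of the split between `disabled_only` and `uncovered` is that the former is a configuration fix while the latter is engineering work, and a coverage percentage alone hides that difference.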

+++

Jason Stirland, CTO at DeltaNet International
 
"According to a recent study by Interisle, phishing attacks rose by 61% in 2022 to more than one million attacks. What's clear is that cyber-attacks, such as phishing, aren't disappearing anytime soon and they won't be. Phishing attacks are increasingly becoming sophisticated, with cybercriminals finding more creative ways to catch people out. IT professionals must work with their HR teams to prioritise training employees on cybersecurity awareness issues, from understanding how to spot phishing attempts to preventing data breaches.

"Educating employees on cybersecurity awareness training should be refreshed yearly and shouldn't wait until a data breach has occurred. Unfortunately, research from the World Economic Forum revealed that 59% of cyber leaders said they would find it challenging to respond to a cybersecurity incident due to the skills shortage within their team. With the skills gap in cybersecurity, it's evident that organisations remain at risk in protecting their infrastructures. While businesses should have robust security systems in place, a compliant culture should exist throughout the company to reduce risk. It shouldn't just depend on an organisation's IT or security professionals to protect the company against cyber threats. Cybersecurity requires accountability from all employees, and the workers will only understand this if they are trained on its importance and know how to act.

"Over the past year, organisations across the globe have been dealing with employees returning to the workplace, navigating office-based, remote and hybrid workers. Unfortunately, many businesses forget the importance of training their hybrid and remote workers about cybersecurity best practices - weakening the organisation's resilience to any security breaches. IT professionals should identify any skills gaps in the organisation and ensure all employees understand their role in safeguarding the organisation's infrastructure and protecting its data."

+++

Cam Roberson, Vice President, Beachhead Solutions

"Cybersecurity Awareness Month is a perfect opportunity to remind businesses to maintain a holistic security strategy with awareness for all reasonable security threats they can/will come up against. Ransomware horror stories - capturing the imagination with vivid fears of losing access to crucial data and being forced to directly negotiate with the bad guys - give many organizations tunnel vision when it comes to security. Ransomware fears are justified, and effective protections must be a priority. But ransomware is just a small area of the broad threat landscape. Security awareness must go far beyond that and, too often right now, it doesn't. Organizations eagerly adopt antivirus and EDR/XDR tools, which focus mostly on protections against ransomware, when their strategies need to include protections against all risks.

The reality is that unsafe employee behavior and poor security hygiene remain the top dangers to an organization's systems and data. A rigorous and continuous security training regimen is required to ensure employees will see through phishing attacks, properly safeguard login credentials, stick to secured connections, and won't share devices or leave credentialed sessions unattended. Insider threats must be addressed with effective governance, as well as activity logging and reporting that can also demonstrate protections in the face of potential regulatory audits. Risks of devices being lost or stolen should be met with encryption and advanced remote access control protections, able to automatically eliminate data access (or in some cases the data itself) in response to risks in real-time. By implementing a comprehensive layered cybersecurity strategy, businesses protect themselves not just against ransomware but also the myriad lower profile but just as devastating dangers out there."

+++

Constancio Fernandes, VP of Engineering, Asimily 

"This Cybersecurity Awareness Month, security and IT teams should pause and take inventory of whether their security posture is actually built for the industry-specific systems they need to secure. One size does not fit all, and having that line of cybersecurity thinking can (and does) result in big trouble when things go awry.

A glaring example we're particularly familiar with is the Internet of Medical Things (IoMT), which demands a security approach that stretches well beyond the confines of the type of IoT security that might be utilized for connected consumer devices or on factory floors. More specifically, hospitals, pharmaceutical companies, and other healthcare systems implementing generalized IoT security strategies struggle to understand how to locate and prioritize the device vulnerabilities that can do the most damage. Since IoMT devices are used in a very different context than traditional endpoints or consumer IoT devices, the vulnerabilities and threats that pose the highest risk to them are not the same as those other devices. Without that IoMT-specific knowledge, IoMT anomaly detection, and IoMT forensic analysis, cybersecurity strategies in this industry are incomplete and vulnerable - and riskier by the day as more IoMT devices and equipment come online."

+++

Shahar Binyamin, CEO and co-founder, Inigo

"Many enterprises are now seeing similar security challenges with GraphQL that they've undergone with Kubernetes over the past few years. Developers charged full-steam-ahead into the container orchestration platform, but security was far too often an afterthought. That in turn led to a slew of headline-creating breaches as enterprise security and IT teams struggled to catch up. Developers, of course, will always gravitate toward the tools and technologies that can make their jobs easier. That's not going to change. But the lesson here is that security needs to keep pace and not be a bolt-on. This is now playing out with GraphQL, the increasingly-popular, developer-driven replacement for REST API. GraphQL is great and the future of API development, but it comes with security responsibilities that tend to be - at least initially - put on the backburner. (We've seen the GraphQL security problem first hand, as engineers, and it's why we started a company this year to address it.) It's far, far easier to put proper developer-tool security practices into place as soon as they touch your organization, rather than once they've begun to scale. And with something as critical to business as GraphQL, enterprises can't afford to take security chances."

+++

Tom Bridge, Principal Product Manager, Apple Technologies, JumpCloud

"It's good that Cybersecurity Awareness Month comes just as the market is typically flooded with the newest devices as it's a helpful reminder for those of us tasked with securing things that a yearly audit of security practices and policies should be paramount. As more organizations move toward BYOD environments, or at least toward environments where employees have choices, establishing systems to manage use becomes critical. IT teams need to determine how best to secure devices and resources without infringing on employee privacy. Good policy is clear about approved devices and operating systems and is able to accommodate and add new options as needed. It also makes very transparent what an organization can and can't do with each device as well as spelling out what device users are responsible for when accessing company data. Lastly, good policy should determine parameters around file and document transfers to personal devices and explicitly communicate how lost or stolen devices will be handled."

+++

Alex Rybak, Senior Director of Product Management, Revenera 

"As we head into Cybersecurity Awareness Month, we're at an inflection point. The Biden administration's Cybersecurity Executive Order and recent memorandum citing specific responsibilities of agencies in protecting the software supply chain, along with existing regulations from various industries and geographies, are motivating software suppliers to focus on creating a formally structured and machine-readable software bill of materials (SBOM). A growing number of software companies expect that this SBOM contains the open source, third-party, and commercial software found within their applications-regardless of where they originated, inside or outside the organization.

We've seen a marked uptick in interest in SBOM tools, especially those that unify all SBOMs into a single, actionable view. When the next high-profile vulnerability hits, suppliers that have this unified data at their fingertips will quickly uncover exposures wherever they exist across their portfolio of applications so they can expediently fix the problems, no matter whether the code was developed internally or outside of the organization."
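What a "single, actionable view" across several SBOMs looks like in practice, as an added example that is not Revenera's tooling and not code from the original page: three CycloneDX-style SBOM documents are constructed inline (product names, component names and versions are all made up), merged into one index keyed by component, and queried for every application that still ships a component older than a given fixed-in version. The fixed-in version passed at the bottom is a hypothetical input, not an advisory statement.

```python
"""Merge several CycloneDX-style SBOMs and query the merged index for an
affected component. Added example; SBOM documents are constructed and the
fixed-in version is a hypothetical input, not an advisory from the page."""
import json
from collections import defaultdict

# Constructed sample SBOMs (CycloneDX 1.4 JSON shape, trimmed to the fields used).
SBOM_DOCS = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "billing-service", "version": "3.2.0"}},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
            {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.4"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "reporting-ui", "version": "1.9.3"}},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
            {"name": "lodash", "version": "4.17.21"},   # no group: npm-style component
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": "partner-sdk", "version": "0.4.0"}},
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.16.0"},
        ],
    }),
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings.
    Non-numeric pieces (e.g. '1-SNAPSHOT') contribute their leading digits or 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def build_index(docs):
    """Map 'group:name' -> list of (component_version, application, application_version)
    across every SBOM, so one lookup answers 'where do we ship this?'."""
    index = defaultdict(list)
    for raw in docs:
        bom = json.loads(raw)
        app = bom["metadata"]["component"]
        for comp in bom.get("components", []):
            key = f"{comp.get('group', '')}:{comp['name']}"
            index[key].append((comp["version"], app["name"], app["version"]))
    return index


def find_exposures(index, key, fixed_in):
    """Return the applications whose copy of `key` is older than `fixed_in`."""
    fixed = parse_version(fixed_in)
    hits = []
    for comp_version, app, app_version in index.get(key, []):
        if parse_version(comp_version) < fixed:
            hits.append({"application": app, "app_version": app_version,
                         "component_version": comp_version})
    return sorted(hits, key=lambda h: h["application"])


if __name__ == "__main__":
    idx = build_index(SBOM_DOCS)
    # Hypothetical question: which applications ship log4j-core older than 2.17.1?
    for hit in find_exposures(idx, "org.apache.logging.log4j:log4j-core", "2.17.1"):
        print(hit)
```

The index is keyed by group and name rather than name alone because ecosystems reuse short names; in a real portfolio the key would be the component's `purl`, which CycloneDX carries for exactly this purpose, and the version comparison would use the ecosystem's own ordering rules rather than the dotted-integer approximation above.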

+++

Lance Hayden, Ph.D., Vice President and Chief Information Security Strategist at Vericast

"Having served as a Chief Information Security Officer and a Chief Privacy Officer, I know well how the concepts and practices of data privacy and information security can overlap. 'What's the difference?' is a question I was used to hearing. As with many closely interrelated disciplines, the answer can be a matter of perspective.

At their core, both privacy and security address how we manage, process, and protect information. But perspectives differ. Simply put, a privacy perspective tends to focus on ownership, permissions, and consent. It's like a property right, concerning itself with who owns the information, driving what others may or may not do with it. In today's world, increasingly focused on personal information, that conversation is often about individuals such as consumers or citizens of a particular region. Security addresses how information is used, controlled, and protected, either by its owner or someone to whom it is provided. Many of today's evolving privacy laws seek to ensure that if you lend someone your property, they are obligated to take care of it and not to use it in ways you wouldn't approve.

I often find that privacy tends to be viewed through a legal lens, and security a technological one. But the truth is both are deeply dependent on intertwined legal, policy, and technology infrastructures. As part of this year's Cyber Security Awareness Month, security and privacy professionals should appreciate how tightly coupled their fields have become and take a moment to consider both perspectives."

+++

Vijay Sundaram, Chief Strategy Officer at ManageEngine, the enterprise IT management division of Zoho Corporation

"Fortifying cybersecurity practices, communicating them to all employees, and ensuring compliance is a leading priority for every business today that has a digital footprint. However, what we're seeing in this report is a large discrepancy between who in the enterprise should be responsible for cybersecurity efforts and who is actually responsible. Business leaders must close this gap by fostering even greater collaboration between IT and the rest of the organization and putting the onus of cybersecurity on all employees, not just the IT department."

+++

Justin Henkel, VP, Security at OneTrust

“CISOs know they’re operating in a ‘not if, but when’ incident environment. The cost and magnitude of risk have escalated in frequency, complexity, and time to resolve, often consuming already stretched resources. How are security leaders reinforcing their risk programs to match? In many companies, the broader security systems have struggled to keep pace with fast-evolving business operations. Organizations are operating across increasingly complex ecosystems. Security leaders face challenges like visibility across the IT and data assets, understanding the full scope of where they are, who is in the best position to act and own the risk, and how to prioritize program investment to integrate risk and security into the business further.

CISOs and security leaders need a scalable foundation to manage IT and data assets, risks, controls, and policies to make better, risk-informed decisions and gain visibility into their IT ecosystems. An integrated strategy to assess and treat risk at the source allows InfoSec teams to measure the success of their programs and proactively address the risk to the business. By centralizing key data points and mitigation efforts, organizations can evaluate risk across their current IT ecosystem, effectively prioritize action to protect the organization, and strategically collaborate with the business to help the company meet objectives without sacrificing security.”

+++

Balaji Ganesan, CEO and Co-Founder, Privacera

"Data security should be part of an overall cyber security strategy - from day one. Security professionals tend to focus on cyber security and infosec, which is critical, but how does your organization minimize risk? What happens when bad actors gain access to analytical and data systems through phishing or other attacks using employee credentials? The solution is a comprehensive strategy that includes fine-grained data security for analytical and data systems, a comprehensive audit, and reporting capabilities.

Businesses need to think about the entire security lifecycle when it comes to data, and to execute on an enterprise data security strategy a Unified Data Security Platform is required, which includes:

  • Sensitive data discovery and classification
  • Comprehensive data audit and reporting
  • Consistent and automated implementation of data access policies across all your data sources
  • Integrated data masking and encryption capabilities
  • Ability to create policies for data regulations, such as GDPR or CCPA, once, apply them consistently across all data sources, and, when regulations change, modify them once and instantly apply the change across the enterprise

Good data security governance enables broad, effective and secure data collaboration across all teams and disciplines in small and larger organizations while increasing the overall security posture with ease. This is particularly critical as balancing the need for data sharing with regulatory requirements and compliance is increasingly becoming front and center for data-driven businesses."

+++

Eric Noonan, CyberSheath CEO and former BAE Systems CISO

"No matter where you fall in your cybersecurity journey, there are three major components that factor into your effectiveness: security, regulatory, and IT requirements. If you cover each of these areas, you will have a strategy that is less reactive and threat-driven and instead delivers proactive and resilient outcomes. To ensure you are covering the right ground across each of these areas, select a framework like the NIST Cybersecurity Framework or a control set like 'The 18 CIS Critical Security Controls' and use either of these as your prioritized list of things to get done. Addressing the controls in either of these documents can be a force multiplier for your cybersecurity efforts, and each allows controls to be prioritized according to risk profile and your available resources. Ultimately, having a roadmap like NIST or the CIS controls allows you to follow a thoughtful and methodical process so that your cybersecurity efforts are both documented and measurable, in perpetuity. If your strategy isn't grounded in a framework, your program will likely overspend your budget and under-secure your business."

+++

Kayla Williams, CISO, Devo
 
"In today’s post-GDPR & CCPA, post-SolarWinds, and post-Log4j world it is more important than ever for privacy and security teams to collaborate on their organization’s approach to security objectives. Whilst there remain fundamental differences between the two topics, it is imperative for security and legal leaders to work together towards achieving technical privacy compliance.
 
The internal attack surface is growing exponentially; companies spin up and down cloud assets daily, introduce new IoT technologies, and bring in third parties and partners, all of which expose them to security and privacy risk. The threat landscape is becoming more complex by the day, with bad actors performing more sophisticated attacks and taking advantage of new technology vulnerabilities. How can organizations ensure they’re meeting the privacy laws and regulations that apply to them if they cannot keep up with the momentum of external and internal change? Establishing a partnership between legal and security teams allows both organizations to: 

  1. Understand how, why, and what aspects of privacy laws and regulations apply to their business processes.
  2. Based on that legal opinion, the risk of noncompliance can be prioritized by performing a joint review of those processes (including data privacy impact assessment and data flows), the technical and security controls already in place (including access management, patching, anti-virus, mobile device management, network segmentation, etc.), as well as the amount of investment (money, level of effort, resources, etc.) that may be required to implement new or better processes.
  3. Legal and security teams can work together to ensure all business stakeholders understand their requirements and help them implement continuous monitoring and security controls necessary to continue to meet requirements.
  4. Emerging risks such as pending laws/regulations, litigation (such as Schrems II), and even new customer requirements can be collaborated on between security and legal to determine how to implement change with the least amount of impact on business operations while still achieving compliance with the organization’s legal opinion, laws/regulations, and security requirements.
  5. Collaborating on the creation of a technical privacy framework that includes a technical privacy/privacy by design policy and the security standards that need to be considered and implemented would benefit the organization, as well."

+++
 
Melissa Bischoping, Director, Endpoint Security Research Specialist at Tanium

"Today's organizations are dealing with immense attack surfaces and a deluge of security tools at their disposal. Despite the tightly packed market, data breaches are still on the rise, and cybercriminals are constantly on the hunt for the weak link in the organization, often through the thousands of endpoints businesses must manage. For organizational risk to truly be reduced, the silos across business units need to be broken down. A complete understanding of how your business uses both data and technology to build a secure design will ultimately result in more secure and efficient business operations. Cybersecurity is, after all, a business operations issue and must be approached as one."
 
+++
 
Ryan McCurdy, VP of Marketing, Bolster

"Today, we are seeing an all-time high in phishing attacks throughout every industry. The scale and tactics used by cybercriminals are becoming increasingly complex with each attack, and affect organizations differently with each tactic deployed. Some of the top phishing scams identified include whale phishing, vishing, social media phishing, Business Email Compromise (BEC) phishing, and NFT scams. Each scam has the common goal of harvesting valuable data, credentials, and funds, but the processes differ.
  • Whale Phishing: Whale phishing is a spear-phishing tactic that specifically targets company executives by impersonating them to steal their credentials and utilizing them to victimize junior executives. Essentially, it takes advantage of the hierarchy executives hold within the company, as junior executives are less inclined to push back on requests. The goal with this type of strategy is to gain access to company data or steal money. The average cost to recover from whale phishing is $1.8 billion, but it also results in additional financial, reputational, and data-related consequences.
  • Vishing: The traditional method of vishing takes the form of unsolicited phone calls to employees from scammers impersonating organizations the company has worked with before. The most common scams tied to this include bank scams, IRS scams, and scammers claiming to be tech support. All methods deployed have the goal of harvesting company data, in addition to financial gain.
  • Social Media Phishing: Social media phishing is one of the most common tactics we are experiencing today, with 73% of businesses taking advantage of the platforms available. Phishing scams utilized on social media can take the form of lottery and gift card scams, impersonating executives, account hacking, crypto investment scams, texting scams, hidden or shortened URLs, pirated goods, and online quizzes. It has become quite tedious, and almost impossible, for IT security teams to manage the ongoing number of platforms available. Each platform has different sets of regulations and reporting that make it difficult to remove fraudulent websites and activity.
  • Business Email Compromise (BEC) Scams: BEC scams are another form of targeted scam, focusing on executives and employees in charge of the transfer of funds. Scammers obtain similar domain names, typosquatting domains, to create fake email addresses of employees to submit payment requests. The issue has also been scammers bypassing email spam and virus protection systems, as their emails won’t include links and attachments. The most common types of BEC scams are CEO fraud, fake invoices, account compromise, attorney impersonation, and data theft.
  • Non-Fungible Tokens (NFT) Scams: There is a considerable amount of money tied to NFTs, and scammers are no stranger to deploying tactics to obtain them. Scammers have created fake websites to mimic replica stores with little to no discrepancies. Users are tricked into logging in, which has even resulted in credit card information being given away. In addition, fake NFT stores have been set up with alternate logos and branding that sell nonexistent NFTs. Giveaways are also a common tactic used by scammers, who will impersonate well-known cryptos and brands tied to them to trick crypto enthusiasts with free crypto/NFTs/tokens in the marketplace."
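The BEC point above rests on lookalike sender domains slipping past filters that only look for links and attachments. The check below, an added example and not Bolster's product or code from the original page, scores a sender's domain against the organization's own domains three ways: homoglyph folding (so `examp1e.com` equals `example.com`), a small Levenshtein distance (typos and transpositions), and a trusted label embedded in a longer one (`example-payments.com`). The trusted domains, the sample addresses and the thresholds are all constructed, and the two-label "registrable domain" rule is a simplification of what the public suffix list would give.

```python
"""Flag sender domains that look like one of the organization's own domains,
the typosquatting trick behind many BEC payment requests. Added example;
the trusted domains, sample senders and thresholds are constructed."""

TRUSTED_DOMAINS = {"example.com", "example-corp.com"}   # constructed

# Substitutions attackers use because the glyphs render alike in common fonts.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Trusted labels shorter than this are too easy to land near by accident.
MIN_LABEL_FOR_DISTANCE = 5
MAX_EDIT_DISTANCE = 2


def normalize(label):
    """Fold look-alike characters so 'examp1e' and 'exarnple' both become 'example'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance via the usual two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(domain):
    """'mail.example.com' -> 'example.com'. Naive two-label rule (assumption);
    production code should consult the public suffix list for ccTLDs like co.uk."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unrelated' for an e-mail address."""
    domain = registrable(address.rsplit("@", 1)[1])
    if domain in trusted:
        return "trusted"
    label = domain.rsplit(".", 1)[0]
    folded = normalize(label)
    for t in trusted:
        t_label = t.rsplit(".", 1)[0]
        t_folded = normalize(t_label)
        if folded == t_folded:                       # homoglyph twin or wrong TLD
            return "lookalike"
        if (len(t_label) >= MIN_LABEL_FOR_DISTANCE
                and edit_distance(folded, t_folded) <= MAX_EDIT_DISTANCE):
            return "lookalike"                       # exampel, exmaple, examplle
        if t_label in label and label != t_label:    # example-payments, secure-example
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sender in ("cfo@mail.example.com", "cfo@examp1e.com", "ap@example-payments.com",
                   "vendor@exampel.com", "cfo@example.co", "news@github.com"):
        print(f"{sender:28} {classify_sender(sender)}")
```

A verdict of `lookalike` is a triage signal for the mail gateway or the finance team's payment-change workflow, not proof of fraud; the check says nothing about senders who compromised a genuine mailbox, which is why the passage lists account compromise as a separate BEC variant and why payment changes still need an out-of-band callback.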

+++
 
Bryan Christ, Senior Sales Engineer at Bravura Security

"Year over year, the anatomy of an attack remains largely unchanged. It goes something like this: Hackers gain a foothold primarily through social engineering and phishing, do some reconnaissance, and then move laterally until they’re sufficiently elevated to cause damage.

In the face of this, organizations continue to earnestly conduct annual password training. Yet we are still seeing victims of password-related breaches.

Why?

The weakest link can’t be trained away. Hackers are exploiting the human element – people and the passwords that frustrate them. People have too many passwords to securely remember. Adding traditional MFA methods as a solution isn’t the path forward since it also leverages passwords which continue to make organizations a target for hackers.

Companies need to shift focus from the traditional reactionary perimeter measures they’ve relied on because they aren’t working anymore. The game has changed so the strategy needs to change too. The short-term strategy companies should be focused on, which is actually achievable today, is two-pronged: eliminating passwords with true passwordless MFA and if that’s not possible, turning them into zero-knowledge passwords with a password safe or vault.

The long-term strategy pieces both true passwordless MFA and password safes or vaults with a Zero Trust security model in an automated identity program. Zero Trust is a strategy that takes some time to implement so it’s important to enable quick wins like true passwordless MFA and zero knowledge passwords and secrets management."
 
+++
 
Michael Rothschild, VP, Product Marketing at HYPR

"Credential attacks have become the main focus of cybersecurity teams and attackers alike. The types of password attacks that hackers use to compromise users’ passwords vary greatly and broadly fall under two categories: guessing and stealing.
 
Password Guessing
 
The standard modus operandi for these types of password attacks is usually based on the attacker already having personal information, such as an email address or other login, which they then leverage for multiple login attempts. These include:
 
  • Dictionary Attacks: Here, a hacker runs through all the possible passwords from a predefined dictionary of terms.
  • Credential Stuffing: Billions of username and password pairs from previous data breaches are available for purchase on the dark web. Attackers can write rudimentary scripts that will cycle through all of these known pairings for various websites. The attack is a numbers game, with any account access found then used to elevate attacks.
  • Brute Force: This is really a general term for any type of attack that tries multiple combinations of a password for an account, often using automated tools and additional data points that the attacker has, such as minimum password length or the requirement that it includes certain characters.
  • Password Spraying: This is a brute force attack that does the opposite of a dictionary attack in that it keeps the password as a constant and tries multiple different usernames to see if there’s a match.
 
Password Theft
 
With this category of attacks, bad actors attempt to either intercept, record or otherwise steal a user’s password. These password attacks include:
 
  • Phishing: This is among the most popular and effective of all types of password attacks. The premise is that users receive a trustworthy-seeming email or SMS with a login link. This link redirects to either a fake login page or a real login page directed through an attacker’s proxy server. When the user enters their details, they are stolen. Using a simultaneous login, this method can also be used to steal one-time passwords (OTPs) sent to SMS as part of a multi-factor authentication process.
  • Man-in-the-Middle (MitM): An attacker intercepts information as it is in transit between two parties. This action can eavesdrop on unencrypted usernames, passwords or personal details.
  • Keylogger: Keystroke logging is where an attacker uploads malware onto a user’s device that records their keystrokes.
  • SIM-Swapping: The attacker leverages personal information gathered about the victim. They use this information to convince their cell company to switch the phone number to a SIM card they control. This means that attackers can use OTPs or account recovery information sent to that phone number to take over the victim’s accounts.
 
Eliminate the Risk by Eliminating Passwords
 
Passwords and other user credentials are increasingly the focus of attacks and the leading cause of breaches. While organizations may deploy countermeasures, the only way to be sure of preventing attacks is by eliminating passwords and other shared secrets from the authentication process."
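The guessing attacks listed above leave different shapes in authentication logs, and that shape is what a detection has to key on: brute force is many failures against one account from one source, while password spraying is one or two failures against many accounts from one source, each account touched lightly enough to stay under lockout thresholds. The detector below is an added example, not HYPR's code or anything from the original page; the log lines are constructed, the thresholds are assumptions to tune per environment, and it also records any success that follows a spray from the same source, which is the event worth paging on.

```python
"""Tell password spraying from brute force in authentication logs by the
shape of the failures per source. Added example; log lines are constructed
and the thresholds are assumptions, not vendor defaults."""
from collections import defaultdict

# Constructed log lines: timestamp, source IP, username, outcome.
AUTH_LOG = """\
2022-10-03T08:00:01Z 203.0.113.7 alice FAIL
2022-10-03T08:00:02Z 203.0.113.7 bob FAIL
2022-10-03T08:00:03Z 203.0.113.7 carol FAIL
2022-10-03T08:00:04Z 203.0.113.7 dave FAIL
2022-10-03T08:00:05Z 203.0.113.7 erin FAIL
2022-10-03T08:00:06Z 203.0.113.7 frank OK
2022-10-03T08:01:10Z 198.51.100.9 alice FAIL
2022-10-03T08:01:11Z 198.51.100.9 alice FAIL
2022-10-03T08:01:12Z 198.51.100.9 alice FAIL
2022-10-03T08:01:13Z 198.51.100.9 alice FAIL
2022-10-03T08:01:14Z 198.51.100.9 alice FAIL
2022-10-03T08:01:15Z 198.51.100.9 alice FAIL
2022-10-03T08:02:00Z 192.0.2.44 grace FAIL
2022-10-03T08:02:30Z 192.0.2.44 grace OK
"""

# Assumed thresholds; tune against a baseline of normal typo rates.
SPRAY_MIN_USERS = 5      # distinct accounts one source must fail against
SPRAY_MAX_PER_USER = 2   # a spray touches each account once or twice, to dodge lockout
BRUTE_MIN_FAILS = 5      # failures against a single account from one source


def parse(log_text):
    """Turn the whitespace-separated lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append({"ts": ts, "src": src, "user": user, "ok": outcome == "OK"})
    return events


def detect(events):
    """Return one finding per (source, pattern) seen in the events."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    successes = defaultdict(set)                    # src -> users that later logged in
    for e in events:
        if e["ok"]:
            successes[e["src"]].add(e["user"])
        else:
            fails[e["src"]][e["user"]] += 1

    findings = []
    for src, per_user in fails.items():
        # Wide and shallow: many accounts, few attempts each -> spraying.
        if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
            findings.append({"src": src, "type": "password_spray",
                             "users": len(per_user),
                             "followed_by_success": sorted(successes[src])})
        # Narrow and deep: one account hammered -> brute force / dictionary.
        for user, count in per_user.items():
            if count >= BRUTE_MIN_FAILS:
                findings.append({"src": src, "type": "brute_force", "user": user,
                                 "failures": count,
                                 "followed_by_success": sorted(successes[src])})
    return findings


if __name__ == "__main__":
    for finding in detect(parse(AUTH_LOG)):
        print(finding)
```

Credential stuffing looks like spraying in these counts, many accounts with one attempt each, because the attacker already holds a password per account; the difference shows up in the success rate, which is why the `followed_by_success` field matters more than the failure totals. A single source address is also an assumption: sprays are routinely spread across proxy pools, so a production rule would bucket by ASN or user-agent fingerprint as well as by IP.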
 
+++
 
Matt Moynahan, President & CEO, OneSpan
 
“We’ve already begun to see how a lack of security and identity protection is manifest in the development of Web 3.0. This issue of fake users and bots, already endemic throughout today’s internet, is likely to plague future digital interactions. Following the Covid-19 pandemic, many companies saw first-hand the necessity for security parameters around virtual meetings. This cautious and security-first approach must also be applied to future digital interactions within Web 3.0. Often, security has been focused on securing end-to-end processes. However, the growing threat of deepfakes shows there’s been a lack of securing and authenticating the actual interactions between people or companies. Organizations must take a step back and recognize how they are exposed as they transition to Web 3.0. The answer rests on authenticating and identifying all involved parties, and unfortunately, companies like DocuSign continue to fall short in their efficiency benefits with no emphasis on the authentication and validation needed with all types of digital transactions and collaborations. Good cyber awareness means acknowledging these risks and applying them to our digital lives. As we see new attack vectors emerge, they will require a fundamental realignment of today’s security paradigms to identify, verify and secure Web 3.0.”

+++
 
Iryna Bondar, Fraud Operations Team Lead, Veriff
 
"Cybersecurity threats are often seen as vicious malware and viruses, sneaking through holes in companies’ systems or brute-forcing their way through carefully crafted defenses which often prompts businesses to prioritize defending against direct attacks from threat actors. But what happens when systems are fooled into thinking that those threat actors are someone else – like an employee at that company? Whether impersonating a C-Suite executive or customer, improper identity verification protocols can leave gaping – and often overlooked – holes in companies’ security strategies, allowing unauthorized users to masquerade as someone they’re not and access unauthorized information. From onboarding new employees and customers to daily use of internal programs, a robust identity verification program is an essential component of an effective cybersecurity strategy."

##

Published Monday, October 03, 2022 7:48 AM by David Marshall