The coming year in cybersecurity will be less about new cyber defense tools and more about education, compliance and process maturity.
On December 14, 2018, I had the pleasure to moderate a chief information security officer (CISO) panel discussion at the winter meeting of the Delaware Valley chapter of the Information Systems Security Association (ISSA). Four CISOs from leading Philadelphia-area institutions discussed their challenges in 2018 and their focus for 2019. Panelists included Steven Naphy, Senior Director of Information Security and Compliance at Morgan Lewis; Eugene Davydov, CISO at Lincoln Investment; Frank Piscitello, CISO at West Chester University; and Josh Sosnin, CISO at Ellucian.
All four panelists agreed that phishing (fraudulently obtaining sensitive information by posing as a trusted entity) was a major challenge throughout 2018. It had been a challenge for some time, but in 2018 the sophistication of phishing attacks rose dramatically. In many cases, Office 365 exposure and the lack of multifactor authentication (MFA) made phishing even more difficult to combat.
In the fight against phishing, CISOs employed many tried and true techniques, as well as a few unique ones. All four panelists emphasized the need for education. They stressed the importance of enlisting end users, from HR to office staff to sales, to become advocates and messengers for security to help spread the word and increase awareness. In addition, they deployed technical measures such as email tagging, filtering of executive emails, buying similar domain names, and monthly phishing tests.
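To make two of the technical measures above concrete (tagging external mail, and watching for the lookalike domains that motivate buying similar domain names, plus the executive-impersonation pattern that executive-email filtering targets), here is an added example of a simple inbound-mail classifier. It is illustrative code written for this page, not something the panelists or their organizations described; the organization domain, executive names, and sample messages are all constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed organization data for this example (hypothetical, not from the article).
ORG_DOMAIN = "example-firm.com"
ORG_BASE_LABEL = ORG_DOMAIN.split(".")[0]          # "example-firm"
EXECUTIVE_NAMES = {"jane doe", "john roe"}         # display names worth protecting

# Constructed sample messages (From header and Subject only).
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"from": "Jane Doe <jane.doe@example-firm.com>", "subject": "Q4 planning"},
    {"from": "Jane Doe <jane.doe@gmail.example>", "subject": "Urgent: wire transfer"},
    {"from": "IT Support <helpdesk@examp1e-firm.com>", "subject": "Password expiring"},
    {"from": "Vendor <billing@supplier.example>", "subject": "Invoice 1234"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small distances between sender domain and ORG_DOMAIN
    indicate typosquat / homoglyph-style lookalikes (e.g. 1 for l)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str):
    """Split a From header into (display name, lowercase address)."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def analyze(msg: Dict[str, str]) -> Dict[str, object]:
    """Return the sender details plus the warning tags a gateway would apply."""
    display, address = parse_from(msg["from"])
    domain = address.rsplit("@", 1)[-1]
    tags: List[str] = []

    if domain != ORG_DOMAIN:
        # Plain external tagging: every message not from our own domain.
        tags.append("EXTERNAL")
        # Lookalike check: close edit distance, or our brand label embedded
        # in a foreign domain (example-firm-secure.com, example-firm.co, ...).
        if levenshtein(domain, ORG_DOMAIN) <= 2 or ORG_BASE_LABEL in domain:
            tags.append("LOOKALIKE-DOMAIN")
        # Executive display-name spoofing from an outside address.
        if display.lower() in EXECUTIVE_NAMES:
            tags.append("EXEC-IMPERSONATION")

    return {"display": display, "address": address, "domain": domain, "tags": tags}


def tag_subject(msg: Dict[str, str]) -> str:
    """Prefix the subject with the tags, the way user-visible email tagging works."""
    tags = analyze(msg)["tags"]
    prefix = "".join(f"[{t}] " for t in tags)
    return prefix + msg["subject"]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(tag_subject(m))
```

The tags are deliberately coarse: "EXTERNAL" is informational for users, while "LOOKALIKE-DOMAIN" and "EXEC-IMPERSONATION" are the conditions a mail gateway would quarantine or route to the security team for review, which is the filtering the panelists described for executive mail.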
MFA has become a must-have, given the exposure present in Office 365 when MFA is not employed (account takeovers become trivial). All four panelists either had MFA or were in the process of rolling it out.
New regulations also presented a challenge in 2018, and it doesn’t appear they will be going away this year. The General Data Protection Regulation (GDPR), the Russian Federal Law on Personal Data, China’s Cyber Security Law, and the California Privacy Act, among many others, have all increased security compliance risk, added additional security and data-handling requirements, and heightened board awareness and angst. One of the CISOs on our panel now has regular and direct communications with the board because of the increased visibility of security compliance risk. These new regulations are also forcing greater cooperation between security, legal and compliance. Cyber risk is no longer viewed as just the CISO’s problem.
Regarding board communications, all panelists agreed that telling stories has proven to be an effective communication method. Rather than overwhelm board members with dry data and technical jargon, CISOs create stories about the cyber risks they face, relate them to recent events, and present them in a way that is engaging, easy to understand, and relevant to the organization. Several of the CISOs have provided the NACD Director’s Handbook on Cyber Risk Oversight to their board members to help them better understand the risks.
Looking ahead, the CISOs on our panel are largely aligned on their priorities and investments for 2019. Mr. Naphy of Morgan Lewis stated he was actually reducing capital expenditure and focusing resources on making the tools he already has and the investments he has already made more effective and mature. As an example, he is focused on making threat hunting a formal process. Naphy is also hiring data scientists to provide a fresh perspective on security. He believes security has a lot of useful data that could be put to effective use.
Mr. Naphy and his colleagues all agree they will be focused on blocking and tackling in 2019 – things like patching, upgrades and maturing key processes. Finally, while they plan to work on all three fronts – people, process and technology – they place technology last for a reason, indicating it has been the main focus for too long. Maturing cybersecurity processes, education and awareness are likely to receive much more attention in 2019.