- Stop plugging these 7 devices into extension cords - even if they sound like a good idea
- I changed these 6 Samsung TV settings to give the picture quality an instant boost
- I tested a 9,000,000mAh battery pack from eBay that cost $10 - here's my verdict
- The 3 most Windows-like Linux distros to try because change is hard
- This 'unlimited battery' GPS tracker is an integral part of my hikes - and it's on sale
CIO Balancing Act: Managing Cyber Risk Amidst Talent, Regulatory and Attack Surface Challenges
These are challenging times to be a CIO. It was all talk about digital transformation to drive post-pandemic business recovery a few months ago. Now, the goalposts have shifted thanks to rising inflation, geopolitical uncertainty and the Great Resignation. Meeting these challenges requires IT leaders to ruthlessly prioritize: taking action to mitigate escalating cyber and compliance risks by managing their attack surface more effectively amidst continued skills shortages.
For many, the key lies in choosing the right platform to drive visibility and control across the endpoint estate.
The ever-growing attack surface
That pandemic-era digital spending was certainly necessary to support hybrid working, drive process efficiencies and create new customer experiences. But it also left behind an unwelcomed legacy as corporate attack surfaces expanded significantly.
An explosion in potentially unmanaged home working endpoints and distributed cloud assets have added opacity at a time when CIOs desperately need visibility. Two-fifths of global organizations admit that their digital attack surface is “spiraling out of control.” Some organizations also exacerbate their challenges in this regard by rushing products to market, incurring heavy technical debt in the process.
Attack surface challenges are especially acute in industries like manufacturing, which became the most targeted sector in 2021. The convergence of IT and OT in smart factories is helping these organizations to become more efficient and productive, but it’s also exposing them to increased risk as legacy equipment is made to be connected.
Nearly half (47%) of all attacks on the sector last year were caused by vulnerabilities that the victim had yet to or could not patch. Like their counterparts in almost every sector, manufacturing CIOs are also kept awake at night by supply chain risk. An October 2021 report claimed that 93% of global organizations have suffered a direct breach due to weaknesses in their supply chains over the previous year.
Managing this risk effectively will require rigorous and continuous third-party auditing based on asset visibility and best practice cyber hygiene checks. The same approach can also help drive visibility at a time when supply chains are still under tremendous strain from the continued impact of COVID-19 in Asia and new geopolitical uncertainty.
Threat actors are ruthlessly exploiting visibility and control gaps wherever they can find them, most notably via ransomware. The average ransom payment rose 78% year-on-year in 2021, with some vendors detecting a record-breaking volume of attacks. Most are down to a combination of phishing, exploited software vulnerabilities, and misconfigured endpoints, particularly RDP servers left exposed without strong authentication.
Missing talent
In fact, misconfiguration is one of the biggest sources of cyber risk today perpetuated by talent shortages and digital transformation, the latter creating new and complex IT environments which become more challenging to manage securely. The talent shortfall cuts across multiple sectors and is most acute in cyber with a gap of over 2.7 million professionals globally, including 402,000 in North America. The Great Resignation and workplace stress continue to take their toll. Nearly two-thirds (64%) of SOC analysts claim they’ll change jobs next year.
With talent in such short supplies and commanding such a high price, it becomes even more important to deploy it as efficiently as possible. Technology should be the CIO’s friend, yet a proliferation of IT and security point solutions is undermining productivity, not enhancing it. Our research shows that the average organization runs over 40 discrete IT security and management tools. They not only add licensing costs and significant administrative overheads but can also create visibility gaps that threat actors are primed to exploit.
Tool bloat is even more likely in the public sector, where CIOs often lack a common security governance framework to guide purchasing strategies. Government IT leaders are also weighed down by the significant financial burden of license under utilization as they often lack the ability to discover, manage and measure their software assets.
The regulatory landscape continues to evolve
As if these challenges weren’t enough, CIOs must also prioritize compliance risk management. The EU’s GDPR set in motion a domino effect of copycat legislation around the world, which has raised the stakes for corporate data protection and privacy. But the landscape is also shifting in other ways.
No longer is regulation solely for large organizations in healthcare, manufacturing or financial services sectors. New rules and policies are being drawn up and older ones are expanding in scope. Once the preserve of financial institutions, Sarbanes-Oxley will apply to all businesses that handle credit, beginning in December 2022. That means organizations as diverse as car dealerships, furniture sellers and retail stores will need to get SOX-compliant or face potentially significant financial consequences.
Start with visibility and control
As CIOs look to prioritize while economic headwinds gather strength, managing IT risk becomes even more critical. This is where best practice cyber hygiene can play an important role. It sounds simple in theory but can be challenging to achieve in practice.
Cyber hygiene is built on comprehensive visibility of the endpoint IT estate. That means understanding everything the organization is running and what is running on those endpoints at all times—whether it’s an on-prem server, a cloud container, a virtual machine or a home working laptop.
It’s especially challenging, and critical, in dynamic and ephemeral cloud environments, which change second by second. Once this visibility has been achieved, organizations need technology that empowers them to run continuous scans and automated remediation activities to find and fix any vulnerabilities or misconfigurations—and to rapidly detect and investigate emerging threats.
This endpoint insight will not just help to mitigate risk but also optimize software license utilization and enhance regulatory compliance. Delivered from a single platform, it should help stretched IT teams do more with less and maximize their productivity.
The hard work starts now.
Learn how to get complete endpoint visibility and control here.