2017 saw an unprecedented rise in cyber breaches and attacks. The data breach at Equifax gave attackers access to the Social Security numbers and driver's licence details of millions of Americans. The most recent incident on the list is at Facebook, whose shares lost over $60 billion in value in two days after it emerged that the personal data of some 50 million Facebook users had been misused by the British data analytics firm Cambridge Analytica. 2017 also brought an alarming rise in ransomware, with ransom payments exceeding $2 billion. WannaCry, NotPetya and Bad Rabbit hit more than 500,000 machines worldwide, forcing some businesses to suspend operations or, where there was no alternative, to pay the ransom in cryptocurrency. The WannaCry infections were severe enough that Microsoft released an emergency patch for Windows versions it had long stopped supporting. The list of attacks and corresponding breaches continues to grow. These high-profile breaches are a wake-up call to boardrooms and businesses that security is a top-level priority. Analysts predict that cyber-security spending in 2018 will exceed $96 billion, up 8% on the previous year.
The CISO needs to understand the new risks that come with increased exposure, and how cybercriminals will exploit and breach their systems. Adoption of disruptive technologies will be the norm. From May 2018 the General Data Protection Regulation (GDPR) introduces severe penalties for non-compliance, so CISOs will need to prove that their security practices are rock solid, including those of their third parties. Merely eliminating known security weaknesses and vulnerabilities will not be enough; processes must be simplified and automated intelligently, and faster than the attacker moves. Customer experience will be key to Business 4.0 interactions, and future security technology should align with that requirement while still defending against an evolving and sophisticated threat landscape: deploy appropriate security controls to protect applications, infrastructure and services without compromising user experience or privacy. Cryptocurrency may still seem an abstract catchphrase, but attackers and insiders can compromise an organization's assets for parasitic crypto-mining (cryptojacking), turning its compute and power into someone else's coins. Any organization that plans to accept cryptocurrency as a payment method needs to understand the entire cryptocurrency ecosystem and the risks it poses to the organization.
CISOs should quantify risk in terms the business understands. What will a breach cost? Tie the assessment of business at risk to a realistic breach-cost estimate rather than to counts of vulnerabilities. Take full advantage of cyber-insurance to cushion breach costs, but note that it offers value only as one of many mitigation approaches within a larger security strategy: it transfers part of the financial loss, not the operational or reputational damage. Shore up security controls to identify, protect and detect, and plan and prepare for response and recovery so that the response itself does not aggravate the incident. Note also that while we evaluate other organizations using metrics and cyber risk ratings, they are assessing our organization with the same methods. Get deep insight into risk, continually review your own cyber risk rating, and prioritize the projects that will improve it.
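The paragraph above asks for risk stated in money the business understands and for cyber-insurance to be sized as one control among several. The following is an added example, not code from the original article: a small loss model that computes the classic annualized loss expectancy (ALE = breach rate x cost per breach) and then a Monte Carlo estimate of the annual loss distribution, so that a CISO can report not just an average but a 1-in-20-year loss and the probability that a year's losses exceed an insurance limit. The breach rate, record counts, per-record cost and policy limit are constructed assumptions for illustration, not figures from the article or from any breach-cost study.

```python
"""Breach-cost risk quantification: point-estimate ALE plus a Monte Carlo
annual loss distribution. Added illustration; all parameters are assumed."""
import math
import random
import statistics

# Assumed scenario parameters (constructed for illustration, not from the article).
ANNUAL_BREACH_RATE = 0.3             # expected reportable breaches per year
RECORDS_RANGE = (10_000, 100_000)    # records exposed per breach, uniform
COST_PER_RECORD = 150.0              # USD per exposed record (notification, credit monitoring, churn)
FIXED_COST_PER_INCIDENT = 250_000.0  # USD forensics/legal/PR cost regardless of size
INSURANCE_LIMIT = 10_000_000.0       # USD: assumed cyber-insurance policy limit


def single_loss_expectancy(records, cost_per_record, fixed_cost):
    """Cost of one breach that exposes `records` records (SLE)."""
    return fixed_cost + records * cost_per_record


def annualized_loss_expectancy(rate, records_range, cost_per_record, fixed_cost):
    """Classic ALE = ARO x SLE, using the mean record count of the range."""
    mean_records = (records_range[0] + records_range[1]) / 2
    return rate * single_loss_expectancy(mean_records, cost_per_record, fixed_cost)


def _poisson(rng, lam):
    """Number of breaches in a year, drawn with Knuth's Poisson sampler."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(rate, records_range, cost_per_record, fixed_cost,
                         trials=20_000, seed=2018):
    """Monte Carlo: total breach loss for one year, repeated `trials` times.

    Each simulated year draws how many breaches occur (Poisson) and, for
    each, how many records are exposed (uniform over `records_range`)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        year_total = 0.0
        for _ in range(_poisson(rng, rate)):
            records = rng.randint(*records_range)
            year_total += single_loss_expectancy(records, cost_per_record, fixed_cost)
        losses.append(year_total)
    return losses


def percentile(values, p):
    """Nearest-rank percentile of `values` for p in [0, 1]."""
    ordered = sorted(values)
    idx = int(math.ceil(p * len(ordered))) - 1
    return ordered[min(max(idx, 0), len(ordered) - 1)]


def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def risk_summary(losses, insurance_limit):
    """Numbers a board can act on: expected loss, tail losses, and how
    often a single year would blow through the insurance limit."""
    return {
        "expected_annual_loss": statistics.mean(losses),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),  # roughly a 1-in-20-year loss
        "p_any_loss": exceedance_probability(losses, 0.0),
        "p_above_insurance": exceedance_probability(losses, insurance_limit),
    }


if __name__ == "__main__":
    ale = annualized_loss_expectancy(ANNUAL_BREACH_RATE, RECORDS_RANGE,
                                     COST_PER_RECORD, FIXED_COST_PER_INCIDENT)
    losses = simulate_annual_loss(ANNUAL_BREACH_RATE, RECORDS_RANGE,
                                  COST_PER_RECORD, FIXED_COST_PER_INCIDENT)
    print(f"ALE (point estimate): ${ale:,.0f}")
    for name, value in risk_summary(losses, INSURANCE_LIMIT).items():
        if name.startswith("p_"):
            print(f"{name:>22}: {value:.1%}")
        else:
            print(f"{name:>22}: ${value:,.0f}")
```

The point estimate alone hides the shape of the risk: with a 30% annual breach rate most simulated years have zero loss, so the median is far below the mean while the 95th percentile is far above it, and that tail is what the insurance limit should be compared against. Replacing the uniform record count and the fixed per-record cost with distributions fitted to your own incident history or to a published breach-cost study is the natural next step.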
Make compliance a habit, as it now comes with severe penalties. As GDPR kicks in, organizations face fines of up to 4% of global annual turnover (or EUR 20 million, whichever is higher) for violations. Beyond security technology, CISOs must emphasize governance, processes and human skills. Liability for failure lies with the business, so accountability must be demonstrated continually. Also ensure that vendor solutions meet your compliance requirements.
Improve customer experience. Security professionals often forget that customer needs and user experience are key to Business 4.0, and jeopardizing that experience costs money. One example is improving how applications interact with security technologies such as identity and access management (IAM) solutions and web application firewalls, so that controls do not add needless friction. Apply the saying "trust but verify" to machine learning: use it, but with optimism tempered by caution. Design so that the damage is limited when the model is wrong, rather than assuming the model is right. Ensure subtle shifts in application behaviour or in the data (drift) do not silently change outcomes, and monitor model performance in production, since a model that was accurate at deployment can degrade without any visible failure. Machine-learning-powered technologies can also carry an inherent bias from the underlying dataset or from the algorithm itself.
Lastly, since security is one of the top risks to Business 4.0, the CISO needs to operate at the same level as other C-level executives, with consistent access to the board of directors.