Cyberattacks are on the rise, and the predictive numbers aren't encouraging.
Half of all respondents to ISACA's 2018 State of Cybersecurity survey said they experienced an increase in the number of cyberattacks last year, with 80% saying they will likely or very likely experience an attack in 2018.
"You'll never be 100% secure, so there will always be those questions: Do I have a gap in my security [layers], how can I take a measure of where I am and how can I incrementally improve," said Rich Licato, the CISO at the Airlines Reporting Corp. (ARC) and a member of ISACA, an international professional association focused on IT governance.
Organizational risk and cybersecurity vulnerabilities will always exist in modern enterprises. But as the number of threats continues to rise, experts said that identifying and taking steps to close preventable security gaps represent real opportunities to strengthen enterprise defenses.
Filling these cybersecurity gaps has become a top-level concern in recent years, gaining more attention from CEOs and boards of directors, and with reason: Minerva Labs surveyed 600 security professionals and found that two-thirds doesn't believe their controls could prevent a significant malware attack on their endpoints; 75% doesn't think their existing malware solutions could stop any more than 70% of infections; and half worries that file-less or analysis evasion capabilities of malicious software could get past their security measures.
The 2018 Harvey Nash/KPMG CIO Survey found that improving cybersecurity is among the top business issues, with 49% of the responding 3,958 CIOs and technology leaders listing it as one of the top areas their boards want IT to address.
But cybersecurity experts said that CISOs who implement generically broad policies without considering their own unique organizational risk often miss critical vulnerabilities.
"We mainly see security gaps because most places aren't doing security holistically," said Mischel Kwon, founder and CEO of MKACyber Inc., a Fairfax, Va., company providing cybersecurity consulting services.
"They're doing compliance security: They're running down regulations and checking the box. Or they're shiny-object, security-methodology people: They see something shiny and they implement it. And when you're one of those two types, it's difficult not to have security gaps."
Kwon and others agreed that frameworks such as NIST 800-53 are instrumental to formulating solid cybersecurity strategies. However, these strategies still should be tailored to the organization based on the unique organizational risk of the business.
"If you tried to apply every single control, it would be an absurd effort," said Frank Downs, ISACA's director of cybersecurity practices. "The whole point of the guide is to see what's right for you; organizational discretion comes into play here."
Incorporate security early in dev process
Security professionals are feeling the effects of today's fast pace of change as they contend with constantly evolving privacy and security regulations, technologies and business strategies.
Tony BuffomanteU.S. leader for cybersecurity services, KPMG
"The pace is impacting security's ability to keep up," said Tony Buffomante, the U.S. leader for cybersecurity services at consulting firm KPMG.
However, it's not just the pace that can be an issue, Buffomante and others said; it's also a question of timing. Too often, organizations adopt mobile, IoT or AI initiatives without security personnel input in the early stages.
"There's a gap in what we think of as 'secure by design,'" Buffomante said, noting there has been a longstanding issue with business and technology moving first and then bringing security onto the project later. "Security needs to be on the front end."
Companies where the security leaders understand the enterprise business needs and associated organizational risk are able to close some of that gap, experts said.
For example, no company can fully prepare for a zero-day attack. But many companies suffer successful cyberattacks that exploit known vulnerabilities in their technology stack because they fell behind on patching or implementing security updates, Downs said.
Experts agreed that a static approach to security can create a number of gaps in enterprise defenses.
"View it as a continuous process program you set up," Licato said. "You're never done. You're always evaluating where you are and where you want to be, and you're constantly shifting that."
Licato conducts annual audits and regularly pursues external certification such as the ISO/IEC 27001 as part of his team's assessment of the company's cybersecurity defenses. He uses such reviews not only as a report on completed tasks, but as a starting point for future work.
"That is how we end up creating our strategic plan, what are we going to do this year and the next year. It's a continuous self-evaluation," he added.
Closing the cybersecurity gap
Most organizations have a growing number of tools meant to thwart attacks, but a large volume of security technologies spread across ever-more complex technology stacks also obscures potential cybersecurity vulnerabilities, Kwon said.
"They can have a gap in visibility, a gap in what's happening if they're not managing their security data well," she said.
She explained that enterprises find it challenging to ensure that content from the different systems (such as proxy and firewall details) match up to create a holistic view that can then be assessed for success against the organization's security needs.
To avoid blind spots, Adrian Asher, CISO of the London Stock Exchange Group, said security leaders must invest in detective, reactive and responsive technologies as well as protective layers. For instance, he said he added Morphisec for moving threat defense after identifying a vulnerability to that class of attack in his existing security layers.
Companies, too, must be ready to add those new layers as they emerge and as enterprise needs evolve, he said.
"You have to design flexibility into your architecture," Asher added, "because if something comes up, then you're able to react."