CISO Corner: Deep Dive Into SecOps, Insurance, & CISOs' Evolving Role


The word CISO against a stylized computer backdrop

Source: Panther Media GmbH via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Tech, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

In this issue:

  1. CISOs Struggle for C-Suite Status Even as Expectations Skyrocket

  2. With Attacks on the Upswing, Cyber-Insurance Premiums Poised to Rise Too

  3. DR Global: Missing the Cybersecurity Mark With the Essential Eight

  4. Your Cybersecurity Budget Is a Horse's Rear End

  5. First Step in Securing AI/ML Tools Is Locating Them

  6. Top 3 Priorities for CISOs in 2024

  7. CISA's Water Sector Guide Puts Incident Response Front & Center

CISOs Struggle for C-Suite Status Even as Expectations Skyrocket

By Jai Vijayan, Dark Reading Contributing Writer

An IANS survey shows that CISOs shoulder more and more legal and regulatory liability for data breaches, but few are getting the recognition or support they need.

CISOs are increasingly being asked to assume the responsibilities of what would normally be considered a C-suite role, but without being regarded or treated as such at many organizations.

An IANS survey found that a full 75% of CISOs are looking for a job change, as expectations for the CISO role have changed dramatically at public and private sector organizations because of new regulations and growing demands for accountability for security breaches.

But while more than 63% of CISOs have a vice president or director-level position, only 20% are at the C-suite level despite having "chief" in their title. In the case of organizations with revenues of more than $1 billion, that number is even smaller, at 15%.

Why most CISOs lack job satisfaction: CISOs Struggle for C-Suite Status Even as Expectations Skyrocket

Related: The CISO Role Undergoes a Major Evolution

With Attacks on the Upswing, Cyber-Insurance Premiums Poised to Rise Too

By Robert Lemos, Dark Reading Contributing Writer

Insurers doubled premiums in late 2021 to offset losses from ransomware claims. With attacks rising again, organizations can anticipate a new round of increases.

Premium costs fell by 6% in the third quarter of 2023 compared with the same quarter in 2022, even though ransomware- and privacy-related claims had already skyrocketed from the previous year.

Kickstarted by the pandemic and ransomware growth, cyber-insurance claims surged from 2020 on, leading to a dramatic increase in policy pricing. But the cyber-insurance industry is only getting bigger, with the value of direct written premiums growing to $5.1 billion in 2023, an increase of 62% year-over-year, according to Fitch Ratings.

Going forward, there are more players, less comprehensive policies (and therefore less risk carried by insurers), and greater competition, all of which soften prices for coverage. Even so, some predict a rise in premium costs over the next 12 to 18 months.

Find out what to expect: With Attacks on the Upswing, Cyber-Insurance Premiums Poised to Rise Too

Related: War or Cost of Doing Business? Cyber Insurers Hashing Out Exclusions

DR Global: Missing the Cybersecurity Mark With the Essential Eight

Commentary by Arye Zacks, Senior Technical Researcher, Adaptive Shield

Australia's Essential Eight Maturity Model still doesn't address key factors needed to protect today's cloud and SaaS environments.

The Essential Eight, the Australian government's main cybersecurity risk-management framework for businesses, was established in 2010 and, while updated yearly, it has failed to keep pace with digital transformation: SaaS applications comprise 70% of all software used by businesses, yet the term "SaaS" appears nowhere in the document.

Specifically, it's missing four key cloud-centric security directives: configuration management, identity security, third-party app integration management, and resource control. This article delves into these omissions and what modern businesses need to incorporate into their cybersecurity frameworks.

Read more here: Missing the Cybersecurity Mark with the Essential Eight

Related: Time to Secure Cloud-Native Apps Is Now

Your Cybersecurity Budget Is a Horse's Rear End

Commentary by Ira Winkler, Field CISO & Vice President, CYE

Are historical budget constraints limiting your cybersecurity program? Don't let old saws hold you back. It's time to revisit your budget with revolutionary future needs front of mind.

Inevitably a current security budget is based on the previous year's budget, which is based on the prior budget, which is based on the prior budget, and so on. The current budget may therefore be fundamentally based on a budget from more than a decade ago — in the same way that modern passenger trains might owe a debt to the size of the horse drawing a Roman chariot.

Here's how to break out of that limiting cycle: Your Cybersecurity Budget Is a Horse's Rear End

Related: Chertoff Group Affiliate Completes Trustwave Acquisition

First Step in Securing AI/ML Tools Is Locating Them

By Fahmida Y. Rashid, Managing Editor, Features, Dark Reading

Security teams need to start factoring for these tools when thinking about the software supply chain. After all, they can't protect what they don't know they have.

The growing number of applications incorporating artificial intelligence (AI) capabilities and tools that make it easier to work with machine learning (ML) models have created new software supply chain headaches for organizations, whose security teams now have to assess and manage the risks posed by these AI components.

Plus, security teams are often not informed when these tools are brought into the organization by employees, and the lack of visibility means they aren't able to manage them or protect the data being used.

Here's how to find the AI/ML lurking in the tools and applications being used — even the shadow ones.

Read more here: First Step in Securing AI/ML Tools Is Locating Them

Related: AI Gives Defenders the Advantage in Enterprise Defense
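One concrete way to start the inventory the article calls for is to treat AI/ML libraries and hosted-model SDKs as ordinary supply-chain dependencies and look for them in the manifests already in your source tree. The following PowerShell is an added example, not code from the Dark Reading article or any of the vendors it mentions; the list of package names and the manifest filenames it searches are assumptions to be extended for your own stack.

```powershell
# Added example (not from the article): inventory AI/ML packages referenced in
# dependency manifests under a source tree, so they can be tracked like any other
# supply-chain component. Package list and manifest names are starting assumptions.
param(
    [string]$Root = '.'
)

# Manifest files to inspect (Python, Node, conda). Extend for Go, Java, etc. as needed.
$Manifests = @('requirements*.txt', 'pyproject.toml', 'Pipfile', 'package.json', 'environment.yml')

# Package names that indicate local ML frameworks or calls out to hosted model APIs.
$AiPackages = @(
    'torch', 'tensorflow', 'keras', 'transformers', 'scikit-learn', 'sklearn', 'xgboost',
    'lightgbm', 'onnxruntime', 'langchain', 'llama-index', 'openai', 'anthropic',
    'huggingface-hub', 'tiktoken',
    '@anthropic-ai/sdk', '@tensorflow/tfjs', '@huggingface/inference', 'onnxruntime-node'
)

# Match a package name only as a whole token: preceded by line start, whitespace or a
# quote, and followed by a version specifier, quote, bracket, whitespace or line end.
$escaped = ($AiPackages | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Regex   = "(?im)(?<=^|[\s""'])($escaped)(?=[\s""':=<>~!\[\]]|$)"

Get-ChildItem -Path $Root -Recurse -File -Include $Manifests -ErrorAction SilentlyContinue |
    # Skip vendored/installed trees and VCS metadata; we want declared dependencies.
    Where-Object { $_.FullName -notmatch '[\\/](node_modules|\.git|\.venv|venv)[\\/]' } |
    Select-String -Pattern $Regex -AllMatches |
    ForEach-Object {
        $hit = $_
        foreach ($m in $hit.Matches) {
            [pscustomobject]@{
                Package  = $m.Groups[1].Value
                Manifest = $hit.Path
                Line     = $hit.LineNumber
                Text     = $hit.Line.Trim()
            }
        }
    } |
    Sort-Object Package, Manifest -Unique |
    Format-Table -AutoSize
```

Run it from the root of a monorepo (`.\Find-AiDependencies.ps1 -Root C:\src`) and feed the resulting table into whatever asset or SBOM register the team already keeps. It will not catch an employee pasting data into a browser-based assistant, so treat it as the code-side half of the inventory alongside SaaS and network telemetry.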

Top 3 Priorities for CISOs in 2024

By Stephen Lawton, Dark Reading Contributing Writer

A changing regulatory and enforcement environment means the smart CISO might need to shift how they work this year.

As CISOs gather with their security teams and corporate management to scope out top priorities for 2024, the personal and legal responsibility for data breaches the SEC has placed on CISOs could be the most challenging in the new year.

In turn, changes in cyber insurance also affect cyber risk management. When it comes to privacy breaches in 2024, cyber insurance underwriters are expected to tighten their requirements on how organizations secure private data and privileged accounts, including service accounts, which tend to be overprivileged and often have not had their passwords changed in years.

Find out how forward-thinking visionaries are approaching breach risk (and emerging supply chain threats): Top 3 Priorities for CISOs in 2024

Related: Is the vCISO Model Right for Your Organization?
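The service-account problem flagged above can be measured rather than asserted. The following PowerShell is an added example, not code from the Dark Reading article: it uses the RSAT ActiveDirectory module to list enabled accounts that carry a service principal name and whose password never expires or is older than a threshold, and marks those that also belong to a privileged group. The 365-day threshold and the group list are assumptions to tune for your domain.

```powershell
# Added example (not from the article): find Active Directory service accounts with
# stale or non-expiring passwords and flag those that also hold privileged group
# membership. Requires the RSAT ActiveDirectory module and domain read access.
# The 365-day threshold and the privileged-group list are assumptions; tune locally.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                        'Account Operators', 'Backup Operators', 'Schema Admins')

# Resolve privileged-group membership once (recursively) into a DN -> group lookup.
$PrivilegedDNs = @{}
foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $PrivilegedDNs[$_.DistinguishedName] = $group }
}

# Treat any enabled user with a registered SPN as a service account.
$now    = Get-Date
$cutoff = $now.AddDays(-$MaxPasswordAgeDays)

$findings = Get-ADUser -Filter "Enabled -eq 'True' -and ServicePrincipalName -like '*'" `
                       -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, LastLogonDate |
    Where-Object {
        # PasswordLastSet is null when pwdLastSet is 0 (never set / must change at next logon).
        $_.PasswordNeverExpires -or (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
    } |
    ForEach-Object {
        $ageDays = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            PasswordAgeDays      = $ageDays
            PasswordNeverExpires = $_.PasswordNeverExpires
            PrivilegedGroup      = $PrivilegedDNs[$_.DistinguishedName]
            LastLogonDate        = $_.LastLogonDate
            SPNCount             = @($_.ServicePrincipalName).Count
        }
    } |
    Sort-Object PasswordAgeDays -Descending

# Privileged and stale first: these are the accounts an underwriter (or an attacker) will ask about.
$findings | Where-Object PrivilegedGroup | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\stale-service-accounts.csv
```

Accounts that appear with a PrivilegedGroup value and a multi-year PasswordAgeDays are the ones to rotate first, ideally by migrating them to group Managed Service Accounts so the rotation stops depending on a human remembering to do it.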

CISA's Water Sector Guide Puts Incident Response Front & Center

By Robert Lemos, Dark Reading Contributing Writer

As cyberattackers increasingly target water suppliers and wastewater utilities, the US federal government wants to help limit the impact of destructive attacks.

Water and wastewater utilities last week received new guidance on improving their response to cyberattacks from the US Cybersecurity and Infrastructure Security Agency (CISA), following a growing number of attacks by nation-state groups and cybercriminals on this underserved critical infrastructure sector.

The document arrives at a time when cybersecurity efforts in the water and wastewater sector (WWS) have been hampered by resource constraints. CISA's 27-page guide offers detailed advice for water utilities on how to create an effective incident response playbook, given the sector's unique challenges.

Here are the main takeaways: CISA's Water Sector Guide Puts Incident Response Front & Center

Related: Move Over, APTs: Cybercriminals Now Target Critical Infrastructure Too
