Sharing his on his list what organisations must pay attention to when it comes to their security, Kandji’s VP of Security and Trust, Dom Lombardi, details how organizations can stay one step ahead of this year’s risks, threats and potential attacks.
M.R. Rangaswami: With the higher risk of infrastructure attacks, what will be the biggest thing to stay ahead of to avoid a concerted effort of attacks against organizations?
Dom Lombardi: Attackers will continue to become more creative in their pursuits. It has been reported that about 25% of all data breaches involve phishing and 82% of breaches involve a human element. Many of the security controls we put in place earlier are at risk of being bypassed due to human error. Financially motivated cybercriminals will concentrate on corporate entities, where they will try to derive personal identifiable information (PII) or customer payment card information.
Further, “strategic viability” attacks against critical infrastructure systems will continue to increase. Think oil pipelines, power generation, rail systems, electricity production, or industrial manufacturing. There is still the possibility that key government or corporate services could be targeted — something tied to global tensions.
M.R. Why is it important for companies to prioritize Zero Trust in their cybersecurity
Dom: Security teams have been talking about the zero-trust cybersecurity approach for a few years. It used to be “trust, but verify.” The new zero trust — in a workplace filled with multiple teams, multiple devices, and multiple locations — is “check, check again, then trust in order to verify.”
Organizations continue to play a cat-and-mouse game with hackers, attackers, and bad actors. Only 6% of enterprise organizations have fully implemented zero trust, according to a 2022 Forrester Research study.
The complex and disparate workplace environments that are so common now make it difficult to adopt zero trust — at least all at once. If you are using AWS, Azure, and GCP with an on-premise instance along with a private cloud where you are running virtualization through VMware — that will take
some time to uniformly roll everything out.
As we all continue to embark on the zero trust journey, we will see new solutions for complex problems companies are experiencing on premise and in public and private clouds. By mastering basic IT (and security) hygiene, updating and communicating your risk register (a manual that outlines current and potential security risks and how they could impact the organization), and working steadily toward a zero-trust security model, you’ll be one step ahead of most other organizations — and hopefully two steps ahead of the hackers!
M.R.: As companies continue to build their security plans, how will the role of the CISO
expand at organizations?
Dom: The CISO can also (continuously) champion the risk register to ensure they receive needed resources to remediate and reduce risk on an ongoing basis. Keep in mind that new threats, risks, and updates will always populate your risk register. It is critical to actively work to remediate against this list to prevent risks from escalating and becoming even more complicated.
Additionally, to prevent miscommunication and promote total transparency, any CISO who does not report directly to the CEO should demand that they do — immediately. Organizations need to take a risk-conscious approach to developing their security program and risk mitigation strategies.
A CISO must report to the CEO to ensure direct lines of communication regarding risk scenarios and potential loss events. CEOs are ultimately accountable for the course of action they set the organization on, and CISOs provide the CEO with the direction and guidance to make informed, risk-conscious decisions.
To set themselves up for success, CISOs should ensure that the general counsel at their organization is in their “peer set.” This relationship with your general counsel is integral to a unified approach to legal and security risk mitigation. The organization’s general counsel and CISO share a common goal: to keep the company, their customers, and the organization’s leaders safe.
M.R. Rangaswami is the Co-Founder of Sandhill.com