We compiled a list of the top cybersecurity tips offered by CIOs, CTOs and other cyber leaders in 2023, ranging from zero-trust strategies to industry collaboration.
2023 was anything but a dull year in terms of cybersecurity. We saw various emerging technologies such as AI dominate the cybersecurity space, for better and for worse, and we witnessed several devastating cyberattacks that not only affected individual companies, but entire nations as well.
In Ireland, a recent report revealed that 60pc of businesses experienced a cyberattack in 2023. According to the same report, 32pc of respondents had not received any cybersecurity training in the past 12 months.
As 2024 rolls around, there is no indication that this year will be less turbulent – if anything, the importance of cybersecurity is going to intensify.
For the past year, SiliconRepublic.com has heard from top CIOs, CTOs and other IT and cybersecurity leaders as part of our Five-Minute CIO series. One question that we like to ask them is what strategies and tips they have to address current and developing issues in the cybersecurity space.
From tackling internal cyber strategies to addressing the current skills shortages in the space, here are some of the top tips we received.
Zero trust is a must
One area that cyber leaders think needs to be prioritised is the strategy of zero trust, which means that every user, device and request, whether inside or outside an organisation, needs to be verified before access is granted.
Alvina Antar, CIO of Okta, says that zero-trust strategies are needed to combat the new security challenges brought on by the advent of hybrid working and the cloud.
“Trust, and specifically zero trust, is fast becoming an entity’s most critical resource and one of the biggest differentiators for businesses,” she says. “Having a strategic approach to zero trust and identity is the key to making zero trust a reality.
“With this approach and the right tech partner, you can ensure the right people have the right access at the right time and for the right reason, such as just-in-time provisioning and removing admin access for most of the employees.”
The skills shortage must be addressed
A common issue pointed out by cybersecurity experts and leaders is the ongoing talent shortage affecting the cybersecurity industry. With the need for skilled cybersecurity professionals growing constantly, how can we solve this problem?
“Companies need to be flexible in what they offer,” says Linh Lam, CIO at Jamf. “The standard nine-to-five in the office doesn’t work for everybody, so offer flexible hours as well as hybrid and remote working. Furthermore, expand employee benefits – for example, offer competitive parental leave policies and childcare support.”
Puneet Kukreja, UK and Ireland cyber leader at EY, proposes that companies should also consider other methods to solve this issue, such as externally sourcing cyber talent.
“Collaborating with a team specialising in cyber advisory, cyber engineering and managed SOC [security operations centre] services presents a cost-efficient solution,” he says. “This approach enables the freeing up of technical personnel to optimise high-value technology initiatives, allowing leadership to centre its efforts on strategic decision-making.”
AI and automation can be used to improve practices
While we have seen some examples of bad actors using AI and automation to wreak havoc, cyber leaders have pointed out how it can also be used to benefit cyber defences.
Kayla Williams, CISO at Devo Technology, believes that AI and automation can be beneficial to cybersecurity professionals by helping them manage their workloads and prioritise the most important duties.
“By using AI-powered automation to flag false positives, analysts are able to avoid manual investigation of every alert and focus on the most high-risk items. This not only reduces their workload, but also increases their efficiency and effectiveness in detecting and mediating threats.”
This belief is also shared by Ginna Raahauge, CIO at Zayo, who says that AI and machine learning can be used to stay ahead of cyberattackers. “Innovation is key.”
“Automation is an organisation’s friend when it comes to security,” adds Sesh Tirumala, former CIO of PagerDuty. “Consider an employee who may have previously had top-level security clearance and access within an organisation who changed roles and no longer needs those same privileges.
“By leveraging automation, seemingly tedious (but nevertheless critical) processes such as provisioning and deprovisioning become more consistent and leave less room for operational error.”
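The role-change scenario Tirumala describes, as an added illustration (not PagerDuty's or any vendor's code): a role-to-entitlement map is reconciled against what a user currently holds, so a move out of an admin role automatically produces the revocations, and privileged access is only ever issued as a time-boxed just-in-time grant that expires on its own. The role names, entitlement strings and sample data are constructed for the example.

```python
import time

# Constructed sample data: which standing entitlements each role should hold.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp:read", "reports:read"},
    "platform-admin": {"erp:read", "reports:read", "prod:ssh", "iam:admin"},
}

# Entitlements that are never held as standing access; they must be requested
# just-in-time and carry an expiry, even for roles that list them above.
JIT_ONLY = {"iam:admin", "prod:ssh"}


def required_entitlements(role):
    """Standing entitlements a role should hold, with JIT-only ones removed."""
    return ROLE_ENTITLEMENTS.get(role, set()) - JIT_ONLY


def reconcile(current_grants, new_role):
    """Return (to_revoke, to_grant) for a user moving into new_role.

    Anything the new role does not require is revoked, including leftover
    admin access from a previous role; anything missing is granted.
    """
    wanted = required_entitlements(new_role)
    return sorted(set(current_grants) - wanted), sorted(wanted - set(current_grants))


def expire_jit_grants(jit_grants, now):
    """Split JIT grants {entitlement: expiry_epoch} into (active, expired)."""
    active = {e: exp for e, exp in jit_grants.items() if exp > now}
    expired = sorted(set(jit_grants) - set(active))
    return active, expired


def demo():
    """Former platform admin moves to finance; their standing admin access goes."""
    held = {"erp:read", "reports:read", "prod:ssh", "iam:admin"}
    revoke, grant = reconcile(held, "finance-analyst")
    # A one-hour JIT grant issued earlier is still active; a stale one is dropped.
    now = time.time()
    jit = {"iam:admin": now + 3600, "prod:ssh": now - 60}
    active, expired = expire_jit_grants(jit, now)
    return revoke, grant, sorted(active), expired


if __name__ == "__main__":
    print(demo())
```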
Companies need to share tactics
With the importance of cybersecurity reaching practically every industry, some experts think that a strong defence strategy lies within the cooperation of companies that share industries.
“When multiple companies are dealing with the same issues, you’re able to talk about tactics and learnings, so the concept of an industry standing together and sharing becomes really important,” says PayPal’s CIO and executive VP, Archana (Archie) Deskus.
Des Morley, chief digital and technology officer at An Post, agrees. “The whole industry would benefit from stronger and more structured centralised security knowledge sharing, insights and expertise.
“Right now, it feels very much that most organisations are battling away on their own, in particular with regards to educating customers on issues such as phishing/smishing. A more collaborative approach would be more effective and efficient.”
Security needs to be prioritised at every level
One of the most common pieces of advice we documented is the need for robust knowledge and responsibility for strong security protocols in every area of a company instead of just those who work primarily in the security space.
“You need everyone within the business thinking about their role within security and how even the lowest employee within the chain could be the victim of a phishing attack that opens the door to a much larger attack,” says Tas Giakouminakis, CTO and co-founder of Rapid7.
“It’s crucial that we start building cultures where cybersecurity matters and senior decision-makers know where they are within the supply chain.”
Michelle Grover, CTO at Slalom, says: “Keeping employees educated, informed and actively thinking about how to keep our data secure is important, but we all know that anyone, with enough time and/or money, can surmount any defence.” James Hogan, CTO of Bundledocs, shares a similar view. “All companies should implement a cybersecurity awareness training programme to educate staff on the current cybersecurity threat landscape and how they as individuals can protect their organisation from the threats they will undoubtedly encounter.”
This idea of a strong security culture is emphasised by Rob Houghton, founder and CTO of Insightful Technology, who believes that the two major factors that cause security risks are people and policies.
“[People] are fallible and sometimes malicious. They lose devices and passwords, have them stolen or willingly do something they shouldn’t,” he says. “When it comes to policies, there’s often a lack of control or implementation.
“In my view, most security breaches could be stopped if we all took more personal responsibility.”