By: Edgar Dias, Managing Director, ServiceNow India
Major data breaches are headline news. When criminals steal corporate data or personally identifiable information (PII), it can create a public relations nightmare with long-lasting business consequences. But well-publicized breaches are only the tip of the iceberg. The fallout from an event can undermine a brand’s reputation and financial standing, the Facebook and Cambridge leak being the most recent example of this.
According to the recently released ‘Internet Security Threat Report’ by Symantec, India has emerged as the third most vulnerable country in terms of risk of cyber threats, such as spam, malware and ransomware, in 2017.
The average cost for a serious breach has climbed to $4 million, and the risks are only growing. Ransomware attacks on companies increased by 35% last year and spear phishing increased by 55%.
In this environment, the work of Chief Information Security Officers (CISOs) is ever more important and complicated. They must protect their organizations from an evolving variety of threats, while under scrutiny from across the C-suite and their boards to better mitigate risk.
In a study to find out more about how and why breaches happen, we found that efficient vulnerability response processes are critical because timely patching is the single most important tactic companies employed in avoiding security breaches. Yet organizations struggle with patching because they use manual processes and can’t prioritize what needs to be patched first.
According to a recent global research report by ServiceNow, attackers armed with artificial intelligence and machine learning are outpacing organizations. The report goes on to state that more than 50% of the companies that have suffered breaches agree that they were infiltrated because of a known vulnerability – a software security flaw for which a patch was already available.
We’re calling this confluence of trends the “patching paradox” – hiring more people alone does not equal better security. While security teams plan to hire more staffing resources for vulnerability response – and may need to do so – they won’t improve their security posture if they don’t fix broken patching processes first.
Job site Indeed reports that demand for cybersecurity talent far outstrips interest, with only 6.67 clicks for every 10 cybersecurity jobs posted in the US – meaning that at least one-third of postings get no views at all. That number drops as low as 3.50 clicks in Germany and 3.16 clicks in the UK. Against this backdrop, organizations will find it extremely difficult to secure the resources they need. Similarly, in India, there is a demand for cybersecurity professionals at both the leadership level and at lower levels. It has shot up further in just the last one year, in light of the spate of attacks as breaches are now considered a board level issue.
The last one year has also seen a spurt in cyber-attacks on government bodies and Indian companies in India. Debit cards of some 3.2 million users were compromised, enabling fraudsters to steal funds. The worst affected banks included Axis Bank, SBI, HDFC, ICICI and Yes Bank. The debit card breach originated in malware introduced in systems of Hitachi Payment Services, which was detected almost six months later.
Restaurant app Zomato, too suffered a major security breach in May 2017 when data of some 17 million users was stolen. Hackeread.com claimed data of some 17 million registered Zomato users on was on sale on the darkweb marketplace. Zomato eventually acknowledged the breach, but claimed that no payment information or credit card data was stolen.
But adding cybersecurity talent may not be practical. According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. Further, Gartner Inc. forecasts worldwide enterprise security spending to total $96.3 billion in 2018 because of regulations, shifting buyer mindset, awareness of emerging threats and the evolution to a digital business strategy.
Since CISOs can’t completely prevent the threats, they need to refocus their teams and peers on strengthening their response to security risks. This strategy requires a three-pronged approach: increase investment in automation; focus on prioritizing threats based on business criticality; and make better use of talent.
Step 1: Automate More
Breach rates are already extraordinarily high, and emerging AI-fueled threats are likely to increase the volume, speed, and effectiveness of cyberattacks even further. Organizations can’t rely solely on hiring amidst a talent shortage to get work done.
Many organizations rely on manual, decentralized systems for tracking security incidents. In fact, 28% of CISOs in our survey say manual processes are a barrier to effective security. But processes could look different in the near future: While just one-third of our respondents automate more than 40% of their security processes today, two-thirds plan to automate that amount in three years. And the tasks being automated are increasingly sophisticated as well. To improve their ability to respond to threats in a timely manner, CISOs should work to orchestrate processes and automate response and remediation tasks. By working off a common platform with IT and other functions, security operations could automate faster and smarter, enabling for a smooth prioritization process.
Step 2: Leverage Automation to Prioritize
Automation helps organizations prioritize and respond to threats in real time, yet 70% of organizations surveyed say it is difficult to prioritize security alerts based on the importance of the data under attack. This failure to prioritize can paralyze organizations that try to address all threats equally, given that they can be hit by thousands of cyberattacks daily. CISOs recognize the problem: a large majority of CISOs (84%) say that prioritizing security alerts in the context of the larger business is critical to the success of their security function. These results echo Enterprise Strategy Group (ESG), which reported that nearly 75% of executives surveyed said that incident response tends to be based upon informal processes.
Step 3: Allow Humans to Focus on Complex Tasks
By prioritizing threats through automation, CISOs can deploy their limited human resources to make better decisions, respond more quickly to threats and breaches, and anticipate future dangers. This is the job these professionals were hired to do rather than cataloguing hundreds of suspicious emails. Optimizing the talent at hand critical since there is a shortage of skilled security workers. Currently, though, few companies have enough skilled security professionals who understand their company’s strategic operations and the broader threat environment in a way that allows them to prioritize security threats—just 7% of CISOs say this skill is highly developed.
By refocusing on how to best respond to security threats, CISOs can bolster the success of their companies. Automating routine processes and taking care of basic hygiene items, security teams can significantly reduce the risk of a breach. This doesn’t mean automating everything related to vulnerabilities and patching end-to-end. Instead, creating a structured process for vulnerability response gives security teams the opportunity to look for repetitive tasks within that process that are ripe for automation. With a pragmatic roadmap, better results are within reach of any organization, offering hope for a more secure future.