
Mind the perception gap

by Mark Rowe

CISOs face a confidence gap when it comes to identity security, says Amita Potnis, director of brand and thought leadership at the cyber firm CyberArk.

The CISO’s role has evolved from its humble origins as a technical expert to an executive risk manager, informed by an involved understanding of the organisation’s revenue, mission, risk, and costs. This evolution parallels the importance that cybersecurity has taken on in every business, as the risks and costs from cyber threats rise. CISOs now face managing compliance and industry security standards, alongside the company’s tech infrastructure.

So, it’s interesting now to see what tactics CISOs are turning to in the face of increasingly complex threats. Our latest research on the state of the Identity Security market indicates that 81 per cent of organisations are aiming to spend more on identity security as part of their cybersecurity budget. Of course, the juicy data is always in the details – and by separating out how different roles view this move, on both the technical and business sides, we have found a perception gap.

C-level executives showed a markedly higher degree of confidence in how these investments contribute to mitigating identity security-related risks than their technical counterparts, who have a deeper understanding of the complexities of their IT environments. 69 per cent of C-level executives believe that they are making the right decisions on identity security, versus only 52 per cent of other staff, including security practitioners. Similar perception gaps exist across multiple facets of identity security, such as identifying anomalous behaviour, reducing security incident response time, and mitigating threats before damage can occur.

Why does this perception gap matter? It is comforting to believe that the right decisions are being made, but the data also showed that those same organisations have suffered a successful attack in the last year. Unfortunately, cybersecurity is not an area where you can ‘fake it until you make it’, and in many cases the C-suite lacks an understanding of what a strong identity security strategy means beyond throwing money at the problem. While it certainly helps to have the right tools, they need to be properly integrated, and other steps need to be taken, such as implementing automation and continuous threat detection and response according to the business’s requirements.

Experiencing an identity-related cyberattack can really set an organisation on its back foot. Alongside products and services being immediately impacted, significant working hours and staff are diverted from other projects, causing longer-term delays. This can lead to poor customer experience, lost profit and, in the worst case, compliance fines and mandated audits. To top it all off, 27 per cent of organisations attacked will go on to experience another attack.

So what are the risk factors? It might seem obvious, but insufficient cybersecurity staff and inadequate in-house expertise play a huge role in falling prey to successful attacks. Perhaps a more obscure risk factor for organisations is the absence of a dedicated line item in their budgets.

Bridging the gap

In the spirit of narrowing the confidence gap, I’ll leave you with the four foundational tenets of identity security. These are key to ensuring that any cyber security investments actually deliver on reducing risk and increasing resilience.

• Identity security tools span management, privileged controls, governance, authentication and authorisation for all human and machine identities.
• Integration of identity security tools across IT and security solutions is a must to secure access to all corporate assets and the entire IT estate.
• Automation ensures continuous compliance with policies, industry standards and regulations, enabling rapid responses to high-volume routine and anomalous events.
• Continuous threat detection and response provides organisations with a solid understanding of baseline identity behaviours, so they can react better to anomalous activity.

A holistic identity security strategy will involve integrating these four tenets alongside providing sufficient resources for your cybersecurity team. While it can be tempting to equate investment with efficacy, CISOs should be mindful of this confidence gap when preparing their cybersecurity strategies, to truly maximise the impact of their investments.


© 2024 Professional Security Magazine. All rights reserved.
