The job of a CISO is to ensure there are controls and processes in place to help mitigate risk to the organization, and current global instability has upped the risk ante for all organizations. But how can organizations double down on cybersecurity to stay one step ahead of the curve? We spoke with Chaim Mazal, CISO at Kandji, an Apple device management (MDM) solution built exclusively for IT teams, and dove into what CISOs can do to fortify cyber defenses heading into 2023.
Cybercrime is “big business”, what are some of the latest stats and trends?
Fraudulent activities are impacting businesses and consumers globally. According to a PwC study, almost half of organizations have experienced cybercrime in the past two years, while the Federal Trade Commission reports that consumers lost more than $5.8 billion to fraud in 2021 which is an increase of over 70 percent. And recent research from IBM and the Ponemon Institute reveal that 83% of surveyed organizations have experienced more than one data breach in their lifetime. It's prevalent across all industries and should be top of mind for every organization.
What can today’s CISO do to help alleviate fraud and cybercrime? Where does a Risk Register fit in?
The modern day chief information security officer (CISO) balances IT and corporate security by shaping the framework of newly emerging threats through analyzing, prioritizing, and communicating these threats to the C-level table. Risk Register is vital for the security framework because it serves as the “what-if” manual – the up-to-date guide to potential security risks and how they can impact your organization.
A lot has been said about the importance of Zero Trust. Where do you see it presently landing with its level of importance to the security team?
Historically, Zero Trust was always looked at as “trust, but verify.” However, with the changing work environments, security teams need to bring this mindset for the new Zero Trust - “check, check again, then trust in order to verify.” No device should be trusted as a default. With the remote and hybrid work spaces, critical infrastructure for security teams will rely on CISOs proving device safety first, then trust and access for employees.
What about business continuity in the face of an attack, how can CISOs best plan for this?
As CISOs build their risk register plans, there are specific risks and disasters they need to keep in mind. Securing data is a company-wide responsibility.— from the CEO to the IT team to the intern — everyone has to be aware of the dangers that can arise from a lack of security. A CISO must ensure corporate data is well encrypted to prevent sensitive data from getting into the wrong hands. Some methods to add additional barriers of protection would be to implement multi-factor authentication into an application or device.
Remote work is obviously here to stay, what are its effects?
With the increase in remote work and hybrid options, the rise of shadow IT can lead to vulnerabilities outside your control. Shadow IT comes from devices, software, and services that employees adopt without IT department approval. Employee choice for work devices can introduce security vulnerabilities in the way of data leaks, compliance violations, and more. It’s important for CISO’s to have continuous conversations with employees and create policies that open a dialogue between IT and workers.
We haven’t even yet discussed compliance, what does the global landscape look like with ever-changing global regulations?
Global standards and regulations are constantly changing and every country, state, and region can ask for specific mandates that not all will hold. With so many different examples being practiced, CISOs can build a plan that’s more globally aware by taking bits and pieces from different guidelines and weave them throughout your company’s framework. This way your data regulations can adhere to the highest levels while supporting a global base.
###