The cybersecurity lessons learned that will shape 2023


By Bernard Montel, EMEA Technical Director and Security Strategist, Tenable.

With the dramatic rise of ransomware, nation state-sponsored threats and new zero-day vulnerabilities, cybersecurity teams are under siege. While it might seem an insurmountable battle, knowing the adversary goes a long way to raising defences.

How we got here

A company’s digital infrastructure is core to its business. While vital to function, the infrastructure that underpins organisations today bears little resemblance to that of three years ago, before COVID. Remote work, previously the province of a select few road warriors and executives, has become ubiquitous. Cloud adoption has advanced rapidly. The result is a porous perimeter, with an evolving set of devices all supported on a hybrid infrastructure that combines on-prem and cloud.

I was lucky enough to be on a panel recently with Annabel Berry, CEO of Sapphire. Speaking about what she is seeing and hearing as a consultant, and also as a founder of the National Information Security Conference, she explained, “In 2020, the priority was to keep the lights on, to remain functional. Today we're still seeing a lot of organisations catching up from a security perspective, in addition to other pressures, so having accurate visibility of their exposure to risk across infrastructures is key.”

When threat actors evaluate a company's attack surface, they're not thinking in terms of organisational silos. They're probing for the right combination of vulnerabilities, misconfigurations and identity privileges. Understanding the impact of cyber incidents therefore requires business and security leaders to work together.

Security needs to understand the larger mission of the organisation and safeguard the tools and assets that enable staff to complete business-critical activity, while also ensuring important data is protected. Annabel adds, “It's almost impossible to make good decisions unless you have relevant information and context. Awareness of vulnerabilities or misconfigurations is important, but we need to understand what that impact might be and what does that in turn mean to our business?”

Cybersecurity today that defines our safe tomorrow

Traditional vulnerability management focuses on enumerating exploitable flaws in software (CVEs). Exposure management extends beyond this by adding context: who is using the system, what they have access to, how it is configured, and so on. This gives an organisation a complete picture of its environment and its weaknesses, helping to map the attack paths that exist across its attack surface and to describe the blast radius should a breach happen. The result is actionable intelligence that security teams can use to address weaknesses through remediation or incident response workflows. It focuses effort on real rather than theoretical risks, ensuring attack paths are closed off, which prevents compromise, malware infiltration and exfiltration of data.
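To make the distinction concrete, here is a toy exposure-management model, added as an illustration and not code from the article or from Tenable. It assumes hypothetical asset names and placeholder CVE identifiers, treats each vulnerability, misconfiguration or identity privilege as an edge an attacker could traverse, and uses that graph to list attack paths from internet-exposed assets to critical ones, compute a blast radius, and separate findings on a real path from theoretical ones.

```python
from collections import deque

# Constructed sample environment (hypothetical asset names; not real data).
ASSETS = {
    "web01": {"internet_exposed": True, "critical": False},
    "app01": {"internet_exposed": False, "critical": False},
    "db01": {"internet_exposed": False, "critical": True},
    "hr-share": {"internet_exposed": False, "critical": True},
    "kiosk": {"internet_exposed": False, "critical": False},
}
# Findings: (source, target, kind, label). CVE ids are placeholders, not real ones.
FINDINGS = [
    ("web01", "app01", "vulnerability", "CVE-XXXX-XXXX remote code execution"),
    ("app01", "db01", "misconfiguration", "db service account password reused"),
    ("app01", "hr-share", "privilege", "svc_app is local admin on hr-share"),
    ("kiosk", "db01", "vulnerability", "CVE-YYYY-YYYY on an unreachable host"),
]

def build_graph(findings):
    """Adjacency list: asset -> assets an attacker on it could move to."""
    graph = {}
    for src, dst, _kind, _label in findings:
        graph.setdefault(src, []).append(dst)
    return graph

def attack_paths(assets, findings):
    """Every simple path from an internet-exposed asset to a critical one."""
    graph, paths = build_graph(findings), []
    stack = [(a, [a]) for a, m in assets.items() if m["internet_exposed"]]
    while stack:
        node, path = stack.pop()
        if assets[node]["critical"]:
            paths.append(path)
        stack.extend((n, path + [n]) for n in graph.get(node, []) if n not in path)
    return paths

def blast_radius(assets, findings, start):
    """Assets an attacker who already controls `start` could go on to reach."""
    graph, seen, queue = build_graph(findings), {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def prioritise(assets, findings):
    """Split findings into those on a real attack path and the rest (theoretical)."""
    on_path = {e for p in attack_paths(assets, findings) for e in zip(p, p[1:])}
    return ([f for f in findings if f[:2] in on_path],
            [f for f in findings if f[:2] not in on_path])
```

Note that the kiosk CVE is just as severe on paper as the web server one, but it lands in the theoretical bucket because nothing reachable from the internet leads to that host.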

Adding her perspective, Annabel offered, “Today’s challenge is that, if something were to happen, it's not just about containing the event but also the impact to the business and how quickly you can recover from it. We recommend performing regular business continuity exercises based on a variety of scenarios, regardless of whether or not you’re compliant with ISO27001. This is particularly important as we remain away from our physical offices. If our business systems were to be negatively impacted, how do we remain functional and what logistical challenges might we face in a hybrid working world? Beyond that, we also have to consider the security implications of home working and ensure we’re following the same good practices and procedures as we do in our offices.”

Trusting the trusted advisor

The last twelve months have seen organisations face unprecedented economic pressures, particularly across EMEA, and looking ahead the picture shows no sign of improving anytime soon. The combination of heightened threats and squeezed budgets leaves organisations in the impossible position of deciding whether cybersecurity investment is essential or even possible.

When I spoke with Annabel, she shared these concerns. Her view is that, “There are some hard decisions facing businesses and efficient spending is critical. We need visibility to be able to see what is non-negotiable and what is optional in terms of investment. It’s also about making sure you are getting as much as you can from what you already have.”

For organisations facing budget constraints, or even workforce reduction, this is the time to lean on trusted advisors to help address gaps in knowledge and expertise. Where cybersecurity investment is needed, it should be defined in the context of specific business needs, so that it genuinely helps organisations tackle the damaging effects of cyberattacks and demonstrates the positive impact of cybersecurity on business performance.

Annabel concludes, “This is the time where trusted independent partners come to the forefront and offer constructive ideas, to define better security outcomes. What impact could that have on something else? How does that link in with what you already have? What are the frameworks that need to be considered? Context is everything. It might be that training is all you need, or just a more effective way of reviewing the data you have already collected. More doesn’t always mean better.”

Securing the modern attack surface requires a new approach, one that provides an understanding of all the conditions that matter in today’s complex and dynamic environments.

Organisations that can anticipate cyber attacks and communicate those risks for decision support will be the ones best positioned to defend against emerging threats. Everyone else is blindly hoping they’ll be okay.
