When you think about cybersecurity, it shares many similarities with strategic board games such as Risk, where players try to conquer enemies’ territories. To win, good players define their strategic assets, anticipate opponents’ moves, and create safe areas with limited access that allow further expansion.
The same can be said about companies and institutions trying to survive and thrive in the world of fast-evolving cyber threats, according to guest speaker Madelein van der Hout, a senior analyst from Forrester, a leading global market research company.
“Winning is everything. If you end up being second, you are actually being the first of the losers,” said Mrs. van der Hout during her presentation, hinting at potentially menacing outcomes of a data breach in a real-world scenario.
Using the popular game Risk as a metaphor for the cyber threat landscape, Mrs. van der Hout presented her insights into building a prevention-first approach in cybersecurity at the ESET WORLD 24 conference. After her session, she also kindly answered a few of ESET’s questions.
Strategic assets
Considering the current level of automation, cloudification, and remote working, there are numerous assets that institutions and companies need to protect, such as employees’ devices, customers’ data, or even IT Admin credentials, to name just a few.
But there are also other risk factors that are not directly caused by cyber-attacks. We are talking about pressure on both CISOs and security admins who bear responsibility for their organisation’s cybersecurity and face a huge number of challenges including the financial consequences of cyberattacks.
For example, 97 percent of boards are expecting CISOs to deliver business value and 31 percent of boards will fire CISOs in case of a breach, according to Forrester’s research. This kind of pressure often results in high levels of stress and burnout.
Challenges faced by CISOs in 2024:
- Changing/evolving nature of threats
- Geopolitics
- Regulations
- Hybrid workforce
- Economic pressure & cost savings
- Integrating cybersecurity with business strategy
- Complexity of IT environment
- Lack of visibility
- Talent shortage
- Lack of comprehensive vulnerability and exposure management
Dealing with these challenges, 66 percent of employees working in cybersecurity stated that they are experiencing significant stress levels. Mrs. van der Hout took it a step further, surprising the audience with survey results revealing that among these highly stressed employees, 51 percent take prescription medicine and 19 percent drink three or more alcoholic beverages per day to cope with these challenges.
“We cannot meditate ourselves from (out of) cybersecurity burnout,” said Mrs. van der Hout, adding that there are some measures that companies can take immediately such as automated alert management or providing mental health support to employees.
But considering the current talent shortage, which exceeds 4 million unoccupied job positions worldwide, more measures will need to be taken.
Don’t dwell on the past
Be it a board game or real-world cybersecurity, adopting a prevention-first strategy relies on anticipating the opponents’ moves. But what Forrester analysts often see are companies making decisions based on what has happened before – i.e., using a rearview mirror. They set their priorities, create incident plans, and adjust their budgets, but when a data breach occurs, all this planning goes out the window.
“[Just like] how I flip the board [over] when I am about to lose a game, that’s how they flip their priorities for the upcoming year. Their investment profiles change,” said Mrs. van der Hout.
For example, in 2023, CISOs recognised the importance of the human factor in cybersecurity and increased budgets accordingly, but in 2024 their focus has shifted back to technological solutions.
And the situation has become serious. Within the last 12 months, 78 percent of surveyed organisations reported one or more incidents potentially compromising sensitive data. The estimated cumulative loss of those data breaches is on the rise in both the US and Europe and is now exceeding $1 million per company, according to Forrester.
How others play their cards
When moving to improve one’s game, it is often useful to see how others play their cards. To face current cybersecurity challenges, organisations need to follow current trends and learn from others.
For example, AI and machine learning help cybercriminals create more sophisticated threats, but legitimate security organisations can also harness this technology to build more effective cybersecurity tools and processes. Moreover, identity protection is no longer strictly about protecting the identity of employees, but also of partners, customers, and even non-human identities, thus the term: “everything identity.”
Current trends in cybersecurity:
- AI and machine learning
- Quantum computing and blockchain technology
- Expansion of OT&IoT
- Zero trust
- Everything identity
- Increasing regulations and geopolitics
New legislation has also been adopted around the world, but Mrs. van der Hout pointed out that following legislation is not only about checking compliance boxes but also about helping companies to build stronger defences. Therefore, security solution providers should retain trusted advisors, and governments should educate companies and citizens to achieve the desired level of resilience.
“Governments need to be clearer about what organisations need to do to comply with new regulations instead of having really vague articles,” Mrs. van der Hout said.
When learning from others, organisations should look at the strategic and tactical priorities of other players on the market.
Strategic priorities:
- Boost cloud security strategy
- Improve the ability to detect and respond to threats
- Enhance identity and access management for employees, partners, and customers
Tactical priorities:
- Improve application security and/or product security
- Improve access management and policies for employees and partners
- Improve security operations’ effectiveness
Building a proactive defence strategy
Taking all this information into account, let’s build some proactive defence strategies.
First, determine business-relevant elements of your strategy and consider that board members will expect it to deliver some value. Business and cyber security need to work together to shape a strong security posture to persuade both partners and customers, who are increasingly taking a proactive interest in their own security.
With a business strategy set, look at possible risks and keep in mind that this should be an ongoing process. While doing this, make sure that you have proper data from cyber intelligence and advanced security technologies.
“And that’s not only about data collection. It’s also about action and response,” Mrs. van der Hout said.
Next step is to create a strong security culture within an organisation as current Forrester predictions say that 90 percent of all data breaches will still include a human element.
“Looking at one cybersecurity awareness video while multitasking isn’t changing anyone’s behaviour. So, when addressing awareness, please, move beyond videos. Make sure that your employees understand the importance of awareness and make security part of your organisation’s culture,” Mrs. van der Hout said.
The final aspect of a proactive defence strategy is continuous improvement and adaptation. Instead of adopting one solution, and then setting and forgetting, organisations should review their defences, close gaps, make adjustments, and ask for help if needed.
You are not alone
It is always nice to talk about the latest cybersecurity solutions and proactive defence but there are smaller companies or non-profit organisations that don’t have a budget for CISOs and high-end technologies.
When asked about this, Mrs. van der Hout remained in her winning mood, pointing out that even small companies can analyse their threat surface and set priorities. And what is more, the “good guys” in IT environments can help each other.
“We are operating in ecosystems where larger enterprises and SMBs are working together. We need to partner with each other to make sure that we are secure. Security should travel beyond just contractual agreements,” she said.