CISO Roundtable #3: Real-World Lessons from a Virtual Discussion

Perhaps the most important lesson in the field of cybersecurity is that there’s always more to learn – not just about the threats companies and organizations face and ways to manage them, but also about how to work effectively within an organization that is not primarily focused on cybersecurity. And when it comes to finding resources to learn from, successful chief information security officers (CISOs) offer an unmatched understanding of how to work across departments to build an effective, collaborative approach to cybersecurity.

With that in mind, we recently held our third CISO roundtable discussion, bringing together top cybersecurity minds from leading companies to share useful insights on the state of the industry today, the directions we should expect it to go in the future, and the latest trends affecting CISOs. This session was chaired by VJ Viswanathan, a veteran global technology executive and founding partner at CYFORIX, a global cybersecurity research, advisory, and strategy firm. It followed our first two CISO roundtable discussions, which we held in February and early March. Whereas those sessions focused on CISOs in the U.K. and the Northeastern U.S., the most recent roundtable focused on those working in the Midwestern and Western regions of the U.S. More importantly, the third roundtable placed more emphasis on the cybersecurity needs of companies in the insurance space – especially healthcare and insurance providers. 

Part of what makes these sessions so useful for cybersecurity professionals is that they give CISOs a forum to share the hard-won lessons they have gleaned in the past 18 months or so, as they have been forced to adapt to the fallout of the COVID-19 outbreak. 

So, what did we learn from our third CISO roundtable discussion? Here are some of the key takeaways that cybersecurity professionals can learn from:

Large-scale corporations need to play zone defense

Since the roundtable discussion brought together CISOs and other cybersecurity professionals from large-scale companies, it makes sense that these businesses face a very different cyber threat landscape than smaller companies would. Yet, as our conversation highlighted, that landscape isn’t just affected by the companies’ scale, but also by the variety of jurisdictions in which they operate. 

Given the different legal systems and other factors that distinguish one region from another, these companies must take extra steps to ensure legal compliance wherever they are active. While the field of cybersecurity does not generally allow for 100% guarantees, one strategy our panelists discussed is approaching each geographic region somewhat individually – aiming to keep the company’s risk of falling victim to the most likely and most serious threats in each region to a sufficiently low level.

One related topic that came up repeatedly in our conversation is how to address the cybersecurity challenges that stem from relying on software from third-party vendors. Given the vast numbers of third-party programs that today’s businesses and organizations typically rely on, a company’s relationships with vendors can complicate its CISO’s role. And, much like the issues that come with operating across various jurisdictions, the challenges stemming from a company’s use of third-party software have become more significant in light of the privacy legislation passed in states and countries around the world in recent years. 

Executive boards are increasingly interested in cyber threat intelligence – and rightly so

Some important parts of our conversation focused on the ways CISOs interact with other top executives, including CEOs. As executive boards become increasingly aware of the importance of cyber threat intelligence, some of them are taking a more active role, including through the formation and operation of cybersecurity committees. Many top-level executives also want to be kept apprised of their company’s big-picture cyber threat intelligence, and our discussion highlighted their increasing focus on cybersecurity as a competitive differentiator enabling them to do more business. 

Our panelists also discussed the importance of sharing cyber threat intelligence (such as the findings of threat hunts) internally within their companies. And, more generally, they touched on some of the reasons healthcare and insurance providers are uniquely impacted by cybersecurity and cyber threat intelligence. For instance, patient privacy is a fundamental concern for healthcare providers – not least of all because of the Health Insurance Portability and Accountability Act (HIPAA). And having a clear sense of the cyber threat landscape can help companies manage the challenge of figuring out how to estimate and manage their risk exposure, which can be especially important for insurance providers.

But, as our panelists pointed out, healthcare companies have a far more serious reason to value cyber threat intelligence than simply to protect patients’ privacy. In fact, when these companies protect themselves from cyberattacks, they are effectively protecting their ability to offer their clients the necessary medical care. Given that recent years have seen ransomware attacks hobble companies by encrypting their files, the protection of medical records is an essential factor ensuring that medical staff have the information they need to care for their patients.

COVID-19 gave the CISO a more central role

Aside from the medical advances that drive the field of healthcare forward, healthcare providers have been moving towards digital transformation and cloud computing for years. Unsurprisingly, these trends make cybersecurity more important for these companies – as it enables them to enjoy the efficiency, reliability, and convenience of cutting-edge technologies while minimizing the risk that they could fall victim to a costly cyberattack.

But, as our discussion highlighted, the fallout of the coronavirus outbreak seriously raised both the pace of innovation and the level of risk healthcare providers face from possible cyber threats. At the heart of this innovation stands the trend of working from home. Although many medical professionals have professional responsibilities preventing them from working remotely as frequently as those in other fields do, the COVID-19 era has still pushed healthcare companies to accept the idea of working from home in an unprecedented way. That has made it especially important for these companies to make sure their employees have secure computing environments, no matter where they’re located.

How should we expect the relationship between healthcare companies and cybersecurity to change in the future, as the coronavirus outbreak hopefully recedes around the world? One possible vision of the future of work that came up in our roundtable discussion is a hybrid of on-site and at-home work. 

Various challenges call for increased automation

One of the main challenges that our panelists discussed was keeping up with the volume of data they need to analyze in order to optimize their cyber defenses. Specifically, these companies need to rapidly take industry data, interpret it, and find patterns they can use to identify (or even to predict) cyberattacks. As our roundtable discussion pointed out, automation can help these companies to address this risk.

More generally, the conversation highlighted the tension between old and new within the field of insurance. Although it is still common for insurance providers to rely on mainframe systems, the field has changed drastically in recent years – and that change continues. Much of it is focused on the transition from legacy to cloud-based systems, which makes cybersecurity especially important. And, as our panelists highlighted, there is a trend towards providing the necessary guardrails through automated controls – although these participants also emphasized the role that individuals’ professional skills play in making the transition to cloud-based systems a safe and secure one. 

More useful insights coming up…

Looking to gain more useful insights on the state of cyber threat intelligence, the challenges facing today’s CISOs, and how they’re finding success? Our series of roundtable discussions bringing together expert CISOs is ongoing, and we’re eager to help cybersecurity professionals learn from each other. We invite you to keep an eye out for more useful insights here on the Cybersixgill blog. Better yet, if you’re a cybersecurity professional, sign up today to participate in a future roundtable discussion.