- Latest Cybersecurity Insights
- Cybersecurity Initiatives
- Resources for Cybersecurity Leaders
- Conferences for Cybersecurity Leaders
Cybersecurity is the practice of deploying people, policies, processes and technologies to protect organizations, their critical systems and sensitive information from digital attacks.
Cybersecurity is a business problem that has been presented as such in boardrooms for years, and yet accountability still lies primarily with IT leaders.
In the 2022 Gartner Board of Directors Survey, 88% of board members classified cybersecurity as a business risk; just 12% called it a technology risk. Still, a 2021 survey showed that the CIO, the chief information security officer (CISO) or their equivalent were held accountable for cybersecurity at 85% of organizations.
Organizations have become far more vulnerable to cyberthreats because digital information and technology are now so heavily integrated into day-to-day work. But the attacks themselves, which target both information and critical infrastructure, are also becoming far more sophisticated.
Cyber-risk incidents can have operational, financial, reputational and strategic consequences for an organization, all of which come at significant costs. This has made existing measures less effective, and it means that most organizations need to up their cybersecurity game.
The Russian invasion of Ukraine is marked by both military and destructive malware attacks. As the invasion expands, the threat of attacks to critical infrastructure — and the potential for fatal outages — grows. No business is immune.
Many organizations already face a range of lurking security failures, but now, it’s especially important to rely on threat intelligence tailored for your organization and to watch for guidance from your government contacts around how to prepare for attacks you may not be ready to handle.
As the C-suite strategizes its response to the Russian invasion of Ukraine, prioritize cybersecurity planning. Focus on what you can control. Make sure your incident response plans are current. Increase awareness and vigilance to detect and prevent potential increased threats, but be mindful of the added stress and pressure your organization is feeling. A human error due to these forces may have a greater impact on your organization than an actual cyber attack.
Critical infrastructure sectors include energy production and transmission, water and wastewater, healthcare, and food and agriculture. In many countries, critical infrastructure is state-owned, while in others, like the U.S., private industry owns and operates a much larger portion of it.
Not only are each of these sectors critical to the appropriate functioning of modern societies, but they are also interdependent, and a cyberattack on one can have a direct impact on others. Attackers are increasingly choosing to deploy attacks on cyber-physical systems (CPS).
The risks were very real even before Russia invaded Ukraine. Attacks on organizations in critical infrastructure sectors rose from less than 10 in 2013 to almost 400 in 2020, a 3,900% increase. It’s not surprising, then, that governments worldwide are mandating more security controls for mission-critical CPS.
The Russian invasion of Ukraine increases the threat of cyberattacks for all organizations. You need to develop a holistic, coordinated CPS security strategy while also incorporating into governance emerging security directives for critical infrastructure. The U.S. “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” for example, is prioritizing the electricity and natural gas pipeline sectors, followed by the water/wastewater and chemical sectors.
The crux of the problem is that traditional network-centric, point-solution security tools are no longer sufficient to combat the speed and complexity of today’s cyberattacks. This is particularly the case as operational technology (OT), which connects, monitors and secures industrial operations (machines), continues to converge with the technology backbone that processes organization’s information technology (IT).
Conduct a complete inventory of OT/Internet of Things (IoT) security solutions in use within your organization. Also perform an evaluation of standalone or multifunction platform-based security options to further accelerate CPS security stack convergence.
The most common and notable types of cybersecurity attacks include:
Cyber attackers deploy DDoS attacks by using a network of devices to overwhelm enterprise systems. While this form of cyber attack is capable of shutting down service, most attacks are actually designed to cause disruption rather than interrupt service completely.
Thousands of DDoS attacks are now reported each day, and most are mitigated as a normal course of business with no special attention warranted. But cyber attackers are capable of increasing the scope of the attack — and DDoS attacks continue to rise in complexity, volume and frequency. This presents a growing threat to the network security of even the smallest enterprises.
DDos attacks also increasingly target applications directly. Successful and cost-effective defense against this type of threat therefore requires a multilayered approach:
DDoS mitigation requires skills distinct from those required to defend against other types of cyberattacks, so most organizations will need to augment their capabilities with third-party solutions.
A range of IT and information system control areas form the technical line of defense against cyberattacks. These include:
Technology controls aren’t the only line of defense against cyberattacks. Leading organizations critically examine their cyber-risk culture and relevant functions’ maturity to expand their cyber defense. This includes building employee awareness and secure behaviors.
Simply put, cybersecurity fails because of a lack of adequate controls. No organization is 100% secure, and organizations cannot control threats or bad actors. Organizations only control priorities and investments in security readiness.
To decide where, when and how to invest in IT controls and cyber defense, benchmark your security capabilities — for people, process and technology — and identify gaps to fill and priorities to target.
Notably, the human element features heavily in cybersecurity risks. Cybercriminals have become experts at social engineering, and they use increasingly sophisticated techniques to trick employees into clicking on malicious links. Making sure employees have the information and know-how to better defend against these attacks is critical.
The environment itself is evolving in several key ways:
Cybersecurity is interconnected with many other forms of enterprise risk, and the threats and technologies are evolving quickly. Given this, multiple stakeholders must work together to ensure the right level of security and guard against blind spots. But despite the growing view that cybersecurity is a business risk, accountability for cybersecurity still falls mostly on the shoulders of IT leaders.
A 2021 Gartner survey found that the CIO, CISO or their equivalent were held accountable for cybersecurity at 85% of organizations. Non-IT senior managers held accountability in only 10% of organizations surveyed, and only 12% of boards have a dedicated board-level cybersecurity committee.
To ensure adequate security, CIOs should work with their boards to ensure that responsibility, accountability and governance are shared by all stakeholders who make business decisions that affect enterprise security.
Most cybersecurity metrics used today are trailing indicators of factors the organization does not control (e.g., “How many times were we attacked last week?”). Instead, focus on metrics related to specific outcomes that prove your cybersecurity program is credible and defensible.
Gartner expects that by 2024, 80% of the magnitude of fines regulators impose after a cybersecurity breach will result from failures to prove the duty of due care was met, as opposed to the impact of the breach.
Gartner advocates the “CARE” model of outcome-driven metrics (ODMs):
Consistency metrics assess whether controls are working consistently over time across an organization.
Adequacy metrics assess whether controls are satisfactory and acceptable in line with business needs.
Reasonableness metrics assess whether the controls are appropriate, fair and moderate.
Effectiveness metrics assess whether the controls are successful and/or efficient in producing a desired or intended outcome.
The amount you spend on cybersecurity does not reflect your level of protection, nor does what others spend inform your level of protection compared to theirs.
Most monetary representations of risk and security readiness (i.e., “Is that a $5 million risk or a $50 million risk?”) are neither credible nor defensible, and, even when they are credible, they do not support daily decision making related to priorities and investments in security.
Use outcome-driven metrics to enable more effective governance over cybersecurity priorities and investments. ODMs don’t measure, report or influence investments by threat type; it is outside your control to align spending to address ransomware, attacks or hacking. Rather, align investments to the controls that address those threats.
For example, an organization cannot control whether it suffers a ransomware attack, but it can align investments to three critical controls: back up and restore, business continuity and phishing training. The ODMs of these three controls reflect how well the organization is protected against ransomware and what that level of protection costs — a business-based analysis that tells a compelling story for the board and other senior leaders.
Note that a control can be any combination of people, process and technology that you own, manage and deploy to create a level of protection for the organization. Take a cost optimization approach to evaluate the cost (investment), value (benefit) and the level of risk managed for each control. Generally, better protection (less risk) will be more expensive.
Join your peers for the unveiling of the latest insights at Gartner conferences.