There is no easy way to defend against an advanced persistent threat (APT), and it is crucial to get the company’s board on your side as you prepare a security plan.
We found CISOs share a few concerns, regardless of the organization’s size or industry:
Communication obstacles: Explaining the risk before an attack is always a challenge. CISOs want to be more proactive but they can’t get the board’s attention until after a disaster strikes. Then, when an incident occurs, they feel that a translator is needed to easily and quickly communicate the complex technical situation to a non-technical audience.
Instead, security needs to get ahead of a disaster by telling a story to the company’s leaders about risks, threats and solutions. The message should avoid tech jargon and convey that an attack’s impact will be much worse the longer it continues.
Corporate board inertia: Some boards simply accept security gaps as the cost of doing business. For example, a board may believe spending money to fix a security issue will cost more than letting the problem continue. In other cases, boards follow a principle of acceptable loss. They’re willing to accept that the company loses a certain amount of money each quarter due to security gaps.
However, an attack has repercussions that go beyond fiscal damage. For example, a hack can severely damage a company’s reputation. Security teams need to show the board the larger business impacts of an attack.
Staff shortages: One topic that everyone mentioned was the lack of qualified security professionals. Security teams are struggling with tracking new threat vectors and are also overwhelmed by the number of alerts they’re receiving from the various security platforms they’ve deployed. The talent shortage is becoming more acute and CISOs said they are looking for ways to “do more with less” and simplify the work processes.
Automating detection and incident investigation is a great way to augment your security capabilities. Automating those steps also saves security teams time since they don’t have to build parsing rules and run manual investigations.
How to pick tools: Another challenge that came up in the discussion is the difficulty companies face when choosing the right solution from a multitude of options.
We recently discussed this topic with Forrester principal analyst Rick Holland. Rick noted that most of his customers find it very difficult to know what criteria to consider when evaluating next-generation security technologies to fight APTs.
Today, many socially engineered attacks are coming from nation states and organized crime. Intellectual property theft, fraud and the desire to disrupt an organization are still the most common motives for an attack. These modern operations are especially difficult to defend against and security professionals are realizing they need to evolve at the pace of their adversaries.
This evolution requires accepting that motivated hackers will figure out how to breach an organization. Enterprises need to ramp up their automated detection and investigation capabilities to reveal the entire scope of an attack and stop it in its infancy.