
A CISO’s Observations on Today’s Rapidly Evolving Cybersecurity Landscape

Sam Rehman, chief information security officer at EPAM Systems, offers three best practices businesses can adopt to improve their security posture.

Industry Perspectives

August 2, 2024


There is a troublesome disconnect between many business leaders and their cybersecurity teams. The former still believes there is such a thing as 100% security. For obvious reasons, the latter understands that “100% security” is an oxymoron. 

Nevertheless, because companies push for and demand 100% security, security teams settle for a false sense of security so that people can get on with their jobs. When a breach inevitably occurs, everyone ends up pointing fingers, and typically no serious change follows. 

Instead, business leaders must shift their thinking from eliminating risk entirely (which is impossible) to managing it deliberately. For example, companies should focus on containing the blast radius – limiting the scope and the amount of damage a single incident can cause – and on shortening the time it takes teams to detect and remediate breaches. 

To that end, here are three best practices – company-wide training, human-centered design, and cybersecurity-by-design – that businesses can adopt to achieve a more robust cybersecurity posture. 

Cybersecurity Training for the Entire Workforce 

Any technology available to businesses is also accessible to bad actors, and generative artificial intelligence (Gen AI) is no exception. By leveraging Gen AI, attackers can produce convincing phishing emails and personalized social engineering lures, and can use it to help build the malicious code and malware those lures deliver. 


Phishing attacks, for example, reached an all-time high of almost five million in 2023, according to the Anti-Phishing Working Group. Worse, cybersecurity talent is in short supply globally, putting pressure on understaffed teams to deal with this onslaught of advanced schemes. 

In light of these challenges, it is paramount that businesses train their general employees no differently than their security personnel. Today, general employees watch videos and take quizzes – hardly the training that could prepare them for these emerging threats. Instead, general staff should engage in the same kind of training as security teams – notably, realistic rehearsals and exercises. 

Simply being aware of risks isn't sufficient. Role-relevant security simulations, by contrast, equip the entire workforce to know what to do and how to act when they encounter malicious activity. 

Human-Centered Design: Build With People in Mind 

Security should be a smooth process, but it is often complicated. Recall the surge in phishing attacks: employees know not to click dubious links from unknown senders, but do they know how to verify whether a link is safe beyond their gut instinct? Is the employee aware that there is an official email verification tool? Do they even know how to use it? 


To ensure that employees will actually use security processes and tools, cybersecurity personnel and designers must incorporate human-centered design and its principles.   

Human-centered design is an approach to problem-solving that places people – particularly the person the process is for – at the heart of the solution. This approach considers the target users’ skills, knowledge, and capabilities to promote the highest adoption possible. 

Likewise, human-centered design is an iterative practice that continuously gathers feedback, validates, and adjusts accordingly. In the case of a suspicious link, an ideal link-verification tool shouldn't be time-consuming or overly complex; rather, it should be something employees see value in using, so that they reach for it rather than guess. 

Cybersecurity-by-Design: Security Is Not an Add-On Feature 

It is not uncommon for business leaders to rush technology adoption, deferring security until later as a feature bolted on afterward. When companies prioritize speed and scalability at the expense of security, data becomes more mobile and more exposed to attack, making it harder for security teams to establish where the natural boundaries of a blast radius lie. Businesses may also end up carrying security debt.


With the growing prevalence of Gen AI and the cloud (and the data and privacy concerns each brings), companies must design their systems with security as a core business requirement. Treating security as something intrinsic to a system rather than a nice-to-have feature is the fundamental tenet of cybersecurity-by-design.

By applying this principle of cybersecurity-by-design, companies can enhance their ability to manage risk, reducing potential vulnerabilities and flaws while safeguarding sensitive and proprietary data. 

Prioritize Agility and Promote Alignment 

Technology continues to evolve at breakneck speed, and organizations must adapt their security strategy accordingly. Businesses should therefore adopt a multifaceted, agile, and continually evolving cybersecurity approach to managing risk. 

Moreover, business leaders and cybersecurity teams need to avoid miscommunication and ensure they are aligned on security expectations and strategies. 

Sam Rehman is senior vice president and chief information security officer at EPAM Systems.
