Managing Cyber Risk for CISOs Under Pressure
CISOs face a perfect storm of challenges. The enterprise shift to unbounded IT environments is driving the need for new cyber risk management approaches. So is the upsurge in generative AI. Multiplying threats seem to have unlimited scalability, but cybersecurity budgets and teams do not. And the C-suite and corporate boards are asking more questions about enterprise security posture than ever before.
It’s no surprise many CISOs say they’re overwhelmed by the expectations placed on them. How can they ease the strain while successfully managing threats, prioritizing risks, and raising the visibility of cybersecurity throughout their organizations?
Season 2 of Trend Micro’s #MondayMinutes video series aims to answer those questions and more, tackling the challenges faced by today’s security leaders. Each short, insightful video hosted by Trend Micro’s Andrew Philp looks at a different aspect of the security landscape, pulling in perspective from executive experts and special guests.
Here’s what you’ll find in Season 2:
E01: Aligning Risk Management to Cyber Risks and Exposures
Ransomware grabs headlines and provokes corporate anxieties but it’s hardly the only threat CISOs need to address. That’s why Trend Micro Global Chief Technology Strategy Officer David Chow advocates taking a holistic view of cyber risks.
Being holistic means looking at all potential vulnerabilities associated with people, processes, and technologies. The goal is to create alignment between an organization’s cybersecurity posture and its overall risk management approach, putting cybersecurity into strategic terms that boards and executives understand. Since no business has unlimited financial or human resources, David explains the holistic approach also requires smart use of tools to boost capacity and scale up cyber defenses.
E02: C-level Visibility Into Cyber Risks
Singapore’s ST Logistics has a significant government customer base, making reliable cybersecurity an absolute necessity. Eric Sim, the company’s Chief Technology Officer and Chief Information Officer, draws on ST Logistics’ lessons learned to shed light on how CISOs can make risks more visible, prioritize resources, and spread cybersecurity awareness throughout their organizations.
Learn about the company’s structured approach to classifying and prioritizing risks, and its emphasis on continual monitoring and reporting. If there’s one mantra inspired by this discussion, it’s visibility, visibility, visibility: the more that’s seen, the more can be shared—up to the highest levels of corporate decision-making.
E03 (Part 1): Impacts of Privacy Data Breaches
A single cybersecurity event involving private customer data can wreak havoc on a company’s brand reputation, damaging trust and credibility in ways that are enormously difficult to come back from.
Trend Micro’s David Chow discusses some of the bottom-line impacts of private data incidents including market share loss, stock price declines, and customer churn as buyers seek more reliable service elsewhere. That’s not to mention the regulatory fines that may be levied or the obligation, at least in the U.S., for breached companies to monitor potential harms to customers for two years—at their own expense.
E03 (Part 2): Impacts of Privacy Data Breaches – People, Process, Technology
David Chow shares his thoughts on what CISOs can do to mitigate the risk of privacy breaches, noting that with the right security tools and capabilities and a culture of cybersecurity awareness, businesses can prevent breaches from happening in the first place.
In this ‘people, process, technology’ approach, the people/culture piece requires training, reinforcement, and a commitment to accountability. Process-wise, it’s important to assess new capabilities before they are deployed and communicate transparently when issues occur. It’s also essential to have the right security technologies deployed to support a zero-trust framework.
E04: Zero Trust – Balancing Adoption and Practicality
Is zero trust realistic? Hani Arab, zero-trust PhD candidate and CIO of Australia’s Assetlink, says the answer is “yes”, explaining that zero trust does not insist on any one specific implementation but rather provides a strategy for organizations to follow—rooted in the principle, “Never trust, always verify.”
Hani runs through the five pillars of zero trust and talks about the ways each organization’s risk tolerance will color its specific zero-trust approach. Tailoring zero trust to a company’s unique needs requires assessment so that CISOs can base their decisions on complete knowledge of the assets they have to protect and the liabilities they face.
E05: Artificial Intelligence – Maximizing Potential, Minimizing Risk
Edwin Hernandez spends a lot of time thinking about AI in his role as Division Technology and Strategic Executive at MIT Lincoln Laboratory. He believes the healthcare sector is uniquely positioned to pioneer a truly global AI platform because of the worldwide scale of available datasets—but not without comprehensive cyber risk analysis and cybersecurity approaches to ensure data privacy.
AI cybersecurity starts right at the training stage, taking care to ensure a machine’s learning datasets don’t include private or sensitive data that could be exposed accidentally as it starts to generate outputs. Edwin recommends adopting a strong, well-defined, end-to-end cybersecurity framework for AI that aligns with industry standards and regulations.
E06: Sailing Through Economic Headwinds in Cybersecurity
Just as the weather doesn’t always respect couples’ wedding plans, global economic conditions aren’t always sympathetic to the need for cybersecurity. Mick McCluney, Trend Micro Technical Director for Australia and New Zealand, and David Chow discuss how modern, mature extended detection and response (XDR) technologies can help enterprises do more with less in times of ‘economic headwinds’, when pressures are high to control costs.
XDR’s data analytics, case management capabilities, and opportunities for automation speed up cybersecurity tasks and support unified cybersecurity approaches for much-needed cost efficiencies that are especially important given today’s cyber skills shortages. Strategic use of managed services can further help strike the right—and affordable—balance between automation and human expertise.
E07: Cybersecurity Risk Management: Balancing Risk and Finite Budgets
No organization has unlimited resources to dedicate to cybersecurity, but many today are feeling particularly crunched with finite budgets set against mounting vendor costs. Yet as returning guest Edwin Hernandez remarks: “You can’t afford to have a cybersecurity incident.”
What’s the solution? Hernandez and Trend Micro’s David Chow talk through the importance of having a clear risk-management framework understood throughout the entire organization, making cybersecurity a collective responsibility versus the job of one “cost center” alone. A framework also allows for smart prioritization—knowing which risks really matter, and where investments are most needed. Hernandez also underscores the need to structure organizational budgets so that cybersecurity is an overall priority because, at the end of the day, “You have to invest.”
Next steps
For more Trend Micro thought leadership on cyber risk, check out these other resources:
Read More HERE