Read more from CISOs:
The cybersecurity sector continues to face enormous challenges amid surging attacks, reliance on digital tech, advancements in AI and the cyber skills gap. Unsurprisingly, these issues are widely discussed in the industry, while stories of major breaches and attacks emerge every week.
However, it is important to recognize there are plenty of successes in cybersecurity too, with significant advancements being made in the tools available to defenders, and in the development of this relatively young industry.
From a series of interviews conducted by Infosecurity, a range of high-profile CISOs and cybersecurity professionals gave their responses to the question ‘What are the biggest successes that you think the cybersecurity industry is experiencing today?’
Threat Intelligence Sharing
Jason Lau, CISO, Crypto.com
"The cybersecurity industry has seen remarkable progress in several key areas. Over the years, through big data and machine learning, the industry has made substantial advancements in developing sophisticated detection and response mechanisms, fundamentally altering how we manage and respond to security incidents.
We’ve seen a dramatic increase in threat intelligence sharing. This increased collaboration strengthens our collective capacity to counteract and respond to threats, improving the overall resilience of our digital ecosystems.
Equally noteworthy is the growing awareness and recognition of cybersecurity's importance at the board and executive level at companies. This signifies a considerable shift in mindset, as cybersecurity is now acknowledged as a critical business issue, not merely a technical one. This paradigm shift has had a profound impact, ensuring strategic decision-making and resource allocation are in alignment with cybersecurity best practices, enhancing the overall security posture of organizations.”
Support from Management
Tal Arad, former CISO & now CTO, Carlsberg
“Two things come to mind with this question. First, the change with which we get support from management had been significant. I've been doing this for a long time, and I still remember basically begging for scraps of money to get traditional antivirus or very basic tools.
I think now we have gotten so much more positive attention. Management understands that there is a threat and I think since 2017 probably that’s been a big paradigm shift. It’s not just a tick-box exercise.
It’s been fantastic from my perspective because I’ve gotten everything I’ve asked for, as long as I’m being reasonable. One thing that happened for the first time in my career was when I first presented my budget to the CFO at Carlsberg, and the CFO told me “you need to ask for more money.” That was quite a new, interesting experience.
On the technology side I think one thing that has been very good is that we have a much better ecosystem in terms of tools. The various technologies that we are using can talk with each other. Almost all the solutions I’m using today have some sort of interface between one another.”
Adoption of Two-Factor Authentication
Fredrick “Flee” Lee, CISO, Reddit
“This ladders back to my security philosophies, specifically the idea of making security loveable and enabling humans to have great experiences. One of the biggest successes has been the adoption of two-factor authentication, which has become much more user-friendly and secure over the years. There are now multiple options available to individuals and organizations that are not a pain to use, and that makes good security much more approachable.
In a similar vein, the widespread availability of password managers has been a huge win for security. These tools have made it easier for people to remember and choose strong passwords. While it might be a simple change, these developments encourage people to improve their own security by making it easier to do so, and that is what security should be about.”
Pushing the Envelope in New Technology
Tim Brown, CISO, SolarWinds
“We’ve actually done very well in a lot of places that we don’t always give ourselves credit for. We’ve got to a really good point in the identity world of a common identity being used for many places.
With our network controls and sharing of threat intel and tactics, techniques and procedures (TTPs), we’ve done a really good job of not making that proprietary and sharing across the industry.
I see a lot of advances. We’re still going and we’ve got a great community of small and large security vendors that are helping to push the envelope in new technology and new ways to do things. We’re not being passive in implementation. If you just look at the last few weeks – we’re getting more quantum ready, so we’re becoming more proactive in how we look at security.”
Collaboration
Sam Watling, Head of Critical Asset Security, TUI Group
“I think one thing that's positive is the collaboration between our industry peers. It's phenomenally good in the cybersecurity industry. No matter what competitive differences there are, we will share best practices to help protect the crown jewels for each of our individual companies. I only see that increasing.”
Resiliency of People in Cyber
Marene Allison, former Global CISO, Johnson & Johnson
“What I love and am so thrilled about in cybersecurity is the innovation and how quickly innovation is keeping up with the threat. Now I don’t see the other side [threat actors] so I don’t know what they have but I am amazed at the cybersecurity technologies out there. Companies like Rubrik who are able to air-gap back-ups that create resiliency that stops ransomware from being effective.
Now, there's a lot of companies and state agencies and hospitals that don't use those type of technologies, but the technology is out there.
Also, the amount and resiliency of people in cyber or IT security to be able to learn and grow. For cyber people I'm just amazed at their agility, the resilience, and their leaning into innovation, and learning ‘how can I combat this next threat?’. They're doing it very, very well.”
Government Action
Josh Lemos, CISO, GitLab
“We've recently done much better with multi-factor authentication, which has become a more accepted practice, and device attestation.
It's greatly because of protocols like FIDO2 and WebAuthn becoming more ubiquitous.
To get back to malware and ransomware, I think governments are also doing a better job of targeting and taking down malware actors and ransomware groups.”
Diversity in Cybersecurity
Ollie Whitehouse, CTO, UK National Cyber Security Centre
“Look at how diverse cybersecurity has become. Once upon a time, the industry was nearly only made of white male people. It’s no longer entirely white male, and that’s great. Diversity of people means diversity of thoughts, which our industry critically needs.
On the technological front, I’m particularly buoyed by the conversation we’re having both around quantum and AI.
And we’ve had them quite early on – we’ve not waited for those technologies to become endemic and then worried about how to secure them.
I’ll give you one example, most AI vendors have set up internal AI red teams, they’ve not waited to be outed for having systemic vulnerabilities.
It shows that we’ve broken the traditional cycle of releasing a product and only starting to secure it once it’s been broken into – and I’d say it has something to do with initiatives like Secure by Design and Secure by Default being efficient.”
Security by Design
Heather Lowrie, CISO, The University of Manchester
I'm a huge fan of security architecture and that's security by design – being able to build that kind of thinking into the design and development of new products or projects that are being managed internally.
I think there has been a real mindset shift in a lot of organizations towards engaging with security architecture and professional security practitioners more generally. That is really helping to shift the dial in terms of security and also the quality of services that are being developed.