Managing the cybersecurity of just one hotel is a challenge, but when the threats from cyberspace are growing at an unprecedented rate, how are Chief Information Security Officers (CISOs) supposed to oversee the security of hotels located all over the world?
With every business and type of industry now increasingly relying on technology and the Internet, a CISO now has to consider all areas of the business, from the supply chain to marketing to accounts and much more.
Getting and maintaining a clear oversight of your organisation’s security is a challenge that most CISOs struggle with. You’re often up against budget restrictions, board interference as well as the global cyber skills shortage.
If your organisation has sites all over the world, how can you keep a constant eye on their security? You can’t be everywhere at once. Employees will make costly cybersecurity mistakes – it’s human nature, but in a multinational business the implications can be dire. A person in London could open a malware-infected email that then spreads throughout the business’s network. Before long, the entire global network could be impacted with all the negative repercussions that entails.
With cybercriminals constantly coming up with new attack strategies and as businesses increasingly do their dealings online, many organisations are being overwhelmed as they try to keep up. CISOs are at the frontline of this and are expected to ensure a business’s security often with limited resources and budgets.
Convincing the board to invest in cybersecurity resources is tough enough in any organisation but when it comes to multinationals the challenge is amplified.
CISOs often lack influence in the boardroom and are under pressure to justify the budgets needed to adequately defend the organisation. Even with the number of cyber risks growing, getting the right budget is impeded as the CISO can’t guarantee a clear return on investment. (Not being attacked and suffering the financial implications that go with it would be enough in an ideal world).
In a recent survey published by Kaspersky – What it takes to be a CISO: Success and leadership in corporate IT, 36% of CISOs surveyed said that they were unable to secure the budgets they need because they cannot promise the board that the cost will guarantee 100% protection against attacks.
As any cybersecurity professional will tell you, there is no such thing as 100% protection. If they do make such a claim, run for the hills!
Getting buy-in from the right stakeholders is critical to defending an organisation, and without them leading the way and setting an example to other employees, it’s less likely they will take security as seriously as they should.
Even if the CISO can convince the board to invest, they will then need to convince them that cybersecurity is an ongoing effort and in an international business scenario, this becomes both more difficult and complex.
The organisation’s employees also need to be considered a potential vulnerability and with locations all over the world, a breach could occur in any them.
The Kaspersky survey revealed that 29% of questioned CISOs see the insider threat as the biggest threat to their organisations.
Getting buy-in to roll out a cybersecurity awareness and education plan is crucial as is the creation of security policies and incident response plans that the entire organisation needs to follow.
Insider threats are incredibly difficult to defend against, namely due to their nature. Often disgruntled employees may seek vengeance on the business or simply want to cause mischief. Then there are those employees who create security breaches by accidentally clicking on something they shouldn’t.
According to David Carroll, CEO at XQ Cyber, “I think the link between insider / human threat and maintaining a well patched/configured network (inside and out) is often missed. Staff will behave badly (either intentionally or unwittingly) at some point so maintaining your network mitigates this threat by limiting the damage (e.g. when someone is phished). You’re 100% vulnerable to insider threats. I can guarantee that the insider threat will hurt you at some point. However, looking after your basic cyber hygiene, will limit the damage.”
What can you do?
Whilst being a CISO is often stressful and at times overwhelming, there is hope in the form of new technologies and the increased use of managed service providers (MSPs).
By allowing such services to take care of the day-to-day stuff such as patching, automation frees up a CISOs time to focus on the things that really matter. With automated security tools, a CISO can clearly demonstrate to a board what needs to be focused on and how well the organisation is performing.
Tools can help by:
- Giving an evidence-based Risk Score on demand
- Generating board-level reports outlining the organisation’s security posture, vulnerabilities and a Get-Well plan
- Automating the bulk work of pen testing and making it affordable and rapid
- Continuously tracking security posture, vulnerabilities, remediations and score
- Tracking cyber risks across supply chains and third parties without the need for consultants or questionnaires
- Dramatically reduce the cost and improve the quality of compliance penetration testing