For the past year, chief information security officers (the  CISO of a company) have had to add a global pandemic and a mass shift to remote working into their budgets.

Many businesses were forced into rapid digital transformation projects that created additional security headaches for CISOs. Chani Simms, MD of Meta Defence Labs and founder of SHe CISO Exec, is an advisory CISO to multiple companies. Her clients had to face “challenges” and “unexpected costs” when governments first introduced lockdowns.

“A lot of them had to get further budgets to make sure that their remote networks and devices were protected,” she said, speaking at a roundtable run by Finnish cybersecurity company F-Secure.

One client had invested in new desktops pre-Covid but soon found itself racking up the unexpected cost of having to buy laptops for its entire workforce as well. However, other clients working in software development “thrived” in the remote working environment because they were already set up to work in that way.

But Marc Ashworth, CISO at First Bank, said it “didn’t really affect the budget too much”, in large part because it had already embraced remote working. Most of the CISOs he has spoken with said they “had the capability but it was a case of ramping it up.”

“We’ve made some slight adjustments to the budget but they were things that we were going to do anyway so there was really not much of a difference,” he added.

A crucial part of a CISO’s role is making the business case for investing in cybersecurity to ensure organisations stay ahead of cybercriminals. A report by F-Secure, published last week, found that 69% of surveyed CISOs believe their adversaries have improved their attack capabilities in the past 12 to 18 months. Similarly, 72% CISOs said cybercriminals have moved at a faster pace than their own organisations.

Criminal hacking groups are able to buy off-the-shelf tools on underground marketplaces that make it easy to operate at a scale. This, combined with resource and intelligence sharing among cybercriminals, increasingly strain the often-limited resources at the disposal of CISOs.

The report, titled The CISO’s new dawn, is based on interviews with 28 senior information security officers across the US, UK and Europe. It found that CISOs are reporting a rise in “security debt” where vulnerabilities and weaknesses accumulate and compound over time.

Of the CISOs interviewed for the report, which included Simms and Ashworth, 56% reported a rise in the number of cyber incidents their organisation has defended itself against. Phishing, ransomware and business emails being compromised were cited as the top three threats.

Cybersecurity: Risk mitigation or critical business enabler?

For many organisations, cybersecurity is still considered an afterthought. One of the issues discussed at the roundtable was whether security should be considered solely as risk mitigation, or as a critical enabler for business strategy.

According to Ashworth, cybersecurity investment is about “building trust for the organisation” so customers know it is a safe place to do business.

Simms said when it comes to compliance and regulatory requirements that cybersecurity investment is an “enabler rather than just a cost” as it can help secure future business.

F-Secure CISO Erka Koivunen agreed, adding: “Compliance for me actually has been a great vehicle to drive home to the business, and down to the last member of the staff, the need for doing something that would give evidence of your good security posture.”

Koivunen has built his own security team to contrast compliance teams with “threat hunters and incident response people so that nobody gets too cocky and we remind ourselves that nothing is perfect”.

CISOs must determine the best way to allocate their security budget whether that’s on tools, personnel or employee training.

Amid the pandemic this should still be “about measuring the risk and the cost-benefit,” said Ashworth, to ensure the “best bang for your buck”.

He also advised re-evaluating security tools when subscriptions come up for renewal and not being afraid to drop tools that aren’t giving adequate benefits.

For Simms, choosing security products should be the “last stage” of the process for CISOs. Organisations should first ensure employees are properly trained first before assessing whether new tools are needed.

Cybercriminals have always targeted the human element in a company’s cybersecurity. Expensive firewalls can be made redundant because one employee enter their credentials into a fake website.

This human factor remains a high priority for CISOs, with 71% citing human fallibility as one of their most pressing security concerns.

“People are your biggest asset,” said Simms. “You should treat them like your firewall. If you don’t train people to do the right thing, then that’s where a lot of breaches happen.”

The pandemic has added another dynamic to this attack vector, according to Simms – mental health.

“As the lockdown continued, I noticed everyone was struggling. Mental health was another problem for CISOs,” she said. Simms believes CISOs should prioritise ensuring employees are in the right frame of mind to avoid making costly security mistakes.

“It’s as important as the technology side of things because if [employees] are not in the right mindset, they can go and click all sorts of things and do all sorts of wrong things.”

The good news is that the CISOs interviewed reported their organisations were able to successfully fend off more attacks, even as the number of cyber incidents remained steady.

“Despite pervasive ‘security debt’ and reporting a rising number of cyberattacks, CISOs say that the number of incidents, which includes a breach or unauthorised access to a system, they faced remained pretty much the same,” said Michael Greaves, security advisor for managed detection and response at F-Secure. “This could be because CISOs have made the right investments. However, it is the incidents that haven’t been discovered which worry us most.

“Because of the sophisticated nature of some of these attacks, organisations may not have the technology or people to identify they are in the middle of a compromise that, for example, may result in a ransomware deployment months down the road.”