On average, organizations have 20 to 200 vendors in their tech ecosystems. As the supply chain expands and the ecosystem evolves, bad actors find a way to adapt, resulting in the never-ending challenge of securing an organization’s tech ecosystem.
Because all organizations have different tech stacks and business requirements, a one-size-fits-all security solution doesn’t exist, but embracing, rather than fighting, change can give teams a defensive edge. While it can be daunting to phase out traditional approaches for mitigating risk, organizations that learn to adapt will be more successful in approaching new cyber challenges and defending themselves against threats.
Understanding the top challenges today’s security teams face in the modern threat landscape and how they can evolve helps create solid security strategies and implement meaningful tactics to have greater visibility into the risk of these ecosystems.
Tackling the tech ecosystem: fast-moving bad actors cause burnout
Bad actors are always seeking new and innovative attack methods to throw off security teams and break into tech ecosystems without detection. The reality is that numerous active threats move quickly through digital ecosystems every day, so they’re difficult to monitor, especially if they haven’t been seen before. Case in point: the Cybersecurity and Infrastructure Security Agency (CISA) published 557 new CVEs in 2022 alone.
Today, bad actors most commonly execute successful breaches through social engineering, zero-day exploits and targeted phishing campaigns. Monitoring the entire threat landscape for emerging threats is taxing on teams and can often feel like a fruitless endeavor.
The relentless search for threats is a real challenge; it can be a huge time investment because threats don’t sleep. Ultimately, the need for a constant watchful eye can cause burnout among team members, leaving them disengaged and unproductive.
The supply chain is expanding, but security teams remain the same size
Organizations depend on third-party vendors, partners and tools to keep business in motion. While supply chains have grown exponentially in the past few years and have introduced a significant onslaught of risk, security teams have stayed the same size or even scaled down. In fact, last year, 86% of companies experienced a shortfall of skilled IT security staff due to issues with finding and hiring qualified talent.
This shrinkage stresses the workload for security teams, especially since too many rely on manual processes. These outdated practices, such as email questionnaires to evaluate the security protocols of vendors, present a big challenge to security teams as their time is already stretched thin.
The goal is to ensure that the risk measures in place meet the organization’s standards, but the lack of departmental resources can make this a difficult and time-consuming task rather than a helpful one.
The unpredictable cost of human error
Cloud environments are transient by nature; they can be spun up and broken down instantly. While beneficial for productivity, cloud work cycles have accelerated so quickly that security measures are unfortunately often left by the wayside. Even simple misconfigurations can expose sensitive data or resources to unauthorized users, resulting in devastating effects.
Unfortunately, a strong grasp of cybersecurity and third-party risk management doesn’t prevent individuals from making unintentional mistakes, which can be costly. Furthermore, if colleagues on non-security teams are not educated on best security practices, they become a liability when employees should, in fact, be an organization’s first line of defense.
Tips for adapting to the modern threat landscape
While each challenge has tactical solutions that can vary by team and organization, a few key recommendations can help from a holistic security perspective. Adding resilient processes to a cyber strategy, such as those that emphasize agility and flexibility, makes it easier to prevent financial fallout, streamline operations and keep a company secure in the face of evolving security challenges.
Organizations should take three critical steps to add resilience to their cyber strategy and successfully secure their shifting tech ecosystems.
Monitor cyber risk in real time
Unlike threat intelligence, cyber risk intelligence considers an organization’s unique goals and needs, including the risks it’s willing to tolerate and the risks it must avoid.
When security teams are equipped with real-time cyber risk intelligence, they can devote resources to monitoring and mitigating the risks that matter most to them and deprioritize those that don’t. This enables security teams to customize their security measures for success, gain contextualized insights that motivate better security decisions and monitor critical vendors.
To avoid getting drowned out by irrelevant data, security teams should identify the vendors critical to their main business functions and focus on gaining intelligence on them.
Perform a partner and vendor audit
One of the first steps organizations can take in identifying critical relationships is to perform an audit of all tools, partners and vendors. Questions should include:
- Who are you working with?
- Do they access your network?
- What data can they access?
- How significant would the impact be on business if this vendor was breached?
This audit should assess the potential concentration and cascading risks posed by different vendors. From there, security teams can focus their resources on the prioritized vendors that pose the biggest risk to their business and spend less time on vendors that present a lesser one.
There’s strength in numbers: don’t do it alone
Security teams don’t have to shoulder undue burdens in a volatile tech ecosystem. Introducing the right solutions can enable security professionals to maintain the safety of environments and the security of supply chains as they scale. Adapting to the dynamism of tech ecosystems often involves working smarter, not harder.
One way to work smarter is to find solutions that empower security strategy to be more resilient. These solutions should enable security teams to adapt to evolutions in the modern threat landscape, rather than rigidly fighting against them.
Though a dynamic tech landscape challenges security teams in many ways, there are plenty of methods for addressing and overcoming these obstacles. By shifting security strategies to be agile in the face of constant change, teams can outsmart malicious actors and proactively stay ahead of emerging threats.
Bob Maley is CISO of Black Kite. Bob has been involved in security for most of his career, initially in physical security as a law enforcement officer. In those years, Bob acquired a broad range of expertise and experience in all areas of security, including third-party security, risk assessment, architecture, design, policy development, deployment, incident response and investigation and enterprise solution deployments in areas including intrusion detection, data protection, compliance, and incident reporting and response.
Most recently, he was the Head of PayPal’s Global Third-Party Security & Inspections team, developing the program from the ground up into a state-of-the-art risk management program. In a previous role as Chief Information Security Officer for the Commonwealth of Pennsylvania, he led the Pennsylvania Information Security Architecture program to win the 2007 award for outstanding achievement in information technology by the National Association of State Chief Information Officers (NASCIO).