Cybersecurity is one of the biggest concerns in business, with 48% of CEOs worried that their company might experience a devastating digital attack in the next year (PwC, 2022). This puts the spotlight on CISOs and cybersecurity leaders, who are under pressure to deliver information security management procedures that keep data safe.
In a changing cybersecurity landscape, that’s harder than it sounds. New threats and exploits emerge daily, while hackers keep attempting new strategies. Not only that, but corporate IT infrastructures are also evolving, and new technology always means new vulnerabilities.
Top 3 Information Security Management Challenges of 2022
CISOs and Infosec leaders have to maintain a fine balancing act. On the one hand, you must keep data safe and prevent attacks—but you also have to support growth and innovation, allowing your organization to flourish.
Balancing these competing requirements can lead to serious challenges. To get information security management right in 2022, you must:
1. Support diversified networks
The typical corporate data infrastructure has changed a lot in the past ten years, and that change has only accelerated during the Covid-19 pandemic.
Three of the biggest changes with implications for information security management are:
- Working from home: 58% of Americans now have the opportunity to work from home at least once per week (Dua, et al., 2022), and globally, 52% of employees work from home at least once per week (Simovic, 2022). Remote work may involve relying on an unsecured device, such as a personal laptop, or connecting via an unsecured network, such as home or public Wi-Fi.
- BYOD policies: 82% of companies in the U.S. have some form of a Bring Your Own Device (BYOD) policy, which allows users to access internal systems from a personal device (Schulze, 2022). BYOD policies can cover devices such as laptops, phones, and tablets. Such devices are typically dual-purpose (business and personal use).
- Third-party ID: Enterprise cloud services often allow users to sign in with a third-party ID, such as Apple ID or Google accounts. Organizations can choose whether to use managed accounts on these services or to allow employees to use their personal IDs.
These changes reflect our current reality, where most people have access to powerful personal electronics, including phones, laptops, and high-speed home internet connections. It’s convenient to allow people to use these devices, especially if they’re working remotely.
However, this means that corporate networks now have a vastly increased number of endpoints, each of which is vulnerable to attack. Managed devices can reduce the associated risk, but most people would prefer the option to use their own devices.
Ultimately, it’s a trade-off between security and ease of use. When organizations choose convenience, it makes information security management that much harder.
2. Safeguard cloud services
Cloud services are almost ubiquitous now, with 89% of enterprises employing a multi-cloud strategy (Flexera, 2022).
This indicates that many businesses trust cloud providers to provide secure services and ensure data availability and integrity. In a 2022 survey of information security management concerns, most CISOs did not list provider-side issues as a primary concern. (Cloud Security Alliance, 2022).
Instead, most IT leaders are worried about vulnerabilities such as:
- Credential management: Many organizations take a role-based security approach to ensure that individuals can only access data if they have a legitimate business need. The challenge is to keep credential management systems up to date so that everyone has the appropriate level of access.
- Configuration and integration: Information Security Management experts often have to deal with complicated tech stacks with multiple cloud platforms. Individual cloud service providers can help find the optimal security configuration, but things quickly get complex when cross-platform integrations are involved. This level of complexity increases the risk of something going wrong, possibly exposing data.
- Insider threats: Cloud services give users a lot of power, as they can easily access sensitive data from their personal devices. This raises the threat of malicious actions—such as when someone downloads customer data and saves it to another device—and threats arising from poor security practices, like when a user leaves their laptop unattended in a public place.
The information security management challenge here is not the fault of the cloud services themselves. Instead, it’s an issue of the security architecture on your side. This includes the kind of software and processes attached to your cloud services and the best practices you teach users.
3. Protect digital assets
For many organizations, data is now their most valuable asset. Data powers customer relationships, provides insights through analytics, and allows internal processes to run smoothly.
Unfortunately, if you have any valuable assets, someone will try to steal them. Businesses are learning to think about data as an asset that requires safeguarding in the same way you protect physical assets like stock and equipment.
The Dark Web is home to a thriving market for stolen digital assets (Ruffio, 2022), which can include:
- Financial data: Money is the main motivation for cybercrime, with 86% of hackers seeking a financial advantage (Verizon, 2020). This includes anything that can be used to steal money, such as credit card numbers, banking logins, and access to payment services.
- Login credentials: Hackers also want to access individual accounts, so usernames and passwords are highly sought-after. Even if the login details don’t lead to a valuable account, the hackers might gain access to personal data that will help them commit identity theft.
- Personal information: Any personal data can be highly valuable, whether it belongs to your customers or employees. Names, addresses, emails, phone numbers, dates of birth, and Social Security Numbers can all help to commit identity fraud or break into other secure accounts.
- Proprietary information: Hackers will also seek valuable proprietary data, which can include intellectual property, confidential documents, and product design. This kind of digital asset can often lead to espionage or blackmail.
Ransomware attacks often take these digital assets hostage, with criminals promising the data’s safe return when the victim pays a ransom.
However, many data breaches happen quietly. In some cases, hackers will identify a weakness and continue to harvest data until the organization identifies and repairs the breach. That’s why it’s so important to have the right approach to Information Security Management.
Get Ready for the Information Security Management Challenges Ahead
It’s hard to predict the future, but we know two things for sure: IT infrastructures will keep getting more complicated, and hackers will keep looking for vulnerabilities.
That’s why every organization needs an InfoSec leader ready for the challenges ahead. If you’re working towards the CISO role in your organization, you can take a step forward with the Certified Chief Information Security Officer (C|CISO) program from EC-Council. This certification builds on your existing knowledge of cybersecurity management and teaches you what you’ll need to know to succeed in executive leadership.
The C|CISO program was developed by seasoned CISOs to help you deliver the right cybersecurity management strategy for your company. Find out more about how CISO certification can help you on your journey to the C-Suite.
PwC. (2022, January 17). PwC’s 25th annual global ceo survey: reimagining the outcomes that matter. https://www.pwc.com/gx/en/ceo-agenda/ceosurvey/2022.html
Dua, A., Ellingrud, K., Kirschner, P., Kwok, A., Luby, R., Palter, R., & Pemberton, S. (2022). Americans are embracing flexible work and they want more of it. McKinsey & Co. https://www.mckinsey.com/industries/real-estate/our-insights/americans-are-embracing-flexible-work-and-they-want-more-of-it.
Flexera. (2022) State of the cloud report. https://info.flexera.com/CM-REPORT-State-of-the-Cloud
Cloud Security Alliance. (2022, June 6). Top threats to cloud computing. https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-pandemic-eleven/
Ruffio, P. (2022, July 7). Dark web price index 2022. Privacy Affairs. https://www.privacyaffairs.com/dark-web-price-index-2022/
Schulze, H. (2022). 2021 BYOD security report. Bitglass. https://pages.bitglass.com/rs/418-ZAL-815/images/CDFY21Q2BYOD2021.pdf
Simovic, D. (2022, February 4). The ultimate list of remote work statistics – 2022 edition. SmallBizGenius. https://www.smallbizgenius.net/by-the-numbers/remote-work-statistics/#:~:text=Globally%2C%2052%25%20of%20workers%20work%20from%20home%20at,
Verizon. (2020, May 19). Money still makes the cyber-crime world go round – Verizon business 2020 data breach investigations report is live. https://www.globenewswire.com/news-release/2020/05/19/2035340/0/en/Money-still-makes-the-cyber-crime-world-go-round-Verizon-Business-2020-Data-Breach-Investigations-Report-is-live.html