Cybersecurity Snapshot: CISOs Say Breaches Are Down, but Staffing Remains Difficult

Find out what’s working well for CISOs – and what could be better. Plus, why you should pay attention to the FTC’s investigation into ChatGPT-maker OpenAI. Also, check out a primer for C-level execs on adopting generative AI. Plus, the free cloud security tools CISA recommends you use. And much more!

Dive into six things that are top of mind for the week ending July 21.

1 – What’s good and not-so-good in the CISO world

Wondering how things are going in the land where CISOs roam? Here’s the skinny: CISOs feel that their world is getting better, but there’s plenty of room for improvement. That’s according to the annual “Information Security Maturity Report” report from ClubCISO, a private forum of over 800 cybersecurity leaders.

Here are some encouraging trends:

• Material cyber incidents and breaches are down: 68% of CISOs stated no such incidents occurred in their organizations this past year, compared with 54% in 2022.

• Leadership support ranked as the top factor for improving security culture, as CISOs reported improved alignment between top management and security teams. 

• A large majority of CISOs – 80% – said their organization’s security culture has improved, which boosts cross-team collaboration on cyber issues.

Which of the following have been most effective at fostering a better security culture over the last 12 months within your organization?

^{(Source: “Information Security Maturity Report 2023” report from ClubCISO, June 2023)}

On the flip side, significant challenges include:

• Cyber budgets increased at about half of organizations surveyed, but the bumps were smaller than last year’s. Budgets stayed flat for 35% of respondents, and dropped for 13% of them. Factors driving up budgets include keeping pace with the evolving threat landscape, while economic pressures contributed to budget reductions.

• Insufficient staffing represents the biggest obstacle to CISOs’ goals, as organizations continue to struggle with a shortage of qualified candidates for cybersecurity jobs.

• Although security cultures have improved, they still get negatively impacted by factors such as too many competing priorities and insufficient security resources.

• While the security team is well-aligned with the executive, IT operations and risk teams, it’s not as well synced with the engineering, IoT, manufacturing and facilities teams.

Check out this chart for a detailed look at CISOs’ tech investment priorities.

Which of the following are your highest technology investment priorities?

^{(Source: “Information Security Maturity Report 2023” report from ClubCISO, June 2023)}

ClubCISO, which is backed by Australian tech services provider Telstra Purple, surveyed 182 global CISOs in March 2023. The report covers four main areas that impact organizations’ security posture: culture, technology, risk and people. 

To get all the details, download the full report.

For more information about the current state of the CISO world:

• “As Budgets Get Tighter, Cybersecurity Must Get Smarter” (Boston Consulting Group)
• “How CISOs can mitigate the risks of generative AI” (Tenable)
• “CISO stress levels are out of control” (SC Magazine)
• “Supply Chain and APIs Top Security Concerns, CISO Survey Shows” (Infosecurity Magazine)
• “CISO job satisfaction hits 3-year high” (Tenable)

2 – Why the FTC’s OpenAI investigation matters to you

As enterprises rush to adopt artificial intelligence to boost business, CISOs and fellow C-level honchos should track closely the new laws and regulations emerging globally to curb AI abuses and excesses.

Take for example the 20-page letter the U.S. Federal Trade Commission (FTC) fired off recently to OpenAI. In the letter, the FTC informs Open AI that it’s investigating whether the company, through its large language model (LLM) products such as ChatGPT, has engaged in “unfair or deceptive” privacy or data security practices or in practices that could harm consumers via, for example, reputational harm. Ouch.

The letter includes almost 50 questions, most of which have multiple sub-questions, and it also requests a variety of supporting documents. You can read the missive in full thanks to The Washington Post, which published it on its website last week.

Bottom line: The global legal and regulatory landscape that’ll rule the use of AI is now emerging. Businesses should track it with the same level of interest they’re showing when assessing the undeniable benefits and opportunities of tools like ChatGPT.

For more information about the FTC’s investigation, check out coverage from The Washington Post, which broke the story, The Conversation, The Verge, TechCrunch and CNBC, as well as these video reports:

OpenAI under FTC investigation (ABC News)

FTC investigating OpenAI over potential risks (Reuters)

3 – A C-suite guide for generative AI adoption

And speaking of whether, how or when a business should deploy AI tools, here’s an overview from McKinsey on generative AI adoption. Aimed at C-level executives, it touches on the promise and risk of tools like ChatGPT.

Titled “What every CEO should know about generative AI,” the 17-page article aims to help CEOs and their teams understand generative AI technology, assess its potential benefits and downsides, and establish a plan for moving forward.

“Companies will also have to assess whether they have the necessary technical expertise, technology and data architecture, operating model, and risk management processes that some of the more transformative implementations of generative AI will require,” the article reads.

The scope of potential risks from developing, deploying and using generative AI is broad, the authors say, and includes:

• Algorithmic bias that results in unfair treatment of users
• Intellectual property violations caused by illegal ingestion by the tool of materials that are copyrighted, trademarked, patented and the like
• Privacy violations, if personal and/or incorrect information about individuals is disclosed by the tool
• Security incidents, if attackers manipulate the tool to generate malicious outputs or use it to power cyberattacks

To get all the details, read the article. 

For more information about the challenges and opportunities of adopting generative AI tools, check out these Tenable blogs:

• “Cloud Security Alliance unpacks ChatGPT for security folks”
• “Building Your Own ChatGPT? Learn How To Avoid Security Risks of AI Models”
• “Employees: I want my ChatGPT”
• “How Enterprise Cyber Leaders Can Tame the ChatGPT Beast”
• “A ChatGPT Special Edition About What Matters Most to Cyber Pros”

4 – CISA: Use these free tools for cloud security

Looking to beef up your cloud security stack? The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has some ideas for you in its “Free Tools for Cloud Environments” factsheet, published this week. The document offers details about a handful of free, open source security tools for protecting data and assets in cloud or hybrid environments, including CISA’s Cybersecurity Evaluation Tool, SCuBAGear and Decider.

Aimed at network defenders and incident responders, the document also discusses cloud security methods and best practices. “These tools assist in hardening network environments/infrastructure, preventing malicious compromise, detecting malicious activity, mapping potential threat vectors, and identifying malicious activity post compromise,” the factsheet reads.

To get all the details, check out CISA’s announcement and the document itself.

For more information about cloud security, check out these Tenable resources:

• “The Role of Open Source in Cloud Security: A Case Study with Terrascan by Tenable” (blog)
• “Five Core Principles for Hybrid Cloud Security” (blog)
• “5 Must-Haves for Hybrid Cloud Security” (on-demand webinar)

VIDEOS

Prevent Cloud Misconfigurations by Securing Your Code

The Cloud Shared Responsibility Model

5 – NSA and CISA offer security guidance for 5G network slicing

As the rollouts of 5G networks continue globally, security can’t be overlooked, which is why the National Security Agency (NSA) and CISA published this week their second paper specifically on the topic of network slicing.

5G networks, which provide faster downloads and uploads, as well as lower latency and other benefits, can be divided into independent, virtual networks using the slicing architecture, which requires specific security safeguards.

The paper, aimed at 5G mobile service providers, hardware manufacturers, software developers, and system integrators, outlines slicing threat vectors, details industry best practices and explains risk management strategies.

“This document marks an initial stride in capturing the current, but evolving, landscape of network slicing,” Lauren Wyble, Technical Director for Network Infrastructure Security at the NSA, said in a statement.

The 48-page paper, titled “5G Network Slicing: Security Considerations for Design, Deployment, and Maintenance,” is aimed at 5G mobile service providers, hardware manufacturers, software developers and system integrators.

To get all the details, read the NSA announcement, the CISA alert and the full paper, as well as the first paper titled “Potential Threats to 5G Network Slicing.”

6 – White House releases implementation plan for cyber strategy

Several months after publishing its National Cybersecurity Strategy, the White House has now released an implementation roadmap for it, outlining more than 65 initiatives, some of which are already in progress.

The White House describes the implementation plan as “a living document” that’ll be updated annually, as new initiatives are added in response to evolving cyber threats and others are removed upon completion.

The National Cybersecurity Strategy was released in March, calling for system operators, software vendors and technology providers to shoulder more of the responsibility for cyberdefense.

The strategy establishes five cybersecurity pillars for the U.S. “digital ecosystem”:

• Defend critical infrastructure
• Disrupt and dismantle threat actors
• Shape market forces to drive security and resilience
• Invest in a resilient future
• Forge international partnerships

To get more details, read the National Cybersecurity Strategy and the National Cybersecurity Strategy Implementation Plan.