Today’s security strategies are failing to make organisations more secure and CISOs are feeling the strain. Despite more people working in cyber security, more security tools available than ever, and more money being spent, cyber-attacks continue to increase in frequency and intensity.
Being responsible for the cyber security of an entire organisation with an ever-growing attack surface is a huge burden, but many CISOs don’t often feel that they have enough control over their domain.
Managing security for complex and ever-growing IT estates is a very challenging job. Traditional security strategies are usually built to defend the perimeters of the business, are typically tool-centric, reactive and focus on a set of defined actions. While this may have worked in the past, it no longer gives businesses the best chance of successfully defending themselves.
Yesterday’s approaches struggle to adapt and scale when the organisation changes, and are too slow to keep up with today’s agile, fast-moving threat actors, especially those empowered by artificial intelligence (AI) tools.
A modern security strategy needs to proactively focus on vulnerabilities, identity, cloud and data, be agile and flexible enough to meet constant changes. Importantly, it must also prioritise outcomes rather than tick off items in a checklist.
Furthermore, there’s often a chasm between what the CISO knows about the cyber threats and the potential impact to the business, and what the board of directors know. To make things trickier, they often speak different languages. Cyber risk is one of the major business risks that organisations need to manage and minimise – and the board of directors should be accountable for it.
It’s not a matter of if but when any organisation will experience a cyber-attack, so CISOs need to have the budget and the backing from the board in order to achieve their security objectives. But security isn’t about ticking off a list of tasks.
With over a decade’s experience of defending hundreds of private, public, and not-for-profit sector organisations from cyber-attacks, Quorum Cyber’s team has observed numerous ‘checkbox security’ traps that organisations of all sizes in all industries have fallen for. Here are ten to be on guard for which are now inadequate in today’s threat landscape:
- Buying too many security tools instead of solving problems: Investing in multiple ‘best of breed’ tools which aren’t connected to each other, and simply switching them on, doesn’t make an organisation more secure. A single-stack security system, however, gives CISOs a vastly superior chance of defending against fast, sophisticated cyber-attacks
- Over-reliance on compliance: Passing compliance checks on paper doesn’t guarantee security
- Using alert volume as a measure of success: The number of alerts and tickets closed each month doesn’t improve a business’s security posture over time
- Endpoint-centric thinking: Over-investing in endpoints, but underinvesting in cloud, identity, and threat mitigation is a major risk
- ‘Set and Forget’ security controls: Security controls need to be continuously configured, tuned, and optimised to be up to date and work effectively
- Collecting security data without purpose: Ingesting masses of telemetry for the sake of it is a costly, pointless exercise
- Reactive-only SOC operations: Continuous vulnerability management and threat hunting is a more effective way to minimise risk
- Ignoring business context: Aligning security to the impact of protecting the crown jewels is crucial
- Over-reliance on automation without oversight: Human oversight and critical thinking are essential when defending against skilful threat actors
- Assuming ‘covered’ means ‘secure’: Simply putting controls in place across the estate is not enough.
What CISOs can do today
Ten years ago, reacting to cyber security incidents might have worked well, but today, prevention really is better than a cure. Planning and preparation require time, knowledge, strategy, teamwork, and the budget to build resilience. But plans on paper are insufficient. Organisations need to practise their tabletop exercises, ideally under conditions as realistic as possible, to help the team prepare for the worst-case scenario.
Securing a trusted managed services partner equipped with incident response capabilities, one that can help the organisation prepare thoroughly in advance and be ready to assist on the worst day, is invaluable.
Although the cost of reacting to a cyber-attack, rather than preparing for one, can’t be quantified in advance, we’ve seen too many times that organisations often lose the trust and confidence of their customers, business partners, regulators and insurers, and even their employees in the aftermath. All this comes on top of the financial cost of containing the incident, eradicating the threat actor, and safely returning the enterprise to business as usual.
Our guide, Modern MDR, Made Clear, offers CISOs a way to pragmatically rethink their security strategy, backed by CISO-relevant frameworks. The paper provides ten questions that every CISO should ask to plan and build a modern cyber security strategy, and find the most appropriate partner to help safeguard its IT estate and data from harm.
Download the guide today to see how leading security teams are redefining their approach – and how CISOs can lead the evolution.
Modern MDR, Made Clear: 10 Questions Every CISO Should Ask
The cyber threat landscape has fundamentally changed. Attackers are faster, more automated, and increasingly exploiting identity and cloud complexity – leaving traditional detection and response approaches struggling to keep pace.
Modern MDR, Made Clear is a practical playbook designed to help CISOs build future-ready detection and response programmes – and ask the critical questions needed to select a partner that delivers measurable protection, prevention, and resilience.