
CISOs expand purview
In a sign of what may be a larger trend, a survey of 126 cybersecurity leaders in the retail and hospitality sector finds they are assuming more responsibility for a wider range of functions, including data management and loss prevention (71%) and business continuity and disaster recovery (50%).
Conducted by the non-profit Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), the survey also finds that 81% of respondents are responsible for application security, with 60% driving adoption of DevSecOps best practices to better secure software supply chains.
It’s probable similar shifts are occurring in other vertical industries. In fact, it’s already been established that cybersecurity spending is either increasing or, at the very least, remaining flat in 2023. Less clear is to what degree budgets are rising because cybersecurity teams are taking on additional responsibilities versus actually spending more on additional cybersecurity tools and platforms. Odds are, it’s a mix of both.
These two shifts have been a long time in coming. IT operations teams used to be largely responsible for everything involving backup and recovery. However, with the rise of ransomware, responsibility for protecting data has become a much higher priority. In fact, the RH-ISAC survey identifies ransomware and data loss prevention as the top two risks organizations face.
Meanwhile, application security (50%) now ranks fifth in terms of key initiatives for 2023, following vulnerability management (64%), security for cloud and on-premises IT environments (56%), ransomware planning (54%) and zero-trust architecture (52%), the survey finds.
Previously, application security did not get the attention it deserved, largely because cybersecurity teams and application developers each thought the other was mainly responsible for it. As a result, no one tended to focus on it as much as they should have. It wasn’t until there was a series of breaches, starting with the infamous SolarWinds breach in 2020, that attitudes began to change. Even then, it took the zero-day Log4Shell vulnerability and an executive order issued last September by the Biden administration requiring Federal agencies to lock down their software supply chains to get things rolling. Based on the RH-ISAC survey results, it appears enterprise IT organizations are paying similar heed.
Application security generally spans two distinct tasks. The first is a relatively straightforward effort involving the locking down of the runtime environment. Cybercriminals have no shortage of techniques they regularly employ to target these environments. The more difficult challenge is eliminating vulnerabilities in applications before they are deployed. Organizations large and small are revisiting application development processes that historically have, from a cybersecurity perspective, been deeply flawed. Developers with little to no cybersecurity expertise have for many years now been reusing software components they download from various repositories with little regard for how vulnerable that software might be. Not surprisingly, hardly a day goes by now without some new vulnerability in an application being discovered.
Cybersecurity teams are now filling that void by working closely with application development teams to implement best DevSecOps practices that span everything from tools that scan code for known vulnerabilities to authentication tools that make it much harder for cybercriminals to inject malware into application development environments. The easiest vulnerability to remediate is the one that never existed in the first place.
These transitions collectively bode well for the future of cybersecurity. The only real issue now is making sure they come to fruition sooner rather than later.
