Threat management is one of the main areas of expertise of cybersecurity, especially these days. Many businesses are working hard to protect their IT environments in an ever-changing and evolving digital world. Today, the situation is exponentially more complex with the availability of more SaaS tools and easy access by Artificial Intelligence (AI). Let’s look at three trends in threat protection that are radically changing how we approach our protection strategies.
-
Continuous Threat Exposure Management (CTEM) Programs
Every security professional learns early on that keeping software up to date to its latest version is a basic and paramount activity. This is the first path to eliminate vulnerabilities and reduce the attack surface. There is always a need for additional protection because software will have vulnerabilities unknown to the manufacturer and exploited by hackers, a zero-day attack. Thus, we conduct vulnerability scans and penetration testing to assess whether the environment is up-to-date and secure. But this approach is insufficient, as it only allows you to see the company’s security posture at a given time.
To address this situation, organizations need to adopt a continuous threat exposure management program (CTEM), which will implement processes to identify, measure, and reduce the company’s exposure to threats. These programs must use continuous monitoring along with threat intelligence and automated remediation tools, to provide a dynamic and complete view of the organization’s security posture. CTEM enables companies to prioritize and mitigate the most critical threats, reduce the attack surface, and improve their response to threats.
-
Identity Fabric Immunity
Another trend we see in the market is the adoption of identity fabric immunity, a new concept in identity and access management (IAM). Identity fabric immunity is based on the concept of zero trust, which assumes that no user, device, or network can be trusted by default, and requires continuous verification of their identity and context before granting access to resources. Identity fabric immunity, extends Zero Trust by using AI and machine learning (ML), therefore creating an environment with self-learning and self-healing capabilities, hence the name immunity, that automatically adapts to changing user behaviors, device states and environmental conditions.
Some benefits of Identity fabric immunity are:
– Enhanced user experience and productivity by providing seamless and secure access to resources across multiple devices and platforms.
– Reduced identity-related risks by detecting and preventing anomalous or malicious user activities, such as credential theft, account takeover, or insider threats.
– Simplified identity governance by automating identity lifecycle management, policy enforcement, and compliance reporting.
-
Human-Centric Security Design
The last trend we see is not related to technology itself. Human-centric security design, which could fall under an Organization Change Management practice together with Cybersecurity, is an approach that puts people at the center of security decisions and solutions.
Human-centric security design involves applying principles of user experience (UX), behavioral science, and gamification to security solutions, such as:
– Applying behavioral sciences and user-experience (UX) principles to design and implement controls that are easy to use, intuitive, and aligned with the employee’s goals and motivations.
– Creating engaging and interactive security awareness programs that use gamification, storytelling, and feedback to educate and influence employees to adopt secure behaviors.
– Involving employees in the co-creation of security policies and controls that reflect their needs, risk profile, preferences, and contexts.
– Reviewing past cybersecurity incidents to identify the major sources of cybersecurity-induced friction and determine where to ease the burden for employees or retire unnecessary controls.
Major benefits we see are:
– Increased user awareness, engagement, and trust in security solutions.
– Reduced user errors and negligence that may lead to security incidents.
Next steps for IT security leaders and executives
- Adopting a security-first mindset with executives
Since we know security is everyone’s responsibility and not only IT, but an effective security strategy must also start at the board and C-suite level. Security awareness program for executives must be put in place and executives must play an active role in security strategies across the whole organization. In today´s industry regulations, the board of directors, C-suite and security leaders are responsible for security breaches. Thus, it is critical these leaders work together to promote a security-first mindset at all levels of the organization.
- Driving threat management awareness across the company
When you learn Change Management frameworks like PROSCI, for example, you know that only making the technology available to users does not guarantee its use. The value is only realized when employees consume and adopt security technology solutions.
To adopt a security-first mindset, executives and IT leaders need to partner with their Organizational Change Management (OCM) Teams to build a permanent program based on Human-Centric Security Design to demonstrate the importance of threat management. The change in employees’ behavior is visible when they realize their leadership team is taking a proactive effort to drive security management for their employees and customers.
- Upskilling security knowledge
C-suite leaders should support and leverage upskilling opportunities to address skill gaps, increase employee productivity and retention so that employees are more aware of security trends and mitigation practices. When planning an upskilling strategy keep in mind to consider each employee skill gaps and their individual professional goals. Ensure training opportunities are available and easily accessible so that employees can set aside time to learn and retain new knowledge.
By João Labre, Modern Work & Security Director at Beyondsoft Brazil