Recently published research, "The CISOs Report, Perspectives, Challenges and Plans for 2022 and Beyond", reveals that Chief Information Security Officers (CISOs) are grappling with a wide range of risks and challenges, especially those linked to the accelerating adoption of technologies such as cloud-based applications and Application Programming Interfaces (APIs).
The report is based on a survey of more than 400 CISOs working across a broad set of companies and industry sectors in the US, Canada and other select nations.
Recent shifts in the IT landscape have resulted from the dramatic escalation of remote work, cloud adoption, BYOD and changing development practices. The security impacts of those changes are reflected in where CISOs see the most need to strengthen their defenses.
CISOs rate their organization’s IT components most needing security improvement as:
APIs – 42%
Cloud applications (SaaS) – 41%
Cloud infrastructure (IaaS) – 38%
Industry use of API technology has exploded over the last few years, driven by the shift to the component-based microservices architecture used extensively in modern applications and by the growing adoption of cloud services. Web applications in general should not be overlooked either: they are proving particularly susceptible to a wide variety of client-side attacks (e.g., formjacking, Magecart).
Here is what industry experts had to say about the findings:
Michelle McLean, Vice President at Salt Security, a Palo Alto, Calif.-based provider of API security:
It should come as no surprise that APIs ranked as the #1 IT component most in need of security improvement, according to the recent report, The CISOs Report, Perspectives, Challenges and Plans for 2022 and Beyond. APIs have been built specifically to share highly sensitive data with customers, partners and employees, making them attractive targets for attackers, as we’ve seen with high-profile attacks against Experian, Facebook, Peloton and others. At the same time, traditional security solutions are often ineffective against detection and remediation because API attacks employ unique paths and slower reconnaissance activities, which can occur over days or weeks or even longer.
For truly secure APIs, CISOs need to consider the three pillars of API security: complete visibility into API traffic; continuous and dynamic analysis of APIs in runtime; and access to remediation insights to identify risks before they are exploited. To gain all of those insights, organizations need a breadth of context into all of their APIs and API behaviors, so that they can correlate activities across them and provide real-time analysis of all that data.
Adam Gavish, Co-Founder and CEO at DoControl, a New York City-based provider of automated SaaS security:
A key driver for both enabling and sustaining remote working environments can be attributed to the explosive growth of SaaS applications and SaaS data, which is accessible anywhere. However, with the flexibility that it brings, it also carries with it a near limitless ability to open the floodgates to the world. Controlling not only network access, but also access to sensitive company data at scale is so often overlooked, and should be a top priority.
Making the necessary changes to support employees in response to the pandemic was done almost overnight. A big security challenge that faces organizations in the short term is to tighten down the security of the many new solutions that were put in place to support these rapid changes. Most businesses were well underway in their journey to migrating to the cloud – in all areas of as-a-Service offerings. The tracks in the "journey to the cloud" were greased by the pandemic, so it's critical to assess and reassess these areas that were adjusted to support business continuity.
For the longer term, attackers have also understood that remote and hybrid environments are here to stay. So it's important to maintain a "think like an attacker" mindset, as there is an entirely new threat landscape that attackers are looking to exploit. We've seen this in ransomware attacks, where SaaS and web applications are now targeted as a means to gain direct access to a company's most critical data stores. As remote working environments evolve, so do the security risks. Finding the right combination of tools and technologies is paramount to mitigate both the short- and long-term risks.