
3 priorities for CISOs navigating a complex threat landscape

CISOs face a myriad of challenges in the wake of an increasingly sophisticated threat landscape in which billions of new threat events occur each day.

May 25, 2022

Information security is no longer the sole domain of the IT department. Consequently, the role of the CISO is no longer a purely technical position where the only responsibility is to protect an organization’s information assets. Today’s CISOs must become champions of innovation by finding ways to deploy new technology in a way that does not increase risk. They must lead by example and foster an organization-wide culture of accountability and security by design.

Security leaders face two major challenges, which have largely become inseparable. In order to stay relevant, businesses must adopt accessible technology that facilitates better customer experiences. At the same time, increasingly disparate technology environments have led to a dramatic proliferation of cyberthreats. Attack surfaces are broader than ever, and the cloud-hosted platforms on which organizations increasingly rely can themselves become attack vectors for social engineering scammers.

Addressing these challenges requires a consolidated approach. CISOs cannot simply say no to new technology as they might once have done. To stay relevant, they need to focus on how to safely adopt new innovations, and that requires close attention to several key priorities.

Achieving digital sovereignty

Digital sovereignty is the concept that represents the power an individual, organization, or government has over their digital assets. This includes where data is stored and who ultimately has control over it.

With the world’s largest tech giants having control over the vast majority of the world’s data, the need for digital sovereignty is greater than ever. Almost all data exchanged in the western world is facilitated by companies headquartered in the US, which has pushed governments to introduce new laws regulating how and where data is collected, shared, and stored.

Take Microsoft Teams, for example. All data shared across or stored by the platform ultimately falls under the control of Microsoft and US federal jurisdiction. If Microsoft were to receive a subpoena demanding the release of data belonging to a private individual or company, then they could be legally compelled to comply, even if the data is physically stored outside the US.

To achieve full control over their data and meet the demands of local regulations, CISOs need to have the final say in who has access to their digital assets. This is why digital sovereignty is a top priority, especially in the EU.

Owning your encryption keys

Certain types of data, such as patient health information (PHI), must be stored within the same jurisdiction as the people it pertains to. Other types of data, such as financial records, must be communicated via official channels in order for regulators to have access to them. However, with most consumer-grade channels, security measures like encryption are handled remotely by the platform’s owner. This leaves companies unable to supervise their communications to the standards demanded by regulators.

Even where data localization might not be possible, digital sovereignty may still be achieved by creating and storing encryption keys locally. In other words, encryption is handled not by a third party like Microsoft or Slack for example, but by the owner of the data themselves. This ensures full ownership of encryption keys, thus helping security leaders achieve digital sovereignty and compliance with regulations. Owning your encryption keys must be a top priority when deploying any new communications or collaboration platform, whether internally or externally facing, for business purposes.
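The owner-held-key arrangement described above, as an added Go example that is not Worldr's code: the owner generates and keeps the AES-GCM key, the platform (modeled here as a plain blob store) receives only ciphertext, and so a copy obtained from the platform, a different key, or a tampered blob yields nothing. The names OwnerKey and Platform are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// OwnerKey wraps a 256-bit AES-GCM key generated and kept by the data owner; it
// is never handed to the platform. Constructed illustration, not Worldr's code.
type OwnerKey struct{ gcm cipher.AEAD }

func NewOwnerKey() (*OwnerKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &OwnerKey{gcm: gcm}, nil
}

// Seal encrypts a message and prepends the random nonce; only this blob ever reaches the platform.
func (k *OwnerKey) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, k.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return k.gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a Seal output. Any other key, or a tampered blob, fails GCM
// authentication, so a copy of the stored blob alone reveals nothing.
func (k *OwnerKey) Open(sealed []byte) ([]byte, error) {
	n := k.gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return k.gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Platform stands in for the third-party service: a key-less blob store, so a legal demand served on it yields only ciphertext.
type Platform map[string][]byte
```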

Mitigating third-party threats

An increasing number of data breaches specifically exploit third-party risks that lie somewhere along an organization’s supply chain. After all, it is usually much easier to find a point of entry in a poorly secured third-party system than it is to target the company’s so-called crown jewels directly. Third-party risk is the primary factor behind the rapid expansion of attack surfaces, as modern companies often work with dozens or even hundreds of technology vendors. A few years ago, hackers even managed to break into the high roller database of a Las Vegas casino via an internet-connected fish tank.

The only true, tried and tested way to effectively address third-party risk is to adopt the zero trust security model along with the principle of least privilege. Zero trust holds that all identities should be continuously verified through multiple authentication factors, while the principle of least privilege holds that no individual, device, or application should have access to data that they do not explicitly need to perform their role. More than ever, these two frameworks must be hard-baked into every process and application your organization uses.

Worldr’s secure messaging solutions help CISOs protect their communications by enforcing data localization, encryption key ownership, and digital sovereignty in the age of the cloud. Book your demo today to see how it works.
