
CISOs agree: The biggest area for improvement in 2024 was third-party risk

A lack of insight into the risks associated with vendors was one of the biggest security oversights of 2024, CISOs tell IT Brew.

Andrew Brookes/Getty Images


What are cybersecurity leaders focused on going into 2025? To find out, IT Brew asked a number of CISOs what they thought the biggest oversights and failures of 2024 were.

Their answers varied, but there was one point of overwhelming agreement: With an explosion in use of software-as-a-service (SaaS) apps and the related increase in the complexity of defending all possible entry points, external risk has gotten out of hand.

Third-party risk

Beyond high-profile incidents last year like the MOVEit breach or the wave of attacks hitting healthcare vendors like payment processor Change Healthcare, there’s ample data to back the assertion.

Vendor-driven claims became the “fastest-growing cause of loss” for cyber insurer Resilience as of August 2024. Research by SecurityScorecard in 2023 found at least 29% of breaches involved some kind of third-party breach, and the global attack surface is increasingly concentrated across a relatively minuscule number of vendors.

“Some people have played down the whole concept of effectively managing TPR [third-party risk], and they think of it as doing assessments of who your vendors are,” Patrick Joyce, resident CISO at security firm Proofpoint, told IT Brew. He added, however, that supply-chain risks extend beyond direct partners to subcontractors, suppliers, and parties connected to mergers, acquisitions, and divestiture.

Theo Zafirakos, former CISO of Fortra’s Terranova Security and current lead on its professional services team, told IT Brew he witnessed numerous business disruptions that originated at a supplier or service provider this year.

“Organizations have come to outsource a lot more than [they] did in the past, for speed of delivery,” Zafirakos said, which has led many to “underestimate the risks that these suppliers bring to their organization.”

Brian Jack, CISO and data protection officer at security training firm KnowBe4, said many vendors still treat basic safeguards like multi-factor authentication (MFA) as premium features—let alone more advanced methods.

“We’re still coming across vendors, even vendors in the security space, who are charging you for the basic standard stuff that you should be implementing,” like phishing-resistant MFA, Jack said. “It’s very rare to find a SaaS-based platform, outside of your main authentication platforms, that will accept a FIDO, a YubiKey or something like that as your MFA.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

What to do differently

Zafirakos told IT Brew many organizations are reactive to third-party risk. The only way to deal with it effectively, he warned, is to gauge risk before incorporating vendors in the first place.

“You have to have a proper risk assessment—having those requirements in the contracts, having clear SLAs [service level agreements] with third-party providers, identifying what are the recovery time objectives and recovery point objectives, setting clear expectations,” Zafirakos said. “But it doesn’t stop there.”

For example, Zafirakos added, many organizations currently don’t effectively account for third parties during testing and simulations, and he advised finding a long-term solution for monitoring and/or auditing them.

Merritt Baer, a cloud security consultant and CISO at security firm Reco AI, warned the proliferation of SaaS tools requires a renewed focus on staff security.

“Bad actors are gonna come in through the front door using valid credentials,” Baer said. 

“For everything you do, have a repeatable, defensible, testable practice,” she added. “The point is not to gamify your metrics.”

Get legal in the room

Randy Gross, the CISO of vendor-certifying trade association CompTIA, had one other takeaway from 2024—cybersecurity departments need to work hand-in-hand with legal departments. According to Gross, both sides often see each other as monoliths, contributing to incidents like compliance breaches and exposing companies to unnecessary liability risk.

“If legal doesn’t see cybersecurity as an ally, and cybersecurity/info security doesn’t see [legal] as allies, you actually end up losing some really good perspectives,” Gross told IT Brew. “How you respond to an incident is a dance, in a sense.”

Breaches often involve litigation and criminal components, Gross said, as well as requirements to preserve evidence. On the flip side, he added cybersecurity departments provide irreplaceable insight into where risk originates.

“It’s not just [legal] being involved,” Gross concluded. “It’s making sure that it’s quarterbacked correctly…It’s who’s ordering reports, who’s making sure something’s working with external firms, who’s working with forensics, and on and on.”
