The migration to cloud, either as a consequence or cause of digitalization, remains a significant aspect of the current business evolution journey. Cloud cybersecurity differs from on-prem cybersecurity, likely introducing new or modified stressors for CISOs.
A survey (PDF) by Salt Security, involving 300 international CISOs and CSOs, sought to explore the cybersecurity implications of digitalization. It’s noteworthy that nearly 90% of respondents voiced that digital transformation brings unanticipated risks.
The survey does not aim to encompass all security challenges but narrows its focus to those problems newly created or extended by digitalization. These challenges can be broadly grouped as functional, personal, directly cybersecurity-related, and general.
The most significant functional challenge lies in recruiting qualified personnel. The pre-existing skills gap gets magnified in the cloud. Conventional learning methods (which involve extensive time to research, write, publish, distribute, and learn from a new book) cannot keep pace with advancing technology. On the other hand, experience, the alternative to traditional learning, isn’t available for fresh technology.
“The introduction of new types of cybersecurity attacks by digital services necessitates new knowledge and skills, making the recruitment of qualified talent crucial,” the survey report points out. Ninety-one percent of those surveyed agreed that hiring skilled personnel is a significant challenge in business transformation.
The chief personal worries were “personal litigation arising from breaches (48%) and increased personal risk/liability (45%).” This is a growing concern for all CISOs, exacerbated further with digital transformation. The root issue, central to almost all challenges, is the escalating need for speed accompanying business transformation. The swifter you proceed, the higher the likelihood of errors.
In May 2023, Joe Sullivan, former Uber CSO, received a three-year probation sentence for concealing a 2016 data breach. CISOs have always understood that they could be made scapegoats for security failures in their organizations. However, there’s growing apprehension over legal liabilities beyond just company responsibility.
Michelle McLean, Salt Security’s VP of Marketing, proposes a possible link with one of the respondents’ primary cybersecurity worries: API security. “We have discussed Shadow IT for years. Now we have Shadow APIs,” she told SecurityWeek. “Services are being developed without necessarily following the best practices. So, I do believe that concerns over personal litigation are heightened in a world concentrating on digital initiatives as these services and products being developed involve sharing sensitive data.”
The top three cybersecurity challenges stemming from digitalization are supply chain (38%), APIs (37%), and cloud adoption (35%). “As the delivery mechanism for data sharing across digital services and applications, APIs are a key component of digital transformation,” the report states. “APIs also play a vital role in the first and third concerns of CISOs – supply chain/third-party vendors and cloud adoption.”
Regardless of how we perceive it, API security remains a significant cybersecurity concern. Partially, the issue again lies in the need for speed. Digitalization is a business decision, and businesses demand immediate results from the process. No developer intentionally creates insecure code, but the urgency to develop the code quickly means that mistakes or oversights are likely to occur.
McLean identifies an additional problem for the CISO. “Most of the time when we build a new app, we alter the attack surface, not the attacks themselves.” The arrival of Kubernetes didn’t alter the nature of the attacks, just the attack surface to be defended.
“A lot of what you would search for as a security gap in a cloud configuration container is deeply rooted in the structure of what you built,” she added. “APIs are different. It is in the operation of the APIs. It is in the adjustment of the calls and manipulation of the process. Can I exploit it this way and extract different information? You can’t test for that. You can’t look at the code and spot that gap. It’s all rooted in a business logic flaw – and that’s what makes API security so challenging.”
The main general challenges identified by the respondent CISOs include the rapid emergence of AI (94%), macro-economic uncertainty and the geopolitical climate (both at 92%). There isn’t much that can be done about the last two, but the CISO can use defensive AI to counter adversarial AI.
This is particularly crucial in defending APIs. “Attackers will utilize AI to find logic flaws in APIs long before there is an actual breach – so defenders need to recognize that reconnaissance phase. This can only be done with defensive AI. There’s no way for humans to keep up – there’s simply too much traffic to parse,” she continued. “So yes, AI will be used as a weapon. And yes, AI also needs to be used as a defense.”
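As an added illustration of the two points above (API flaws living in the manipulation of calls rather than in the code, and the need to spot the reconnaissance phase), the script below scans constructed API access-log lines for a single client walking many object IDs on one endpoint while being mostly refused. It is not from the article, Salt Security or any product; the log format, the 403/404 "denied" definition and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines: client, method, path, status (not real data).
SAMPLE_LOGS = """\
10.0.0.5 GET /api/v1/invoices/1001 200
10.0.0.5 GET /api/v1/invoices/1002 403
10.0.0.5 GET /api/v1/invoices/1003 403
10.0.0.5 GET /api/v1/invoices/1004 403
10.0.0.5 GET /api/v1/invoices/1005 200
10.0.0.5 GET /api/v1/invoices/1006 403
10.0.0.9 GET /api/v1/invoices/2001 200
10.0.0.9 GET /api/v1/invoices/2001 200
10.0.0.9 POST /api/v1/invoices/2001/pay 200
"""

LINE_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
ID_RE = re.compile(r"/(\d+)(?=/|$)")   # numeric path segments are treated as object IDs

def parse_line(line):
    """Return (client, method, template, ids, status), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    ids = tuple(ID_RE.findall(path))          # the concrete IDs in this request
    template = ID_RE.sub("/{id}", path)       # /invoices/1001 -> /invoices/{id}
    return m.group("src"), m.group("method"), template, ids, int(m.group("status"))

def find_enumeration(log_text, min_distinct_ids=4, min_denied_ratio=0.5):
    """Flag (client, method, endpoint template) where one client touches many distinct
    object IDs and is mostly refused: access-control probing, not normal use."""
    seen, denied, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec[3]:         # skip junk lines and ID-less endpoints
            continue
        client, method, template, ids, status = rec
        key = (client, method, template)
        seen[key].add(ids)
        total[key] += 1
        if status in (403, 404):              # assumption: these mean "refused"
            denied[key] += 1
    findings = []
    for key, ids in seen.items():
        ratio = denied[key] / total[key]
        if len(ids) >= min_distinct_ids and ratio >= min_denied_ratio:
            client, method, template = key
            findings.append({"client": client, "method": method, "template": template,
                             "distinct_ids": len(ids), "denied_ratio": round(ratio, 3)})
    return findings

if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOGS):
        print(finding)
```

On the sample data only 10.0.0.5 is flagged (six distinct invoice IDs, four of six requests refused); the second client repeatedly reads and pays one invoice it owns and is not.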
The report’s primary takeaway is that CISOs should not embark on a digitalization process assuming that it’s just business as usual. Digitalization presents new challenges, concerns, and threats. One of the biggest dangers is that business leaders might consider the project purely as a business initiative. As they already have a CISO, a security team, and a security budget, they may easily assume that security is already taken care of. Both business and security must acknowledge that this is unfamiliar territory and should not, in any sense, be deemed just ‘business as usual’.