CISO Corner: Gen Z Challenges, CISO Liability & Cathay Pacific Case Study

Dark Reading's roundup of strategic cyber-operations insights for chief information security officers.


Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

In this issue:

  • The CISO Role Undergoes a Major Evolution

  • Hook Younger Users With Cybersecurity Education Designed for Them

  • Airline Gets SASE to Modernize Operations

  • Recognizing Security as a Strategic Component of Business

  • Global: South African Railways Lost Over $1M in Phishing Scam

  • A Cyber Insurer's Perspective on How to Avoid Ransomware

The CISO Role Undergoes a Major Evolution

Commentary by Mark Bowling, CISO and Risk Officer, ExtraHop

Post-SolarWinds, it's no longer enough for chief information security officers to remain compliant and call it a day.

When CISOs are hired, they're often described as being responsible for implementing effective security, information security, and risk management frameworks at their organizations. But lately, some might say the CISO job description should include "Fall guy in the face of a cyber incident" in the wake of Securities and Exchange Commission (SEC) charges against the SolarWinds CISO.

A CISO is an essential decision-maker regarding every security matter at an organization. But now, even though SolarWinds is trying to get the SEC suit dismissed, there's a precedent around personal legal responsibility for breaches and attacks, and some say that's created a deterrent for the CISO role at public companies.

With this new responsibility top of mind, it's a good time to talk about what it takes to be a good CISO — and where the job goes beyond the description. For instance, ensure you have a strong team around you. Assume that accountability rules could change at any time. And know that being "on" all the time is part of the role.

Get more insights on this: The CISO Role Undergoes a Major Evolution

Related: Soft Skills Every CISO Needs to Inspire Better Boardroom Relationships

Hook Younger Users With Cybersecurity Education Designed for Them

By Tatiana Walk-Morris, Dark Reading Contributing Writer

Security should not be treated as one-size-fits-all, and that is doubly true when it comes to security awareness education. Training should be customized by age, learning styles, and preferred media if it is to be effective.

According to a Yubico and OnePoll survey of 2,000 US and UK consumers released in October, about 20% of Baby Boomers reuse their passwords across online services — but surprisingly, nearly half (47%) of millennials do, making them more vulnerable to cyberattacks.

The takeaway for businesses? Millennial and Gen Z Internet users might more frequently engage in poor cybersecurity practices and risky behavior — such as reusing passwords, not enabling multifactor authentication, and not securing their payments information — but it's not that younger Internet users haven't been taught online safety.

Rather, the training didn't resonate the way it should have. Different age demographics think about Internet safety in different ways, and this affects how organizations should approach user cyber-awareness training.

Here's how organizations can tailor their cybersecurity education programs to fit audiences across demographics, run training sessions more frequently, and promote awareness throughout the year to ensure security messages aren't being forgotten or ignored.

Read more: Hook Younger Users with Cybersecurity Education Designed for Them

Related: Why Gen Z Is the New Force Reshaping OT Security

Airline Gets SASE to Modernize Operations

By Karen D. Schwartz, Dark Reading Contributing Writer

Cathay, a travel lifestyle brand that includes the Cathay Pacific airline, had a growing cybersecurity problem made worse by its aging technology infrastructure. It solved part of the problem by replacing legacy technology with modern technology that has security built in.

Modern aviation is a mix of legacy and new technology, which creates a complex environment that is difficult to secure. Aviation systems rely heavily on machine learning and artificial intelligence, augmented reality, cloud technology, and the Internet of Things, all of which expand the attack surface.

Cathay Pacific, which has experienced a large data breach in recent years, has decided to replace its infrastructure with one that has cybersecurity built in: When fully operational, Cathay Pacific will be one of the first airlines to embrace secure access service edge (SASE).

It's the beginning of a trend. In November, Qatar Airways announced that it will add SASE to its technology stack, and United Airlines and Qantas have also indicated that they are moving in the direction of SASE.

Read more on Cathay's case study: Airline Gets SASE to Modernize Operations

Related: TSA Issues Urgent Directive to Make Aviation More Cyber Resilient

Recognizing Security As a Strategic Component of Business

Commentary by Michael Armer, CISO, RingCentral

In today's environments, security can be a revenue enabler, not just a cost center. Organizations should take advantage of the opportunities.

Many organizations still often view security as a necessary expense and a cost center, but in reality, security teams are a strategic component that can provide services that are truly enabling for the business.

A new security service that enables customer self-service, for example, doesn't directly generate revenue, because there's no charge to the customer. But it does improve the customer experience, adding value for customers and enabling sales.

And, artificial intelligence (AI)-powered security stacks are helping security teams generate new revenue streams by bolstering customer trust, enhancing business continuity, and providing competitive differentiation.

There are other ways that IT and security can be more integral to operations, such as in crisis management. A lot of companies have business continuity and disaster recovery plans, but they lack a crisis management plan. Security may not own this area of focus, but it is a key stakeholder.

Discover more on security as a strategic asset: Recognizing Security as a Strategic Component of Business

Related: Security Is a Revenue Booster, Not a Cost Center

Global: South African Railways Lost Over $1M in Phishing Scam

By John Leyden, Dark Reading Contributing Writer

Just over half of the stolen funds have been recovered, as researchers determine that "ghost accounts" are to blame.

South Africa's railway agency lost some 30.6 million rand (US $1.6 million) after the transport network fell victim to a phishing scam.

Researchers believe that, based on the railway's report, the attack may be the work of an employee who created ghost accounts of employees to embezzle the money — illustrating that insider threats still pose a significant risk to organizations, affecting the integrity, confidentiality, and availability of their data, personnel, and facilities.

Digital banking fraud in the region is increasing, with cases up 30% compared with 2022, according to the South African Banking Risk Information Centre (SABRIC).

Mind the (security) gap: South African Railways Lost Over $1M in Phishing Scam

Related: Rail Cybersecurity Is a Complex Environment

A Cyber Insurer's Perspective on How to Avoid Ransomware

By Tiago Henriques, Vice President of Research, Coalition

Insurance companies have a unique view of the ravages of ransomware, which lets us formulate lessons in how to avoid becoming a victim.

Coalition's Cyber Claims Report has found that due to big spikes in activity, ransomware was the largest driver of the overall increase in cyber-insurance claims frequency in the first half of 2023, accounting for 19% of all reported claims.

Ransomware claims severity also reached a record high, with an average loss of more than $365,000. This spike represents a 117% increase within one year. The average ransom demand in the first half was $1.62 million, a 74% increase over the past year.

Claims frequency increased for all revenue bands, but businesses with more than $100 million in revenue saw the largest increase at 20%. Businesses with more than $100 million in revenue were also hit the hardest, experiencing a 72% increase in claims severity.

Fortunately, there are crucial steps that businesses can take to minimize their exposure and prevent the financial impact of an attack.

Find out what to do: A Cyber Insurer's Perspective on How to Avoid Ransomware

Related: Johnson Controls Ransomware Cleanup Costs Top $27M & Counting

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.
