CIO POV: Building resilience in a complex threat landscape

As a CIO, I often wish for a world where the threat landscape is less expansive and complicated than it is today. Unfortunately, the reality is quite different. This month, I find myself particularly focused on the idea that our digital business would come to a grinding halt without the technology ecosystem that supports it. However, this very ecosystem also presents significant risks.

This month, I’m thinking quite a bit about issues that pertain to the intricate web of potential vulnerabilities our collective digital ecosystem faces. The digital ecosystem brings several advantages, such as shifting the heavy lifting of the back-end infrastructure to a SaaS vendor, getting a best-in-class solution that you couldn’t develop yourself, and helping us focus on our mission-critical domains.

The same digital ecosystem also presents imminent downsides. The threats posed by your third-party providers are compounded by the risks their providers (your fourth parties) present. This creates an intricate, ever-expanding web of potential vulnerabilities. Each new technology brings additional layers of partners and added risks. Additionally, increasing cyber debt and persistent threats like ransomware are constant concerns.

New technologies: Uncovering the hidden risks and blind spots

As we navigate the complexities of our digital ecosystem, it becomes increasingly apparent that the innovations we embrace can also introduce new vulnerabilities. These are not just hypothetical risks; they are the tangible issues we’ve touched upon earlier, manifesting as third and fourth-party risks, cyber debt, and the persistent threat of ransomware.

In the spirit of addressing these challenges head-on, let’s further examine the specific areas that demand our vigilant focus:

1. Chain reaction risks in your digital system

If you’re already losing sleep over cybersecurity, you can be sure to lose even more over the risks your partner’s partners present. The deepening relationships with technology partners enable our digital businesses, but every new provider you integrate into your ecosystem exponentially increases your risk.

I’m confident that every third-party provider you onboard is vetted for risks. But do you apply the same scrutiny to your fourth parties (your third-party providers’ providers)? How many third- and fourth-party providers is your organization actively working with? Let me share some insights.

CyberArk’s 2024 Identity Security Threat Landscape Report indicates that 84% of organizations expect to employ three or more cloud service providers (CSPs), consistent with 85% last year. Moreover, our respondents anticipate an 89% increase in the number of software-as-a-service (SaaS) providers in the next 12 months, up from 67% in the 2023 report. Consider the footprint of your digital ecosystem. Your extended family of third-party providers includes service providers, integrators, hardware and infrastructure suppliers, business partners, distributors, resellers, and telecommunications providers. External to your organization, these entities are crucial for enabling your digital business.

Do you have visibility into all your third-party providers’ security practices? What about your fourth-party providers? Does your organization actively measure and mitigate the risks posed by your third- and fourth-party providers? It’s implied in these questions, but I’ll say it anyway: You should be doing all these things.

2. Cyber debt is real

You’ve probably heard of tech debt, which results from prioritizing speed to market over a robust and agile technology environment. In today’s landscape, tech debt is amplified by cyber debt. Consider the accumulated risks and vulnerabilities within your IT infrastructure due to neglected updates, lack of tools, or too many disparate tools, coupled with a shortage of skilled cybersecurity staff. It’s a recipe for disaster, and cybercriminals thrive on it.

The proof is in our survey findings. Breaches due to phishing and vishing attacks have impacted nine out of ten organizations. Nearly the same number of organizations were targeted by ransomware in 2024 (90%) as in 2023 (89%), with an increasing number reporting irretrievable data loss. With bad actors utilizing generative artificial intelligence (GenAI) to scale sophisticated attacks, we should anticipate that every organization will be breached in the coming years. This is a reality every CISO must brace for.

3. Ransomware is still a thing

Ransomware remains a significant threat, with no honor among thieves. Despite our hopes for a world free of ransomware, the truth is that old threats are enduring, and humans are the weakest link. Ransomware will continue to grow in volume and sophistication, especially with AI-enabled deepfakes. No amount of cybersecurity awareness training can completely prevent a user from clicking a malicious link or sharing a one-time password (OTP), compromising their identity and the organization’s data.

The damage caused by ransomware is severe. Our findings reveal that 75% of organizations impacted by ransomware paid the ransom but did not recover their data. However, protecting against ransomware doesn’t have to be as challenging as climbing Mount Everest. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers several no-cost resources to help you proactively protect your organization against ransomware. I highly recommend taking advantage of these resources

Building a resilient digital defense against emerging threats

Although a day in the life of a CISO may seem grim, it’s not all doom and gloom. My peers in the industry will agree that we successfully protect against threats frequently, but a single breach can leave a lasting mark. I advise everyone to thoroughly review their IT environments, scrutinizing gaps and prioritizing remediation. This process needs to be ongoing and methodical, performed at regular intervals.

While we must anticipate and mitigate the risks of new technologies like GenAI, we cannot ignore the persistent threats of traditional vulnerabilities. Simplistically, I recommend three actions:

  1. Audit and evaluate all legacy and new technologies across your environment. You must conduct an annual vendor assessment, which evaluates and prioritizes the critical vendors that might pose a high risk for your business. You can use specific tools for external security scoring and put specific liability phrases in the contracts. You should also ensure that access to your systems includes secure authentication and that the exposed data is only what is required.
  • Assess the risks these disparate tools pose versus the time and effort required to maintain them. I recommend a dedicated cadence for discussing cyber risk management and reviewing outcomes, including a toolset to reduce third-party risks.
  • Create a plan to consolidate your technology stack based on the right balance for your organization. Proceed slowly but surely. As a CIO, I can confidently say that the platformization movement is real. It’s not just a way to reduce overall costs but also a means to mitigate third-party risks. If you have a trusted vendor that you’re continuously reassessing from a cyber risk perspective, it will eventually get you to a more secure posture. Just don’t put all your eggs in one basket.

I am already implementing these strategies. Are you?

Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.