The cybersecurity landscape is dynamic and evolving, with new threats continuously emerging. Adversaries with sophisticated tools have kept the cybersecurity industry on the back foot for years, and companies know that to combat modern threats, staying informed about the latest risks, vulnerabilities and defensive strategies is key.

TechCentral and Trend Micro held a round-table discussion recently that brought industry experts together to unpack several critical domains in the cybersecurity spectrum.

This discussion, themed “Building cyber resilience to combat modern threats”, provided valuable insights into the current state of the threat landscape and delved into effective security strategies, and how to address evolving dynamics in the cybersecurity space.

Common pain points

Delegates outlined several key pain points, including the challenge of integrating cybersecurity best practices into various types of industries; how to get and keep executive buy in, as well as demonstrate value and the cybersecurity skills deficit.

The discussion also looked at the importance of risk management and how organisations’ risk appetite affected its security decisions. Attendees explored the factors that had caused shifts in risk appetite in recent years, as well as how cybersecurity risks have shifted, even in a post-Covid world. Although minor shifts were expected as technology changed, more human-based security initiatives are being favoured.

Quantifying risk

Attendees agreed that quantifying cybersecurity risk with meaningful metrics and using these to adjust security efforts effectively was needed. These metrics included gathering insight from other players in the same industry to give a fair evaluation of where they are in their cyber journey in comparison with other businesses.

The shift to quantitative measurement also allowed the discussion to centre around how to speak about value ROI in the case of tools and staffing. The real importance of security awareness and strategies for fostering it among employees also came up.

Elements discussed touched on the cybersecurity culture – the carrot and stick versus stick and stick approach. Can we ensure HR action to get people to complete security awareness?

The discussion addressed the significance of cybersecurity statistics and metrics, mulling over whether they are useful, or if they sometimes contribute to the smoke and mirrors of a secure risk environment.

One of the delegates spoke about the fact that in the eventuality of the “human firewall” not working, would the entire business and its operations stop with one click? From this the conversation shifted to zero-trust and defence in-depth frameworks and how to implement these for different companies and situations.

Future experts

Creating a security-first culture within such an organisation is no small feat especially in the light of “academic freedom and expression”. Experts discussed the challenges and strategies for bringing about cultural change and the role of leadership in this transformation. Can we get executive buy-in? How much time are we getting in front of the executive or board? What needs to change?

The shortage of cybersecurity skills inevitably emerged, and the discussion swung to how to start adding security awareness into current curricula. A massive gap was identified between the age and learning rate for technology vs the degrees and higher education certificates that are producing future cyber experts.

There was amazing insight from academic experts who spoke around how universities and institutions of higher education work with a different core operating strategy. How would you secure 300 000 endpoints when the users are mainly students? For these types of businesses their critical systems are the students and lecturers.

They debated whether it is better to train from high-school level, and how private and public sectors can work together to refine the current educational system to address the lack of skilled cybersecurity professionals.

AI in cybersecurity

Delegates also concluded that while AI is a hot topic and plays a significant role in cybersecurity, it is not a silver bullet. They explored the dangers of relying too heavily on AI and the importance of human expertise, which spun the talk back into how to control usage, instances where tools such as chat GPT can be used, and how to ensure security does not get in the way of technological advancements.

A few delegates spoke around the different number of AI tools that are making it harder to decipher what the true value of a cyber toolset can be, and how organisations can derive value from their cybersecurity investments. They stressed the need to align security with business goals.

The complexities of managing third-party risks also came up, and the experts discussed effective strategies for extending security practices to third-party vendors.

These discussions centred around what should be outlined as adequate response steps for them, what we should start asking for from a security culture and awareness in context.