Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Cybersecurity Snapshot: CISOs Are Happier, but Dev Teams Still Lack Secure Coding Skills

CISOs Are Happier but Dev Teams Still Lack Secure Coding Skills

Learn all about the spike in CISO job satisfaction. Plus, NIST mulls major makeover of its Cybersecurity Framework. Also, the struggle to develop secure apps is real. Then check out how Uncle Sam plans to use AI and ML to boost cybersecurity. And much more!

Dive into six things that are top of mind for the week ending Jan. 20.

1 - CISO job satisfaction hits 3-year high

Don’t count CISOs among those who can’t get no satisfaction.

A survey of 520 CISOs found that job satisfaction grew in 2022, with 74% of respondents feeling “somewhat” or “very” satisfied, up from 69% in 2021 and from 45% in 2020.

The “2022 State of the CISO Report” from IANS Research and Artico Search also found that, despite the boost in job satisfaction, 44% are mulling changing jobs “in the near future.”

CISO job satisfaction hits 3-year high

(Source: “2022 State of the CISO Report” from IANS Research and Artico Search, January 2023)

So what are the pillars of CISO job satisfaction? 

  • Compensation
  • Security budget
  • Career development
  • Executive visibility
  • Organizational support

Among these 5 elements, the ones with the lowest satisfaction scores were the ones most closely linked to money: budget and compensation.

“There is still a cohort of CISOs whose businesses haven’t fully woken up to the criticality of security and, consequently, aren’t yet caught up to market-level compensation and budgetary levels, leaving their CISOs less satisfied,” Artico Search Founder Steve Martano said in a blog.

For more information about how to retain CISOs and other top cybersecurity pros:

2 - Insecure software continues flowing out of many dev pipelines

The continuous release of unsafe software riddled with vulnerabilities, misconfigurations and other security flaws is a critical problem, caused in large part by widespread ignorance among developers about secure coding.

This week we got another reminder about this issue from research firm Enterprise Management Associates (EMA), which just released a report titled "Secure Coding Practices - Growing Success or Zero-Day Epidemic?"

After surveying 129 software developers, EMA found that a majority are struggling to develop secure software, and are thus consistently rolling out unsafe applications that offer plenty of low-hanging fruit for attackers.

Insecure software continues flowing out of many dev pipelines
 

Here are key findings from the report:

  • Over half of surveyed organizations haven’t fully integrated security into their software development lifecycle (SDLC).
  • Almost 70% of organizations' SDLCs are missing critical security processes.
  • Only 25% are adopting a “shift-left” strategy to embed security earlier into the development process.

A key recommendation from the report: Organizations should provide security training for their developers, most of whom receive little to no instruction on secure coding while in school.

For more information about secure software development:

VIDEOS

Secure Software Development Framework: An Industry and Public Sector Approach (RSA Conference)

New Guidelines for Enhancing Software Supply Chain Security Under EO 14028 (RSA Conference)

3 - CISA updates MITRE ATT&CK framework mapping

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revised its “Best Practices for MITRE ATT&CK Mapping” guide, adding information about new platforms, expanding coverage of Linux and macOS, and redefining data sources and detections.

The guide, first published in mid-2021, now also establishes more parity between the matrices for industrial control systems, mobile and enterprise, and addresses analytical biases and mapping mistakes.

CISA updates MITRE ATT&CK framework mapping

So whether you’ve been using it already or haven’t gotten around to checking it out, now’s a good time to take a look at CISA’s “Best Practices for MITRE ATT&CK Mapping.” The guide aims to help security analysts map adversary behavior to the framework, which is a knowledge base of attacker tactics and techniques.

Through “clear guidance and examples,” the guide shows network defenders how to use the MITRE ATT&CK framework in “both analysis of raw data and finished reporting more fully,” CISA said in a blog post announcing the guide in June 2021.

For more information:

VIDEOS

MITRE ATT&CK Framework (MITRE)

What is Threat-Informed Defense? (MITRE)

MITRE ATT&CK: Benefits and Challenges (TechTarget)

4 - Business and cyber leaders still struggle to communicate

What we've got here is failure to communicate.

According to the World Economic Forum’s “Global Cybersecurity Outlook 2023” report, security leaders must do a better job explaining to their business peers the cyberthreats faced by their organizations, because unclear communications hampers efforts to reduce cyber risk.

While business executives are more aware now than a year ago of the importance of addressing cyberthreats, cybersecurity leaders “still struggle” to articulate the impact of cyber risks using “language that their business counterparts fully understand and can act upon,” the report reads. 

Business and cyber leaders still struggle to communicate

Specifically, cybersecurity leaders use language that’s too technical and jargony, and dispense too much data and not enough strategic insights, according to the report.

Recommendations for further bridging this communications gap include:

  • Adopt a “common language” that represents cybersecurity data using metrics that can be understood by and matter to business leaders, board members and other non-technical parties.
  • Implement organizational changes to “embed” discussions about cyber risks across the business and make these conversations more fluid and effective.
  • Make business leaders accountable for establishing operational cyber requirements and priorities that strengthen their organizations’ cybersecurity.

Other findings from the report, based on a survey of 151 global business and cyber leaders:

  • 43% of respondents deem it likely that a cyberattack will materially affect their own organization within the next two years.
  • Respondents ranked business continuity (67%) and reputational damage (65%) as their top two cyber-risk concerns.
  • A large majority of cyber leaders (93%) and business leaders (86%) believe it’s either “moderately” or “very” likely that a “catastrophic” cyber incident will occur in the next two years due to global geopolitical instability.

How likely is it that geopolitical instability will lead to a far-reaching, catastrophic cyber event in the next two years?

CEOs and CISOs still struggle to communicate

(Source: World Economic Forum’s “Global Cybersecurity Outlook 2023” report, January 2023)

For more information, check out the full report, highlights, commentary, recommendations and press conference from the World Economic Forum, as well as coverage from Modern Diplomacy, ComputerWeekly, Help Net Security and Infosecurity Magazine.

5 - CISA and DHS to tackle new cyberthreats with AI and ML

The U.S. government plans to develop a next-generation cybersecurity platform designed to more quickly and effectively analyze and defuse evolving cyberattacks via the use of artificial intelligence (AI) and machine learning (ML).

The project, called the CISA Advanced Analytics Platform for Machine Learning (CAP-M), will be carried out by CISA and the U.S. Department of Homeland Security (DHS).

CISA and DHS to tackle new cyberthreats with AI and ML

A version of the project, then known as CyLab, was first unveiled in 2021. When completed, CAP-M is expected to allow CISA users to better prepare for and respond to threats by:

  • Analyzing cyber data using advanced techniques
  • Addressing use cases and carrying out experiments that are currently out of reach

The plan includes the creation of a multi-cloud sandbox environment where CISA users will train and work on experiments, as well as conduct research on data analysis methods and tools with AI and ML capabilities.

“Although threats and hazards continue to evolve, CAP-M will provide CISA with the capabilities to continually innovate to prepare for and respond to them,” reads a project description published this month.

Lessons from CAP-M will be shared with other government agencies, academia and the private sector.

For more information:

CyLab: Advanced Analytics Environments to Protect Critical Infrastructure (CISA)

6 - NIST mulling bigger changes to its cybersecurity framework

The National Institute of Standards and Technology (NIST), which is in the process of updating its NIST Cybersecurity Framework (CSF), published this week the “CSF 2.0 Concept Paper,” outlining areas where it might make major changes to the framework, based on input it has received.

If your organization, like so many others, uses the CSF to help anchor and inform your cybersecurity processes and strategy, you might want to give this paper a read and send NIST any thoughts, questions and suggestions you may have. You have until March 3rd to submit your feedback.

For more information, check out coverage from CSO Online and NextGov, as well as these NIST resources:

VIDEOS

Journey to the NIST Cybersecurity Framework (CSF) 2.0 | Workshop #1

Treasury Outreach Event on NIST Cybersecurity Framework 2.0

Related Articles

Are You Vulnerable to the Latest Exploits?

Enter your email to receive the latest cyber exposure alerts in your inbox.

tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable.io Vulnerability Management trial also includes Tenable Lumin, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now

Try Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web Application Scanning trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.cs Cloud Security.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable.io Container Security

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try Tenable Lumin

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable.io Vulnerability Management, Tenable.io Web Application Scanning and Tenable.cs Cloud Security.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable.cs

Enjoy full access to detect and fix cloud infrastructure misconfigurations and view runtime vulnerabilities. Sign up for your free trial now.

Your Tenable.cs Cloud Security trial also includes Tenable.io Vulnerability Management, Tenable Lumin and Tenable.io Web Application Scanning.

Contact a Sales Rep to Buy Tenable.cs

Contact a Sales Representative to learn more about Tenable.cs Cloud Security and see how easy it is to onboard your cloud accounts and get visibility into both cloud misconfigurations and vulnerabilities within minutes.

Try Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Promotional pricing extended until February 28th.
Buy a multi-year license and save more.

Add Support and Training