The pandemic has ushered in a new wave of cybersecurity attacks, adding to the complexity of the CSO’s role and elevating the security conversation to the boardroom. Achieving greater resilience in their organisations is top of mind for IT leaders as they review their cyber risk strategies.

At a recent IDG roundtable event with BitSight, CSOs and CIOs discussed how they are tackling the threats that are emerging as companies move to hybrid working environments. Also present was IDC Asia Pacific associate research director Cathy Huang, who provided insights into what organisations are dealing with across the region.

Since COVID-19 there has been a huge rise in ransomware and phishing attacks as cybercriminals target those now forced to work from home. According to various security lab reports, there have been over 1880 malicious domains using the words ‘corona’ or ‘covid’ in their names since the pandemic began.

“COVID-19 is expanding the attack surface, and the number one priority for the enterprise is security solutions to ensure remote working doesn’t compromise the organisation; this is followed by security management in the hybrid/multi-cloud environment,” Huang says.

The focus on security isn’t new: as Huang notes, in the past three years the General Data Protection Regulation (GDPR) in Europe has influenced regulation in Asia Pacific. What is changing is the level of investment and the corresponding interest from senior business leaders.

“IDC’s 2019 CEO survey showed that digital trust programs are the most important agenda item in the next five years. What the pandemic has done is fast-track these programs,” Huang says.

Understand the expanding attack surface

BitSight co-founder and CTO Stephen Boyer says the attack surface that CSOs are dealing with is expanding, due to the risks associated with working from home as well as third-party and supply chain risk.

“We’re finding that compared to ‘traditional’ corporate networks, work-from-home networks are 3.5 times more likely to have malware present, and 7.5 times more likely to have large numbers of malware families present,” he says.

Boyer says it’s important for CSOs to have visibility into the security approach of the organisation’s vendors and partners.

“Digital resiliency is achieved by continuous measurement and improvement; this is true not only for your own organisation but also your third-party ecosystem. We’ve seen organisations have a lot of success engaging and collaborating with third parties to improve their security,” he says.

Huang echoes this view, noting that digital resiliency is an enterprise’s ability to quickly adapt to future disruptions while maintaining continuous business operations and safeguarding its people, as well as its business customers and suppliers. She highlights three interlocking capabilities that enterprises need to focus on: resilient infrastructure and operations, resilient workforce, and resilient relationships.

CSOs and CIOs attending the roundtable noted that being honest and transparent about their own experiences with cybersecurity can help lead to better conversations with vendors and partners.

Justice Health and Forensic Mental Health Network CIO Fred Lusk says that in Australia the size of the market enables closer interaction on security at the network level. “With Telstra, Optus and TPG being the only wholesalers of data links in Australia that I am aware of, we are very much across the security controls and response capabilities of the providers,” he says.

“The ISPs as retailers rely fundamentally on the cyber security capabilities of the telcos. New South Wales Government works closely with the wholesalers, leveraging their capabilities and knowledge to mitigate some of the cyber security risks associated with home-based networks.”

Deploying a resilient and sustainable cyber risk strategy

Huang says an effective cyber risk strategy should focus on detection and mitigation as well as prevention. This involves continuous monitoring and undertaking regular cyber drills. Employees need to be constantly made aware of cybersecurity risks, and this can take the form of enterprise-wide awareness training and boardroom education on cyber risks.

Roundtable participants noted that good cybersecurity practice involves effective user education and an understanding that it is about creating a business culture that cares about cybersecurity. Lusk says that the information his organisation holds, the health records of prisoners, is highly sensitive. “I’m struck by how much the people in this organisation care about our clients, and that extends to taking cyber security extremely seriously,” he says.

In addition to creating a better cybersecurity culture, CSOs can also take advantage of security innovation, says Huang.

“Last but not least, from a technology perspective, CSOs can embrace innovative solutions. The financial services sector in particular has been an early adopter of many security innovations, such as DevSecOps, and AI and machine learning-driven security, which have boosted the maturity and efficacy of this vertical,” she says.

Communicating with senior management on cybersecurity

Huang says IT leaders such as CSOs and CIOs have always been key members of their business teams, “but the continuing onslaught of global disruptions, coupled with the rapid digitisation of business and markets, have cast their role in a new light, that of key business makers.”

Lusk is part of his organisation’s executive team, and he says this makes it easier to get across the importance of investing in cybersecurity to senior management. While others attending the roundtable noted an increase in interest in security from senior leaders, there could sometimes be a reluctance to match that with investment.

Boyer says CSOs and CIOs that effectively communicate their program and can justify their budgets — especially in the current economic climate — are the most likely to succeed. “Use your resources wisely; the era of the unending budget is over.”

Benchmarking your organisation’s cybersecurity investment and profile with industry peers can also be useful when communicating with non-technical business leaders. Roundtable participants noted that IT sector analysts can be valuable in presenting an independent view of the sector.

Building an effective digital trust program

IDC defines trust as the ability of two or more entities to achieve a level of confidence in their interactions that allows for transparency as well as the acceptance of uncertainty.

“Trust is an up-levelling of the security conversation to include attributes such as risk, compliance, privacy, social responsibility, and even business ethics. These elements transform the conversation from what ‘must’ a company do to prevent negative outcomes to what ‘should’ a company do,” Huang says.

In addition to trusted governance, which mitigates enterprise risk, and the trusted ecosystem, which manages collective risk, there is trust-enabled commerce. Huang says this third sphere of trust “empowers companies to drive revenue by delivering highly differentiated experiences.”

Boyer says BitSight’s customers globally are keenly aware that their cybersecurity reputation is critical. It isn’t only senior management and the board taking an interest — customers, investors and business partners are also taking note, and CSOs that communicate their program effectively are driving better business outcomes.

“Being able to represent your cybersecurity performance to internal and external stakeholders is critical to building trust within your organisation’s ecosystem,” Boyer says.