Check out invaluable cloud security insights and recommendations from the “Tenable Cloud Risk Report 2024.” Plus, a PwC study says increased collaboration between CISOs and fellow CxOs boosts cyber resilience. Meanwhile, a report finds the top cyber skills gaps are in cloud security and AI. And get the latest on SBOMs; CIS Benchmarks; and cyber pros’ stress triggers.
Dive into six things that are top of mind for the week ending Oct. 18.
Almost 40% of global organizations have cloud workloads that put them at the highest risk of attack — an alarmingly high percentage. That’s according to the new “Tenable Cloud Risk Report 2024,” which is based on an analysis of billions of cloud resources scanned through the Tenable Cloud Security platform.
Specifically, 38% of organizations have at least one cloud workload that suffers from the “toxic triad” of cloud risks: publicly exposed; critically vulnerable; and highly privileged. Those are the three major vectors that organizations must take into account in order to properly assess a cloud workload’s risk level and potential vulnerability impact.
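As an added illustration (example code written here, not taken from the Tenable report), the Python below tiers a constructed cloud workload inventory by how many of the three toxic-triad conditions each workload meets; the field names, the CVSS 9.0 threshold for "critically vulnerable" and the role list for "highly privileged" are assumptions.

```python
"""Toxic-triad triage over a constructed cloud workload inventory.

Added example, not code from the Tenable report. Flags workloads that are
simultaneously publicly exposed, critically vulnerable and highly privileged,
and tiers the rest by how many of the three conditions hold. The field names
and thresholds below are assumptions, not values from the report.
"""
from dataclasses import dataclass

# Assumed thresholds; adjust to your own scoring policy.
CRITICAL_CVSS = 9.0
HIGH_PRIV_ROLES = {"admin", "owner", "*"}

@dataclass
class Workload:
    name: str
    public_exposed: bool   # reachable from the internet (public IP or ingress rule)
    max_cvss: float        # highest CVSS base score among unpatched findings
    iam_role: str          # effective role attached to the workload identity

def triad_conditions(w: Workload) -> dict[str, bool]:
    """Evaluate the three toxic-triad conditions for one workload."""
    return {
        "publicly_exposed": w.public_exposed,
        "critically_vulnerable": w.max_cvss >= CRITICAL_CVSS,
        "highly_privileged": w.iam_role.lower() in HIGH_PRIV_ROLES,
    }

def triage(inventory: list[Workload]) -> dict[str, list[str]]:
    """Bucket workloads: 'toxic' when all three hold, otherwise by hit count."""
    buckets: dict[str, list[str]] = {"toxic": [], "two": [], "one": [], "none": []}
    for w in inventory:
        hits = sum(triad_conditions(w).values())
        key = {3: "toxic", 2: "two", 1: "one"}.get(hits, "none")
        buckets[key].append(w.name)
    return buckets

# Constructed sample inventory (not real assets).
SAMPLE = [
    Workload("web-frontend", True, 9.8, "admin"),        # all three: toxic
    Workload("batch-worker", False, 9.1, "admin"),       # two of three
    Workload("public-docs", True, 4.3, "readonly"),      # one of three
    Workload("internal-cache", False, 0.0, "readonly"),  # none
]

if __name__ == "__main__":
    for tier, names in triage(SAMPLE).items():
        print(f"{tier}: {names}")
```

Workloads in the "toxic" bucket are the ones the report's figure counts; the lower tiers are still worth tracking because removing any one condition takes a workload out of the triad.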
“Securing cloud workloads is about much more than scanning for vulnerabilities,” reads the report, whose telemetry data was collected during the first six months of 2024.
(Source: “Tenable Cloud Risk Report 2024,” October 2024)
Cloud workloads with the “toxic triad” represent “a perfect storm of exposure for cyberattackers to target,” according to a Tenable statement.
“When bad actors exploit these exposures, incidents commonly include application disruptions, full system takeovers, and DDoS attacks that are often associated with ransomware,” the statement reads.
Other key findings include:
The 28-page report also offers mitigation guidance aimed at helping organizations limit their cloud exposures.
To get more details, check out:
For global enterprises to boost their cyber resilience, CISOs and their C-suite peers need to collaborate more closely, and CISOs should be more looped into their organizations’ business strategy, according to PwC’s “2025 Global Digital Trust Insights” global survey, which polled about 4,000 business and tech executives.
“To safeguard their organisations, executives should treat cybersecurity as a standing item on the business agenda, embedding it into every strategic decision and demanding C-suite collaboration,” reads a report summary.
Among the barriers to cyber resilience identified in the report are:
“All of this points to the need for better C-suite collaboration and strategic investment to strengthen cyber resilience,” reads the report summary.
For their part, CISOs can contribute by providing “tech-enabled insights” and by explaining cybersecurity priorities using business metrics, such as costs, opportunities and risk.
For more information about CISO trends:
When it comes to hiring cybersecurity professionals, it’s particularly difficult to find qualified candidates skilled in securing cloud environments and in mitigating risks introduced by AI usage.
That’s one major finding in O’Reilly’s “2024 State of Security Survey,” which polled about 1,300 tech professionals, including 419 members of security teams, in August of this year.
As companies ramped up their cloud adoption, many downplayed the need to beef up their cloud security expertise. “That’s finally changed, and as a result, we’re seeing a serious shortage of experts in cloud security,” the report reads.
A similar thing has happened with AI, except more abruptly, after the release of OpenAI’s ChatGPT in late 2022. “Everyone, including the security community, was blindsided — both by the possibilities and by the risks,” the report reads.
“Our global survey underscores a security landscape in flux, with critical skills gaps emerging in AI and cloud security,” said Laura Baldwin, president of O’Reilly, in a statement.
Given this reality, organizations must amp up “continuous, high-quality training,” seeing it as essential, not optional. “Organizations must prioritize ongoing upskilling to stay ahead of evolving risks and build robust defenses,” Baldwin said.
Top security skills shortages (as cited by percentage of security team members)
(Source: O’Reilly’s “2024 State of Security Survey,” October 2024)
Other findings from the 36-page report include:
To get more details, read:
For more information about recruiting cybersecurity professionals:
Cybersecurity professionals are collectively getting older and feeling heightened pressure at work, as they grapple with an increase in the number and sophistication of cyberattacks, according to ISACA’s “State of Cybersecurity 2024” report, based on a survey of about 1,800 cybersecurity professionals.
Specifically, this is the first time in the report’s 10-year history that the largest share of respondents (34%) is between the ages of 45 and 54. The percentage of respondents under the age of 34 stayed the same as last year.
“The current cybersecurity practitioners are aging, and the efforts to increase staffing with younger professionals are making little progress. Left unchecked, this situation will create business continuity issues in the future,” the report reads.
Meanwhile, 66% of respondents said they’re more stressed out at work today than they were five years ago. They attributed the growing work aggravation to various factors, including:
Regarding attack frequency, 55% of surveyed organizations reported suffering more attacks than a year prior, a jump of 7 percentage points over last year’s report. The most common types of attacks were social engineering; malware; denial of service; and compromise of unpatched systems.
Year-over-Year Comparison of Cybersecurity Attack Reporting
(Source: ISACA’s “State of Cybersecurity 2024” report, October 2024)
When asked to list the security skills their organizations need the most, these ranked as the top five:
To get more details, check out:
For more information about helping cybersecurity pros manage work-related stress:
If you’re looking to learn more about software bills of materials (SBOMs), CISA has just updated a document that offers foundational guidance about these software inventories, such as what they are and how to implement them.
The document, titled “Framing Software Component Transparency,” was last updated in 2021. This new version revises and expands the topic of SBOM attributes, which are used to identify SBOM components.
In theory, SBOMs help boost your software supply chain security by listing all ingredients in a software product, such as an application. Their purpose is to provide granular visibility into all software components in your environment. Thus, an SBOM should help you locate all instances of a component with a newly disclosed flaw, such as a critical vulnerability — as happened with the Log4j utility in late 2021.
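The lookup described above, as an added example that is not part of the CISA document: a constructed SBOM in CycloneDX 1.4 layout is searched for every component matching a hypothetical advisory whose version falls inside the advisory's affected range. The SBOM contents and the advisory's version range are made up for the example.

```python
"""Locate affected components in a CycloneDX-style SBOM.

Added example, not part of the CISA document. A constructed SBOM (inline
JSON in CycloneDX 1.4 layout) is searched for every component that matches
a hypothetical advisory and whose version falls inside its affected range,
the Log4j-style lookup the text describes. SBOM and advisory are made up.
"""
import json

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-core", "version": "2.17.1"},
    {"type": "library", "group": "org.apache.logging.log4j",
     "name": "log4j-api", "version": "2.14.1"},
    {"type": "library", "group": "com.example",
     "name": "widget", "version": "1.0.0"}
  ]
}
"""

# Constructed advisory: affected versions are [introduced, fixed).
ADVISORY = {"group": "org.apache.logging.log4j", "name": "log4j-core",
            "introduced": "2.0.0", "fixed": "2.15.0"}

def parse_version(v: str) -> tuple:
    """'2.14.1' -> ((0,2),(0,14),(0,1)); a pre-release tag such as 'beta9'
    becomes (-1,'beta9') so it sorts below the plain release."""
    return tuple((0, int(p)) if p.isdigit() else (-1, p)
                 for p in v.replace("-", ".").split("."))

def affected_components(sbom_text: str, advisory: dict) -> list[str]:
    """Return 'group:name@version' for SBOM components in the affected range."""
    sbom = json.loads(sbom_text)
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    hits = []
    for c in sbom.get("components", []):
        if (c.get("group"), c.get("name")) != (advisory["group"], advisory["name"]):
            continue
        if lo <= parse_version(c["version"]) < hi:
            hits.append(f"{c['group']}:{c['name']}@{c['version']}")
    return hits

if __name__ == "__main__":
    print(affected_components(SBOM_JSON, ADVISORY))
```

Matching on group and name together, rather than name alone, is what keeps log4j-api out of the hit list; that is exactly why consistent component identifiers matter for the attribute work the guidance discusses.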
However, the software industry is still working through complex SBOM-related challenges in areas including standards, data comprehensiveness, and interoperability.
The new edition of “Framing Software Component Transparency” zeroes in on the challenge of “universally identifying and defining certain aspects of software components.”
Specifically, the CISA guidance states the need to:
“This document establishes a minimum expectation for creating a baseline SBOM that outlines the minimum amount of information required to support basic and essential features,” the guidance reads.
For more information about SBOMs:
VIDEOS
Building and Scaling SBOM Programs: Navigating the Challenges for Effective Risk Management (SANS)
An SBOM Primer (The Linux Foundation)
AWS Foundations. Google Kubernetes Engine. Microsoft Azure Foundations. Those are some of the CIS Benchmarks updated in September by the Center for Internet Security.
Specifically, these CIS Benchmarks were updated:
In addition, CIS added a new Benchmark for IBM AIX 7.
The CIS Benchmarks’ secure-configuration guidelines are intended to help you harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families. There are CIS Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.
To get more details, read the CIS blog “CIS Benchmarks October 2024 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:
Juan has been writing about IT since the mid-1990s, first as a reporter and editor, and now as a content marketer. He spent the bulk of his journalism career at International Data Group’s IDG News Service, a tech news wire service where he held various positions over the years, including Senior Editor and News Editor. His content marketing journey began at Qualys, with stops at Moogsoft and JFrog. As a content marketer, he's helped plan, write and edit the whole gamut of content assets, including blog posts, case studies, e-books, product briefs and white papers, while supporting a wide variety of teams, including product marketing, demand generation, corporate communications, and events.