The evolution of cyber-threats and the confluence of new systems and legacy systems are the most significant current challenges for security teams, according to a panel of CISOs speaking during a virtual event organized by HP Wolf Security.

Moderated by Ed Amoroso, chief executive officer of TAG Cyber LLC, the session began with a simple question to the CISOs: why are we still getting hacked? Deneen DeFiore, vice president and CISO at United Airlines, noted that in 2021 “there was so much evolution in the kinds of threats we saw.” This included attackers frequently finding new ways to breach organizations; for example, discovering new zero-day vulnerabilities. DeFiore added that the growing innovation of attackers means “it is becoming commonplace for organizations to have vulnerability responses and be concurrently running their operations.”

The increasingly professionalized approach taken by threat actors was highlighted by Kurt John, CISO at Siemens US. He said it is important to recognize that most attackers are motivated by financial gain and have adopted innovative practices to maximize their revenue opportunities. “They innovate and collaborate and share the spoils,” he explained. “These are really business-minded folks in it for money for the most part.” This factor is driving the evolution in attack techniques, making life harder for security teams.

John also highlighted the security challenges posed by the “intricacies” of IT and OT convergence. This has led to a “confluence of older and newer hardware and software.” To undertake modernization programs securely, he advised organizations to “have a joint IT/OT strategy so that decisions that are being made in those spaces are not being made in a vacuum, but they’re being woven together so they are better integrated.”

Joanna Burkey, Global CISO at HP Inc., described the impact of supply chain attacks, which have completely changed the traditional one-to-one attacker-victim dichotomy. Incidents like SolarWinds have shown this can be turned into “one-to-many.” Here, “the attacker got efficient and they realized we don’t need to go one-to-one all the time, we can find a commonality between 100s or even 1000s of victims – let’s compromise that commonality.” Therefore, all organizations have to consider how they may “unwittingly” be a part of this equation and avoid that.