Top Threats and Mitigation Tactics for Managing Security in a Hybrid Cloud World

April 25, 2023

Have you heard the expression in the cybersecurity community that CISOs do not sleep well at night? In fact, we sleep like babies — waking up every few hours. CISOs have a lot to worry about: the latest incident; end of life technology in their environment; breaches in the news; insecure users and vendors; social engineering; budget and resources; and the latest vulnerability report. Everything from delayed projects to mergers and acquisitions can become a CISO's nightmare, and if we don’t care or have enough passion for our job to worry, we could be held legally accountable for negligence.


It's no wonder we joke about losing sleep at night. Let’s take a look at the top five threats that have been known to keep CISOs awake at night and the top mitigation strategies that can help you reclaim that much-needed shuteye.



What are the top five threats keeping most CISOs awake at night?

Poor CISO performance can be an end-game event for many businesses, which serves as an added challenge because many responsibilities of a CISO are dependent on the threat landscape and the security posture of others. As an example, consider these top five threats my peers and I are worried about:


  1. Did a vendor leak credentials or allow inappropriate access into our environment?

  2. What assets and resources are not following established on-premise policies and, more importantly, in the cloud for identity, privileged, vulnerability and patch management?

  3. Are employees adhering to security best practices and learning how to identify social engineering attacks?

  4. What shadow IT exists in the cloud and on-premise?

  5. Where are my sensitive data and assets, who has access to them and when?



What are the top five strategies that can help mitigate the risk of these threats?

Here are my personal recommendations for mitigating the threats that are simply out of your control (but you have strong influence over).


1. Enable a team approach
Despite what the industry might think, a CISO can rarely operate and be successful on their own. Security has its best strength in a team approach. Having team members that you can trust to make difficult decisions with confidence and composure when needed makes a CISO’s job much more manageable — especially when the team knows you have their back if something goes sideways.


2. Asset and data inventory
Remember cybersecurity 101, where you were taught to inventory everything — all assets, resources, geolocations, owners and data as best as you can and to do your best to keep it up to date. For data, ensure you do a data discovery and have a data map to outline the process and storage for all sensitive information. The worst surprise for a CISO is having an incident on an unidentified, unmanaged and undocumented asset. Incidents are going to happen. However, knowing they have happened on established asset inventory helps you manage the incident, control the situation and prevent it from happening again on similar resources.


3. Diversification of tools
For any risk mitigation, it’s good practice to avoid putting all your eggs in one basket. While it is a well-established business practice to consolidate vendors, it is not a good security best practice to rely on one technology to mitigate all the threats from an attack vector. Instead, rely on layering technologies to manage risk. For example, you would never use antivirus alone as your only endpoint security solution. You need a variety of tools to manage endpoint security threats, ranging from anti-virus, endpoint privilege management, application control, endpoint detection and response and more. If you can combine many of these use cases into a single vendor solution, then you have an effective mitigation strategy with potentially overlapping layers for protection. Also remember that a CISO doesn't only protect an organization through technology; the importance of training end-users on cybersecurity awareness is still your best line of defense. It is also another example of how you can distribute your security posture for maximum coverage.


4. Manage, monitor and report
The inability to gain visibility into an organization's security posture is among the primary concerns for a CISO. No matter what plans you put in place, if you cannot manage, monitor and report on the effectiveness or ineffectiveness of your strategy, your level of cyber resiliency puts the organization at risk. If there is no visibility, there is no refinement of plans. And if plans are not adequate and adapting, then an incident will occur.


5. Plan and test, test and plan
In cybersecurity, every day is a different game as you face off against the growing field of threat actors. Being adequately prepared for an incident doesn’t just mean having a plan; it also means testing standard operating procedures, practicing crisis management plans and revising and optimizing plans to be efficient when a security event occurs. It’s not if an attack happens, it’s when. If you’ve planed for that incident, tested your response, trained and practiced thoroughly, and documented your game plan, you should be able to sleep at night knowing you are prepared.



Conclusion: The most effective way to reclaim your night’s sleep

Being aware of the top five worries and planning for them by following these recommendations is the most effective way I’ve found to avoid losing sleep at night. I know what I can know, trust in my teams, have layers of defense, have visibility, and have planned and tested for all reasonable scenarios. Being reactionary as a CISO is what causes stress and sleeplessness. Planning and trusting will help you realize you prepared well for your position.

Morey J. Haber
Chief Security Officer | BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit