Check out invaluable cloud security insights and recommendations from the “Tenable Cloud Risk Report 2024.” Plus, a PwC study says increased collaboration between CISOs and fellow CxOs boosts cyber resilience. Meanwhile, a report finds the top cyber skills gaps are in cloud security and AI. And get the latest on SBOMs; CIS Benchmarks; and cyber pros’ stress triggers.

Dive into six things that are top of mind for the week ending Oct. 18.

1 – Tenable: Riskiest cloud workloads present in 38% of orgs

Almost 40% of global organizations have cloud workloads that put them at the highest risk of attack — an alarmingly high percentage. That’s according to the new “Tenable Cloud Risk Report 2024,” which is based on an analysis of billions of cloud resources scanned through the Tenable Cloud Security platform. 

Specifically, 38% of organizations have at least one cloud workload that suffers from the “toxic triad” of cloud risks: publicly exposed; critically vulnerable; and highly privileged. Those are the three major vectors that organizations must take into account in order to properly assess a cloud workload’s risk level and potential vulnerability impact.

“Securing cloud workloads is about much more than scanning for vulnerabilities,” reads the report, whose telemetry data was collected during the first six months of 2024.

^{(Source: “Tenable Cloud Risk Report 2024,” October 2024)}

Cloud workloads with the “toxic triad” represent “a perfect storm of exposure for cyberattackers to target,” according to a Tenable statement.

“When bad actors exploit these exposures, incidents commonly include application disruptions, full system takeovers, and DDoS attacks that are often associated with ransomware,” the statement reads.

Other key findings include:

• 84% of organizations have risky access keys
• 23% of cloud identities have critical or high severity excessive permissions
• 80% of cloud workloads have an unremediated critical CVE
• 74% of organizations have publicly exposed cloud storage

The 28-page report also offers mitigation guidance aimed at helping organizations limit their cloud exposures.

To get more details, check out:

2 – PwC: C-suite disconnect hurting cyber resilience

For global enterprises to boost their cyber resilience, CISOs and their C-suite peers need to collaborate more closely, and CISOs should be more looped into their organizations’ business strategy.

That is a key takeaway from PwC’s “2025 Global Digital Trust Insights” survey, which polled about 4,000 business and tech executives from 77 countries between May and July of this year.

“To safeguard their organisations, executives should treat cybersecurity as a standing item on the business agenda, embedding it into every strategic decision and demanding C-suite collaboration,” reads a report summary.

Among the barriers to cyber resilience identified in the report are:

• Only 2% of respondents said their organization has adopted cyber resilience measures across all areas included in the survey.
• Organizations feel most vulnerable to the threats that worry them the most, including cloud risks, hack-and-leak attacks and third-party breaches.
• Less than 50% of respondents say their organizations’ CISOs are involved “to a large extent” with strategic planning, reporting to the board and overseeing tech deployments.
• Only 15% of surveyed organizations are able to comprehensively measure the financial impact of cyber risks.

“All of this points to the need for better C-suite collaboration and strategic investment to strengthen cyber resilience,” reads the report summary.

For their part, CISOs can contribute by providing “tech-enabled insights” and by explaining cybersecurity priorities using business metrics, such as costs, opportunities and risk.

For more information about CISO trends:

3 – Report: Biggest cyber skills gaps are in cloud sec, AI threats

When it comes to hiring cybersecurity professionals, it’s particularly difficult to find qualified candidates skilled in securing cloud environments and in mitigating risks introduced by AI usage.

That’s one major finding in O’Reilly’s “2024 State of Security Survey,” which polled about 1,300 tech professionals, including 419 members of security teams, in August of this year.

As companies ramped up their cloud adoption, many downplayed the need to beef up their cloud security expertise. “That’s finally changed, and as a result, we’re seeing a serious shortage of experts in cloud security,” the report reads.

A similar thing has happened with AI, except more abruptly, after the release of OpenAI’s ChatGPT in late 2022. “Everyone, including the security community, was blindsided — both by the possibilities and by the risks,” the report reads.

“Our global survey underscores a security landscape in flux, with critical skills gaps emerging in AI and cloud security,” said Laura Baldwin, president of O’Reilly, in a statement. 

Given this reality, organizations must amp up “continuous, high-quality training,” seeing it as essential, not optional. “Organizations must prioritize ongoing upskilling to stay ahead of evolving risks and build robust defenses,” Baldwin said.

Top security skills shortages (as cited by percentage of security team members)

^{(Source: O’Reilly’s “2024 State of Security Survey,” October 2024)}

Other findings from the 36-page report include:

• The top cybersecurity projects for the next year are the adoption of AI-enabled security tools, cited by 34%; and of security automation wares (28.8%).
• Phishing is respondents’ top security concern, cited by 55%, followed by network intrusion and ransomware.
• About 41% of security team members lack security certifications, although slightly they are an employment requirement in more than half of organizations surveyed.
• Security awareness training ranked as the most important factor for improving the security posture of an organization, topping increased staffing and better security tools.

To get more details, read:

For more information about recruiting cybersecurity professionals:

4 – ISACA: Cyber pros getting older, more stressed out

Cybersecurity professionals are collectively getting older and feeling heightened pressure at work, as they grapple with an increase in the number and sophistication of cyberattacks.

That’s according to ISACA’s “State of Cybersecurity 2024” report, based on a survey of about 1,800 cybersecurity professionals.

Specifically, this is the first time in the report’s 10-year history that the majority of respondents (34%) are between the ages of 45 and 54. The percentage of respondents under the age of 34 stayed the same as last year.

“The current cybersecurity practitioners are aging, and the efforts to increase staffing with younger professionals are making little progress. Left unchecked, this situation will create business continuity issues in the future,” the report reads.

Meanwhile, 66% of respondents said they’re more stressed out at work today than they were five years ago. They attributed the growing work aggravation to various factors, including:

• A more complex threat landscape, cited by 81%
• Insufficient budget (45%) and trained staff (45%)
• Increased difficulty hiring and retaining (45%)
• Improper prioritization of cyber risks (34%)

Regarding attack frequency, 55% of surveyed organizations reported suffering more attacks than a year prior, a jump of 7 percentage points over last year’s report. The most common types of attacks were social engineering; malware; denial of service; and compromise of unpatched systems.

Year-over-Year Comparison of Cybersecurity Attack Reporting

^{(Source: ISACA’s “State of Cybersecurity 2024” report, October 2024)}

When asked to list the security skills their organizations need the most, these ranked as the top five:

• Data protection (46%)
• Identity and access management (45%)
• Incident response (44%)
• Cloud computing (43%)
• Threat detection (31%)

To get more details, check out:

For more information about helping cybersecurity pros manage work-related stress:

5 – CISA updates SBOM guidance, clarifies SBOM attributes

If you’re looking to learn more about software bills of materials (SBOMs), CISA has just updated a document that offers foundational guidance about these software inventories, such as what they are and how to implement them.

The document, titled “Framing Software Component Transparency,” was last updated in 2021. This new version revises and expands the topic of SBOM attributes, which are used to identify SBOM components.

In theory, SBOMs help boost your software supply chain security by listing all ingredients in a software product, such as an application. Their purpose is to provide granular visibility into all your software components in your environment. Thus, an SBOM should help you locate all instances of a component with a newly disclosed flaw, such as a critical vulnerability — as happened with the Log4j utility in late 2021.

However, the software industry is still working through complex SBOM-related challenges in areas including standards, data comprehensiveness, and interoperability.

The new edition of “Framing Software Component Transparency” zeroes in on the challenge of “universally identifying and defining certain aspects of software components.”

Specifically, the CISA guidance states the need to:

• Establish a minimum set of baseline attributes for identifying components “with sufficient relative uniqueness.”
• Identify optional attributes beyond the baseline ones.
• Correlate SBOMs with third-party sources for analysis purposes.

“This document establishes a minimum expectation for creating a baseline SBOM that outlines the minimum amount of information required to support basic and essential features,” the guidance reads.

For more information about SBOMs:

VIDEOS

Building and Scaling SBOM Programs: Navigating the Challenges for Effective Risk Management (SANS)

An SBOM Primer (The Linux Foundation)

6 – CIS updates Benchmarks for AWS, Google and Microsoft products

AWS Foundations. Google Kubernetes Engine. Microsoft Azure Foundations. Those are some of the CIS Benchmarks updated in September by the Center for Internet Security.

Specifically, these CIS Benchmarks were updated:

In addition, CIS added a new Benchmark for IBM AIX 7.

The CIS Benchmarks’ secure-configuration guidelines are intended to help you harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families. There are CIS Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog “CIS Benchmarks October 2024 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as: