Pretty much everything—including how to measure the actual security risks, who has access to the system and whether business partners can be trusted

It is a wonder that chief information officers and chief information security officers sleep at all.

Cybersecurity threats are relentless, they’re getting stronger, and they’re coming from more directions than ever. Just this past January, revelation of the Spectre and Meltdown computer-chip flaws exposed security weaknesses in the very foundations of computing infrastructure.

What’s more, the consequences of a breach can be disastrous, with staggering losses of customer data and corporate secrets—followed by huge costs to strengthen security, as well as the threat of regulatory scrutiny and lawsuits.

With that in mind, we asked CIOs and CISOs what keeps them up at night. Here’s what they had to say.

How exposed are we, anyway?

Companies have mountains of data about vulnerabilities and hack attempts, but probably the most fundamental question is the most difficult one to answer: How much danger do we really face? Quantifying the risks is crucial as companies make decisions about how to manage some risks. But it’s extremely hard to accomplish in a way that boards and top executives can understand.

One problem is that there aren’t widely accepted metrics for measuring the health of a company’s defenses. Guidance from bodies such as the National Institute of Standards and Technology can help, says Mathew Newfield, chief information security officer at Unisys Corp. But IT systems and business risks are different for each company, so all security executives have to come up with metrics that make sense for their particular companies.

[See SecureAuth Threat Detection]

Who can access what?

As cyberattacks proliferate, one of the biggest tech vulnerabilities is getting clearer: employees logging into corporate systems remotely, sometimes from their own devices.

Knowing that more employees are working outside the office, attackers are increasingly targeting vulnerable points beyond corporate walls. As such, controlling access to networks and managing user accounts is poised to become a “key cyber spending area for 2018 and beyond,” says Daniel Ives, chief strategy officer and head of technology research at GBH Insights, a technology market-research firm.

One approach is a strategy called zero trust, where users are given access to sections of apps or data, rather than entire networks, by going through strict identity-authentication measures.

Another security strategy seeing a lot of innovation is multifactor authentication, which uses biometrics, such as fingerprint scanners and facial-recognition tools, to recognize users, says Garrett Bekker, a security analyst at 451 Research. 

[See Adaptive Authentication and Visual Identity Suite]

Can we trust our partners?

It is tough enough for security executives to worry about security issues at their own companies. But very often they have to worry about safeguards at other firms, too. The vendors that provide a company with everything from heating and air-conditioning units to human-resources software in the cloud could give hackers an open door to corporate data.

About 36% of companies don’t apply the same or higher security standards to their partners as they use internally, according to a survey from Accenture published in April of 4,600 corporate-security professionals at companies with more than $1 billion in annual revenue.

Executives should negotiate the right to audit a vendor’s cybersecurity practices on a regular basis, says Ms. Pelletier of Expeditors International and ATN. When negotiating with third parties, companies should nail down “cures,” such as financial compensation should the vendor expose the company’s data, she says.

[See Core Access Assurance Suite]

Who’s attacking and why?

Threats from criminal groups, nation-states, activists and independent digital malcontents have converged, making it harder to tell who is going after a company’s data and what their motive is, says Jeanette Manfra, the top-ranking cybersecurity official at the Department of Homeland Security. Knowing who is involved in a cyberattack can help companies understand the breadth of systems affected by an incident, from where the next attack might come or what information attackers are seeking, all factors in providing better security.

Further complicating the picture: Foreign intelligence sources are suspected of collaborating with civilians to launch attacks, a worrisome model that is “more and more prevalent,” says John Brennan, former director of the Central Intelligence Agency, who recently joined the advisory board of cybersecurity companies SecureAuth Corp. and Core Security SDI Corp.

This makes understanding the intent of a cyberattack even more difficult, especially when a wide range of corporations, municipalities and government agencies may have been targeted, says Ms. Manfra, creating potentially incendiary situations between many different layers of governments and enterprises.

[See SecureAuth Threat Service, a layer of Adaptive Authentication]

Will the government give security clearance?

Businesses critical to the infrastructure of the U.S., such as finance, energy, oil and gas, need staff with government security clearances so they can view classified cyberthreat information from federal agencies. This, in turn, helps companies to be better prepared to fight attacks and able to collaborate in real time with government officials when an attack is under way.

But the timeline for getting a security clearance has more than doubled in the past three years, according to the U.S. Office of Personnel Management, which vets the applications. The backlog—which now stretches for over a year—partially stems from a security breach at OPM in 2015, which interrupted the clearance process.

The wait means that some companies are missing out on vital information that could help them defend against attacks, says Dave McCurdy, chief executive of the American Gas Association, a trade group for 200 gas-energy providers in the U.S.

Having even one staff member with a security clearance gives companies more in-depth information about attackers, such as what specific types of assets attackers are targeting at similar institutions and what kinds of classified methods they are using to launch attacks, says Mr. McCurdy.

What do we have to disclose?

The fear underlying data breaches is that information will get out involuntarily. Now directors and senior executives are wrestling with how much they have to tell each other and the investing public after new guidance from the Securities and Exchange Commission.

The SEC now expects companies to disclose more detail in their quarterly and annual financial statements about procedures and controls for managing cyberrisks. That includes descriptions of how they determine the severity of security gaps and incidents, and how senior executives and the board communicate about cybersecurity, as well as specifics about how the board handles its oversight of cyberrisk.

[See The Case for Disclosing Breaches]

This article is adapted and originally appeared here on Wall Street Journal on May 29th, 2018.