As we head into 2023, we look back at the last year and the focus will continue to be on reducing risk exposure and resilience. Organizations are strengthening their ransomware defense, security, and privacy approach to product development, cyberattack response, supply chain risk management and operational technology (OT) security and based on working with customers across industry sectors, here is a compilation of some trends we predict for 2023.
1. Critical Infrastructure and Public Sector will continue to become attractive targets.
As cyberattacks become more sophisticated, building collaborative communities between the public and private sectors will be crucial to synchronize operations and take preventative measures as a unified front to critical infrastructure threats. The public sector has become a favored target for cybercriminals. Armed with automated botnets, hackers rummage through computer systems to locate "soft targets." In recent years, US state and local government agencies have fallen prey to cyber-attacks.
Legacy security is proving ineffective against the growing legion of diverse, sophisticated, and confrontational cyber threats. Public agencies collect and store sensitive data. Like the private sector, government institutions have gone digital. The addition of cloud, mobile, and SaaS have expanded an organization's attack surface, and it further illuminates that your cyber security is only as strong as your weakest point.
2. OT attack patterns will become more prevalent.
IT and OT teams must find common ground to eliminate the substantial risk factors of planned and accidental IT/OT convergence. But the mission does not end there. OT security solutions that work in conjunction with IT security solutions can be the catalyst that not only provides the visibility, security, and control needed to thwart new cyber threats but also brings these once separate teams together for the common security of every manufacturing, critical infrastructure and industrial organization will need to fulfill its core mission efficiently and securely.
The rising demand for improved connectivity of systems, faster maintenance of equipment, and better insights into the utilization of resources has given rise to internet-enabled OT systems, which include industrial control systems (ICS) and others such as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), remote terminal units (RTUs), and programmable logic controllers (PLCs). With everything becoming internet-facing and cloud-managed, the manufacturing and critical infrastructure sector (i.e., healthcare, pharma, chemicals, power generation, oil production, transportation, defense, mining, food, and agriculture) are becoming exposed to threats that may be more profound than data breaches. In the coming years, OT attacks will become more prevalent and be used in cyber warfare.
3. Privacy will start getting more attention within the US.
We are going to see more states pass laws with a focus on privacy. Data privacy laws in the United States have been primarily sector-based, with different data privacy laws applying to other sectors of the economy. For example, HIPAA for health care, FERPA for education, GLBA for finance, etc. While this approach has allowed laws to be tailored to specific contexts, it has also resulted in many businesses being exempt from meaningful data privacy regulation.
Recognizing these gaps, these state consumer data privacy laws will seek to establish a comprehensive framework for controlling and processing personal data by many businesses currently exempt from other regulatory schemes. While the state laws vary somewhat, they share a few common principles around establishing standards and responsibilities regarding a business's collection of personal data from consumers; granting consumers certain individual rights concerning their data, such as the rights to access, correct, delete, and obtain a copy of the personal data a business holds about them; and establishing an enforcement mechanism allows state governments to hold businesses accountable for law violations.
4. Culture of resilience and safety versus compliance and prevention of breaches.
Resilience means more than bouncing back from a fall at a moment of significantly increased threats. When addressing resilience, it's vital to focus on long-term goals instead of short-term benefits. Resilience in the cybersecurity context should resist, absorb, recover, and adapt to business disruptions. Cyber resiliency can't be accomplished overnight. For the longest time, the conversation around getting the cybersecurity message across at the board level has revolved around the business language.
Businesses cannot afford to treat cybersecurity as anything but a systemic issue. While the board tends to strategize about managing business risks, cybersecurity professionals tend to concentrate their efforts at the technical, organizational, and operational levels. According to the World Economic Forum, 95% of cybersecurity breaches are caused by human error.
Unfortunately, many businesses still mistakenly believe that cyber-resilience means investing in bleeding-edge technologies while paying scant heed to the human factor. Fixing human vulnerabilities start with culture. Business leaders must reassure staff that it's okay to develop questioning attitudes and challenge high-risk requests, such as emailing sensitive information or processing payments.
5. Strengthening of fundamentals- Vulnerability and patch management, risk reduction, and Managed Extended Detection and Response (MXDR).
As digital transformation initiatives accelerate, CSOs require a deep and accurate understanding of their organization's cyber risk. Understanding the details of your risk, what should be prioritized, and how it can be effectively reduced is the best foundation for building a holistic plan for managing threats across the organization—priorities for cyber resilience now and into 2023.
This will be the year for MXDR with a unified platform that automates incident investigation such as enrichment, analysis, classification, and response rather than relying on an overworked security Organizations will look for MXDR to include 24/7 monitoring, critical alerting, root cause analysis and around-the-clock "eyes on glass" support.
6. Growth of cybersecurity as a service – Security at scale and not a roadblock!
With budgets tightening across the board and competition for a limited pool of IT and security talent growing fiercer, cyber as a service provider will continue to become an optimal solution for many companies. Internal security teams can concentrate on their core missions because they can count on their partners to focus on specific vectors. Cyber Security as a Service (CSaaS) allows the services utilized to change over time and be periodically realigned to ensure the customer's business needs are met.
7. CISO –role change and mindset of the future, the impact of burnout and blame game.
The future is here and now, with digital transformation driving organizations rapidly. Today the role of a Chief Information Security Officer (CISO) within organizations has become transformational. The CISO leads cross-functional teams to match the speed and boldness of digital transformations with agile, forward-thinking security and privacy strategies, investments, and plans.
The operational leader and master tacticians are tech-savvy and business-savvy CISOs. They can deliver consistent system performance, with security and privacy throughout the organization and its ecosystem amid constant and changing threats. It's time to stop repeating how things can't be done (on security grounds). Instead, we need to preach from the business transformation book and explain how they can be.
We must stop operating out of silos and build relationships with all business players, embedding 'scenario thinking' and responsiveness into organizational cyber functioning. But just as importantly, to address the first part, the board needs to plan and prepare for a cyber-crisis proactively; only by understanding the risks can the business be in the right strategic place to combat them successfully.
8. Security mesh, Zero Trust and SASE- Consolidation and optimization.
As 2023 planning kicks off, it would be interesting to look at how many Zero Trust initiatives have surfaced during budget discussions, how many product investments are tied to this initiative, and, more importantly, which are real Zero Trust or ones just seeking a budget home? Organizations in the early strategy stages for Zero Trust need to think of this as a multi-year plan which is probably starting to take shape, but it's not the playbook you need to make today's priority calls. Many teams will struggle to move an emerging Zero Trust strategy to practical implementation. The need will arise further for approaches that can help with practical implementation and accelerate Zero Trust data initiatives.
9. Board with more cyber knowledge and investment.
Business and cybersecurity success go hand in hand. As the board's role in cyber-risk oversight evolves, the importance of robust dialogue with the cyber influencers within an organization cannot be overestimated. Without close communication between boards and the cyber/risk team, the organization could be at even greater risk. If this sounds like a cybersecurity grooming exercise, that's because it is. Preparing cybersecurity practitioners with business acumen for the board to act as the voice of educated reason isn't such a bad idea.
The best businesses thrive because they have people at the very top who can exert control based on informed decision-making when a crisis looms. Leaving cybersecurity out of this success equation in 2023 is a risky game. Cybersecurity teams should equip the board with the following as a starting point.
- A clear articulation of the current cyber risks facing all aspects of the business (not just IT); and
- A summary of recent cyber incidents, how they were handled, and lessons learned.
- Short- and long-term road maps outlining how the company will continue to evolve its cyber capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
- Meaningful metrics that provide supporting essential performance and risk indicators of successful management of top-priority cyber risks that are being managed
10. Skills shortages and product silos exacerbate the situation.
There's no question that cybersecurity should be a number one focus for businesses that want to keep growing. But improving and scaling cybersecurity efforts in a constantly changing environment is challenging, with new threats and technologies continually being developed. To make things worse, the cybersecurity labor crisis is going to intensify.
A saturation of cybersecurity products with umpteen features is a desperate cry for consolidation, and the future is about cyber platforms and not siloed feature sets. The focus should not just be on finding issues but instead on remediation. There is going to be a need to demonstrate speed to value. We need technology that shows immediate value with simple implementation. Everyone talks about tech spending but forgets to include all the labor to roll out and maintain the technology platforms and the reason to consider cyber as a service.
Our current global landscape is testing resiliency. As organizations continue to digitally transform it has created new and heightened cyber risk concerns. Protecting these digital connections needs to stay top of mind for leaders looking to help their organizations adapt to these changes while continuing to innovate.