In 2022, we saw a large number of cyberattacks and breaches that affected both companies and countries, driven primarily by accelerating innovation by threat actors and continued diversification of the threat actor economy. While many technical responses have been proposed, the policy responses pose a more challenging issue, as companies will need to comply with public policy decisions despite challenging macroeconomic conditions and a persistent lack of skilled professionals to work on cybersecurity.
In short, 2023 will be the year of risk.
1. Anticipate org chart changes and more collaboration with the C-suite.
Pending regulatory changes require that the CISO be independent, and this independence will likely require organizational chart changes, as CISOs have historically reported to the CIO, CTO, or another senior executive with a background in technology.
This frequently creates an implicit conflict of interest when budgets and staffing considerations arise, as the incentives of the CIO or other senior executives do not necessarily align with the goals of the CISO. In 2023, CISOs should prepare to be adequately independent and have good visibility into the management of cyber-risk. Being independent includes the responsibility of setting staffing and budgets for approval by a committee, rather than providing a cybersecurity budget line item as part of another senior executive's larger budget for the year.
2. Be ready to answer more risk-related questions from the board …
Boards want to have more oversight of cyber-risk. In 2023, organizations should plan on inviting their CISO to a board meeting (and be somewhat forgiving of that first meeting when the CISO comes from a technical background). While not all board members need to understand cybersecurity, all CISOs (or CIOs, or whoever presents to the board) need to be able to speak to the board in the language of risk to effectively communicate status, learn about larger initiatives, and ask for assistance or perspective when needed. Although this will be a new requirement for publicly traded companies, privately held companies should strongly consider adopting this change to reporting as well.
3. … and as a result, be more diligent about communicating risk.
Companies should track the risk of noncompliance and be able to describe their risk management plans associated with noncompliance. Depending on the specific regulatory body, civil and criminal penalties are potential outcomes, as well as congressional hearings or reputational damages.
Companies that have DFARS requirements — particularly those with CMMC level 2 control requirements — face two risks from noncompliance: denial of future Department of Defense contracts, and exposure to whistleblower suits under the False Claims Act. As a result, CISOs will need to be consistent and persistent about communicating the status of their risk and compliance posture.
4. CISOs will need to invest in internal assessments as more security breaches hit the news.
Cybersecurity breaches were a hot topic in 2022, with several high-profile cases making national headlines. For example, the Federal Trade Commission (FTC) sought action against online alcohol marketplace Drizly — and its CEO, Cory Rellas — for cybersecurity failures affecting over 2.5 million consumers. Notably, the FTC specifically named and sanctioned Rellas — a new move for the governing body. This change in posture may indicate a larger shift toward enforcement at the FTC, particularly for organizations that don’t have adequate controls around the protection and disposition of consumer data.
One lesson carries across these stories: the importance of effective internal assessments, which are critical tools for finding weaknesses in your security program and for assuring that those weaknesses are fixed. We predict a sharp increase in investigations with adversarial discovery in 2023 as companies watch these major news stories play out in real time.
5. SMBs should consider increasing security control monitoring to avoid cyberattacks.
Smaller companies are more vulnerable to cyberattacks, but why? Simply put, they don’t have the budget or resources to combat ransomware attacks, which is why they are a high priority for threat actors.
More controls in place means more processes for maintaining those controls, which results in more manual work that IT security professionals must handle. For example, SMBs will need to map GDPR compliance legalese to the controls that govern breach notifications, or quickly locate CIS Control Group 3 to guide data disposal.
IT, security, and risk management professionals will need to better collect and organize their evidence in preparation for applications and renewals of their cyber insurance policies. They might also consider a tool that enables them to link risks to controls to decide how much coverage they actually need.
About the Author
Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.