CISOs need to define their risk tolerance, identify specific critical data, and make changes based on strategic business goals.

Steve Durbin, CEO, Information Security Forum

February 15, 2023


The past few years have been a bumpy ride all around. 2022 was supposed to be a breather for CISOs as the uncertainty surrounding the pandemic largely subsided. Sadly, they found themselves coming to terms with the new "never normal" instead.

A soaring cost of living, geopolitical conflicts, catastrophic climate crisis, and a rapidly evolving regulatory environment all will shape the cybersecurity landscape this year. Newer threats have emerged and older ones have evolved. Critical infrastructure, public service delivery, and people's privacy all seem to be in the line of fire. And with ongoing digital transformation initiatives, exponential data growth, limited funds, and an ongoing skills shortage, CISOs and their teams, it seems, are barely holding it together.

Waypoints on Path to Action

Keeping up with emerging threats and challenges in 2023 can help organizations get on the path to developing a coherent security strategy.

1. Cyberattacks increase, tactics evolve: Ransomware incidents dropped by 34% earlier in 2022, only to roar back with a vengeance. Ransomware has evolved to double and triple extortion with data theft and denial of service. We'll see an uptick in stolen data being sold on Dark Web forums and later being used in highly targeted phishing attacks.

The underground cybercrime landscape is also shifting from cybercrime-as-a-service to cyber mercenaries for hire. Expect cybercriminals and nation-state actors to hire highly skilled cyber mercenaries for granular tasks that can lead to major attacks and breaches. These attacks will be very impactful but near impossible to trace.

2. Supply chain risks balloon: Supply chain security risks quickly bleed into the business side of operations, often bringing them to a halt. These risks will likely balloon this year as businesses outsource the infrastructure, applications, and services they need to multiple cloud and software-as-a-service (SaaS) vendors. With so many external providers and partners, attackers will target the most vulnerable ones to gain easy access.

3. Data-well poisoning attacks emerge: Artificial intelligence-powered systems depend on the integrity of the data they're fed to make sound decisions. As businesses get real with AI in 2023, data will become an invaluable asset as well as a liability. Cybercriminals will be targeting data wells to manipulate systems into making rogue decisions. Beyond confidentiality and availability, data integrity is now at risk.

4. Tech, threat, and regulatory environments continually change: Threats are evolving, and so is the regulatory landscape. General and country-specific regulations will compel organizations to ensure ethical data collection, storage, and use. These changes will likely keep CISOs on their toes, trying to preserve all the good pieces of the security pie while also ensuring enough flexibility to accommodate new changes.

Creating a Business-Based Security Strategy

Here's what organizations in general need to focus on to create a security strategy that can steer them through what looks set to be a challenging year for security, the economy, and trade.

1. Aligning security with business strategy: CISOs are responsible for assuring business executives that cybersecurity is a business risk, not just an IT issue. As boards determine a business's strategic direction, CISOs must incorporate security into that process. To do that, addressing cyber-risks should frequently be on the agenda for board meetings.

A CISO who treats the security strategy as a business tactic, one that supports the organization's goals, probably won't have to chase after the board for security funds and resources.

2. Building cyber resiliency: Cyber resiliency is an organization's preparedness to deal with the impact of threats that can't be predicted or prevented. The first step to achieving cyber resilience is to adopt a governance framework for monitoring cyber activities, including partner collaborations and relevant regulatory changes. Organizations must also develop cyber situational awareness through cyber threat intelligence gathering, analysis, and sharing.

Next, they should identify and prioritize critical assets and continually re-evaluate them as their value changes. Based on the insights they gather, they need to plan and rehearse for just-in-case scenarios. Rehearsed incident-response plans can cut the cost of a data breach by almost half.

Building cyber resilience is an ongoing process because threats evolve, businesses mature, and the value of different assets changes. By keeping up with the process, organizations can prevent, detect, and respond to emerging threats and their aftermath immediately and effectively.

3. Determining cyber-risk tolerance: Organizations need to determine and define their risk tolerance regarding cyber-loss incidents. And that involves evaluating the dependencies, stability, and security of external partners and providers as well. Monitoring and protecting assets and data is not about boiling the ocean. It's about starting small, being very specific in identifying critical data elements, and then ensuring their security and integrity at all stages of the data life cycle.

A similar, selective approach should work for addressing changes in regulatory and compliance requirements, too. Organizations don't have the time or resources to do it all. They must identify what matters and make changes selectively based on their strategic business goals.

Addressing cyber-risks isn't a static process. Security teams know it, and the boards must realize it. The world of work is changing, and policies and procedures will have to reflect that. This rapidly evolving work and security environment can cause cyber fatigue and mental health challenges. Organizations must prioritize employees' education, satisfaction, and mental health. Otherwise, we'll also be witnessing a surge in insider threats on top of everything else.

About the Author(s)

Steve Durbin

CEO, Information Security Forum

Steve Durbin is CEO of the Information Security Forum, an independent, not-for-profit organization dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best-practice methodologies, processes, and solutions that meet the business needs of its members. He is a frequent speaker on the board's role in cybersecurity and technology.
