2022 has certainly been a memorable year for cybersecurity, with recent breaches propelling it into the spotlight.
In 2023 we will continue to see these types of threats, along with new challenges. Here are my top predictions for 2023.
Prediction #1: CISOs will be made more accountable (but they need the freedom to own their program)
Uber’s ex-CISO was convicted this year for covering up a breach that took place in 2016. The case brought the role and responsibilities of the CISO into the spotlight, and it will lead to changes in 2023 for businesses in general and for CISOs in particular.
According to Gartner, at least 50% of C-level executives will have cybersecurity risk performance requirements added into their employment contracts by 2026. This will make cybersecurity an issue that everyone across the business will concentrate on. Yet CISOs can only be as effective as the power they’re given, and even with great efforts, attackers can still infiltrate a network through a simple phishing link clicked by an absent-minded employee.
In 2023 there will be a big shift, as CISOs will have to measure and report their performance in terms of managing business risk as well as protecting IT assets. Chief Revenue Officers and Chief Marketing Officers already have KPIs around performance requirements; CISOs will have the same.
Prediction #2: Supporting neurodiversity is the key to lessening the skills gap crisis
There have been some improvements in diversity in the industry, but most of this conversation has addressed only gender and ethnicity. These topics are incredibly important, but one area that isn’t talked about enough is neurodiversity. This is something organisations need to start embracing more, as many neurodivergent people tend to gravitate towards more technical, insular roles, often turning down career progression because they don’t feel comfortable with a managerial position or its associated responsibilities, such as public speaking or stakeholder management.
Five years ago, a SOC team was behind closed doors, hidden away from the rest of the world. But the world has changed, and at present, the soft skills of the job are becoming almost as relevant as the technical side, sometimes even more so. Without adequate support, those neurodivergent people in technical roles will never be willing to progress to more senior positions, such as a CISO.
To change the current situation, it is essential to start addressing neurodiversity in organisations and have managers trained to understand the signs in order to support each team member properly. Without this, we risk having to hire CISOs who have the necessary soft skills, but none of the on-the-ground technical experience.
Prediction #3: Enterprises need to take the lead to reduce their supply chain risk
Supply chain security will still pose a significant risk to organisations in 2023, and far beyond. Third-party tools and software components can be the weak points of any organisation, and even enterprises with multi-billion-dollar security budgets can still be brought to their knees by a breach within one of their suppliers.
Organisations need to understand that their supply chain’s security posture is as important as their own, and that they need to support their suppliers to help them reach higher levels of protection. Not many companies have adopted this consultative and collaborative approach proactively, only choosing to get involved after an incident has occurred. Enterprises hold a massive amount of expertise, and they can share this with their key suppliers to benefit everyone over time. The only way to strengthen your weakest link is to act like a partner and share that expertise with your supply chain.
To make this happen, more companies will adopt software bills of materials (SBOMs) to understand their components and track their vulnerabilities. However, this won’t be a case of only looking internally; instead, enterprises can reach back into their suppliers and ensure that they are updating and mitigating potential issues. This will be a cost of doing business for software companies going forward.
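As an added example (not part of the original article), here is a minimal Python check that reads a constructed CycloneDX-style SBOM, matches its components against a constructed advisory list by package name and affected version range, and groups the findings by supplier so each one can be followed up. The SBOM contents, advisory IDs and supplier names are all made up; real CycloneDX documents carry many more fields, and real version schemes need a proper comparator.

```python
import json
from collections import defaultdict

# Constructed CycloneDX-style SBOM (minimal subset; not from any real product).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "libfoo", "version": "1.2.3", "purl": "pkg:generic/libfoo@1.2.3",
     "supplier": {"name": "Acme Components"}},
    {"name": "libbar", "version": "2.0.0", "purl": "pkg:generic/libbar@2.0.0",
     "supplier": {"name": "Acme Components"}},
    {"name": "parsekit", "version": "0.9.1", "purl": "pkg:generic/parsekit@0.9.1",
     "supplier": {"name": "Widget Labs"}}
  ]
}"""

# Constructed advisory feed: each entry affects versions in [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "package": "libfoo", "introduced": "1.0.0", "fixed": "1.2.4"},
    {"id": "ADV-0002", "package": "libbar", "introduced": "1.5.0", "fixed": "1.9.9"},
    {"id": "ADV-0003", "package": "parsekit", "introduced": "0.0.0", "fixed": "1.0.0"},
]

def parse_version(v):
    # Plain dotted-integer versions only; pre-release tags would need a real comparator.
    return tuple(int(p) for p in v.split("."))

def is_affected(version, introduced, fixed):
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)

def match_sbom(sbom_json, advisories):
    """Return {supplier: [(component, version, advisory_id, fixed_in), ...]}."""
    sbom = json.loads(sbom_json)
    findings = defaultdict(list)
    for comp in sbom.get("components", []):
        supplier = comp.get("supplier", {}).get("name", "unknown supplier")
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(
                    comp["version"], adv["introduced"], adv["fixed"]):
                findings[supplier].append(
                    (comp["name"], comp["version"], adv["id"], adv["fixed"]))
    return dict(findings)

if __name__ == "__main__":
    # Per-supplier report: the list to take back to each supplier.
    for supplier, items in match_sbom(SBOM_JSON, ADVISORIES).items():
        print(f"{supplier}:")
        for name, ver, adv_id, fixed in items:
            print(f"  {name} {ver} affected by {adv_id}; fixed in {fixed}")
```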
Prediction #4: Legislation against ransom payments is a step backwards, and will drive more breaches underground
Ransom demands should never be paid. Evidence suggests that paying the ransom doesn’t even mean you’ll recover your systems. And yet, many organisations still choose to pay.
According to Gartner, 30% of nation states will pass legislation regulating against ransomware payments by 2025. These actions are well-intentioned but won’t solve the problem. The focus should not be on penalising companies that have decided to pay; instead, it should be on mandating the right actions and measures that will help them never reach the point where they feel their only solution is to pay.
Legislating against ransom payments will only drive breaches further underground and foster a culture of secrecy that we have already worked so hard to overcome. The industry and regulations need to shift towards enabling a culture of openness, transparency and support.