Cyberwar, ransomware, espionage, malicious intent, or simply accidents – there are a thousand reasons for a Chief Security Officer to view the slightest subject as a “trend”. But let’s play the game. In 2023, which subjects are likely to take up most of our time? I consulted my floor team about this question, and we identified five issues that, in our opinion, will be out in front for all companies that have a digital dimension… which, of course, means pretty much all companies.
1. “Supplier Management”: the stone in your shoe!
Supplier management is becoming an issue of growing concern. Companies invest in protecting themselves from attacks and accidents – but what about their partners and other stakeholders? Have they acquired the same maturity? Are they aware of the risks? Are they going to open wide the doors that you put so much energy into closing?
Often, we just rely on the word of suppliers, though we might get them to complete questionnaires. But we rarely carry out a complete, fact-based audit. Of course, if there is a problem, we all know where the fault lies. But by then the damage is already done, and that damage can be very expensive.
In other words, for self-protection, imposing contractual requirements on suppliers may be necessary, but it is not sufficient. The most effective technique remains assessing for yourself the risks that a supplier exposes you to, and deploying security measures aimed at reducing those risks as much as possible. A genuinely complex subject.
2. Automation against “zero-day” attacks
In terms of security, automation not only has the virtue of optimizing operations, it is also strategic in the face of malicious acts.
Today, security teams spend most of their time keeping systems reliable in the present tense. This is basic for the business – the guarantee of continuity of service.
But at the other end of the network, crackers are preparing the future, imagining attacks and vulnerabilities that do not exist yet. This is referred to as “zero day”: attacks that exploit a vulnerability before the developers know about it or have had time to release a fix. And the defenders don’t have that time because they have their noses to the grindstone of daily maintenance. The circle is complete.
To break this dangerous vicious circle, we must reduce time-consuming and error-prone repetitive tasks wherever possible, and push for automation instead. Teams can use the time that they save to innovate, anticipate, prepare for the future, and play on a more level playing field against the ‘dark side’.
Of course, automation generates new risks, but these risks are themselves manageable and measurable. It is therefore a conscious battle of risks that is being played out here, a skillful balance between present and future, maintenance and innovation.
3. Deploying “Awareness” becomes urgent
The big challenges in 2023 will be human, not just technological.
Raising employees’ awareness of security issues is about as much fun as a fire drill. In November. In the rain. Beyond the lack of interest, everyone thinks that everything will be fine, that the security team will take care of it, that there are backups and service providers whose job it is, and most importantly, “We have other things to do…”.
Big mistake. Information security is now everyone’s business, at all levels and at all times. An annual one-hour training session is not enough to make people understand the role that everyone has to play for their own future. When the company is affected, everyone is affected in return. Operations slowed down or stopped, delays in delivery, reputations damaged, turnover lessened, orders decreased, salaries frozen, even layoffs… This is not an exaggerated scenario, and it can all start from one small breach in security.
Two critical subjects emerge from the background: ransomware and phishing. Both are very often linked to human error, in spite of all upstream measures.
Consider ransomware: since companies do not generally want to admit their shortcomings, they tend to pay – and it can be very expensive. Ransomware has become a thriving business that often passes through doors left wide open … by under-prepared humans.
Consider phishing: stop thinking that you are smarter than other people, that you can never be fooled because phishing messages are full of crude language or spelling mistakes, or come from easily spotted addresses. That was then – this is now. ‘Black hats’ are now very inventive, and it only takes one distracted employee to let them into the system.
To be effective, raising awareness notably involves the ability of security managers to adapt to the different businesses of the company, to understand their specific operations, expectations, needs, and limits – then to build strategy around those parameters. Security therefore stops being a constraint, and it becomes a business and operational advantage. It is what will maximize adoption and synergy with all stakeholders.
4. The ROI of security at the heart of the business
Historically, information security has been a highly technical profession, under the responsibility of the CIO or the CTO. Today, it is increasingly part of management, even top management. The global awareness of the importance of these subjects has enabled the CISO to gain legitimacy at the highest ranks of the corporation. As a direct result, we must now be accountable at this level. Security becomes subject to the same ROI (Return on Investment) requirement as any other operation. Companies now need to obtain a clear view of the costs and revenues generated by the measures deployed.
But when it comes to security, ROI is complex, because correlation is not always causation. Because we did what was needed, we reduced the attack surface, of course, and sometimes by a great deal. But just because we can’t identify an attack doesn’t necessarily mean that we did what was necessary. Maybe we haven’t been attacked yet? Or maybe we have been, but we are not even aware of it? How can we take credit for the fact that everything is going well or better?
It has therefore become essential for businesses to manage themselves using indicators that are relevant, measurable, and comparable. One of those indicators could for example be the percentage of corporate compliance with certain internationally known standards, such as ISO 27001, which has the merit of providing a security management framework for the various businesses in the organization.
5. The new gaps in remote work
Constrained by the pandemic, most companies have greatly developed their teleworking policies. More and more companies are giving flexibility to employees, letting them work in places they trust – at home, with family, in shared spaces, etc.
Of course, this new freedom makes it more complex to control the security framework. New ways to collaborate include remote connection, cohabitation of personal and professional equipment in mixed uses, networking, family members with access to computers and tablets, working from cafes or coworking spaces… With these new means, thousands of possible breaches can appear. They need to be taken into account very quickly.
Rigid security, which is almost impossible to maintain under these conditions, may no longer have a place in companies in 2023, giving way to agility and new ways of assessing the notion of risk.
Among the thousand possible trends that coexist, we therefore identify a persistent pattern centered on the behavior of employees in the face of cyberattacks. In 2023, we will need to train better, so as to better understand the role of each stakeholder, internally and with partners, and to better anticipate defects by devoting more time to innovation. In 2023, we will need to continuously measure and assess risks, so as to make “agile” decisions that adapt to the infinite imagination of cybercriminals. In 2023, we must embrace changes to the way we work, and acquire a better understanding of users and their jobs, so that security is viewed not as a constraint, but as an asset.