R
Richard Archdeacon
Guest
As the majority of the global Covid fog finally started lifting in 2022, other events – and their associated risks – started to fill the headspace of C-level execs the world over. In my role, I regularly engage with CISOs in all kinds of sectors, representatives at industry bodies, and experts at analyst houses. This gives me an invaluable macroview not only of how the last 12 months have affected organizations and what CISOs are thinking about, but also how the upcoming year is shaping up.
Using this information, last year I wrote a blog summing up the nine top of mind issues I believed will most impact CISOs as we headed into 2022. Many of them still ring true now and will continue to do so, but some new concerns have risen up the agenda. Here are the topics that I think will be top of mind in 2023, and what CISOs can do to prepare.
One aspect that has come to the fore this year is the CISO’s position as ‘guardian of customers’ private data’ in the event of a breach, and their responsibilities over the level of disclosure they later provide. And here, we are not only talking about the legal duty to inform regulators, but the implicit moral duty to inform third parties, customers, etc. From my conversations this year, this whole area is getting CISOs thinking about their own personal liability more.
As a result of this, next year we could see CISOs tightening up the disclosure decision making process, focusing on quicker and greater clarity on breach impact, and even looking to include personal liability cover in cyber insurance contracts. CISOs will also likely be pushing more tabletop exercises with the executive leadership team to ask and answer questions around what is showed, to whom, and by whom.
Cyber insurance has become a newsworthy topic over the last 24 months, mainly due to the hardening of the market, as insurance products have become less profitable for underwriters and insurers’ costs have risen. But the topic will continue to be in focus as we move into 2023, with insurers demanding greater attribution – aka the science of identifying the perpetrator of a cybercrime by comparing the evidence gathered from an attack with evidence gathered from earlier attacks that have been attributed to known perpetrators to find similarities.
The need for greater attribution stems from the news that some insurers are announcing that they are not covering nation state attacks, including major marketplace for insurance and reinsurance, Lloyd’s – a topic I covered with colleague and co-author Martin Lee, in this blog earlier in the year.
Greater preparation and crystal-clear clarity of the extent to which attribution has taken place when negotiating contracts will be an essential element for CISOs going forward. For more practical advice on this topic, I also wrote a blog on some of the challenges and opportunities within the cyber liability insurance market back in June which you can read here.
Being a CISO has never been more complex. With more sophisticated attacks, scarcity of resources, the challenges of communicating effectively with the board, and more demanding regulatory drivers like the recently approved NIS2 in the EU, which includes a requirement to flag incidents that cause a significant financial implication or operational disruption to the service or to others within 24 hours.
With so much to consider, it is vital that CISOs have a clear understanding of the core elements of what they protect. Questions like ‘where is the data?’, ‘who is accessing it?’, ‘what applications is the organization using?’, ‘where and what is in the cloud?’ will continue to be asked, with an overarching need to make management of the security function more flexible and simpler for the user. This visibility will also inevitably help ease quicker decision making and less of an operational overhead when it comes to regulatory compliance, so the benefits of asking these questions are clear.
According to Forrester, the term Zero Trust was born in 2009. Since then, it has been used liberally by different cybersecurity vendors – with various degrees of accuracy. Zero Trust implementations, while being the most secure approach a firm can take, are long journeys that take multiple years for major enterprises to carry out, so it is vital that they start as they mean to go on. But it is clear from the interactions we have had that many CISOs still don’t know where to start, as we touched on in point #3.
However, that can be easier said than done in many cases, as the principles within Zero trust fundamentally turn traditional security methods on their head, from protecting from the outside in (guarding your company’s parameter from external threats) to protecting from in the inside out (guarding individual assets from all threats, both internal and external). This is particularly challenging for large enterprises with a multitude of different silos, stakeholders and business divisions to consider.
The key to success on a zero-trust journey is to set up the right governance mode with the relevant stakeholders and communicate all changes. It is also worth taking the opportunity to update their solutions via a tech refresh which has a multitude of benefits, as explained in our most recent Security Outcomes Study (volume 2).
For more on where to start check out our eBook which explores the five phases to achieving zero trust, and if you have already embarked on the journey, read our recently published Guide to Zero Trust Maturity to help you find quick wins along the way.
As with last year, ransomware continues to be the main tactical issue and concern facing CISOs. More specifically, the uncertainty around when and how an attack could be launched against the organization is a constant threat.
Increased regulation on the payment of ransomware and declaring payments is predicted, on top of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Ransom Disclosure Act, but that doesn’t help alleviate ransomware worries, especially as this will again put the CISO in the firing line.
CISOs will continue to keep a focus on the core basics to prevent or limit the impact of an attack, and again have a closer look at how any ransomware payment may or may not be paid and who will authorize payment. For more on how executives can prepare for ransomware attacks, read this blog from Cisco Talos.
Traditionally CISOs have talked about the importance of improving security awareness which has resulted in the growth of those test phishing emails we all know and love so much. Joking aside, there is increased discussion now about the limited impact of this approach, including this in depth study from the computer science department of ETH Zurich.
The study, which was the largest both in terms of scale and length at time of publishing, revealed that ‘embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing’.
For the most effective security awareness, culture is key. This means that everyone should see themselves as part of the security team, like the approach that has been taken when approaching the issue of safety in many high-risk industries. In 2023, CISOs will now be keen to bring about a change to a security culture by making security inclusive, looking to create security champions within the business unit, and finding new methods to communicate the security message.
Last year, we talked about preparing for the ‘great resignation’ and how to prevent staff leaving as WFH became a norm rather than an exception. In the past year, the conversations I have had have altered to focus on how to ensure recruitment and retention of key staff within the business by ensuring they work in an environment that supports their role.
Overly restrictive security practices, burdensome security with too many friction points, and limitations around what resources and tools can be used may deter the best talent from joining – or indeed staying – with an organization. And CISOs don’t need that extra worry of being the reason behind that kind of ‘brain drain’. So, security will need to focus on supporting the introduction of flexibility and the ease of user experience, such as passwordless or risk-based authentication.
Just when we thought it was safe to go back into the organization with MFA protecting us, along came methods of attack that rely on push-based authentication vulnerabilities including:
There has been a lot written about this kind of technique and how it works (including guidance from Duo) due to some recent high-profile cases. So, in the forthcoming year CISOs will look to update their solutions and introduce new ways to authenticate, along with increased communications to users on the topic.
This issue was highlighted again this year driven by regulations in different sectors such as the UK Telecoms (Security) Act which went live in the UK in November 2022 and the new EU regulation on digital operational resilience for financial services firms (DORA), which the European Parliament voted to adopt, also in November 2022. Both prompt greater focus on compliance, more reporting and understanding the dependency and interaction organizations have with the supply chain and other third parties.
CISOs will focus on obtaining reassurance from third parties as to their posture and will receive a lot of requests from others about where their organization stands, so it is crucial more robust insight into third parties is gained, documented, and communicated.
When writing this blog, and comparing it to last year’s, the 2023 top nine topics fit into three categories. Some themes make a reappearance, seem to repeat themselves such as the need to improve security’s interaction with users and the need to keep up to date with digital change. Others appear as almost incremental changes to current capabilities such as an adjusted approach to MFA to cope with push fatigue. But, perhaps one of the most striking differences to previous years is the new focus on the role of the CISO in the firing line and the personal impact that may have. We will of course continue to monitor all changes over the year and lend our viewpoint to give guidance. We wish you a secure and prosperous new year!
Continue reading...
Using this information, last year I wrote a blog summing up the nine top of mind issues I believed will most impact CISOs as we headed into 2022. Many of them still ring true now and will continue to do so, but some new concerns have risen up the agenda. Here are the topics that I think will be top of mind in 2023, and what CISOs can do to prepare.
- CISO in the firing line
One aspect that has come to the fore this year is the CISO’s position as ‘guardian of customers’ private data’ in the event of a breach, and their responsibilities over the level of disclosure they later provide. And here, we are not only talking about the legal duty to inform regulators, but the implicit moral duty to inform third parties, customers, etc. From my conversations this year, this whole area is getting CISOs thinking about their own personal liability more.
As a result of this, next year we could see CISOs tightening up the disclosure decision making process, focusing on quicker and greater clarity on breach impact, and even looking to include personal liability cover in cyber insurance contracts. CISOs will also likely be pushing more tabletop exercises with the executive leadership team to ask and answer questions around what is showed, to whom, and by whom.
- Increasing demands from insurers
Cyber insurance has become a newsworthy topic over the last 24 months, mainly due to the hardening of the market, as insurance products have become less profitable for underwriters and insurers’ costs have risen. But the topic will continue to be in focus as we move into 2023, with insurers demanding greater attribution – aka the science of identifying the perpetrator of a cybercrime by comparing the evidence gathered from an attack with evidence gathered from earlier attacks that have been attributed to known perpetrators to find similarities.
The need for greater attribution stems from the news that some insurers are announcing that they are not covering nation state attacks, including major marketplace for insurance and reinsurance, Lloyd’s – a topic I covered with colleague and co-author Martin Lee, in this blog earlier in the year.
Greater preparation and crystal-clear clarity of the extent to which attribution has taken place when negotiating contracts will be an essential element for CISOs going forward. For more practical advice on this topic, I also wrote a blog on some of the challenges and opportunities within the cyber liability insurance market back in June which you can read here.
- Getting the basics right
Being a CISO has never been more complex. With more sophisticated attacks, scarcity of resources, the challenges of communicating effectively with the board, and more demanding regulatory drivers like the recently approved NIS2 in the EU, which includes a requirement to flag incidents that cause a significant financial implication or operational disruption to the service or to others within 24 hours.
With so much to consider, it is vital that CISOs have a clear understanding of the core elements of what they protect. Questions like ‘where is the data?’, ‘who is accessing it?’, ‘what applications is the organization using?’, ‘where and what is in the cloud?’ will continue to be asked, with an overarching need to make management of the security function more flexible and simpler for the user. This visibility will also inevitably help ease quicker decision making and less of an operational overhead when it comes to regulatory compliance, so the benefits of asking these questions are clear.
- How Zero Trust will progress
According to Forrester, the term Zero Trust was born in 2009. Since then, it has been used liberally by different cybersecurity vendors – with various degrees of accuracy. Zero Trust implementations, while being the most secure approach a firm can take, are long journeys that take multiple years for major enterprises to carry out, so it is vital that they start as they mean to go on. But it is clear from the interactions we have had that many CISOs still don’t know where to start, as we touched on in point #3.
However, that can be easier said than done in many cases, as the principles within Zero trust fundamentally turn traditional security methods on their head, from protecting from the outside in (guarding your company’s parameter from external threats) to protecting from in the inside out (guarding individual assets from all threats, both internal and external). This is particularly challenging for large enterprises with a multitude of different silos, stakeholders and business divisions to consider.
The key to success on a zero-trust journey is to set up the right governance mode with the relevant stakeholders and communicate all changes. It is also worth taking the opportunity to update their solutions via a tech refresh which has a multitude of benefits, as explained in our most recent Security Outcomes Study (volume 2).
For more on where to start check out our eBook which explores the five phases to achieving zero trust, and if you have already embarked on the journey, read our recently published Guide to Zero Trust Maturity to help you find quick wins along the way.
- Ransomware and how to deal with it
As with last year, ransomware continues to be the main tactical issue and concern facing CISOs. More specifically, the uncertainty around when and how an attack could be launched against the organization is a constant threat.
Increased regulation on the payment of ransomware and declaring payments is predicted, on top of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Ransom Disclosure Act, but that doesn’t help alleviate ransomware worries, especially as this will again put the CISO in the firing line.
CISOs will continue to keep a focus on the core basics to prevent or limit the impact of an attack, and again have a closer look at how any ransomware payment may or may not be paid and who will authorize payment. For more on how executives can prepare for ransomware attacks, read this blog from Cisco Talos.
- From Security Awareness to Culture Change
Traditionally CISOs have talked about the importance of improving security awareness which has resulted in the growth of those test phishing emails we all know and love so much. Joking aside, there is increased discussion now about the limited impact of this approach, including this in depth study from the computer science department of ETH Zurich.
The study, which was the largest both in terms of scale and length at time of publishing, revealed that ‘embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing, but instead it can have unexpected side effects that can make employees even more susceptible to phishing’.
For the most effective security awareness, culture is key. This means that everyone should see themselves as part of the security team, like the approach that has been taken when approaching the issue of safety in many high-risk industries. In 2023, CISOs will now be keen to bring about a change to a security culture by making security inclusive, looking to create security champions within the business unit, and finding new methods to communicate the security message.
- Resignations, recruitment and retention
Last year, we talked about preparing for the ‘great resignation’ and how to prevent staff leaving as WFH became a norm rather than an exception. In the past year, the conversations I have had have altered to focus on how to ensure recruitment and retention of key staff within the business by ensuring they work in an environment that supports their role.
Overly restrictive security practices, burdensome security with too many friction points, and limitations around what resources and tools can be used may deter the best talent from joining – or indeed staying – with an organization. And CISOs don’t need that extra worry of being the reason behind that kind of ‘brain drain’. So, security will need to focus on supporting the introduction of flexibility and the ease of user experience, such as passwordless or risk-based authentication.
- Don’t sleep on the impact of MFA Fatigue
Just when we thought it was safe to go back into the organization with MFA protecting us, along came methods of attack that rely on push-based authentication vulnerabilities including:
- Push Harassment – Multiple successive push notifications to bother a user into accepting a push for a fraudulent login attempt;
- Push Fatigue – Constant MFA means users pay less attention to the details of their login, causing a user to accept a push login without thinking.
There has been a lot written about this kind of technique and how it works (including guidance from Duo) due to some recent high-profile cases. So, in the forthcoming year CISOs will look to update their solutions and introduce new ways to authenticate, along with increased communications to users on the topic.
- Third party dependency
This issue was highlighted again this year driven by regulations in different sectors such as the UK Telecoms (Security) Act which went live in the UK in November 2022 and the new EU regulation on digital operational resilience for financial services firms (DORA), which the European Parliament voted to adopt, also in November 2022. Both prompt greater focus on compliance, more reporting and understanding the dependency and interaction organizations have with the supply chain and other third parties.
CISOs will focus on obtaining reassurance from third parties as to their posture and will receive a lot of requests from others about where their organization stands, so it is crucial more robust insight into third parties is gained, documented, and communicated.
When writing this blog, and comparing it to last year’s, the 2023 top nine topics fit into three categories. Some themes make a reappearance, seem to repeat themselves such as the need to improve security’s interaction with users and the need to keep up to date with digital change. Others appear as almost incremental changes to current capabilities such as an adjusted approach to MFA to cope with push fatigue. But, perhaps one of the most striking differences to previous years is the new focus on the role of the CISO in the firing line and the personal impact that may have. We will of course continue to monitor all changes over the year and lend our viewpoint to give guidance. We wish you a secure and prosperous new year!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Instagram
Facebook
Twitter
LinkedIn
Cisco Secure Social Channels
LinkedIn
Continue reading...