Cybersecurity risks, vulnerabilities, and exploits will continue to affect every user and organization in some form in 2023. Attack velocity, the complexity of the cyber-attack, and challenges with auto-remediation will have a cost and operational impact on organizations. Other trends include a threat to business confidence, employee mental health and turnover, technology vendor layoffs, security product breaches, and accessing the vCISO marketplace.
Technology Vendor Layoffs Creating Cyber Risk
Last year started with record highs in the US stock market, low unemployment, and rapid growth for most tech companies. The year also started with a technology employment boom; however, by the end of the year many of the big players, including Meta, Microsoft, and Amazon, had started to pull back on hiring over concerns about the global economy, declining ad sales, inflation, and rising interest rates. Cybersecurity, however, appeared immune to these trends. By year’s end, some reports put the number of open security positions at 700,000 in the U.S. alone.
At the time of this writing, Cisco, Intel, and Salesforce.com have joined the growing number of organizations warning about reduced head count, revenue, and earnings. The tech sector is critical in protecting all organizations, governments, and data. Companies that lay off valuable talent could place their products and services at risk for hackers to exploit and undermine their customers’ cybersecurity investments. Cyber-related threats against organizations announcing layoffs will result from hackers mining social media for public disclosure of employee reductions.
Products are designed, built, and maintained by people. Artificial intelligence and adaptive AI are critical in product development and testing. However, it takes experienced people to create, program, and maintain AI-enabled systems. The implementation of machine learning and AI in cybersecurity products and solutions is severely at risk, as the cost structures of many of the companies producing solutions that leverage the next generation of technology will be severely impacted.
Human Capital Management and Mental Health
The mental health issue among tech industry workers will unfortunately still be present in 2023. Businesses should acknowledge its severity, create a conducive environment for workers to prevent new or exacerbated health issues, and offer support and flexibility to those seeking help.
Organizations facing employee retention problems caused by stress and other mental health issues, recruitment challenges, and competitive talent harvesting face an uncertain risk. Losing an important CTO or VP of development is a cybersecurity risk and setback for any organization.
The organization’s intellectual property will lose value if the company’s core technology, compliance, and financial personnel depart. While many organizations quickly promote, backfill, or purchase another company, losing key personnel creates an unaccepted risk. These uncertain business risks correlate with their ability to provide security protection, solutions, and services to their customers.
Security Breaches will Continue in 2023
More than 4,100 publicly disclosed data breaches occurred in 2022 equating to approximately 22 billion records being exposed. The global average cost of a data breach increased 2.6% from $4.24 million in 2021 to $4.35 million in 2022 — the highest it’s been in the history of IBM Security’s “The Cost of a Data Breach Report.”
SolarWinds made headlines by suffering a security breach in 2021, along with Okta in 2022. Many vendors in 2022, including LastPass, Uber, Cisco, Veeam, and others, publicly acknowledged that either their client solution or cloud offering suffered a possible exploit, zero-day attack, or customer data breach.
While the financial costs associated with a data breach are certainly high, the real impact on businesses runs much deeper: reputational loss, legal liability, and loss of business and consumer trust. Security Magazine suggests, “cyberattacks and data breaches are not going away — if anything, they are only increasing both in frequency and severity. It’s vital that organizations create and test incident response playbooks to increase cyber resilience.”
More Investment in Smart Automation
Adaptive AI and auto-remediation are expected to make improvements in 2023 across the entire cybersecurity landscape. However, hackers as well as corporations continue to invest in this technology capability. Hackers often target data sets before insertion into the various AI analytics tools. Data rationalization, projection, and classification are critical for organizations to protect against cyber intrusion and data manipulation.
More organizations plan to increase their investment in AI-enabled assets for data observability, automation of cybersecurity adaptive controls, and to provide a better customer experience. Several digital transformation strategies, including customer success, adopting a multi-cloud strategy, and universal identity management, carry a risk to the organizations. Without an increase in human capital resources, organizations will need to invest in automation to help reduce threat landscape risk.
Automation functionality allows organizations to execute more business functions without human interaction.
Automation causes further questions related to humanity. Job elimination is the most apparent concern, but the lack of a personalized touch that many small businesses leverage to strengthen their customer affiliations is another. How do MSSPs differentiate themselves from each other using the same automation systems? Something to think about in 2023.
The Expanding Role of MSSPs in 2023
Organizations that want to stay ahead of the continuous increases in cybersecurity attacks while coping with human capital challenges may want to revisit their strategy to leverage managed security service providers (MSSPs). We don’t do commercials in our blog posts, so we’ll keep this brief and focused on the benefits an organization gains from leveraging the technologies, people, and processes an MSSP can offer.
MSSP vendors continue to expand the capabilities and services to assist all organizations with SecOps, compliance, and data protection. These MSSPs span email security, multi-cloud data protection, identity management, and risk governance solutions. One of the critical values MSSPs deliver is leveraging their global access to talent to serve their clients 24 x 7 x 365.
Gartner defines MSSPs as follows: MSSPs provide organizations with a variety of management and operational services specific to security technologies and business outcomes for security. Capabilities include security monitoring, detection and response, exposure assessment and management, as well as security consulting and security technology implementation. Services are delivered in a variety of modes: in the providers’ cloud infrastructure, as consultative engagements, or through staff augmentation and on-premises. MSSPs offer a variety of different engagement models. These include heavily customized and consultancy-led models and commoditized technology management-driven experiences.
Gartner further suggests that by 2023, 75% of organizations will restructure risk and security governance to address the widespread adoption of advanced technologies, an increase from fewer than 15% today. By the way, 15% was in 2017, so we can’t wait to see how close Gartner is in its prediction when they release their report early this year.
Is the vCISO Role in 2023 Gaining or Losing Importance?
Small-to-medium organizations face similar cybersecurity attacks as larger organizations. Email phishing attacks, brute-force attacks, ransomware attacks, denial-of-service, and data exfiltration affect every organization regardless of market segment and size. Many smaller firms will engage a virtual chief security officer (vCISO) to provide a fill-in leadership role on a per-contract basis to help with security strategy, best practices, and insight into vendor solutions. The vCISO brings experience and expertise at a lower cost than hiring a full-time security executive.
The vCISO has proven valuable to small and medium companies. However, cybersecurity requires full-time leadership to organize threat monitoring, incident response, and threat hunting.
Organizations face new compliance and security mandates every year. A vCISO or CISO is critical for an organization to understand the risk and implications of these new privacy and security mandates.
Privacy laws like Law 25 in Canada (which we discussed in our last two-part blog post, “Law 25 – Changing Privacy Compliance In Quebec”), CCPA in California, and GDPR in Europe establish organizational mandates for data access, protection, replication, and removal of personal data. vCISOs help organizations understand these mandates and provide the much-needed leadership to maintain compliance.
The Risk of the vCISO
Once a vCISO contract is complete, an organization that requires additional services later may get a different security executive. One vCISO may have expertise in compliance; others may have experience in SecOps and incident response. Rarely is there a handoff between vCISOs. Organizations must consider this potential risk when investing in a vCISO strategy instead of hiring a full-time executive.
Conclusion
As the calendar flips to 2023, cybersecurity experts and industry watchers are keeping an eye on several trends that have the potential to affect tech and security pros over the next year and impact how they approach their jobs and career aspirations. We’ve covered many of the trends that you will likely see grow in 2023. However, with the financial damages from cyber threats expected to top $10.5 trillion annually by 2025, according to one report, organizations of all sizes must invest more in technology and expertise to fend off more sophisticated attacks.
Further, economic and geopolitical uncertainty will add to the risks organizations face. It means CISOs and other security leaders must adjust their plans to meet security challenges and threats to their infrastructure and data over the next 12 months, said Lucia Milică, global resident CISO at security firm Proofpoint.
“The growing complexity of our interconnected digital systems, combined with the economic downturn has created a new type of worldwide systemic risk,” Milică told Dice.
These cybersecurity trends in 2023 are bound to heighten fear in organizations and push them to add to their security defense investments. Organizations are expected to spend more than ever, $100+ billion, on protecting their assets alone this year. As a matter of fact, according to Gartner, organizations will spend a collective $188.3 billion on information security and risk management products and services in 2023 on three transitionary megatrends: remote work, zero trust network access, and the cloud.