Looking to automation, engaging offensive security, and making the business case for building a robust cybersecurity strategy will help security leaders mature their programs.
By Robert Herjavec, CEO of Cyderes
The cybersecurity threat landscape is vast, complex and ever-changing. It remains a certainty that the so-called attack surface – corporate networks, data, wireless systems and critical business processes – will continue to expand without letup at public and private companies alike. But for every measure there is a countermeasure, and so the deadly serious cat-and-mouse game continues.
The one thing that has not changed is the need to embrace constant change across the threat landscape. We are well into 2023 and already seeing shifts within cybersecurity and the economic landscape that affect security leaders.
We saw several predictions come to fruition in 2022:
Continued proliferation of identities: The complexity of digitally transformed enterprise environments – including a diverse set of endpoints, identities, and internal and third-party access points – has created more vulnerabilities and opportunities for threat actors. Identity compromise continues to be adversaries’ primary mode of attack.
Increasingly sophisticated attack techniques: From big game hunting (BGH) to the growth of ransomware-as-a-service (RaaS) and data leak sites (DLS), data extortion threat actors continue to innovate and evolve their tactics. New tactics such as Exmatter, discovered last year by the Cyderes special operations team, indicate that threat actors are actively in the process of staging and developing the capability to outright destroy rather than encrypt data.
An overwhelming volume of security alerts and talent challenges: The increased sophistication and frequency of cyber-attacks have created an unmanageable deluge of alerts. Coupled with the continued talent shortage, more enterprises are turning to outside providers to manage these alerts, and those providers are consolidating to provide more comprehensive cybersecurity support for their customers.
Then there are some events in 2022 that simply could not have been predicted. For instance, the Russian invasion of Ukraine placed cybersecurity at the forefront of global conversations as concerns of cyber warfare and attacks on critical infrastructure spread across Europe and beyond. Business leaders also began to speculate whether threat actors would be emboldened to attack targets with greater force and frequency amid the chaos.
Later in the year when Joe Sullivan, former CSO of Uber, was found guilty of obstruction of justice and concealment of a felony, there was a new precedent set for security leaders. Suddenly, CISOs faced the added consequence that they could be held personally responsible for breaches.
In fact, there is an increasing number of laws coming out that aim to add extra layers of governance and oversight of cyber risk. For example, the SEC proposed last year that it would require public companies to disclose a breach within four days. And the White House is doubling down on regulation for industries considered critical to national security.
We were already starting to see the perception of cybersecurity shift at enterprises of all sizes, with leaders embracing security initiatives at the board level rather than confining them to IT. But the events of 2022 and increased governance have expedited this shift. In fact, the National Association of Corporate Directors (NACD) now recommends that boards of directors include at least one member with an information technology background.
The reality is that security leaders are no longer siloed — they now have a very important seat at the table. But to truly drive impact within their organization, they must evolve to take a security-oriented approach to the business, focus resources more strategically, and make it a priority to connect with leaders from across the organization.
The Cyderes 2023 Cybersecurity Conversations Report is dedicated to the discussions we recommend you have with your executive teams to do just that, helping you mature your security program and stay ahead of the evolving threat landscape:
Look towards automation to modernize your SOC and focus resources on more strategic efforts: Continued digital transformation and mass cloud adoption have created a modern business environment centered around incredible amounts of data. This has created a challenging environment for information security professionals as they attempt to stay on top of threats amid so much added noise. Embracing automation can drive several key outcomes for your organization. When your security team isn’t bogged down managing an ever-increasing number of alerts, it is able to focus on higher-order tasks that deliver far greater impact.
Engage offensive security to identify your greatest risks and map your security strategy: In the year ahead, expect to see increased demand for penetration testing and red/purple team offensive security services. This comes as more organizations recognize the need to pivot to proactive and continuous methods for defending their attack surface from advanced threats. Offensive security allows enterprises to better prepare and protect enterprise IT infrastructure by closing gaps, improving controls and reducing risk. It also enables better quantification of risk, which is essential to determining the value of cybersecurity spending and managing its costs.
Make the business case for building a robust security program to your executive leaders: The first step in building your case for any investment in your cybersecurity program is to assess your current posture and identify what areas are in most critical need of improvement. Identify where you are today, what vulnerabilities exist, what your greatest risks are and what you need to do to mitigate those high-risk areas. Next, quantify the top risks likely to impact your organization. When you can put actual dollar values against the potential impact of specific risks in the event of a breach, your board will better understand how these initiatives add value to the organization.
Last year proved to be another year full of unexpected challenges and increased pressure on security leaders, but the events of the past year are putting us on the path to an even more secure, cyber-focused future.
Here’s to a (cyber) safe 2023.
About the Author
Robert Herjavec is CEO of Cyderes. He is a globally recognized motivational, business, and cybersecurity leader. For the past 14 years, Robert has been well known as one of the Sharks and executive producer of the Emmy-award winning hit show, Shark Tank. He is a successful, best-selling author and has appeared on stage with crowds from 50 to 20,000 people and with luminaries such as Tony Robbins and Oprah. For more information about Cyderes, go to https://www.cyderes.com/