Rational Cybersecurity New Year Update
Updating the public on cybersecurity trends is not a trivial matter. At least to me, it is a vast potential topic space. Let’s outline it here and communicate further in the New Year.
My World and Rational Cybersecurity
After a bit of a sabbatical, I popped my head up and noticed: WOW – 104,000 “accesses” to my Rational Cybersecurity book. By this measure, my open source approach has been a success! Please download the book if you haven’t already. I plan to continue my efforts to get it (“The Security Leaders’ Guide to Business Alignment”) out to those who need it, and that includes security architects, managers, and strategists as well as CISOs. Most of us need to be leaders at some point.
Trend Space #1: Expanding Scope
The expanding scope of cybersecurity is itself a trend. With Digital Transformation, all sorts of things take on information risk. War, finance, politics, commerce all have an information risk component…this isn’t news to you. But when things like privacy practices generate risks which can only be controlled by changing business processes like marketing, we have to think about our scope in new ways.
For example, as I moderated a panel at the Techvision Research Chrysalis conference last November, we noted increasingly adversarial domestic and international politics on social media. My colleague Fred Cohen asked: “Should the CISO be responsible for protecting the company against influence operations too?” The security organization doesn’t lead Digital Transformation, but it does have a role and responsibility to support it. Which brings us to Trend Space 2.
Trend Space #2: Governance and Organization
Expanding scope makes it more important than ever that businesses charter the security organization under the right “definition of security” and establish efficacious RACI [responsible-accountable-consulted-informed] arrangements. (I wrote a lot about this in Chapter 3 and Chapter 2 of the book, by the way.) We – security leaders – can best help if security is considered important enough that we get a seat at the table early enough in the decision process to get ahead of cyber-risks.
There’s evidence in recent surveys that Boards of Directors consider cybersecurity more “strategic” now than they did five or ten years ago. But keeping the trust of executives while leading security with integrity can be a difficult balancing act. In the last year, well-publicized governance failures at Uber and Twitter (where CISOs and other executives weren’t aligned) illustrate the magnitude of what can go wrong.
Meanwhile, look for tougher privacy pressures in 2023. According to the IAPP, state-level momentum for comprehensive privacy bills is at an all-time high in the U.S. Globally, regulations vary and tend to be even tougher. Fines and enforcement out of the EU and other jurisdictions are increasing. Organizations must address privacy as a cross-functional initiative built into software and business process design, not bolted on.
Security leaders should be mindful that taking on additional scope – while interesting and often helpful to the business – can lead to unfunded mandates. We’ll continue struggling to hire and retain people due to the skills shortage. Cybersecurity budgets grew during the pandemic’s easy money period, but harsh recession is possible in 2023. This could presage leaner years of security budgets – at least for some organizations.
Trend Space #3: Threat and Vulnerability Landscape
Ransomware, unabated, continues to be the most dangerous threat, as it often creates a trifecta of negative consequences: loss of critical IT systems’ availability, personal data breaches, and operational impairments to the business.
Organizations in sensitive geographical locations or industries face increased nation state attacks, especially from Russia, North Korea, and Iran. Industrial espionage and critical infrastructure proof-of-concept attacks from China resumed (after a brief pause during the later Obama period) against the U.S. and some other Western countries as trade disputes and the Taiwan question escalated. That governments of so much of the world’s land mass not only officially sanction cyberattacks against the West but also turn a blind eye to (or encourage) private cybercriminals acting against us from their territories is worrisome indeed. There are signs of stabilization in the U.S.–China relationship, but no near-term prospect of cyber-détente there – much less with the other countries mentioned.
Phishing emails continue to be the most common attack vector. Add to that the risk of supply chain attacks coming through third party access, and software supply chain issues from popular open source packages as well as vulnerable vendor software.
Trend Space #4: Tech Trends
As the threats grow more numerous, faster-acting, and more sophisticated, organizations require stronger security solutions that can’t all be provided in-house but must be outsourced to cloud services. When it comes to detecting or predicting many cyberattacks, as well as providing risk engines for authentication and policy enforcement, skilled resources are required, and for AI, bigger AI really is better.
Cloud-based security services also join premises-based identity management solutions to enhance zero trust and defense-in-depth architectures. These continue seeing more adoption by customers in light of expanded work-from-home attack surfaces and meshed, hybrid cloud data center topologies.
Zero trust, or least privilege, can be helpful in addressing supply chain risk, but what about the software supply chain? If developers rule the world and one can’t – nor wants to – over-control their creativity, then we need solutions that guard against open source vulnerabilities while enabling software reuse and API interconnection. Software bill of materials (SBOM) and low code/no code solutions show promise as approaches that enable application security.
Trend Space #5: The Market
Like a rising stock chart, the security market continues expanding with volatility, booms, and busts along the way. Notwithstanding my caution that recessions and budget cuts loom in 2023 and 2024, a recent report from McKinsey and Company sees a $150 billion security products market at only 10% penetration with an opportunity to expand to “a staggering $1.5 trillion to $2.0 trillion.” Hype? Maybe. The authors base their claim on doubling threat volumes for mid-sized companies from 2021 to 2022 as well as regulatory pressures.
McKinsey sees cloud security tools, solutions to increase log visibility and response, and outsourcing services aimed at the mid-market as the main areas of growth. To this I add solutions for identity management and least privilege (aka zero trust). The move of these same kinds of tools to the cloud, as well as the increasing need for AI/ML capabilities, favors large scale providers and drives market consolidation. However, frosty regional relationships and continuing venture capital investments in new security technologies and businesses ensure an ongoing flow of new market entrants and innovation. As always, smaller is nimbler!
Please check out the book. Maybe there’s a way that we could promote and expand some of those ideas for our mutual benefit. Also, if you have questions about anything in this post, please contact us. In the New Year, let’s be open to new opportunities.