Cybersecurity considerations 2023

Digital trust is finding its way onto Board agendas as privacy, security and ethics debates gain momentum — partly driven by regulation and partly by public opinion. The future success of any digitally enabled business is built on digital trust — cybersecurity and privacy are vital foundations for that trust. CISOs must be prepared to help the Board and C-suite create and maintain the trust of their stakeholders if they are to create a competitive advantage. Realizing this potential requires a collective commitment from all stakeholders.

Embedding security within the business in a way that helps people work confidently, make productive choices, and play their part in protecting the organization must be a key, albeit often elusive, CISO objective. It’s too easy for people to see security as an impediment, and only by considering security from both human and business-centric perspectives can CISOs hope to change this mindset.

It’s no surprise that business operating models have fundamentally changed over the last decade — becoming more fluid, data-centric, connected ecosystems of internal and external partners and service providers. In this distributed computing world, to help reduce the blast radius of any potential outages or breaches, CISOs and security teams must adopt very different approaches, such as zero trust, Secure Access Service Edge (SASE) and cybersecurity mesh models.

Gone are the days when security teams focused solely on the security of their organization’s IT systems. CISOs need to understand when to hit the brakes, when to press go on outsourcing cybersecurity efforts and determine what skills to keep in-house today and in the future. Security has become a business priority, delivered through a shared responsibility model between the organization and service providers.

In the race to innovate and harness emerging technologies, concerns over security, privacy, data protection and ethics, while gaining more attention, are often ignored or forgotten. Left unchecked, this negligence could lead businesses to sabotage their potential, especially with new AI privacy regulations on the horizon.

Businesses across virtually every industry are shifting to a product mindset — focusing on developing network-enabled services and managing their supporting devices. CISOs and their teams are getting pulled into discussions with engineering, development and product support teams as organizations realize product security matters too.

The time from initial compromise to enterprise-wide ransomware activation is shrinking. Increasingly, rogue and state-sponsored attackers can penetrate systems with automated tooling and accelerate the exploitation of systems. Security operations should be optimized and structured to fast-track the recovery of priority services when an incident occurs, which can reduce the impact on clients, customers and partners.

Every security system is flawed. There is an air of inevitability that, at some point, an organization will suffer an incident, large or small, and likely more than one. Regulators are increasingly focusing on plausible scenarios and pushing companies — particularly those in strategically important industries like energy, finance, and health care — to be resilient and position themselves to recover.