We recently had the chance to discuss the top trends prediction for 2023 issued by Gartner and what these may mean for CISOs. The trends are below:
- Consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP.
- Most enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform.
- 60% of organizations will embrace zero trust as a starting point for security by 2025. More than half will fail to realize the benefits.
- By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
- Through 2025, 30% of nation-states will pass legislation that regulates ransomware payments, fines and negotiations.
- By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties.
- By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive.
- By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts.
These showed several themes: internal pressures, external changes and solution adoption.
CISOs need to be aware of the pressures that may come from inside the business. C Level executives having risk related elements in their employment contracts (8) may result in a higher focus on Risk management. This may benefit CISOs to position cyber security as part of the Risk calculation and perhaps unlock more support for risk reduction initiatives.
Aligned is the concept of a culture of organisational resilience being mandated by CEOs (7). CISOs now talk about culture change in cyber security, making business colleagues identify as part of the overall security of the organisation. This may now include resilience. Again, this may provide a vehicle for change for CISOs.
Risk as a factor when assessing whether to do business with third parties (4) will highlight the third-party dependency issues that now concern CISOs. The perimeter is now long gone; security extends beyond the organisational remit of the CISO. The ability to understand and collaborate with third party security will become n increasing requirement. There is a downside for CISOs. Many are already burdened with the need to report on compliance and audits. This may increase as requests come in from business partners, current and potential, on the organisation’s cyber security posture.
Related to compliance and reporting is the issue of Privacy. It is predicted the consumer privacy will increase to cover most countries (1). This may require additional focus on the extent and scope to which Privacy is reported. Many CISOs address this already due to requirements such as GDPR. This may provide a strong basis to move forward. CISOs have seen Privacy as a positive. “Do you really need that data?” is a question often asked. Organisations can reduce the amount of unwanted data stored and needing security.
Responding to attacks and the relentless change in tactics is an additional trend. Payments for ransomware is contentious. From the morale, legal and practical aspects of making payments. If this becomes regulated (5) it may provide a clearer basis for decision making. Perhaps it may provide a for of deterrent for attacks. If the victim cannot pay why attack them? Perhaps this is just wishful thinking. On the negative side attackers may increase the capability of their tools in the operational technology environment with extreme impact (6). A current area of concern for CISOs that may increase in focus.
On a positive side a majority of organisation will adopt zero trust as a starting point for their security (3). However, many will not gain the benefits. CISOs are now increasing addressing the organisational and cultural change required to make Zero Trust succeed and realising it is not just about the technology. There are clear benefits that have been identified in Cisco research papers1. CISOs are looking to introduce new consolidated technologies in web, cloud services and private application access (3). This may reduce tech debt, enable smoother operational management, centralised policy control and better reporting.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels