2023 Is the Year of Risk: 5 Ways to Prepare

In 2022, we saw a large number of cyberattacks and breaches that affected both companies and countries, driven primarily by accelerating innovation by threat actors and continued diversification of the threat actor economy. While many technical responses have been proposed, the policy responses pose the harder problem: companies will need to comply with public policy decisions despite challenging macroeconomic conditions and a persistent shortage of skilled cybersecurity professionals.

In short, 2023 will be the year of risk.

1. Anticipate org chart changes and more collaboration with the C-suite.

Pending regulatory changes require that the CISO be independent, and this independence will likely require organizational chart changes, as CISOs have historically reported to the CIO, CTO, or another senior executive with a background in technology.

This frequently creates an implicit conflict of interest when budget and staffing decisions arise, as the incentives of the CIO or other senior executives do not necessarily align with the goals of the CISO. In 2023, CISOs should prepare to be adequately independent and to have good visibility into the management of cyber-risk. Being independent includes the responsibility of setting staffing and budgets for approval by a committee, rather than providing a cybersecurity budget line item as part of another senior executive's larger budget for the year.

2. Be ready to answer more risk-related questions from the board.

Boards want more oversight of cyber-risk. In 2023, organizations should plan on inviting their CISO to a board meeting (and on being somewhat forgiving of that first meeting with CISOs who come from a technical background). While not all board members need to understand cybersecurity, all CISOs (or CIOs, or whoever presents to the board) need to be able to speak to the board in the language of risk in order to communicate status effectively, learn about larger initiatives, and ask for assistance or perspective when needed. Although this will be a new requirement for publicly traded companies, privately held companies should strongly consider adopting this change to reporting as well.

3.

and as a result, be more diligent about communicating risk.

Companies should track the risk of noncompliance and be able to describe the risk management plans associated with it. Depending on the specific regulatory body, civil and criminal penalties are potential outcomes, as are congressional hearings and reputational damage.

Companies that have DFARS requirements, particularly those with CMMC Level 2 control requirements, carry the dual risks of noncompliance leading to denial of future Department of Defense contracts and of whistleblower actions under the False Claims Act. As a result, CISOs will need to be consistent and persistent about communicating the status of their risk and compliance posture.

4. CISOs will need to invest in internal assessments as more security breaches hit the news.

Cybersecurity breaches were a hot topic in 2022, with several high-profile cases making national headlines. For example, the Federal Trade Commission (FTC) took action against online alcohol marketplace Drizly, and its CEO, Cory Rellas, for cybersecurity failures affecting over 2.5 million consumers. Notably, the FTC specifically named and sanctioned Rellas personally, a new move for the agency. This change in posture may indicate a larger shift toward enforcement at the FTC, particularly for organizations that don't have adequate controls around the protection and disposition of consumer data.

One lesson carries across these stories: the importance of effective internal assessments, which are critical tools for finding weaknesses in your security program and for ensuring that those weaknesses are actually fixed. We predict a sharp increase in investigations with adversarial discovery in 2023 as companies watch these major news stories play out in real time.

5. SMBs should consider increasing security control monitoring to avoid cyberattacks.

Smaller companies are more vulnerable to cyberattacks, but why? Simply put, they don't have the budget or resources to combat ransomware attacks, which is why they are a high priority for threat actors.

More controls in place means more processes for maintaining those controls, which results in more manual work that IT security professionals must handle. For example, SMBs will need to map the legalese of GDPR's breach-notification requirements (Article 33's 72-hour notice to the supervisory authority and Article 34's notice to affected data subjects) to concrete controls, or quickly find the relevant safeguard in CIS Control 3 (Data Protection) to help with data disposal.

IT, security, and risk management professionals will need to better collect and organize their evidence in preparation for applications and renewals of their cyber insurance policies. They might also consider a tool that enables them to link risks to controls in order to decide how much coverage they actually need.

About the Author

Kayne McGladrey

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity, has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses on individuals, companies, and the nation.
