Build Cyber Resiliency With These Security Threat-Mitigation Considerations

The past few years have been a bumpy ride all around. 2022 was supposed to be a breather for CISOs as the uncertainty surrounding the pandemic largely subsided. Sadly, they found themselves coming to terms with the new “never normal” instead.

A soaring cost of living, geopolitical conflicts, a catastrophic climate crisis, and a rapidly evolving regulatory environment will all shape the cybersecurity landscape this year. Newer threats have emerged and older ones have evolved. Critical infrastructure, public service delivery, and people’s privacy all seem to be in the line of fire. And with ongoing digital transformation initiatives, exponential data growth, limited funds, and a persistent skills shortage, CISOs and their teams, it seems, are barely holding it together.

Waypoints on the Path to Action

Keeping up with emerging threats and challenges in 2023 can help organizations get on the path to developing a coherent security strategy.


1. Cyberattacks increase, tactics evolve:

Ransomware incidents dropped by 34% earlier in 2022, only to roar back with a vengeance. Ransomware has evolved into double and triple extortion: encryption is now paired with data theft and the threat of leaking it, and then with denial-of-service attacks against the victim. We’ll see an uptick in stolen data being sold on Dark Web forums and later being used in highly targeted phishing attacks.

The underground cybercrime landscape is also shifting from cybercrime-as-a-service to cyber mercenaries for hire. Expect cybercriminals and nation-state actors to hire highly skilled cyber mercenaries for narrowly scoped tasks that can lead to major attacks and breaches. These attacks will be highly impactful but, with the sponsor one step removed from the operator, extremely hard to attribute.


2. Supply chain risks balloon:

Supply chain security risks quickly bleed into the business side of operations, often bringing them to a halt. These risks will likely balloon this year as businesses outsource the infrastructure, applications, and services they need to multiple cloud and software-as-a-service (SaaS) vendors. With so many external providers and partners, attackers will target the weakest of them as the easiest path into their customers.


3. Data-well poisoning attacks emerge:

Artificial intelligence-powered systems depend on the integrity of the data they’re fed to make sound decisions. As businesses get real with AI in 2023, data will become an invaluable asset as well as a liability.

Cybercriminals will target the data wells that feed training and decision pipelines, inserting or altering records so that the systems built on them make rogue decisions. Beyond confidentiality and availability, data integrity is now at risk.
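The integrity risk described above is concrete enough to show in code. The following is an added example, not code from the article or from any vendor it mentions. It assumes the data well is a list of labelled JSON records, that the data owner holds an HMAC key (the hypothetical `OWNER_KEY`) which the systems able to write to the data store do not, and that a consumer verifies every record against an owner-sealed manifest before training on it. A poisoned record (a flipped label, constructed here) fails verification, an added or deleted record trips the count check, and a manifest rebuilt by the attacker is rejected because its HMAC does not verify.

```python
"""Added example: tamper-evident manifest for a training dataset.

Assumptions (not from the article): records are JSON objects, the manifest
is an HMAC-SHA256 over the list of per-record SHA-256 digests, and the HMAC
key is held by the data owner rather than by whatever can write to the data
store. Anyone who can alter the data well without the key cannot produce a
matching manifest, so poisoned records are rejected before training.
"""
import hashlib
import hmac
import json

# Constructed sample "data well": labelled records a model would be trained on.
CLEAN_RECORDS = [
    {"id": 1, "text": "transfer approved by two signers", "label": "benign"},
    {"id": 2, "text": "login from new device at 03:14", "label": "suspicious"},
    {"id": 3, "text": "password reset requested", "label": "benign"},
]

# Hypothetical data-owner key; in practice fetched from a secrets manager,
# never stored next to the data it protects.
OWNER_KEY = b"example-owner-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so equal records hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict) -> str:
    """SHA-256 of the canonical form of one record."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(digests, key: bytes) -> str:
    """HMAC over the ordered digest list; binds content, order and count."""
    return hmac.new(key, "\n".join(digests).encode(), hashlib.sha256).hexdigest()


def build_manifest(records, key: bytes) -> dict:
    """Data-owner side: list per-record digests and seal them."""
    digests = [record_digest(r) for r in records]
    return {"count": len(digests), "digests": digests, "tag": seal(digests, key)}


def verify_dataset(records, manifest: dict, key: bytes) -> list:
    """Consumer side: return the indices of records that fail integrity.

    Raises ValueError if the manifest itself does not verify or the record
    count changed, so a rewritten manifest cannot bless rewritten data.
    """
    if not hmac.compare_digest(seal(manifest["digests"], key), manifest["tag"]):
        raise ValueError("manifest tag mismatch: manifest forged or altered")
    if len(records) != manifest["count"]:
        raise ValueError("record count changed: records added or removed")
    return [
        i for i, r in enumerate(records)
        if not hmac.compare_digest(record_digest(r), manifest["digests"][i])
    ]


def poisoned_copy(records) -> list:
    """Constructed attack: flip one label so the model learns the wrong thing."""
    tampered = [dict(r) for r in records]
    tampered[1]["label"] = "benign"
    return tampered


if __name__ == "__main__":
    manifest = build_manifest(CLEAN_RECORDS, OWNER_KEY)
    print("clean failures:", verify_dataset(CLEAN_RECORDS, manifest, OWNER_KEY))  # []
    print("poisoned failures:",
          verify_dataset(poisoned_copy(CLEAN_RECORDS), manifest, OWNER_KEY))  # [1]
```

The HMAC, rather than a bare list of hashes, is what makes this hold: a poisoner with write access to the store could otherwise rewrite the manifest alongside the data. The check is only as strong as the separation between the key and the write path. For datasets shared across organizations, a public-key signature over the same digest list plays the same role without sharing a secret.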


4. Tech, threat, and regulatory environments continually change:

Threats are evolving, and so is the regulatory landscape. General and country-specific regulations will compel organizations to ensure ethical data collection, storage, and use. These changes will likely keep CISOs on their toes, trying to preserve the controls that already work while leaving enough flexibility to accommodate new requirements.

Creating a Business-Based Security Strategy

Here’s what organizations in general need to focus on to create a security strategy that can steer them through what looks set to be a challenging year for security, the economy, and trade.


1. Aligning security with business strategy:

CISOs are responsible for making clear to business executives that cybersecurity is a business risk, not just an IT issue. As boards determine a business’s strategic direction, CISOs must incorporate security into that process. To do that, cyber-risk should be a standing item on the board’s agenda.

A CISO who frames the security strategy around the organization’s goals probably won’t have to chase after the board for security funds and resources.


2. Building cyber resiliency:

Cyber resiliency is an organization’s preparedness to deal with the impact of threats that can’t be predicted or prevented. The first step to achieving cyber resilience is to adopt a governance framework for monitoring cyber activities, including partner collaborations and relevant regulatory changes. Organizations must also develop cyber situational awareness through cyber threat intelligence gathering, analysis, and sharing.

Next, they should identify and prioritize critical assets and continually re-evaluate them as their value changes. Based on the insights they gather, they need to plan and rehearse for the incident scenarios that matter most. Rehearsed incident-response plans can cut the cost of a data breach almost in half.


Building cyber resilience is an ongoing process because threats evolve, businesses mature, and the value of different assets changes. By keeping up with the process, organizations can prevent, detect, and respond to emerging threats and their aftermath promptly and effectively.


3. Determining cyber-risk tolerance:

Organizations need to determine and define their risk tolerance regarding cyber-loss incidents. That also involves evaluating the dependencies, stability, and security of external partners and providers. Monitoring and protecting assets and data is not about boiling the ocean. It’s about starting small, being very specific in identifying critical data elements, and then ensuring their security and integrity at all stages of the data life cycle.

A similar, selective approach should work for addressing changes in regulatory and compliance requirements, too. Organizations don’t have the time or resources to do it all. They must identify what matters and make changes selectively based on their strategic business goals.

Addressing cyber-risks isn’t a static process. Security teams know it, and boards must realize it too. The world of work is changing, and policies and procedures will have to reflect that. This rapidly evolving work and security environment can cause cyber fatigue and mental health challenges. Organizations must prioritize employees’ education, satisfaction, and mental health. Otherwise, a surge in insider threats will land on top of everything else.
