Simplify to Survive: How Organizations Can Navigate Cyber-Risk

Managing the “polycrisis” was the issue on everyone’s mind at the World Economic Forum in Davos this year and, with cyber-risks emerging as the third-highest risk to growth for CEOs, navigating the cyber landscape in 2023 is high on the agenda.

New cyber threats continue to emerge, including the rise of state-backed cybercrime and the uncertainties posed by emerging technologies, such as quantum computing, artificial intelligence (AI)/machine learning (ML), 5G, and the metaverse. This comes on top of the struggles companies already face defending themselves against long-established vulnerabilities like business email compromise, ransomware attacks, and supply chain software risk.

At the same time, penalties for compliance failures are getting harsher as the regulatory screws tighten, notably the European Union’s Digital Operational Resilience Act (DORA) and NIS2 Directive, Australia’s amended Security of Critical Infrastructure Act, as well as a whole new suite of cybersecurity regulations in the US. The economic crunch, meanwhile, is putting the brakes on cyber budgets.

Paradoxically, this more complex, volatile cybersecurity environment means that to survive the year ahead relatively unscathed, companies must radically simplify and streamline, by rationalizing their architecture, technology stacks, and decision-making.

A technology declutter is required. Our research has found that most organizations use only 10% to 20% of the technology they own, while continuing to pay higher license costs for technology that they have not leveraged for other business needs. Pressure on cyber budgets can provide an opportunity to review and rationalize. This could also help identify and eliminate the sharp edges and risks that come with a multilayered software, application programming interface (API), and technology stack, coupled with the fact that more and more cyber technology is being bundled with cloud licenses, making a strong economic argument for consolidation.

Companies are likely to shift more cybersecurity to managed services providers, especially to fill the human resources and skills gap. There are cost savings here too, and, in addition, managed services providers typically have better access to talent, thanks to the more varied projects they offer, compared with a cyber role within the four walls of individual companies, especially if the company is in a sector perceived as humdrum or conventional.

Keep It Simple

Simplification isn’t just a technology story, though. The C-suite will need to put in place more simplified and streamlined decision-making processes to be utilized during a cybersecurity incident, such as securing board-level approval for corporate ransomware policies and thresholds for payment, if any, allowing the leadership team to take swift action when a crisis hits. Governance and operating models for cybersecurity can also be simplified, by leveraging existing forums for cybersecurity decision-making, such as the safety committee, as well as, of course, the audit and risk committee.

Simplification will not just be an imperative for the companies that consume cybersecurity products and services. The vendor landscape will also consolidate as the technology companies themselves make more acquisitions. “Cyber suite” providers will be the winners in the year(s) ahead, as opposed to the many point-solution startups and companies offering firewalls, monitoring software, data protection software, email security, and the like.

Simplification will make companies more adaptive and pragmatic. It will support a shift from a complexity-inducing approach, created when cyber leaders try to invest in and uplift every control, and thereby create a spray of projects, to an adaptive approach that works backward from core risks and sets companies up to move swiftly when attacks strike. Simplification will result in operational efficiencies, reduced technology and infrastructure overhead, and ultimately the ability to respond to cyber threats more quickly.

Cyber leaders should address this simplification requirement by taking an inventory of the assets they currently use and maximizing the capabilities of technology stacks they own, especially in conjunction with a move to cloud. Going forward, they should limit new investment in niche solutions that only address single cyber use cases. Broadly, decision-makers should take a risk-based approach to uplifting controls, prioritizing those that manage the risks they face, rather than those that have been identified as weak during an audit. Finally, they should simplify and consolidate cyber incident response processes with other crisis management processes that exist in the organization.


The year ahead will not be easy for cyber teams. The best defense is to build an organizational infrastructure that is nimble and adaptive. That starts with simplifying.
