The New Year is always a time of reflection for me. Every year, I gather any family and friends that are staying with us and make them all write down their goals for the next year – what they want to achieve, what they’re focusing on, what will change, etc. Then we mail it to ourselves and open them the following New Year’s Eve. It’s a good way to keep yourself accountable and truly reflect on what you’ve accomplished over the last 12 months.
As technology leaders, this can be a particularly interesting exercise. Tech changes a lot. Sometimes the goals we set out to achieve at the start of the year are put on the back burner because we have to respond to new, unprecedented threats, adapt to shifting business priorities, etc.
Change is inevitable. Our ability to evolve – embrace changing, adapting, and expanding – is what will define your success.
While we may not yet know what will define the year ahead, the writing is on the wall: Cyber risk management and resilience are taking center stage.
A new era of cyber oversight and regulations
When Joe Sullivan, former CSO of Uber, was found guilty of obstruction of justice and concealment of a felony, there was a new precedent set for security leaders. Suddenly, CISOs face the added consequence that they could be held personally responsible for breaches.
In fact, there are lots of laws coming out that aim to add extra layers of governance and oversight of cyber risk. The one that blew my mind was one that the SEC proposed last year that would require public companies to disclose a breach within four days.
To me, I can’t even say it with a straight face. How many companies have the ability to even know they were breached in four days? The average lateral attack within an enterprise – the average time that they had been breached before becoming aware of the issue – was six months. That was the average.
If this regulation is passed – and it looks like will be – it’s going to be a truly monumental shift. These shifts are changing the way leaders think and speak about security. Executives are now saying, hang on a second – if I don’t disclose properly, my people could have criminal liability, whether they intended to or not.
Cyber risk management and resilience take center stage
All of this is making large companies rethink the concept of risk. The language of cyber has fundamentally changed, with security moving away from being solely a security business to now becoming a risk-based business.
Hear more on this topic from my recent keynote at the 2022 Qualys Security Conference
Speaking to your board about the technical part of security isn’t going to cut it. The context behind all of those technical pieces is increasing in value, with more and more CEOs and boards pushing their security leaders to explain the overall risk to the business. I truly believe we’re going to see enterprises double down on cyber risk management and look at their security posture with a more holistic perspective in the upcoming year.
Yes, security programs will always focus on protecting against cyber threats. But we can also expect an increased focus on cyber resilience, which also considers what recovery and continuity looks like in the event of a breach. How will you not only protect against an attack, but also mitigate the impact and continue operations in the event of a breach? What are the people, processes, and technologies needed to ensure your enterprise is truly resilient?
To Your Success,
I’ve been in infosec for over 30 years and have had the great privilege of evolving and learning as a cybersecurity executive in a space I love. This blog has been set up to help me share the insights I’ve gained and experiences I’ve had with all of you. Every month I will post some advice and recommendations for my fellow Cyber CEOs – from current events to forecasted trends, and enterprise security best practices.
Let’s collaborate and communicate as we strive to keep our organizations (cyber) safe.
Take the first step in transforming your cybersecurity program
Enterprise security teams are adapting to meet evolving business needs. With six global Security Operations Centers, emerging technology partners and a dedicated team of security specialists, Cyderes is well-positioned to be your organization’s trusted advisor in cybersecurity. We’ll help you understand your risk exposure, increase your visibility and ROI, and proactively hunt for the latest threats.
