The annual Cybersecurity Conversations Report serves as a guide for executive-level cybersecurity conversations, showcasing the trends and challenges we expect to be top-of-mind for security leaders in the coming months and ways to drive the conversation around cybersecurity within your enterprise.
In last year’s annual Cybersecurity Conversations Report, we emphasized the need to embrace constant change across the threat landscape – this is the only thing that has not changed!
Despite the rapid growth of cyber threats and a shifting economic landscape, we did see several predictions from last year’s report come to fruition in 2022:
- Continued proliferation of identities: The complexity of digitally transformed enterprise environments – including a diverse set of endpoints, identities and internal and third-party access points – has created more vulnerabilities and opportunities for threat actors. Identity compromise continues to be adversaries’ primary mode of attack.
- Increasingly sophisticated attack techniques: From big game hunting (BGH) to the growth of ransomware-as-a-service (RaaS) and data leak sites (DLS), data extortion threat actors continue to innovate and evolve their tactics. New threat tactics such as Exmatter, discovered last year by the Cyderes special operations team, indicate threat actors are actively in the process of staging and developing the capability to outright destroy rather than encrypt data.
- An overwhelming amount of security alerts and talent challenges: Increased sophistication and frequency of cyber-attacks have created an unmanageable deluge of alerts. Coupled with the continued talent shortage, more enterprises are turning to outside providers to manage these alerts, and those providers are consolidating to provide more comprehensive cybersecurity support for their customers.
While the assertions in last year’s report held true in many regards, some events simply could not have been predicted. For instance, the Russian invasion of Ukraine placed cybersecurity at the forefront of global conversations as concerns of cyber warfare and attacks on critical infrastructure spread across Europe and beyond. Business leaders also began to speculate whether threat actors would be emboldened to attack targets with greater force and frequency amid the chaos.
Later in the year, when Joe Sullivan, former CSO of Uber, was found guilty of obstruction of justice and concealment of a felony, a new precedent was set for security leaders. Suddenly, CISOs could face the added consequence of being held personally responsible for breaches.
In fact, there is an increasing number of laws coming out that aim to add extra layers of governance and oversight of cyber risk. For example, the SEC proposed last year that it would require public companies to disclose a breach within four days. Four days! Not only that, but the White House is also doubling down on regulation for industries considered critical to national security.
We were already starting to see the perception of cybersecurity shift at enterprises of all sizes, with leaders embracing security initiatives at the board level rather than confining them to IT. But the events of 2022 and increased governance have further expedited this shift. In fact, the National Association of Corporate Directors (NACD) now recommends that boards of directors include at least one member with an information technology background.
The reality is that security leaders are no longer siloed — they now have a very important seat at the table.
To truly drive impact within their organization, however, they must evolve to take a security-oriented approach to the business, focus resources more strategically and make it a priority to connect with leaders from across the organization.
This year, our Cybersecurity Conversations Report is dedicated to the conversations we recommend having with your executive teams to do just that, helping you to mature your security program and stay ahead of the evolving threat landscape.
- Look towards automation to modernize your SOC and focus resources on more strategic efforts
- Engage offensive security to identify your greatest risks and map your security strategy
- Make the business case for building a robust security program to your executive leaders
Last year proved to be another year full of unexpected challenges and increased pressure on security leaders, but the events of the past year are putting us on the path to an even more secure, cyber-focused future. The cyber industry is one of the most resilient, innovative communities I’ve ever been a part of – I have full confidence we will rise to the challenge of building safer, more secure enterprise organizations. I can’t wait to see what we’ll accomplish in 2023.
To Your Success,
I’ve been in infosec for over 30 years and have had the great privilege of evolving and learning as a cybersecurity executive in a space I love. This blog has been set up to help me share the insights I’ve gained and experiences I’ve had with all of you. Every month I will post some advice and recommendations for my fellow Cyber CEOs – from current events to forecasted trends, and enterprise security best practices.
Let’s collaborate and communicate as we strive to keep our organizations (cyber) safe.