There is no shortage of cybersecurity predictions for 2023. Whether you read the lists from Security Magazine, Venture Beat's summary of Google's top six predictions, or SC Media's 2023 threat predictions, which worry that economic pressure will leave organizations less secure, each offers a different perspective. One common thread is clear, however: it has never been more important for organizations to protect their data with a robust data security and risk management plan.
In 2022, the average cost of a data breach for US companies reached a staggering $9.44M (IBM, Cost of a Data Breach Report 2022). Healthcare organizations were hit the hardest, at an estimated $10.10M per breach. Breaches caused by ransomware grew 41% year over year and took 49 days longer than average to identify and contain.
With those statistics in mind, the need for CISOs and board members to invest in cybersecurity and protect the data their organizations store is obvious, yet many are unprepared. A 2022 survey found that 50% of global CISOs still feel their organization is unprepared to handle a cyber attack, perhaps an indication of misalignment with executive teams.
CISOs must accept that it is not a question of if but when they will face a data breach; how they react to that breach is what determines how much damage it causes. So while it is important to learn from the past, busy CISOs should not lose time in looking forward and protecting an increasingly complex environment where a single breach could spell disaster.
Looking forward to cybersecurity trends in 2023
Cybersecurity is relevant to all businesses whether you are involved in healthcare, finance, or technology. All organizations must protect against relentless cybercriminals who are well-funded and constantly developing new ways of accessing your data. Now is the time to strengthen your cybersecurity program as you look forward to the year ahead.
Here are Ostendio’s top 8 cybersecurity trends to watch in 2023:
1. The value of a SOC 2 report
We predict that 2023 will see a continuing erosion of trust in the AICPA SOC 2 report, forcing companies to require their vendors and providers to request additional supporting evidence to demonstrate the strength of their data security programs.
This forecast is not a comment on the value of the SOC 2 report itself, but on the increasing number of platforms offering automated SOC 2 reports and claiming that a SOC 2 report can be completed in as little as two weeks. Leading SOC 2 auditors, such as Advanced 360 and Aprio, assert that a credible, in-depth data security report cannot be completed that quickly while maintaining the rigor and detail required to make it valuable. A SOC 2 Type 2 report in particular attests that controls operated over an observation period, which a two-week engagement cannot provide.
Unless the AICPA does more to maintain the integrity of the SOC 2 audit ecosystem, the value of the SOC 2 report will diminish and organizations will be forced to provide additional evidence to support their data security claims. They will look for alternative frameworks and platforms that support a more robust data security program, and where credible auditors can conduct legitimate due diligence.
[Read more: The Rise and Fall of SOC 2 audits]
2. Consolidation in the marketplace where only serious security platforms survive
The current market conditions, including economic headwinds and the proliferation of GRC and audit automation platforms currently in the market, will lead to a consolidation of platforms available as the current number cannot be supported. Expect to see some of the smaller automated platforms swallowed up by the bigger players, especially those with claims of “quick and easy” SOC audit automation.
As the market evolves past “compliance” toward operational security, only serious security platforms will survive. The data security and risk management platforms that can demonstrate reduced cost without sacrificing security will become the market leaders. CISOs and IT teams are looking for platforms that will grow with their organization and support multiple frameworks and standards for one price. “Simple and easy” will make way for “simpler but effective”.
3. CISOs and board members will increasingly be held accountable for data security practices
The FTC's recent action against Drizly, following its data breach, shows that the FTC may bring a complaint against both a corporation and its officers when the organization has failed to implement a data security program and follow basic compliance processes. By naming the CEO personally in the Drizly complaint, the FTC raised the bar for individual liability within the corporate hierarchy.
This will place greater importance on data security and risk management, and on the alignment of security officers such as CISOs with their executive teams and board members. 2023 will reinforce the criticality of information security and its seat in the boardroom, driving security operationalization throughout the organization.
“My job is to educate, train, and then maybe see if you still plug the USB drive in or click the link to a .RU site without asking first. NOT the other way round. We’re NOT the department of “No” however we are going to be the ones raising our hands asking the awkward questions. My preference is to do that RIGHT at the time you think about “hey, let’s do this…” as opposed to “hey, let’s turn this loose on the world.”
4. Industry-specific standards, regulations, and frameworks
Industry-specific standards, regulations, and frameworks are important because they help ensure the safety, quality, and consistency of products and services within a particular industry. Compliance with these standards can be a requirement for a company to operate within a specific industry or market. Following industry standards also helps companies to demonstrate their commitment to quality and safety, which can build trust with customers and other stakeholders.
There are many popular frameworks that organizations follow to demonstrate their adherence to security controls. These include HITRUST, SOC 2, the NIST frameworks, and HIPAA. Organizations doing business in certain countries or regions will have additional standards to adhere to, such as GDPR in Europe or the CPRA in California. It is important for organizations to understand the requirements of their industry while establishing their data security plan. In 2023, we expect to see organizations looking to show compliance with more than one standard or framework. This can be simplified with a security and risk management platform that allows evidence to be “crosswalked” from one standard to another when the controls are of a similar nature. Crosswalking works when the mapped controls share the same intent and the evidence satisfies each framework's specific wording; an auditor will still test against the requirement of the framework being certified. With that option available, organizations can save time and money while demonstrating their compliance programs.
5. The importance of security training for all employees continues in 2023
The 2022 Verizon Data Breach Investigations Report estimated that 82% of breaches involved a human element, whether deliberate or accidental, including social attacks, errors, and misuse. The importance of an effective data security training program for every employee is therefore clear. Organizations should implement a process, typically supported by a data security platform, that delivers training to every employee and tracks completion so the organization can show that training is complete and up to date. When completion is tracked and verifiable, it can be demonstrated in a security audit that the organization is taking security seriously.
6. Zero Trust
While the term Zero Trust has been around for a while and increasingly seems to be a trendy buzzphrase, there is a reason for its popularity. With the increasing number and variety of attack vectors, organizations must continue to focus on defense in depth, and zero trust is part of that. In a zero trust model, no request is trusted because of where it comes from: every access to a sensitive resource is authenticated and authorized on the identity of the user, the posture of the device, and the sensitivity of the resource, and privileges are kept to the minimum the task needs.
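The following is an added example, not code from Ostendio or a description of the Ostendio platform. It contrasts a perimeter model, which grants access because a request arrives from the “internal” network, with a zero trust decision in which each request is authorized on the caller's identity, the device's posture and the sensitivity of the resource. The resource tiers, role names, MFA freshness limits and posture checks are assumptions made for the illustration; the principals, devices and requests are constructed.

```python
"""Zero trust as a per-request access decision (illustrative example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")


def perimeter_decide(client_ip: str) -> bool:
    """The model zero trust replaces: network location is the only credential."""
    return ipaddress.ip_address(client_ip) in CORPORATE_NETWORK


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset          # roles asserted by the identity provider (assumed)
    mfa_age_seconds: int      # time since the last successful MFA challenge


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool             # enrolled in the organization's MDM/EDR (assumed)
    disk_encrypted: bool
    patched: bool


# Assumed policy: what each resource tier demands before access is granted.
POLICY = {
    "public":   {"roles": frozenset(), "mfa_max_age": None, "managed_device": False},
    "internal": {"roles": frozenset({"employee"}), "mfa_max_age": 12 * 3600, "managed_device": False},
    "phi":      {"roles": frozenset({"clinician", "phi-admin"}), "mfa_max_age": 15 * 60, "managed_device": True},
}


def zero_trust_decide(principal: Principal, device: Device, resource_tier: str,
                      client_ip: Optional[str] = None) -> Tuple[bool, str]:
    """Authorize one request and return (allowed, reason).

    client_ip is accepted only to make the point explicit: it is never
    consulted, so an "internal" source address buys nothing.
    """
    policy = POLICY.get(resource_tier)
    if policy is None:
        return False, "unknown resource tier: deny by default"
    # Least privilege: the caller must hold a role permitted for this tier.
    if policy["roles"] and not (principal.roles & policy["roles"]):
        return False, "no role permitted for this tier"
    # Identity is re-verified per request: stale MFA triggers step-up.
    max_age = policy["mfa_max_age"]
    if max_age is not None and principal.mfa_age_seconds > max_age:
        return False, "MFA too stale for this tier: step-up authentication required"
    # Device posture is part of the decision for sensitive tiers.
    if policy["managed_device"]:
        if not device.managed:
            return False, "unmanaged device"
        if not (device.disk_encrypted and device.patched):
            return False, "device posture check failed (encryption or patch level)"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: a clinician on an unmanaged laptop inside the office network.
    nurse = Principal("nurse01", frozenset({"employee", "clinician"}), mfa_age_seconds=60)
    laptop = Device("byod-7", managed=False, disk_encrypted=False, patched=True)
    print("perimeter model:", perimeter_decide("10.0.0.5"))
    print("zero trust:", zero_trust_decide(nurse, laptop, "phi", "10.0.0.5"))
```

The perimeter check says yes to the constructed request purely because 10.0.0.5 is inside the corporate range; the zero trust check denies the same request because the device is unmanaged, and would deny it again on the public internet or the office LAN alike if MFA were stale or the role were missing.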
7. The importance of an Incident Response Plan
$2.66M is the average data breach cost saving at organizations with an Incident Response team that regularly tested their plan, compared with organizations that had neither. Having an Incident Response plan is just the start: organizations need to run tabletop exercises on a regular basis to test the plan, and the Business Continuity plan alongside it, so that both will work when a breach occurs. The Ostendio Professional Services team has Business Continuity experts on hand to help clients prepare for tabletop exercises and run them with your team.
8. Understanding your cyber risk
CISOs should find a tool that covers all elements of a security program and helps them evaluate and manage the risks involved. At Ostendio, we look at your cybersecurity program from a holistic perspective.
Understanding cyber risk is a key 2023 recommendation from Robert Herjavec, a Shark on ABC’s Shark Tank and CEO of Cyderes. In a recent blog post, he says, “Speaking to your board about the technical part of security isn’t going to cut it. The context behind all of those technical pieces is increasing in value, with more and more CEOs and boards pushing their security leaders to explain the overall risk to the business. I truly believe we’re going to see enterprises double down on cyber risk management and look at their security posture with a more holistic perspective in the upcoming year.”
Of course, this requires the CISO and the CEO to be talking in the same language. In the Ostendio Risk Management White Paper we cover why this has historically been an issue and what CISOs need to change to communicate effectively.
[Read more: Building a Third Party Risk Management Program]
How Ostendio will collaborate with serious security professionals in 2023
In 2023, Ostendio celebrates the tenth year of the Ostendio platform and continues to work with expert audit firms and MSPs to bring clients the best partners available to complete their cybersecurity, data security, risk management, and compliance plans.
With an eye on the evolving cybersecurity industry, Ostendio will be launching a new module on the Ostendio platform, Compliance Manager. With the growing need for CISOs to track compliance on a departmental, geographical, or individual basis, the Compliance Manager module will help make data security audits run smoothly.
If you have any questions about establishing a data security or risk management program - expanding your existing program - or preparing for a complex security audit like SOC 2, ISO 27001, or HITRUST - speak to an expert at Ostendio.