Moving into 2023, organizations and their security teams face compounding and troubling problems in the cyber landscape. Increasingly complex environments are contributing to growing attack surfaces and IT management difficulties. Simultaneously, security threats are increasing in volume, frequency, and sophistication. This has created an environment where organizations must get security right every time, while bad actors only have to break through once.
The numbers aren’t pretty. The global average cost of a data breach increased by 2.6% from $4.24 million in 2021 to $4.35 million in 2022, representing a constant and significant risk to business continuity.
With stakes this high, it is critical to understand how organizations can strengthen their security posture in the face of these challenges and risks. Here are five key priorities that organizations must build into their cyber plans for 2023.
1. Assessing risk: prepare and prioritize
Not all cyber threats are equal. Some are minor with limited potential impact. Some could take down your core systems and interrupt business. So you need to manage cybersecurity as you would manage any other business risks: by prioritizing threats that pose the greatest risk to your operations and ability to produce value. This requires a programmatic and operational approach to cyber protection. People, processes, and technology need to work together effectively.
It is important to recognize that purchasing cybersecurity tools is not the same as having an effective cybersecurity program. A programmatic approach starts with building out the processes by which you will regularly identify the assets that are most valuable and vulnerable. With this understanding, you can develop an efficient program that focuses resources where they most effectively reduce cyber risks.
2. Data analytics and automation for scale and speed
Companies should always start by defining their risk profile and ensuring that their cybersecurity program is aligned with it. That enables the ITOps and Security teams to focus where it matters and to proactively shore up their security posture in the areas of greatest risk.
Given the sheer volume of threats, most organizations have no way to do this without data analytics: ingesting large volumes of security and operations telemetry and using analytics to discover patterns that indicate situations that could turn into significant incidents. Analysts can then investigate and resolve those before they become critical incidents. Analytics also helps filter out the vast quantity of noisy alerts.
Few organizations have or can hire the staff to track down everything, so the key is to make everyone you have more effective. One way to do that is to automate tedious and repetitive tasks (typically the so-called Level 1 and Level 2 analyst work) so analysts can identify and respond faster to issues that are real risks. Instead of handling an overwhelming load of alerts, security teams can immediately respond to prioritized situations and focus on higher-level tasks.
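To make the analytics-and-automation point concrete, here is an added example that is not part of the original article: a small triage routine that collapses duplicate alerts, auto-closes a known-noisy rule on low-value assets, and scores what remains by severity weighted by asset criticality, so the analyst queue reflects the risk prioritization described under priority 1. The alert line format, the asset criticality weights, the rule names, and the sample alerts are all constructed for this illustration.

```python
"""Added illustration: risk-based alert triage with deduplication and noise suppression.

Everything below (log format, asset weights, rule names, sample alerts) is an
assumption constructed for the example, not data or code from the article.
"""
from collections import defaultdict
import re

# Constructed sample telemetry, one alert per line:
#   <timestamp> host=<name> rule=<detection rule> sev=<1-5> msg=<free text>
SAMPLE_ALERTS = """\
2023-01-05T08:00:01Z host=web-01 rule=failed_login sev=2 msg=5 failed SSH logins from 203.0.113.9
2023-01-05T08:00:02Z host=web-01 rule=failed_login sev=2 msg=5 failed SSH logins from 203.0.113.9
2023-01-05T08:00:03Z host=web-01 rule=failed_login sev=2 msg=5 failed SSH logins from 203.0.113.9
2023-01-05T08:01:10Z host=db-01 rule=new_admin_user sev=4 msg=local admin 'svc_tmp' created
2023-01-05T08:02:00Z host=laptop-17 rule=usb_insert sev=1 msg=removable media attached
2023-01-05T08:03:30Z host=db-01 rule=ransomware_ioc sev=5 msg=mass rename to *.locked observed
2023-01-05T08:04:00Z host=laptop-17 rule=failed_login sev=2 msg=3 failed logins
2023-01-05T08:05:00Z host=web-01 rule=usb_insert sev=1 msg=removable media attached
"""

# Assumed asset criticality from the risk assessment (priority 1):
# 1 = commodity endpoint, 3 = production database. Unknown hosts default to 1.
ASSET_CRITICALITY = {"db-01": 3, "web-01": 2, "laptop-17": 1}

# Assumed known-noisy rules that are auto-closed unless the asset is critical
# (priority 2: remove noise rather than just counting it).
NOISY_RULES = {"usb_insert"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) rule=(?P<rule>\S+) sev=(?P<sev>\d) msg=(?P<msg>.*)$"
)


def parse_alerts(text):
    """Parse alert lines into dicts; malformed lines are skipped rather than fatal."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sev"] = int(rec["sev"])
        alerts.append(rec)
    return alerts


def triage(alerts, criticality=ASSET_CRITICALITY, noisy=NOISY_RULES):
    """Deduplicate by (host, rule), suppress noise, and score by severity x asset weight.

    Returns (queue, suppressed): queue is sorted by descending risk score, then
    by first-seen time; suppressed counts raw alerts folded away from the queue.
    """
    grouped = defaultdict(list)
    for a in alerts:
        grouped[(a["host"], a["rule"])].append(a)

    queue, suppressed = [], 0
    for (host, rule), group in grouped.items():
        weight = criticality.get(host, 1)
        suppressed += len(group) - 1  # repeats collapsed into a single queue item
        if rule in noisy and weight < 3:
            suppressed += 1  # whole group auto-closed on a low-value asset
            continue
        queue.append({
            "host": host,
            "rule": rule,
            "count": len(group),
            "first_seen": group[0]["ts"],
            "score": group[0]["sev"] * weight,
        })
    queue.sort(key=lambda q: (-q["score"], q["first_seen"]))
    return queue, suppressed


if __name__ == "__main__":
    queue, dropped = triage(parse_alerts(SAMPLE_ALERTS))
    print(f"{dropped} raw alerts suppressed; {len(queue)} items for analysts:")
    for item in queue:
        print(f"  score={item['score']:>2}  x{item['count']}  {item['host']}  {item['rule']}")
```

On the constructed input, eight raw alerts become four queue items, with the two database events at the top and the endpoint brute-force attempt at the bottom; the point is that the ordering comes from asset value as much as from rule severity, which is what ties the analytics layer back to the risk assessment.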
3. Build an expert security team both internally and externally
Any IT or cybersecurity professional can confirm that the talent gap is real. Many organizations feel overwhelmed by their inability to hire more experts. The reality, however, is that hiring more people alone can’t solve the cybersecurity problems we’re facing now. Nor will adding more tools. Savvy organizations invest in their security teams, find a technology stack that makes their teams more effective, and may use managed security service providers (MSSPs) to augment their security programs.
Investing in your security team provides valuable benefits. Advanced training helps them work more effectively and efficiently. Rather than being overwhelmed, security practitioners are engaged, challenged, and feel more valued. They are more likely to remain with their current organization instead of jumping to another company. But, again, you need to remove the tedious tasks and flood of alert noise that cause burnout and job hopping.
4. Implement a cybersecurity mindset across the entire company
Cybersecurity is operationally difficult to maintain because it is not a single person or team’s job. It inherently relies on everyone in the entire company as well as those you do business with. The office of the CISO is responsible for updating company security policies and maintaining regulatory requirements, training employees, and conducting blue team exercises. Security training and validation must also extend to external groups and third-party vendors to ensure appropriate security measures function across company and supply chain engagements.
Most recent breaches are due to “human engineering,” where employees, partners, and others with access to connected systems are tricked into giving their passwords to threat actors, so it’s critical that everyone is trained in what to look out for. Phishing emails can be very hard to recognize, and threat actors are getting more creative. Everyone should be on guard.
A good cybersecurity program also includes a well-honed incident response crisis program with a clear action plan involving key leaders, stakeholders, and ops teams. A streamlined process is essential to facilitate immediate communication, “war room” collaboration, and remediation activities. This ensures teams can respond quickly and accurately during a cyber event to avoid or minimize business damage, disruptions, and impact on customers. Don’t assume it will all work as planned: practice.
5. Make security a priority and ensure alignment with the board
For the vast majority of organizations, cyber threats present a persistent and dangerous business risk. This level of risk requires resources and investments that necessitate the complete buy-in of the board.
The best way to engage the board is through a transparent roadmap with quantifiable goals. Leaders must be able to visualize intended business outcomes and assign a level of business risk to each of those outcomes. From there, the board can have a solid understanding of the risks of not protecting certain assets and will ultimately be better positioned to fund effective cyber programs.
Note that communicating with the board is a challenge for most CISOs. Board members want to know “are we at risk?”, so you have to align your metrics and communications with what matters to them.
Understand Your Security Maturity and Effectiveness
Security operations is an ongoing, evolving, and accelerating challenge. The most critical part of planning your security effectiveness is being honest about where you are in your journey, and about the likelihood of breaches. No company with connected systems is immune.
Examples of what you should do, if you haven’t already, include setting up patching and password policies, basic asset management, immutable backups, and more. If you’ve done that, focus on the most critical requirements of your organization and build a data analytics and automation-driven security program. Finally, shift into an elevated security program that’s proactive, predictive, and focused on intelligence-driven resolution.
With the support of your board and a culture of security in place, you will be well-positioned to maintain a strong security posture, build security ops at scale and speed, and reduce business risks in 2023 and beyond.