Will 2023 be a pivot year for cybersecurity?
The past 12 months have once again been a challenging time for everyone in and around cybersecurity. This year felt very different from previous ones, with a continuous stream of attacks. In the past, mega vulnerabilities happened once a quarter, but this past year we've been dealing with critical vulnerabilities almost weekly in some cases.
The time to known exploitation continues to shorten, leaving organisations with less time to patch their systems and prepare for exploits against vulnerabilities. The ransomware ecosystem is also becoming more complex, and it plagued several high-profile organisations in Australia this past year. Beyond extortion, attacks have left organisations feeling the impact of data being shared and sensitive customer information ending up in the hands of adversaries. With new penalties being enforced and the punitive damages from governments and other regulatory bodies increasing, non-compliance is no longer an option, and organisational leaders know they must do a much better job.
Unfortunately, businesses can be a victim of their own appetite for innovation. To be competitive, they need to innovate at speed, which means taking risks. Yet, in taking risks, you create vulnerabilities. The faster you innovate, the more complicated your environment becomes — with more gaps and vulnerabilities. Then there is the issue of scarcity of security talent, which stretches and puts a burden on existing resources. Against that backdrop, this year has the potential to be a real pivot year in our industry. So, what lies ahead?
Security is getting harder
The security industry's predisposition to publish and post content and research remains, but in doing so, we know threat actors are monitoring what we're accomplishing. As such, ransomware groups will continue to innovate by exploiting published research and upgrading their arsenal. That means how an organisation operationalises its cybersecurity and incorporates better context into decision-making becomes more important.
For example, you may decide not to patch a particular vulnerability because it's not being actively exploited. However, defending against known vulnerabilities, emerging zero-day malware, stolen credentials, or sophisticated phishing attacks is getting harder and more complex. That said, how an organisation manages its exposure to stay ahead of bad actors is within its control, and that comes down to how you create business processes internally and integrate security as a component.
We believe understanding attacker techniques will assist organisations in prioritising which controls are implemented and that communicating this will be integral to a solid defence. The mega vulnerabilities of 2022 provided organisations with a chance to test their playbooks, capturing lessons learned and treating these scenarios like near-miss situations. This brought about the confidence to respond to actual attacks and deliver that message around vulnerability management more generally across the business.
Scarcity of talent
Without the influx of new talent, and with graduates generally only having one domain of cybersecurity knowledge, we need to hire differently. A priority moving forward is finding individuals with a 360-degree view of what cyber means for an organisation, together with diversity across all measures – from ethnicity to gender to socioeconomic background. This breadth of employees can bring more diverse thinking to a security problem, thereby removing us from our traditional infosec bubble by encouraging greater collaboration between security and other teams, such as engineering. We need to nurture talent and start putting effort into providing the opportunity for individuals to learn, train, and understand. To be successful in cybersecurity, you need to have a passion for it, and what better way to demonstrate that than getting stuck into open-source projects and contributing to the community?
Are we safe?
The gap between technical stakeholders and the business, CISOs and the organisation, and even the board, is getting bigger. How we communicate with senior stakeholders must evolve. Whenever there's a publicised cyber breach, you can expect someone at a senior level to walk into a CISO's office and ask the question, "Are we safe?" You may be ISO compliant, improving your patching velocity and decreasing your risk scores, but there is no such thing as safe. So, it's important the board accepts there is always a degree of risk and understands how that risk is being decreased through the investments being made.
Operationalising Security
Security leadership turns up in three ways. First, it can be through a risk framework and making sure that's embedded in the business. Second, it can turn up in incidents: in the event of an attack, ensuring you lead from the front. Third, it can turn up in driving security improvement programs.
In 2023, security teams need to build operational momentum to limit exposure, which can be achieved by good engineering and operational processes around exposure management and in detecting and responding to attacks. Whilst it is security leadership's role to identify and inform the organisation of threats, risks, or potential vulnerabilities, you can only be effective if you hand off the intelligence (of the problem or the risk) to other parts of the organisation. It is critical that these other teams are accountable for resolving the issues that have been identified; otherwise, security controls fail.
The quickest way to operationalise security in this way is through a concept called the protection level agreement. A protection level agreement applies to any critical vulnerability that's been identified; for example, the agreed goal is to resolve it within 30 days. To be effective, the security team identifies the vulnerability and provides the relevant information to resolve that issue. It is then handed off to product management, who are accountable for remediating or mitigating that risk, and that's what you measure against.
To be successful, security must be a team sport and a culture where everyone pitches in, with shared responsibility across the organisation, shifting the mentality from being a guard to being a leader, striving for measurable business outcomes.