Predicting the Cybersecurity Future: Experts Preview 2023
What's in Store: Emerging Threat Landscape, Cybersecurity Budgets, Privacy Changes
In this report, you'll hear:
- Former CISO of PNC Bank David Pollino offer advice to security leaders on how they can and should prepare for evolving cyberthreats next year;
- Troy Leach of Cloud Security Alliance explain why the predicted economic downturn should not trigger cybersecurity budget cuts in the new year.
The ISMG Security Report appears weekly on this and other ISMG websites. Don't miss the Dec. 15 and Dec. 22 editions, which respectively discuss how prosecutors accuse FTX's founder of crypto-based "deception" and why it is always a bad idea for organizations to pay hackers for the promise of data deletion.
Anna Delaney: In this end-of-year special edition of the Security Report, three cybersecurity and privacy experts share their thoughts on what to watch in 2023. Hi, I'm Anna Delaney. 2022 was certainly a memorable year when it comes to cybersecurity. We've seen the rise of global cyber warfare and the raging hostility of ransomware gangs. So how should cybersecurity leaders prepare for 2023? Well, this is a question our senior vice president of editorial, Tom Field, posed to David Pollino, the former CISO of PNC Bank. Here's what he said.
David Pollino: It goes to show exactly how complex a security operation needs to be. If you look at it traditionally, a lot of time and preparation has been focused on prevention: put in controls that are supposed to solve your security problem, check the box, implement this and you're going to be secure. But it's more about the journey; it's not about the destination. You need to be investing not just in your preventative controls, but also in the ability to identify quickly that something is happening and be able to respond and recover from it. So I think you need to be shifting a little bit more toward those other areas that have received a little bit less investment, and as much as possible on collaboration. So if there's an ISAC in your industry, if there are ways to share information or learn from other companies with similar problems to yours, then you can make sure you are taking advantage of those things. And more than ever, find the framework that works for you. The NIST CSF is one that a lot of people use, and it's a nice mirror: you can look at yourself and your company in that mirror and see where you do well, where you maybe do not do so well, what your maturity would be, and where you could be investing to be a little bit better, holistically, not just in prevention and detection, but the whole scale of being secure. So I think you're going to see talented security executives run to the companies that take it seriously. And the companies that are not taking it seriously, I think it's going to be a challenge for them to be able to respond to security incidents, because they're definitely not going away in '23 and '24.
Jeremy Grant: I don't know how much the policy landscape is going to change, but some of the players in terms of who's leading things will. So certainly if we see a change in one or both houses of Congress, it's going to impact some things. And we just don't know who the new committee chairs would be for the committees of jurisdiction, or what their priorities would be. As I mentioned, we've had good bipartisan leaders on cybersecurity issues in the House and Senate the last few years. And so you hope that will continue and that you'll have leadership that's focused on addressing these issues, but we're just not sure. Beyond that, I think privacy is going to continue to be a big issue. We had an attempt this year, as I mentioned, to pass a federal privacy bill; it's going to fall short, I think, before the end of the Congress, but in the meantime you're seeing more states pass their own laws every year. And so, I think one of the things that everybody, at least in theory, has been saying is, "We don't want to end up on state privacy laws where we ended up with data breach laws, where you have 50 different data breach notification statutes that are all a little bit different." It's great for law firms like Venable, in that if you have an incident in multiple states, you need a lot of legal help. But honestly, we'd rather have a national approach. And I think it's the same on privacy, where I think the lack of a federal privacy standard and a consistent policy is going to be a real problem for industry as more states pass their own laws. And so I think that'll be a bigger issue that gets a bit of attention this year.
Delaney: And finally, the editors of the Collins English Dictionary have nominated 'permacrisis' to be their word of the year for 2022. Its definition: an extended period of instability and insecurity, which is most likely expected to continue in 2023. So how might this impact cybersecurity budgets? Troy Leach, chief strategy officer at the Cloud Security Alliance, spoke to Tom Field about what he foresees.
Troy Leach: I worry about that, especially with some of the other items in the economy right now. I do know from my past experience of working with law enforcement that criminals are lazy. And so they're looking to hyperscale and do things automatically as well. Often, they don't even know they're successful. They've just pushed out bots into the world and see: did they get a bite or not? So I do think that the availability for criminals to scale - we see crime as a service; I've heard that term and seen some of the stories from the black market of people pushing out kits that people can use, or a service of extracting from a certain company. So I do think there has to be a relationship of that to how we design our security budgets. I do like the principles. I just heard a conversation with Jason Witty, who's the CSO over at USAA. And he was giving guidance at an event to CISOs about how they go about their budget. And I've always been a strong believer that this is really each department's job: all the different ways that we improve and operate our business, they should all have their own security lines, rather than trying to silo cybersecurity as just a loss and just a cost to the organization. It should be associated with all the success and the efficiencies we can create in a company as well. And so, I do think and hope that - I don't know if budgets will stay stagnant - but I do hope that how they're allocated in corporate budgets will change over time.
Delaney: That's it from the ISMG Security Report. The music is by Ithaca Audio. I'm Anna Delaney wishing you a very happy new year.