We recently hosted our latest roundtable to hear from our local CISO peers on what their key pain points were going to look like for 2023 and beyond, and come up with some interesting predictions ahead of RSA. With a rising host of troubles in the cyber space ranging from hiring, to cyber insurance, to automation, the goal was to hear the group’s perspectives on how they plan to respond to some of these difficulties.
The top concerns posed by the group across the evening were:
- Doing Less with Less – How can companies better prioritize what’s truly important during a period of cost-cutting and uncertainty?
Budgets are tight
- If you’re a vendor, the time to be flexible is now. Building trust trumps everything – if issues arise, it always comes back to relationships. Help companies reduce an existing problem, not find a new one for them
- Stay data driven here – get ahead of renewals before the 30-day notice arrives and there isn’t any time to evaluate alternatives
- Metrics – Where should the focus be? What is meaningful? What will matter to the board? Is it easy to communicate with the board? What are the top three things that are quantifiable and easy to measure?
- How is what you are doing helping the business?
- It’s time to run shorter POCs, make vendors show their value sooner
- Generative AI – How is this going to impact the landscape? Do you own ChatGPT code? How will ChatGTP be used for phishing? Etc.
- Where does AI ops come in to help combat this?
- Breaches Aren’t Going Away – There have been over 9K breaches in the last several years
- It’s time to start evaluating the root cause of all these breaches rather than throwing more tools at the problem
- Boards are throwing tons of money at the security team expecting to see breaches disappear, but they aren’t. So control your budget, don’t just bloat up, and push the money down into insurance policies
- Accountability/Personal Liability – If something bad happens, what is a CISO or security team’s level of accountability or liability?
- CISOs still don’t understand their personal liabilities, and are being pressured to understate risk
- Are you covered on D&O policies? Are you in a position to answer hard questions?
- Talent – There are rising costs here despite the layoffs, and a lot of churn
- Time pressures on busy teams that are spread thin
- Existing teams need to be properly instrumented – minimal false alerts, etc.
- Sometimes, keeping talent can be harder than finding new talent
- External talent development is important too
Here were the other major contenders:
- Creating a frictionless environment is important for driving top-line revenue growth and helping employees do their jobs better
- Do you really have a playbook for ransomware? There are a lot of lawsuits here, it’s expensive, the government is reacting to it. What would your team do in a ransomware scenario? Where does cyber insurance come in?
- Are your on-prem policies for home access during the pandemic finally cleaned up? How much exposure is still out there? New innovation is great, but cleaning house is important too. Where are there third party Saas app vulnerabilities with shadow IT or otherwise?
- Data Encryption While In-Use is an emerging space, important because when data scientists play with models, that still needs to encrypted
- The financial crash is killing startups, what will happen to innovation in security?
- How much time should dev spend on security? How can devs spend more time on just developing and how can they get the most quality data in the first place?
- SIMS don’t work, so what is next here?
- The resurgence of IAM – It’s time to get back to identity and access management, and resiliency, not just vulnerability management. It’s not just about managing identity, but breaking attack chains. How will digital identity align with the human side? How can machines (IoT, workloads, etc.) gain their own identity? In the cloud, human and machine identities are blended. How can we move away from passwords?
- The Role of the CISO is becoming more like the role of the CFO, it’s much more of a partner to the business organization and it needs a true seat at the table with a connection to the board or at least the CEO. It’s important to develop cross-functional relationships across the organization in order to help instill cultural change, particularly with those who drive the revenue