As 2023 approaches, it is an opportune time for organizations of all sizes to examine their IT infrastructure and review their cybersecurity policies. With ongoing digital transformation and an evolving regulatory landscape, organizations are increasingly targets for cyberattacks. Heightened stakeholder expectations have become an enduring challenge for enterprises regardless of size, industry or affiliation. On top of that, approximately 52 million data breaches occurred globally during the second quarter of 2022 alone.[1] In response, there are 8 important trends we can expect in the cybersecurity realm in 2023.
Increased CISO Shortages and Burnout
It is no secret that every industry is struggling to find the necessary skills to address future growth. The chief information security officer (CISO) role is proving particularly difficult to fill, resulting in significant burnout among existing CISOs. The reason for the burnout is simple: There are not enough candidates with the necessary skills available to fill positions. This causes existing CISOs and others involved in cybersecurity management to be stretched too thin and, ultimately, become overworked and burnt out. The almost-universal migration to the cloud is partly to blame for spurring this increase in cybersecurity demand. While many current CISOs are highly experienced with on-premises (on-prem) security, some lack necessary skills and lag behind what is currently required in the market.
New Remote Working Trends
Working from home changed much of what was once known about cybersecurity risk and how to manage it. I predict there will be new security measures for working remotely in 2023. But these solutions could actually produce new sources of cybersecurity risk involving artificial intelligence (AI), machine learning (ML), the Internet of Things (IoT) and smart devices such as Google Home. These technologies benefit remote working by streamlining scheduling, improving virtual conferencing, accelerating workflows and helping to detect user habits. However, the same capabilities can introduce risk by increasing the number of potential attack surfaces.
Currently, many people remain unaware of the extent of the risk presented by an intruder accessing their professional and personal data. As this risk increases, the need to address the cyberrisk of remote work becomes more pressing. Using basic security protocols such as virtual private networks (VPNs), installing networkwide antivirus software and following a strong password policy can help mitigate this risk.
Better Data Privacy Protection
Human beings are the primary risk factors for data leakage and cybersecurity breaches. For years, there was a focus on intruders hacking machines, but enterprises are starting to realize employees might pose a greater risk than servers. An emphasis on phishing training and other aspects of human vulnerabilities has begun to resonate. As more organizations migrate their data to the cloud instead of keeping it on-prem, teams will require new skill sets that include cloud security knowledge. Blanket solutions are no longer sufficient and there is a need for more customization to ensure data privacy and security. For example, adding multifactor authentication (MFA) in conjunction with monitoring end-user activities could help one enterprise, while introducing enhanced bring-your-own-device (BYOD) policies and a comprehensive offboarding process could be more beneficial for another organization.
Advanced Automation Capabilities
Just as data quantities increase daily, automated monitoring of the cloud environment will do the same. One unmistakable sign of this is how venture capitalists (VCs) continue to invest in cybersecurity start-ups, even while other organizations are rejected for funding due to the current market slump. The more enterprises automate their cybersecurity, the less they depend on human beings, and the fewer errors they experience.
Launching Independent Security Frameworks
Microsoft is launching its own cybersecurity framework intended to make enterprises more secure. Moving forward, if one wants to work with Microsoft or one is processing data for Microsoft, they will be required to use the Microsoft framework. Very soon, I predict additional enterprises will launch cybersecurity frameworks, and others will continue to evolve. These are typically based on infrastructure architecture, rather than a general framework related to SOC 2.[2]
Updated ISO 27001 Standards
The International Organization for Standardization (ISO) standard ISO 27001[3] provides valuable protection against cyberrisk. However, much has changed since its initial release, and the shift to cloud computing has triggered an important revision. ISO 27002[4] combines some existing controls and adds new ones specific to cloud practices. ISO 27001 has been brought in line with ISO 27002 to enable enterprises to certify to the 2022 version. I foresee more enterprises working to comply with the ISO standard in 2023, not only because of the increased protection it offers, but because it shows customers and supply partners that security is an organizational priority.
Microsoft SSPA Audit Requirements
Microsoft’s Supplier Security and Privacy Assurance (SSPA) Program[5] stipulates the privacy and security requirements for the company’s vendors. It ensures compliance of all suppliers working with personal data or Microsoft confidential data. Enterprises aiming to work with Microsoft will be required to satisfy SSPA audit documentation through an independent assessment, evidence of SOC 2 compliance, ISO certification or a combination of these before they can start.
Increase in HITRUST Assessments
The Health Information Trust Alliance (HITRUST)[6] was created to harmonize and maintain the combined frameworks of the US Health Insurance Portability and Accountability Act (HIPAA),[7] the ISO standards ISO 27001/27002, the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53,[8] the EU General Data Protection Regulation (GDPR)[9] and the Payment Card Industry Data Security Standard (PCI DSS).[10] HITRUST helps health care organizations and other industries (e.g., education, travel, insurance) streamline information security and privacy controls. The HITRUST Implemented, 1-Year (i1) framework will become more common in 2023, making the certification process easier with a 1-year assessment period rather than the previous R2 version, which takes 2 years.[11]
Next Steps
The first step for enterprises that want to improve their cybersecurity should be to consider the listed trends and related risk factors and determine whether migrating their data to the cloud could be the right solution. Doing so would enable them to implement the latest technologies to automate, monitor and protect their information. Next, they must focus on employee training. Since 90% of hacks result from employees falling for phishing attempts or unknowingly entering credentials into fake websites, cybersecurity training is critical to enabling staff to become an organization’s first line of defense.
There is no escaping the fact that cybersecurity will continue to be a key issue for business for the foreseeable future. Establishing security strategies that scale with the organization helps avoid having to make more drastic changes in the future. However, it is never too late to apply rigorous standards and controls. Small efforts made over time can help improve an organization’s security posture and position it to better evolve and keep pace with the growing technological and regulatory landscape. Taking timely action helps organizations to reduce their risk and improve their future growth potential.
Endnotes
1 Statista, “Number of Data Records Exposed Worldwide From 1st Quarter 2020 to 3rd Quarter 2022,” October 2022
2 American Institute of Certified Public Accountants (CPAs) (AICPA), “SOC 2—SOC for Service Organizations: Trust Services Criteria,” USA
3 International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC), “ISO/IEC 27001 and Related Standards,” Switzerland
4 Ibid.
5 Microsoft, “SSPA: Supplier Security and Privacy Assurance Program”
6 HITRUSTalliance.net
7 US Department of Health and Human Services, “Summary of the HIPAA Privacy Rule,” USA
8 National Institute of Standards and Technology, “Special Publication (SP) 800-53—Security and Privacy Controls for Information Systems and Organizations,” USA, September 2020
9 GDPR, “Complete Guide to GDPR Compliance,” United Kingdom
10 Parker, A. M.; “An Introduction to PCI-DSS,” Cryptomathic, 23 March 2018
11 HITRUST, “HITRUST Implemented, 1-Year (i1) Validated Assessment,” http://hitrustalliance.net/content/uploads/HITRUST-Implemented-1-Year-i1-Assessments.pdf
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Eight Cybersecurity Trends to Watch for in 2023” episode of the ISACA® Podcast.
Justin Rende
Has been providing comprehensive and customizable technology solutions around the globe since 2001. With his focus on innovation and efficiency, Rende’s technology-forward methodology has set him apart from other cybersecurity professionals. His understanding of industry trends has allowed him to stay on top of the latest security threats and match them with the most innovative and best-of-breed solutions and products. In 2015, Justin founded Rhymetec to focus exclusively on cybersecurity and develop the most secure, simplified and innovative cybersecurity solutions. He advises his clients to adopt cutting-edge technology before it becomes mainstream, resulting in the most secure and cost-effective technology that scales with a client’s business.