Risk Management
Top 3 Non-Technical Cybersecurity Trends for 2023
A strong cybersecurity strategy isn’t just about choosing the right tools. Cybersecurity experts Greg Young and William Malik discuss three non-technical cybersecurity trends for 2023 to help security leaders reduce cyber risk across the enterprise attack surface.
Cybersecurity isn’t just about technology. Non-technical aspects, such as the management of people, process, and technology, are critical to enhancing your security posture and reducing cyber risk. Unfortunately, this is often neglected. To help CISOs and security leaders gear up for a secure 2023, we’re sharing three non-technical cybersecurity trends.
Cybersecurity Trend #1: Managing security shelfware will be critical
You know that one kitchen drawer with all the fancy gadgets you swore you needed? The same applies in IT, except instead of an apple corer it’s shelfware.
According to Vendr, the average company wastes around $135,000 annually on SaaS tools they don’t really need or use. And a 2020 Gartner survey found that 80% of respondents are not utilizing between 1-49% of their SaaS subscriptions.
Shelfware happens for a myriad of reasons including integration issues, failed communication between departments, poor vendor support, or the CISO role changing hands.
Whatever the cause, CISOs need to pay close attention to shelfware management in 2023 as economic factors will prompt C-suites to ask tough questions and look for places to make cuts. By freeing up budget from unutilized SaaS subscriptions, CISOs can keep staff off the chopping block.
Consider the following three steps to avoid security shelfware:
1. Quality over quantity: Instead of tossing point products at problems as they crop up, stop and think about the bigger picture. Is it just an email problem, or do you lack visibility across the attack surface? Once you’ve identified the scope and scale of your security challenge, perform a thorough technology evaluation to ensure the solution fits your needs for today and tomorrow.
2. Include key stakeholders in the purchase process: From security professionals to developers, make sure you gather business and user requirements before purchasing to get the most bang for your buck. This will ensure business needs are being met, leading to higher and quicker adoption.
3. Make an adoption plan: Some money-hungry vendors will disappear after you sign the dotted line, leaving you to figure out how to deploy and use their product. Ask the vendor what kind of training, onboarding, and continuous support is included before purchasing anything. The skills shortage is an ongoing problem; ease-of-adoption and use are important for teams with limited resources.
Cybersecurity Trend #2: The cybersecurity skills shortage will continue to cause strain
While the cybersecurity skills shortage is beginning to level off, businesses are still struggling with high turnover rates. An ISACA survey reported that 60% of enterprises experienced difficulties in retaining qualified cybersecurity professionals and more than half felt they were either somewhat or significantly understaffed.
Finding and keeping good talent on hand is a challenge, and with purse strings tightening, there is only so much money and perks to throw at candidates. To stop IT from being a revolving door, CISOs need to address gaps in their company culture.
Ask yourself: why would a senior analyst want to work for me besides a paycheck? ISACA found that the top three reasons for cybersecurity professionals leaving their job (excluding pay) were: limited promotion and development opportunities, high work stress levels, and lack of management support.
CISOs also need to be mindful that bringing in new staff means making a change that requires flexibility. A good hire can help establish more efficient processes to overcome current issues. Not only will your organization reap the benefits of improved security, but supporting innovation is a win for team morale and retaining valuable employees.
Cybersecurity Trend #3: Shadow and distributed IT will leave CISOs in the dark
The days of monolithic IT are behind us. Digital transformation, accelerated cloud adoption, and an increase in remote workforces have led to an influx in distributed and shadow IT. Unauthorized IT-adjacent acquisitions made outside the scope of the CISO or purchasing department, such as shadow cloud/SaaS and shadow OT, are also a growing concern.
Highly distributed enterprises face the (expensive) task of securing systems and data spread across remote operations, headquarters, the cloud, etc. This can be exceptionally challenging for organizations that are set up like holding companies which have independent companies doing their own business.
Simply blocking unauthorized apps and devices won’t solve shadow IT problems; employees will find a way around it to get their jobs done and it’s nearly impossible to know exactly what needs to be blocked and allowed.
CISOs need a new approach to shed light on these growing concerns. Beyond implementing the right technology, a strong security culture needs to be established across the company. Being attuned to the needs, concerns, demands, and habits of an organization will help security leaders better “speak the language” of staff to ensure effective training.
Security training for senior management and executive roles is even more crucial than for the rest of the company. Educate the c-suite, business unit leaders, and business technologists on how security, data privacy, compliance, and risk management apply to IT deployments, so they know when they’re crossing a line and need to reach out to IT.
Next steps
For more information on cyber risk management, check out the following resources: