We are currently experiencing one of the most challenging global recessions of the 21st century. Business leaders from all sectors are under extreme pressure to control expenditure across all company operations without sacrificing business performance or jeopardising business continuity. And cybersecurity is no different.
There is this defacto stance that the cyber budget is bulletproof, but nothing in a recession is truly off limits. It’s also a known fact that when times get tough, monetary crime goes up. It’s a lot easier and less risky to extort businesses through cybercrime than it is to rob a bank, so every business must be prepared to defend against an onslaught of cyberattacks.
So, with threats like ransomware rising and budgets tighter than ever, what changes to cybersecurity strategy and technology should businesses make in 2023? And how can business leaders gain maximum return on investment (ROI) from their cybersecurity investments during these challenging times?
A shift from prevention to containment
As cybersecurity threats become more sophisticated, businesses must build their resilience to cyberattacks. Attack motives have evolved from stealing and extorting valuable data to impacting availability and causing maximum disruption, and security strategies must evolve in tandem.
Research from ESG shows that 43 per cent of businesses suffer unplanned downtime from cyberattacks at least once every month. As companies realise that breaches are inevitable, breach containment is now the new paradigm in cybersecurity.
The rise of cybersecurity oversight committees
Going into the new era of breach containment, businesses will start establishing a separate unit to oversee and evaluate their cyber risk management strategies. This is where cybersecurity oversight committees will come into play. Similar to those already used in legal and risk management, the head of such committees will be experienced cyber leaders and veteran security professionals. Committees will be responsible for looking at cybersecurity objectively, establishing a set of baseline expectations to hold the business accountable, monitoring for oversights, and adding direction to ensure the cybersecurity strategy aligns with the business objectives.
Cybersecurity oversight committees will also help businesses to demonstrate their digital security capabilities to customers, stakeholders, and regulators. In a world where breaches can have major consequences, this is a key factor in building trust and achieving resilience. Such committees will ensure that their security programme is capable of supporting multiple business value pillars, such as trust, transformation, service, and security.
Quantifying the effectiveness of security efforts
Going forward, business leaders will also demand more actionable data on their organisation’s cybersecurity posture to inform effective decision-making. For security teams, this means leveraging new and better ways to quantifiably model threat actors and defences, for instance, through more widespread pen-testing.
Security teams will also need to build a complete picture of risk at any point in time for every critical system, including all interactions, interdependencies, vulnerabilities, and who’s responsible for them. Therefore, whenever the board asks about cyber posture, teams can provide an accurate answer.
Resilience will become the sole metric of cybersecurity success
As breaches become part of daily life, cyber resilience will become an industry recognised metric. Many organisations are already hiring for Digital Operational Resilience or Cyber Resilience roles, while the Cyber Resilience Act and Digital Operations Resilience Act set to come into force in Europe will seek to drive improvements in resilience through legislation and enforcement.
Today, most organisations judge the success of their business continuity plan on whether they can recuperate within their Recovery Time Objective (RTO) to their Recovery Point Objective (RPO), but in 2023 any downtime will be unacceptable. Stringent testing and the development of industry-wide metrics to help benchmark against peers and understand what ‘success’ looks like will force organisations to think about their appetite for risk and establish an acceptable minimum level of maintainable security to avoid fines, profit loss, or loss of reputation.
More investment on surviving attacks not preventing them
As budgets get squeezed, the number of tools businesses can implement will likely reduce, forcing leaders to make strategic decisions on what to invest in to maximise ROI. While prevention and detection technology like EDR (Endpoint Detection and Response) will still be important, businesses will put greater emphasis on breach containment technologies, like Zero Trust Segmentation (ZTS), that can limit the impact and spread of breaches.
You can imagine ZTS like a hotel. The main entrance of a hotel is its perimeter, and if someone enters through this perimeter, they can only access the lobby – not the rooms. Every room has its own unique key with unique guest policies. For instance, if a guest checks out at 10 am, they can’t access the room again at 10:30 am. They will need to go to the reception, get re-verified and attain the key from the administrator to gain access again.
Similarly, ZTS grants access between any pair of resources based on the context. For example, what application they are supporting, who the user is, and where it is being accessed from. No access is granted by default – access is only authorised based on the validated context, and only the appropriate level granted. This lack of implicit access means that, even if a breach does occur, it’s contained to have a much smaller set of resources, severely limiting threat actors from getting to the company’s most valuable assets.
Research from ESG shows that organisations that have adopted ZTS save an average of $20.1 million in application downtime, avert five cyber disasters per year, and plan to accelerate 14 more digital and cloud transformation projects over the next year.
Cybersecurity insurers will also drive this shift, as they are tired of paying out for breaches that businesses could have contained or prevented. Many are already mandating security capabilities that can offer meaningful risk mitigation, as well greater steps to prove resilience, such as regular stress-testing of IT infrastructure and incident response practices.
Always assume breach
As organisations continue to face an increasingly complex threat landscape, traditional security approaches are no longer sufficient to protect against advanced threats. Most businesses have invested significantly in cybersecurity over recent years, yet breaches are still happening. Therefore, business leaders are fast recognising that cyber risks and breaches are an unfortunate, but rather inevitable part of life.
To succeed in 2023, every business must adopt an “assume breach” mentality and re-establish security as a strategic business function rather than an evasive strategy. Cybersecurity is no longer just a security issue; it is an operational issue, and cyber resilience is non-negotiable. But with the right cyber security investments, not every breach needs to end in a cyber disaster.
About the Author
Raghu Nandakumara is the Head of Industry Solutions at Illumio