Managing the “polycrisis” was the issue on everyone’s mind at the World Economic Forum in Davos this year and, with cyber-risks emerging as the third-highest risk to growth for CEOs, navigating the cyber landscape in 2023 is high on the agenda.
New cyber threats continue to emerge, including the rise of state-backed cybercrime and the uncertainties posed by emerging technologies, such as quantum computing, artificial intelligence (AI)/machine learning (ML), 5G, and the metaverse. This comes on top of the struggles companies already face defending themselves against long-established threats like business email compromise, ransomware attacks, and software supply chain risk.
At the same time, penalties for compliance failures are getting harsher as the regulatory screws tighten, notably under the European Union’s Digital Operational Resilience Act (DORA) and NIS2 Directive, Australia’s amended Security of Critical Infrastructure Act, and a whole new suite of cybersecurity regulations in the US. The economic crunch, meanwhile, is putting the brakes on cyber budgets.
Paradoxically, this more complex, volatile cybersecurity environment means that to survive the year ahead relatively unscathed, companies must radically simplify and streamline, by rationalizing their architecture, technology stacks, and decision-making.
A technology declutter is required. Our research has found that most organizations use only 10% to 20% of the technology they own, while continuing to pay rising license costs for capabilities they have never put to work for other business needs. Pressure on cyber budgets can provide an opportunity to review and rationalize. Such a review can also identify and eliminate the sharp edges and risks that come with a multilayered stack of software, application programming interfaces (APIs), and other technology. Coupled with the fact that more and more cyber technology is being bundled with cloud licenses, this makes a strong economic argument for consolidation.
Companies are likely to shift more cybersecurity to managed services providers, especially to fill the human resources and skills gap. There are cost savings here too, and managed services providers typically have better access to talent, thanks to the more varied projects they offer compared with a cyber role within the four walls of an individual company, especially if that company is in a sector perceived as humdrum or conventional.
Keep It Simple
Simplification isn’t just a technology story, though. The C-suite will need to put in place simpler, more streamlined decision-making processes for use during a cybersecurity incident, such as securing board-level approval for corporate ransomware policies and thresholds for payment, if any, so that the leadership team can take swift action when a crisis hits. Governance and operating models for cybersecurity can also be simplified by leveraging existing forums for cybersecurity decision-making, such as the safety committee, as well as, of course, the audit and risk committee.
Simplification will not just be an imperative for the companies that consume cybersecurity products and services. The vendor landscape will also consolidate as the technology companies themselves make more acquisitions. “Cyber suite” providers will be the winners in the year(s) ahead, as opposed to the many point-solution startups and companies offering firewalls, monitoring software, data protection software, email security, and the like.
Simplification will make companies more adaptive and pragmatic. It will support a shift away from a complexity-inducing approach, created when cyber leaders try to invest in and uplift every control and thereby generate a scattershot of projects, toward an adaptive approach that works backward from core risks and sets companies up to move swiftly when attacks strike. Simplification will result in operational efficiencies, reduced technology and infrastructure overhead, and ultimately the ability to respond to cyber threats more quickly.
Cyber leaders should address this simplification requirement by taking an inventory of the assets they currently use and maximizing the capabilities of the technology stacks they already own, especially in conjunction with a move to cloud. Going forward, they should limit new investment in niche solutions that address only a single cyber use case. Broadly, decision-makers should take a risk-based approach to uplifting controls, prioritizing those that manage the risks they actually face rather than those that happen to have been flagged as weak during an audit. Finally, they should simplify and consolidate cyber incident response processes with the other crisis management processes that already exist in the organization.
The year ahead will not be easy for cyber teams. The best defense is to build an organizational infrastructure that is nimble and adaptive. That starts with simplifying.