The line between business risk and cyber risk has been obliterated. Companies can no longer separate risk models built around financial uncertainty and legal liability from IT security risk. For risk management officers, that translates to keeping the company's chief security officer on speed dial.
Cyber risk as business risk isn't new; cybersecurity compliance, for example, has long been a reality for organizations. But trends tied to the new post-pandemic reality for employees and businesses will accelerate the blurring of the line between cyber and business risk this year.
Those trends include the pace of globalization, heavy reliance on supply chains, new adversarial tactics and geopolitical targets, cloud dependencies, an economic downturn and the slow migration of employees back to the office. It’s a long list, but the confluence has forced organizations to look beyond traditional definitions of risk exposure, assessment, mitigation and monitoring.
Meanwhile, C-level security and risk leaders are taking a fresh look at cybersecurity liability as regulators take a more aggressive stance against companies they believe were negligent in the run-up to a breach. There are even instances where a CSO has faced criminal charges tied indirectly to a breach.
Dozens of 2022 breaches have caught the attention of regulators and class-action attorneys. The financial penalties paid over the past year are harbingers of choppy waters ahead for companies that fail to safeguard customers' private information and suffer a cyberattack and data breach as a result.
Arguably, each of these firms misjudged or failed to identify the risk in its attack surface before the attack, and then misjudged the additional risk tied to the post-attack "what-if" scenarios.
Cyber defenses need to address compliance, architecture and post-breach scenarios, but that can't be all they do. They also need to prevent the cyberattack in the first place, which requires more emphasis on the attacker's perspective: identifying and mitigating the blind spots and weak spots in the external attack surface.
Businesses simply don't want to get breached. But every business carries operational risk, and that includes breaches, and that risk translates to dollars and cents: the average cost of a data breach in the United States in 2022 was $9.4 million, according to the Ponemon Institute's data breach report.
No return to “normal” post-pandemic
The year ahead will challenge employers as they grapple with a post-pandemic whiplash of employees slowly returning to offices. Couple that with the Great Resignation of 2022 now sliding into what’s called the Great Reset of 2023. This trend is tied to corporate belt tightening related to shifting macroeconomic conditions.
These conditions will push IT operations teams to rejigger their IT stacks. Organizations will continue to upgrade and change infrastructure, moving away from hastily built pandemic-driven solutions and prioritizing systems that are more sustainable, affordable and easier to manage.
That change introduces risk. As internal IT restructuring plays out over the next 12 months, security teams will have to support the old platform and bring the new one online at the same time. Managing this switch creates massive risk, because even the smallest misconfiguration or a single overlooked asset can leave holes in a company's external attack surface and risk profile.
We define third-party cybersecurity risk as the risk an organization takes on by relying on vendors in its supply chain and on any partner or subsidiary, including IT service providers, cloud environments and SaaS applications. Companies also need to consider the risk posed by the upstream and downstream vendors that those partners and subsidiaries rely on in turn (sometimes called fourth-party risk).
External forces pose new risk landscape
Globalization makes the world a riskier place, asserts Secretary of Homeland Security Alejandro Mayorkas. In a speech given in December Mayorkas said the U.S. faces a “new kind of warfare,” one that makes no distinction between private and public organizations.
“Economic and political instability, and our globalized economy have erased borders and increasingly bring threats and challenges directly into our communities — to our schools, hospitals, small businesses, local governments, and critical infrastructure,” Mayorkas said.
The response to this riskier geopolitical climate has been a wave of new federal regulations and private-sector standards covering risk identification, risk analysis and assessment, and risk mitigation and monitoring.
This past year, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 23-01, which requires federal civilian agencies to identify the assets in their attack surface and improve their vulnerability detection and remediation capabilities by April 3, 2023.
The directive goes well beyond that: it requires automated asset discovery across an agency's entire IPv4 space at least every seven days, and vulnerability enumeration across all discovered assets, including roaming devices such as laptops, at least every 14 days.
Regulations and frameworks tied to cybersecurity compliance, such as SOX, HIPAA, HITRUST, PCI DSS and the CIS Controls, continue to revise their guidance in response to new cyberthreats (HIPAA and HITRUST for healthcare in particular), keeping security teams on their toes.
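The two BOD 23-01 cadences above are easy to state and easy to drift out of once an inventory has a few thousand records in it. The following is an added example of the kind of check a security team can run against its own external-asset inventory; it is not CISA's tooling or any vendor's product, and the owned IPv4 ranges, the asset records and the `NOW` timestamp are constructed for illustration. Besides the seven-day and 14-day checks, it flags assets that discovery found outside the ranges the organization believes it owns, which is exactly the "overlooked asset" problem that restructuring tends to create.

```python
# Added example: a cadence check for an external-asset inventory against the
# BOD 23-01 intervals described above. Not CISA's or any vendor's tooling; the
# owned ranges, the inventory records and NOW below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import ipaddress

DISCOVERY_MAX_AGE = timedelta(days=7)    # automated asset discovery cadence
VULN_SCAN_MAX_AGE = timedelta(days=14)   # vulnerability enumeration cadence


@dataclass
class Asset:
    ip: str
    last_discovered: datetime            # most recent discovery scan that saw it
    last_vuln_scan: Optional[datetime]   # None means never enumerated


# Constructed: the IPv4 space the organization believes it owns.
OWNED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),   # covers .0 through .127 only
]

NOW = datetime(2023, 3, 1)

# Constructed inventory; each record exercises one outcome of the check.
INVENTORY = [
    Asset("203.0.113.10", NOW - timedelta(days=2), NOW - timedelta(days=3)),   # compliant
    Asset("203.0.113.20", NOW - timedelta(days=9), NOW - timedelta(days=5)),   # stale discovery
    Asset("203.0.113.30", NOW - timedelta(days=1), NOW - timedelta(days=20)),  # stale vuln scan
    Asset("203.0.113.40", NOW - timedelta(days=1), None),                      # never enumerated
    Asset("198.51.100.200", NOW - timedelta(days=1), NOW - timedelta(days=1)), # outside owned space
]


def in_owned_ranges(ip: str, owned_ranges) -> bool:
    """True if the address falls inside any declared IPv4 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in owned_ranges)


def find_gaps(inventory: List[Asset], owned_ranges, now: datetime) -> Dict[str, List[str]]:
    """Return the IPs that fail each check, keyed by check name."""
    gaps: Dict[str, List[str]] = {
        "stale_discovery": [],   # last seen by discovery more than 7 days ago
        "stale_vuln_scan": [],   # last enumerated more than 14 days ago
        "never_scanned": [],     # discovered but never enumerated at all
        "unexpected_ip": [],     # discovered outside the declared IPv4 space
    }
    for asset in inventory:
        if now - asset.last_discovered > DISCOVERY_MAX_AGE:
            gaps["stale_discovery"].append(asset.ip)
        if asset.last_vuln_scan is None:
            gaps["never_scanned"].append(asset.ip)
        elif now - asset.last_vuln_scan > VULN_SCAN_MAX_AGE:
            gaps["stale_vuln_scan"].append(asset.ip)
        if not in_owned_ranges(asset.ip, owned_ranges):
            gaps["unexpected_ip"].append(asset.ip)
    return gaps


def is_compliant(inventory: List[Asset], owned_ranges, now: datetime) -> bool:
    """True only when every check returns an empty list."""
    return not any(find_gaps(inventory, owned_ranges, now).values())


if __name__ == "__main__":
    for check, ips in find_gaps(INVENTORY, OWNED_RANGES, NOW).items():
        print(f"{check}: {ips or 'ok'}")
```

The "unexpected_ip" bucket is worth watching more closely than the cadence buckets: an address that discovery saw but that is missing from the declared ranges is either a range the inventory never knew about or a host that belongs to someone else, and either way it is an asset nobody has been scanning on schedule.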
While compliance is important, it’s not enough.
The focus for this year
For the year ahead, the threats that keep CEOs up at night are those with a material impact on the business, according to PwC's 2022 survey of CEOs, in which cyber risk was the top concern for the next 12 months, cited by 49% of respondents.
“CEOs are most worried about the potential for a cyberattack or macroeconomic shock to undermine the achievement of their company’s financial goals—the same goals that most executive compensation packages are still tied to,” PwC found.
That focus on critical business activities raises three questions: What will attackers target, and why? What exploits might they use to strike? And what effect would a successful attack have on business continuity?
Moving business leaders to the center of the cybersecurity conversation comes down to good digital stewardship, business leadership and staying out of the red.
Rob Gurzeev, chief executive officer, CyCognito