With 2023 now underway, it’s time for leaders to think about their cybersecurity posture as the threat landscape continues to grow.
2022 was another year of tumultuous cyberattacks and data breaches, affecting companies such as Microsoft, Nvidia and Revolut.
Throughout the year, SiliconRepublic.com heard from several CIOs, CTOs and security and data experts about the trends they see coming down the line in their industry and how their IT strategies are changing in the face of ongoing digital transformation.
We also asked them to share their top security advice for companies and business leaders. Many cited the evolving threat landscape and the increased risks that come with a more flexible workforce, meaning it’s more important than ever for leaders to react quickly to protect their businesses.
As we roll into 2023, it’s a great time to review your security processes and infrastructure and heed the advice of these thought leaders.
Practise good security hygiene
Many of the leaders we heard from said the human element is often the weakest link in the security chain. Therefore, good security hygiene and regular education for all staff are paramount.
Panzura’s Katie McCullough said that while it “may not sound sexy”, getting the basics right is a critical form of defence.
“It should be security 101 and companies know they ought to be doing it, yet jobs like patching or access and account management visibility often drop down the list.”
Meanwhile, LearnUpon’s Des Anderson said more training and educational courses on cybersecurity can help address the challenges around human error.
“This gives the industry a bigger talent pool to help us battle these issues and allows us train our broader teams to create further awareness,” he said.
Be mindful of AI in security
AI can bring a wide range of benefits to many business areas, including security. However, it must not be viewed as a silver bullet and can often come with its own challenges.
Fujitsu’s Vivek Mahajan says the use of AI will accelerate in the future, which will require transparency, a sense of responsibility and vigilance against potential abuses.
“AI offers many benefits, but it can also be potentially ‘tricked’ or compromised. Adding special noises to video data, for example, can cause AI to misidentify people or falsely detect certain actions, and confidential information in training data for algorithms is still vulnerable to bad actors in many cases,” he said.
Be SOC compliant
Another major area leaders need to pay attention to is SOC compliance. This stands for system and organisation controls, and it refers to a type of certification that shows companies have met a certain standard when it comes to information security and data control.
Radiant Logic’s Chad McDonald said lots of businesses are afraid to change their security and instead assume that the platform they currently use will be secure enough.
“The threat landscape, the way cyberattacks happen and the businesses themselves, are always changing. Therefore, security procedures which were implemented a year ago might not necessarily be able to protect the organisation now,” he said.
“The biggest security risk is stagnation; you should always be looking to improve your security posture.”
Ensure you have visibility
Visibility is a key element of good security posture, both Netskope’s Shamla Naidoo and SmartBear’s Christine Whichard told SiliconRepublic.com.
“Visibility allows control and mitigation. Gain visibility to inform your actions when everyone in your ecosystem is accessing everything in the ecosystem, most of which are outside of your control,” said Naidoo.
Whichard added that simplicity has always been an important element in security, though that in itself is not always simple to accomplish.
“That’s where pervasive visibility comes in. It’s so important to have true visibility across all your solutions so there’s early detection and response,” she said.
“Visibility is the answer to addressing today’s security challenges. It’s a constant theme in the industry, and something that I work toward every day.”
Consider queryable encryption
Any security leader will know that one of the basic building blocks of security is encryption, that is, scrambling data with a secret key so that only authorised users can read it.
But MongoDB’s Mark Porter said that when you encrypt your data, you lose the ability to do searches and queries on it, which makes writing secure and performant applications slow and error-prone. This, he said, is where queryable encryption comes in.
“With this new technology, which we’ve been working on for years and just released the first version of, you can store your data and query it at speed, and yet be able to prove that nobody, not even your cloud provider or their operations personnel, can read it,” he said.
“By doing this, we’re removing what used to be a tough choice – whether to protect your data fully or use it efficiently – and let people just write secure and performant apps.”
Allow the proper security budget
Because cybersecurity tools and resources are used as a defence against attacks and risks you hope won’t happen, some leaders can be tempted to direct resources towards what they deem to be more pressing needs. This can be a particular problem for smaller or early-stage companies, according to Signify Health’s Josh Builder.
“Frankly, investing in security costs a lot of money, especially early on, and it can slow a company’s development, so it gets put off until the point of absolute necessity,” he said.
“I’m not suggesting that a small company hires a big security team early in its inception, because that’s not feasible from a financial standpoint, but there are small steps you can take to set a positive culture from the beginning so that you don’t run up against issues later.”
Listen to your security team
While many areas of tech have been going through staff shortages, cybersecurity has been suffering with these gaps for several years, leading to many overworked and under-resourced teams.
Add to that the increasing level of supply chain attacks, data breaches, DDoS attacks and phishing scams and you have a recipe for disaster.
It’s vital that leaders listen to their security team’s needs, according to Snyk’s Adi Sharabani.
“We need to place developers at the kernel of our strategies. At the end of the day, they are the people responsible for building and maintaining applications and software – and when vulnerabilities are exploited, they are very often handed the blame,” he said.
“Thus, they need our support more than ever to push security forward in line with digital transformation. Listening to their pain points and their needs must drive how we overcome security challenges.”