The 10 challenges of 2023
With crises becoming more visible and more numerous, cybersecurity is more than ever on the agenda of leaders in 2023. In the latest PwC survey, Global Digital Trust Insights 2023, more than 70% of the 3,522 respondents observed improvements in cybersecurity in 2022, yet less than 40% considered their initiatives to have fully mitigated the risks. Despite significant advances in cyber defence in recent years, cyber risk is still present and its impact on the companies affected is very significant. So how should this risk be taken into account, reduced, and met with demonstrable cyber resilience?
Our 10 recommendations to aim for greater cyber resilience in 2023
1. Make your CISO (Chief information security officer) a hub in your business
The CISO (Chief Information Security Officer) is an essential link not only in fighting cyber attacks effectively but also in securing programs. It is your company’s #1 defence against cyber risk. We urge you to continue the fundamental movement that is transforming the function: the CISO should no longer be seen as a purely technical contributor within an IT department; the function and the expectations attached to the position have become strategic. As exposure to cyber risk increases, the CISO function must change with it. The CISO must first be far better equipped on a purely technical level, as cyber risk grows and becomes more complex. The CISO is now also expected to raise awareness of cybersecurity and to translate the risk into terms uninitiated audiences understand, and to have the management capacity to change the way the company operates. The CISO (RSSI) now has a much stronger leadership role to play, and you must support this change of dimension. One of the challenges lies in building relationships of trust with the entire C-suite.
2. Pay special attention to cyber risks associated with the transition to the cloud
The transition of companies to the cloud is accelerating, and at the same time it increases their exposure to cyber risks and new threats. 38% of the companies surveyed in the Global Digital Trust Insights 2023 survey say they are exposed through the cloud. Any interconnection between cloud environments and enterprise information systems must be seen as a potential new gateway for attackers. Today, an insecure cloud can allow an external attacker to compromise it and, ultimately, the company’s information system. By relying on major cloud players, you benefit from their strength in managing the security of that cloud, in particular through regularly deployed patches that correct vulnerabilities. Be careful, however, not to neglect the actions that remain in the hands of the company, such as configuring the cloud, which can expose you to increased risk if this step is not taken seriously.
3. Play as a team and collaborate your lines of defense
As we have seen, deploying the cloud within your company can improve its security, provided things are well prepared beforehand (in particular by putting in place the company’s own measures that protect it, and those that ensure over time that the cloud remains secure). This is about establishing lines of defence. Operational security is the responsibility of the first line of defence, while monitoring and challenging cybersecurity systems is the responsibility of a second line of defence (often integrated within a risk directorate in the most mature environments). This is teamwork, in which the whole organization has a role to play. To meet the cyber challenge, we must play collectively and take a constructive approach. The second line of defence must move away from a logic that is still too punitive and towards a collaborative one. Its role is to complement a first line that has the means to secure environments, adding a control dimension that constructively challenges the first line of defence.
4. Share and evangelize around your defense shields
Each of your employees must be able to play their role as a “bulwark” against cyber attacks, in IT teams but not only there. All of the company’s stakeholders, right up to the end customers, must be made aware of the entry points that attackers can exploit. Set up a process to raise awareness continuously. This awareness is a mandatory step towards changing how technology is operated and used, and thus towards better protection.
5. Develop a cyber by design approach
As the company digitizes and equips itself with technological tools, it gains agility but also increases its exposure to cyber risk by deploying new gateways that attackers can exploit. It is therefore key to integrate cybersecurity into all technological projects from their conception, and in particular into those concerning the digital transformation of the company. Only then do they become an opportunity for the company rather than a source of additional threats.
6. Move to the Operational Resilience Paradigm
Do not confine cybersecurity to its technical dimension. The operational resilience paradigm integrates cybersecurity with other dimensions such as IT risk management, business continuity and third-party risk management, moving towards a more resilient enterprise that is capable of functioning in the event of disruption.
7. See your cyber initiatives through to the end
A large number of cyber initiatives are launched, but unfortunately they are still too often ineffective, in the sense that they do not yet cover the entire perimeter of the company. It is essential to continue your initiatives and carry them through.
8. Put yourself in real-world conditions and test your security measures
Cyber attacks are not fiction: many companies have paid the price and more will be victims in 2023. But it can be difficult and abstract for a leader to grasp this reality without having already experienced it. It is observed, however, that the actors who have made the most progress in cyber risk management are those who have suffered one or more cyber attacks (PwC Global Digital Trust Insights Survey, 2023). Preparation is therefore a key step towards greater resilience, and for this there is nothing better than testing your measures, and your capacity to manage a crisis, in real conditions. Digital tools that raise awareness of crisis management are an avenue worth exploring to give yourself additional means of reacting in the event of an attack.
9. Set your cyber strategy and communicate around it
Establish a vision that is aligned with and understood by all stakeholders of the company and that gives meaning. Identify and communicate within the company the role and missions of the cybersecurity function. This will help the company’s other functions understand the requests the cyber teams may make during the year, which, by their nature, can be constraining. In general, by moving towards more transparency, you will allow all functions, and in particular top management, to better understand the subject of cybersecurity and all its operational implications.
10. Maintain and optimize your investments
While cybersecurity budgets are being maintained or even strengthened in the current context (post-Covid and in an uncertain economic situation), it is essential to keep this level of investment. This must, however, go hand in hand with a search for even greater efficiency, seeking to optimize cybersecurity budgets.
Clearly, cyber risk needs to be treated as a systemic risk, by setting up an organization that can identify it, understand it, address it effectively, and face it in a resilient way.