Security and data privacy are evolving quickly, and the landscape is changing rapidly. Predictions for 2023 from many cybersecurity analysts indicate that companies will not be able to reduce their vulnerability to cyberattacks simply by optimizing their existing processes. Instead, they will also have to eradicate them and re-evaluate how they deal with cybersecurity in general, not just how they approach it in isolation.
A recent article in VentureBeat shares some of Forrester analysts' top cybersecurity predictions for 2023, based on their research. The statistics in the report show a shift in the cultural orientation of organizations in how they manage risk and privacy concerns.
In Forrester's forecast, the most shocking predictions include an increasing number of cybersecurity employees turning into whistle-blowers due to burnout, C-level executives facing pressure over their use of employee monitoring, and a rising number of cyber insurance providers expanding into the managed detection and response (MDR) business.
A majority of Chief Risk Officers (CROs) report directly to their CEOs in most cases
Forrester senior analyst Alla Valente explained that, while businesses embrace innovative digital strategies, they are also facing unprecedented changes that result from systemic risk forces, a constantly evolving regulatory environment, ever-chaotic supply chains, and shifting customer expectations.
The role of the chief risk officer (CRO) has become increasingly significant, especially for non-financial companies, as companies are expanding the scope of their risk management strategies to include a wide range of sources of risk and repositioning their center of gravity to include non-financial risks.
Today's CROs cannot hedge against downside risks (compliance, insurance) in the same way as CROs of the past. As risk management receives more attention and gains internal prominence, the CRO may be tasked with finding opportunities for growth.
It is pertinent to note that risk management does not have to be seen as an unnecessary expense but rather as an opportunity to increase business. CROs are now reporting directly to the CEO, resulting in a change in the reporting structure.
C-level executives will be terminated for using employee monitoring in their companies
Forrester principal analyst Heidi Shey mentioned that, with the rise of remote and anywhere work options, some employers are turning to electronic monitoring of employees to keep an eye on their performance. As part of any monitoring technology implementation, companies must consider privacy rights and the employee experience. This is true regardless of whether the system is being implemented to track employee productivity, enable a return-to-work strategy, or address internal concerns about insider trading.
There are many opportunities for disaster from a regulatory and workforce perspective when it comes to implementing this type of business initiative. Therefore, companies need to be very careful with their planning and implementation.
In addition to causing violations of GDPR, employee monitoring efforts can also violate laws enacted recently in New York and Ontario, Canada. These laws relate specifically to employee monitoring and to specific monitoring types. A bill proposed in California aims to improve accountability in workplace surveillance, so we can expect additional attention from legislators in 2023.
According to the analysts, there is also a possibility that employers will become more intrusive, which could lead to a rise in employee protests as well as strikes and organizing by labor unions in response to such monitoring efforts.
Three cyber insurers are expected to acquire MDR providers
Forrester VP and principal analyst Jeff Pollard explained that cyber insurers are expected to move aggressively into the MDR segment this year. They calculate that it is better to offer detection and response services themselves to the clients they insure than to leave those clients to do it all on their own. In 2022, Acrisure began a trend that would continue for several years.
Benefits that insurers can gain through MDR acquisitions include the following:
- High-value data about attacker activity, which can be used to refine underwriting guidelines
- Unprecedented visibility into the policyholder environment
- Confirmation of the claimant's statements
When cybersecurity leaders purchase MDR from an insurer, they must evaluate how the insurer will use telemetry when underwriting, which is not likely to be favorable for them. They should also consider whether the insurer is willing to offer cybersecurity services such as MDR. In addition, they should consider whether they are confident they can rely on their insurer to help them stop active attacks.
Organizations will sue offensive security tool providers for causing their security breaches
Forrester senior analyst Allie Mellen noted that the post-exploitation kits most used by security professionals and attackers are Cobalt Strike, Metasploit, and Mimikatz, among others. To ensure that customers do not misuse the technology for harmful purposes, some providers share disclosures or apply due-diligence processes during the sale.
There will be a growing number of tools available in the marketplace. Enterprises and governments will be compelled to ensure that the tools do not fall into the wrong hands. This will also affect how these tools are created and distributed.
According to the study, litigation against a software company may follow in 2023. This may set a precedent for other software products to be caught in the crossfire in the future, as tensions continue to mount over the potential breaches of third parties.