SecurityScorecard has been in Davos, Switzerland for the past week with heads of state, CEOs, and other global leaders as part of the 2023 World Economic Forum’s Annual Meeting. Along with climate change, sustainability, and geopolitical complexities, cybersecurity is one of the hottest topics of WEF’s official programming and the myriad private events that are part of the Davos annual experience.
SecurityScorecard presented at the Cyber Future Foundation’s 5th Annual Global Cyber Future Dialogue series. Along with leading companies such as Salesforce, Palo Alto Networks, and Fortinet, we are proud members of the World Economic Forum’s Centre for Cybersecurity which bridges “the gap between cybersecurity experts and decision-makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.”
Based on our discussions in Davos, the following five insights emerged:
1) Supply chain/third-party. Fifty-four percent of organizations surveyed reported a breach through a third party, vendor, or supplier in the past 12 months, making the vendor ecosystem one of the greatest cybersecurity risks [1]. “Vendor Risk Management” (VRM) is rapidly evolving, and three foundational principles are emerging to reduce that risk: Visibility of your entire vendor ecosystem, Remediation to verify and mitigate the risk posed by each vendor, and continuous Measurement, or quantification, of the risk within that ecosystem.
2) Critical infrastructure. Featured in Bloomberg, our latest paper “Addressing the Trust Deficit in Critical Infrastructure” found that the rising number of cyberattacks and highly publicized breaches has undermined the public’s trust in the resilience of our societies, prompting business leaders and policymakers globally to seek solutions for this mounting trust deficit. Specifically, 48% of critical manufacturing companies (e.g., primary metals, machinery, electrical appliances and components, transportation) are rated C, D, or F, struggling above all with applying key system patches, likely because of the increased volume of vulnerabilities. We also detected malware infections in 37% of such organizations.
3) Cyber workforce. According to an October 2022 study from the International Information System Security Certification Consortium, (ISC)2, the global cybersecurity workforce gap grew 26% year over year, reaching 3.4 million unfilled positions in 2022. Seventy percent of respondents said their organizations are understaffed, which hampers functional and operational work: critical systems are patched more slowly, and teams cannot dedicate enough time and resources to training. In response to this jobs crisis, the barriers to entry into cybersecurity must come down (one expert astutely commented, “make it easy and franchise it”). Forward-leaning organizations are re-training staff from adjacent IT roles, such as system administrators or network engineers, for security positions and then backfilling those roles. Soldiers are revered as heroes; why not cyber warfare talent?
4) Automation. Organizations that automate elements of their cybersecurity workflow while they seek to hire human talent will be more resilient against attacks such as ransomware and other network threats. Automation brings efficiency, which saves time and money, especially important given uncertain market conditions. In the current environment, security teams are being pressed to “do more with less” as discretionary budgets erode.
5) Boards and C-suite engagement. Security is not an “IT problem” but an enterprise-wide issue. Relatedly, IT has to speak the same language as the business. To understand the risk and impact of cybersecurity, board directors are hungry for useful and understandable metrics that arm them to ask the right questions. Role-playing “dry run” scenarios such as tabletop exercises are critical for boards and C-suite executives to get a “touch and feel” for cybersecurity. Gartner has predicted that by 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member [2]. “Board diversity” is not simply about gender or racial diversity, but about diversity of expertise, including cybersecurity and risk.
____________________________________________________________________________________________
[1] “Report: 54% of organizations breached through third parties in the past 12 months,” VentureBeat, September 16, 2022.
[2] Gartner, “Predicts 2021: Cybersecurity Program Management and IT Risk Management,” January 8, 2021.