This Q&A collects the most thought-provoking questions from our January webinar, “Cybersecurity trends – What to expect in 2023”. The speaker, Madhu Maganti, has answered them and compiled the answers into this article. The questions range from practical tips to strategic concerns, and the answers are intended for readers at any level of cybersecurity experience, whether expert or novice.
The questions and answers follow.
Question: When it comes to cybersecurity, what is more important—the compliance or the knowledge of the end user?
Answer: While it is impossible to say which is more important for any given company, providing quality education to your employees can be done typically with relatively limited effort and spending from your IT department. There are many highly rated LMS systems that have a variety of cybersecurity-related learning modules that can be integrated with Active Directory to allow for easier user management. Attaining information security-related compliance may be a more arduous process depending on which compliance frameworks need to be complied with, but also one that a company may not be able to neglect for very long without incurring significant risk.
If a company is currently in the process of assessing or improving compliance, this is a great time to streamline processes, improve systems, and determine ways to operate more efficiently across the board. Overall, a combination of attaining compliance and a higher understanding of cybersecurity by end users will allow for a stronger security posture.
Question: How will AI technologies like ChatGPT influence the cybersecurity risk landscape?
Answer: Over the past several years, we have seen various forms of AI and machine learning used to monitor and protect information, assets, and networks. With the introduction of AI to the general public, organizations are exposed to yet another avenue of data loss. As we have already seen, employees may upload sensitive information to the website without being aware that this information may be provided to other users of the service.
ChatGPT and similar AI engines will enable the cybersecurity teams to utilize yet another avenue, albeit a powerful one, potentially for continuous monitoring and protection, along with human intervention for important decision-making abilities. One cannot rely solely on AI in its current form without validation of actions and abilities.
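The data-loss avenue described in the answer above (staff pasting or uploading sensitive material into a public AI service) is usually first visible in the web proxy. The following is an added example, not code from the article or the speaker: it scans constructed, simplified proxy log lines and reports, per user and destination, POST/PUT requests above an assumed size threshold to an assumed list of unsanctioned generative-AI domains. The log format, domain list and threshold are assumptions to adapt to your own proxy.

```python
"""Flag likely uploads to unsanctioned generative-AI services in proxy logs.

Added example, not part of the original article. The log layout, the domain
list and the byte threshold are assumptions; adjust them for your environment.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed simplified access-log layout (one request per line):
#   <epoch> <client_ip> <user> <method> <url> <status> <request_bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)

# Assumed: public AI endpoints the organisation has not sanctioned for company data.
GENAI_DOMAINS = {"chat.openai.com", "api.openai.com", "bard.google.com"}
# Assumed: a single POST/PUT larger than this is treated as an upload, not a short prompt.
UPLOAD_BYTES = 2000

# Constructed sample log: alice uploads twice, bob once above threshold, carol
# uploads to an internal site, and one line is malformed on purpose.
SAMPLE_LOG = """\
1675200000 10.0.0.15 alice POST https://chat.openai.com/backend-api/conversation 200 48211
1675200010 10.0.0.15 alice GET https://chat.openai.com/ 200 512
1675200020 10.0.0.22 bob POST https://api.openai.com/v1/chat/completions 200 1500
1675200030 10.0.0.22 bob POST https://api.openai.com/v1/chat/completions 200 9100
1675200040 10.0.0.31 carol POST https://intranet.example.com/upload 200 300000
garbage line that does not parse
1675200050 10.0.0.15 alice PUT https://chat.openai.com/backend-api/files 200 250000
"""


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    requests: int
    bytes_sent: int


def host_of(url: str) -> str:
    """Extract the lowercase host part of a URL ('' if it has no scheme)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_uploads(lines, domains=GENAI_DOMAINS, threshold=UPLOAD_BYTES):
    """Aggregate large POST/PUT requests to unsanctioned AI hosts per (user, host)."""
    agg = defaultdict(lambda: [0, 0])  # (user, host) -> [request count, total bytes]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole job
        if rec["method"] not in ("POST", "PUT"):
            continue  # GETs (page loads) are not uploads
        host = host_of(rec["url"])
        if host not in domains or rec["bytes"] < threshold:
            continue
        agg[(rec["user"], host)][0] += 1
        agg[(rec["user"], host)][1] += rec["bytes"]
    findings = [Finding(u, h, n, b) for (u, h), (n, b) in agg.items()]
    return sorted(findings, key=lambda f: (f.user, f.host))


if __name__ == "__main__":
    for f in find_uploads(SAMPLE_LOG.splitlines()):
        print(f"{f.user} -> {f.host}: {f.requests} upload(s), {f.bytes_sent} bytes")
```

On the sample data this reports alice (two uploads to chat.openai.com) and bob (one upload to api.openai.com); carol's internal upload and bob's small prompt are ignored. A threshold on request size is a coarse heuristic, so treat the output as a triage list for a DLP or awareness follow-up, not as proof of exfiltration.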
Question: Why is cybercrime on the increasing side despite continuous cybersecurity awareness?
Answer: Increasing cybersecurity awareness is a result of the continuous uptick in successful cybercrimes over the past several years. While the average cybersecurity-related knowledge of the global workforce has increased substantially during this period, every organization is only as strong as its weakest link, and cybercriminals have also become more knowledgeable.
As a result, cybercriminals will continue to search for these employees with lower-than-average cybersecurity awareness and leverage social engineering to gain insider access.
Question: Will cybersecurity engineers be replaced by AI technologies?
Answer: While AI can substantially augment information technology and information security capabilities and reduce the workload of employees by managing some day-to-day tasks, it does not seem likely that IT staff or cybersecurity engineers will be fully replaced any time soon.
However, by becoming more efficient with help from more sophisticated technology, employees will be able to dedicate time to more value-added tasks and help improve the company far more than they would be able to do previously. Employees can utilize the data provided by AI to make more informed decisions for their organization.
Question: Some organizations still have legacy systems and have difficulty updating or upgrading, thus their inability to apply patches. What can best be done to minimize the risk?
Answer: While the best answer is almost always going to be to upgrade the system, network segmentation and integrating legacy systems with compatible up-to-date monitoring and protection software can help to mitigate risks. Oftentimes, it is the lack of strict patch management policies and their implementation across the various assets within the organization that gives rise to malicious actors entering the network to unleash malware.
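Network segmentation for a host that cannot be patched means an explicit allow-list: the legacy system may talk only to its monitoring and management paths, and everything else is blocked and alerted on. The following is an added example, not code from the article or the speaker. It keeps one constructed allow-list for a hypothetical legacy host and uses it both to render enforcing nftables rules (assumed chain name `legacy_fw`) and to check constructed flow records for traffic that escapes the segment, which is the detective side of the same control.

```python
"""Isolate an unpatchable legacy host: derive enforcing firewall rules and
check flow records for segmentation violations from a single allow-list.

Added example, not part of the original article. The inventory, allow-list,
flow-log layout and nftables table/chain names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Allowed:
    direction: str  # "out": legacy host -> peer, "in": peer -> legacy host
    peer: str
    dport: int
    proto: str


@dataclass(frozen=True)
class LegacyAsset:
    name: str
    ip: str
    allowed: frozenset  # set of Allowed entries


# Assumed inventory: one legacy host that may only send telemetry to monitoring
# and be administered from a jump host. Anything else is a violation.
INVENTORY = {
    "10.20.0.5": LegacyAsset("scada-hmi-01", "10.20.0.5", frozenset({
        Allowed("out", "10.1.0.10", 514, "udp"),   # syslog to the SIEM collector
        Allowed("out", "10.1.0.11", 443, "tcp"),   # monitoring agent check-in
        Allowed("in", "10.1.0.20", 3389, "tcp"),   # RDP from the admin jump host
    })),
}

# Constructed, simplified flow export: src_ip dst_ip dst_port proto bytes
FLOW_LOG = """\
10.20.0.5 10.1.0.10 514 udp 820
10.1.0.20 10.20.0.5 3389 tcp 40112
10.20.0.5 10.1.0.11 443 tcp 3300
10.20.0.5 10.0.0.99 445 tcp 51200
192.168.5.7 10.20.0.5 445 tcp 64
10.0.0.40 10.0.0.99 445 tcp 9000
"""


@dataclass(frozen=True)
class Violation:
    asset: str
    src: str
    dst: str
    dport: int
    proto: str
    direction: str


def parse_flows(text):
    """Yield (src, dst, dport, proto, bytes) tuples, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split()
        yield src, dst, int(dport), proto.lower(), int(nbytes)


def check_segmentation(flows, inventory=INVENTORY):
    """Return flows that touch a legacy host but are not on its allow-list."""
    violations = []
    for src, dst, dport, proto, _ in flows:
        if src in inventory:
            asset, rule = inventory[src], Allowed("out", dst, dport, proto)
        elif dst in inventory:
            asset, rule = inventory[dst], Allowed("in", src, dport, proto)
        else:
            continue  # flow does not involve a legacy host
        if rule not in asset.allowed:
            violations.append(Violation(asset.name, src, dst, dport, proto, rule.direction))
    return violations


def nft_rules(asset):
    """Render the allow-list as nftables rules for the assumed chain
    'inet filter legacy_fw', ending with logged default-deny in both directions."""
    rules = []
    for a in sorted(asset.allowed, key=lambda a: (a.direction, a.peer, a.dport)):
        if a.direction == "out":
            rules.append(f"ip saddr {asset.ip} ip daddr {a.peer} {a.proto} dport {a.dport} accept")
        else:
            rules.append(f"ip saddr {a.peer} ip daddr {asset.ip} {a.proto} dport {a.dport} accept")
    rules.append(f'ip saddr {asset.ip} log prefix "legacy-out-denied " drop')
    rules.append(f'ip daddr {asset.ip} log prefix "legacy-in-denied " drop')
    return [f"add rule inet filter legacy_fw {r}" for r in rules]


if __name__ == "__main__":
    for v in check_segmentation(parse_flows(FLOW_LOG)):
        print(f"VIOLATION {v.asset}: {v.src} -> {v.dst}:{v.dport}/{v.proto} ({v.direction})")
    print("\n".join(nft_rules(INVENTORY["10.20.0.5"])))
```

On the sample flows the check reports two violations: the legacy host reaching a file server on 445/tcp, and an unknown host scanning it on 445/tcp. Both are exactly the paths the rendered rules would drop and log, so the flow check doubles as a test that the segmentation is actually enforced where the flows were collected.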
Question: There appears to be a disconnect between many of today’s job postings for InfoSec positions. For those attempting to break into the field, many positions are asking for 5+ years of experience for “entry-level” positions, essentially gatekeeping the field from passionate professionals who wish to help “fight the good fight”. Do you see any way for organizations to help bridge this talent gap?
Answer: This is an issue that is more widespread than we know. While there are a lot of organizations that seem to indulge in these gatekeeping exercises, there are some organizations that are trying to right the wrong. There is a disconnect between the HR and the information security department in some cases due to the reproduction of a prior job posting template which results in these unattainable needs.
Organizations can help bridge the talent gap only if they are able to attract the right talent that will bring the right value to the firm. To bridge the gap, organizations need to ensure they are looking into their job descriptions and that there are attainable needs for entry-level positions. Entry-level roles need to be geared towards individuals fresh out of college, and on-the-job training should be encouraged. This allows for more realistic hiring and helps prepare the workforce of the future.
Question: The EU enacted the NIS2, DORA, and other directives in January. How do you see the pressure on the GRC services market now that entities have to be compliant by 2024Q4 and onwards – will the requirements on incident reporting make the ISO 22301 BCMS business certification a top priority now for doing business in Europe?
Answer: As we see an uptick in information security-related regulations and directives being passed across the globe, it is important to stay current and compliant. For GRC platforms and service providers, assisting their customers on this front will be of utmost importance. We can likely expect to see these platforms and services adding additional features and reporting capabilities to remain competitive against their peers.
For any companies who may be affected by these new requirements, the precedent set by case law, as well as mandates from clients, business partners, insurance companies, and other relevant parties, will help determine whether any certifications will be beneficial. Regardless of regulatory requirements, however, it is always important to continuously improve all aspects of your information security environment over time.
Question: How can cybersecurity officers effectively work if they are not getting the support of management?
Answer: For cybersecurity officers, especially those reporting directly to management, one of the most important aspects of the job is to be able to effectively communicate with members of management. This means describing risks, potential impacts, and other information security-related news in terms and language that they are used to hearing. Performing a risk assessment across the organization, identifying gaps, and prioritizing risks is a great starting point. Information security should also be a standing topic in recurring management meetings, where risks to the company and areas of improvement in future projects are discussed.
By presenting the management team with a prioritized risk assessment with recommendations for mitigating gaps, bringing up information security frequently, and speaking in a language they are used to hearing, they may start to see the need to support the organization’s cybersecurity initiatives. Providing key metrics on information security will allow for the feedback loop with management that is critical for support.
Question: What could be the cause of penalizing staff for negligence in information security risk actions?
Answer: Any lapse or negligence with information security risk actions could result in a lot of damage to the organization. People are typically the weakest link in any organization, and this is the reason a lot of emphasis is put on employee awareness training.
There are sanctions for those employees who continue to neglect their training while increasing the risk within the organization. While organizations are willing to work with employees who might need additional training following failure in a phishing campaign or other tests, it is important that the organizations identify those employees who continue to increase risk despite being provided all avenues to increase their cybersecurity knowledge.
Rather than penalizing staff, this can be viewed as a sanction, as an organization needs to ensure all their employees are equipped to identify threats when they see them and involve the right members to help mitigate the risk identified.
Question: If a company cannot find a local insurer to provide cyber insurance, what would be the best course of action in that instance?
Answer: It is important that companies can transfer some of their cybersecurity risks by having a strong cybersecurity insurance policy. If a company cannot find a local insurer, it is often best to speak with individuals within their industry in their city or attend professional organization events.
This will allow a company to gather information from colleagues within their industry. Multiple quotes should be obtained by the company, and the best policy, considering the coverage and clauses, should be chosen.
Question: What steps should an organization take to efficiently detect vulnerabilities?
Answer: While it is always possible to conduct a self-assessment against an industry-standard framework, an initial assessment performed by an advisory or cybersecurity organization will provide a great deal of information and help set the tone for information security-related activities going forward.
Doing so will also help the organization understand its detective and preventative controls and prioritize and better mitigate the identified risks by receiving recommendations from a team that’s worked with countless other organizations across various industries. The assessment will help set the tone for short-term and long-term priorities.
After procedures have been put in place and a foundation for the information security environment has been established, the organization may rely on GRC tools or various SaaS solutions to streamline future assessments, self-audits, and other activities.
If you would like to revisit the Webinar and check out the live recording, you can click here.