Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Layered Security, NIST, and Security Budgets
By Cam Roberson, Vice President at Beachhead Solutions
2023 will see organizations trying to weather an unclear economic outlook (and tightening budgets) amid increasing information-security threats. It will be a tricky juxtaposition that will, unfortunately, probably lead to security-breach headlines for some. I anticipate the following three narratives will be a big part of the security story in 2023:
1. NIST will take the spotlight
While the U.S. government's NIST Cybersecurity Framework (CSF) is voluntary guidance and best practice rather than a regulation, its comprehensive structure offers a valuable blueprint for the more specific government mandates (e.g. CMMC and DFARS, which build on the NIST SP 800-171 control set) and for other industry mandates. The CSF is organized around five core functions (Identify, Protect, Detect, Respond, and Recover) and more than 100 subcategories, each stating a specific security outcome with informative references to the controls and best practices that achieve it, covering how to identify, protect against, detect, respond to, and recover from cybersecurity attacks.
In 2023, NIST will continue to rise as a (if not the) de facto cross-industry standard. Businesses will put in the work to achieve NIST compliance and promote that achievement as proof of their effective cybersecurity practices. Companies will use this proof point as a competitive differentiator over less secure competitors. As familiarity continues to grow in the coming year, NIST compliance will become an effective method of winning customers as well as keeping their data safe. One caveat: because the CSF is voluntary and has no official certification, a claim of "NIST compliance" is a self-assessment (or a third-party assessment) against its outcomes, so customers should ask which profile and implementation tier was assessed. Importantly, because the framework is so comprehensive, organizations that align with it are also in an easily attainable position to meet the other compliance mandates they are subject to.
2. Businesses with ransomware-centric protections will pursue more layered security postures
Ransomware defense continues to get a lot of attention, and a lot of budget, from businesses across industries. And so it should. But organizations will use 2023 to take a deeper look at how comprehensive and holistic their current security posture is. Are they over-prioritizing ransomware to the detriment of other significant risks to business data and continuity (such as insider risk, lost and stolen devices, and compliance violations)? Businesses still need continuous security training regimens that teach employees to recognize phishing emails, keep login credentials secure, stick to approved network connections, and not share devices or leave an authenticated session unattended. Businesses also need to introduce (if they haven't already) governance controls capable of recognizing insider threats, complete with audit-quality activity logging and reporting. Finally, encryption and remote access-control safeguards must be ready to deny data access automatically, in real time, the moment threat conditions are present (for example, a device reported lost or stolen). Organizations that introduce these well-rounded measures in 2023 will find themselves safer not only from ransomware but from the full spectrum of threats, many of which are more likely to affect them than ransomware.
3. Organizations will resist the temptation to cut security budgets
Economic uncertainty will have many businesses seeking to tighten budgets and reduce overhead costs wherever they can. That said, most businesses understand that cybersecurity is one area where budget cuts would be a penny-wise-but-pound-foolish decision. The stakes are simply too high, given that cybersecurity investments safeguard not just systems and data but also a business's regulatory compliance and reputation. Fines from regulatory enforcement are steep enough to cripple many companies, and loss of reputation can be even harder to bounce back from. In 2023, businesses may seek to become more efficient with their security budgets but will be careful to keep the effectiveness of their cybersecurity measures intact.
A year of security reflection and improvement
Aligning with these trends, 2023 may well be the year that budget pressures make businesses closely examine and optimize their cybersecurity postures. By following NIST guidance and bringing ransomware fears into balance, organizations can come away with more robust and comprehensive protections that remain within budget.
ABOUT THE AUTHOR
Cam Roberson is Vice President at San Jose-based Beachhead Solutions, which provides a PC and device security platform for businesses (and MSPs) across industries to encrypt data and automate threat responses. Cam began his career with Apple Computer, where he held several senior product management roles in the computing and imaging divisions.