Out with the old. We’re on to 2023. But let’s first take stock in the lessons learned from 2022 and what we can rethink in the new year. Security leaders are constantly weighing what to prioritize as they build their strategies. Ultimately, it comes down to two essential questions: where should they invest their resources (people and budgets) and what should be deprioritized? We spoke with some veteran CISOs about what will be top of their minds for security in 2023, and here’s what we learned.
To manage risk across the organization, it takes the entire organization. According to Rocket Companies CISO Chris Burrows, that means bringing together different teams to share knowledge and sync on how to achieve collective goals. Visibility, understanding, and appreciation through these different team lenses better serves the client relationship.
Burrows established a working group of people from different teams for face-to-face meetings in the office and plans to continue this into 2023. “It helps to see the body language and understand security is a team sport,” says Burrows. “We're discussing and taking actions, and documenting what we're doing, realizing that there are a lot of Monday morning quarterbacks.”
“This is more about people and process and less about technology—we know the technology's great. But these human interactions and alignments have gone a long way. We now have a common lens on how to do our jobs and protect our clients.”
Chris Burrows, CISO, Rocket Companies
Trust the team you’ve built around you and look for ways to upgrade their capabilities. Burrows and former DocuSign and United Airlines CISO Emily Heath agree that security teams have to look for ways to be more efficient and effective. That means investing in the talent you already have. Financial insecurity is looming large heading into 2023, and organizations are scrutinizing budgets more than ever. With realignment of costs happening across many companies, the fundamentals of doing business have never come more sharply into focus.
Heath says that if there’s any area of budgeting she’s seen take a hit, it's headcount. Companies are trying to get more out of their employees and consolidate teams. “Give the rock stars more responsibilities so they can help drive others and propel their careers. Despite the scrutiny, investment in growth will only help companies optimize their workforce and products they already have.”
Burrows adds it’s key to understand your objectives and leverage your current capabilities. You’re only as good as your team. “Give your team members the tooling, training, and authority to get the job done. Set a single Northstar and then let people take the reins to get there. It's about using the tools that you already have to train and empower the team,” he explains.
As more and more control is stripped away from internal security teams, their challenge will still be mitigating risks to the business. Mike Towers of the multinational pharmaceutical company Takeda says companies should invest their resources in protecting their cloud resources at the data level, and get ahead of issues by removing the ability for malware to spread between systems.
“Focus on Zero Trust. Assume everybody is dirty, protect the data at the backend, and monitor as much as you can. Then make sure you have a robust data analytics engine to make sense of all the data you're going to capture.”
Mike Towers, Chief Digital Trust Officer, Takeda
Both Towers and Heath believe companies need to be more forward-thinking, but with so much scrutiny on budgets, they also need to justify the cost of their actions. Heath explains you can’t expect to fix new issues by doing the same old things, so set aside a small portion of your security budget for innovation. Be transparent about what you’re doing and why you’re doing it to receive buy-in. She also recommends being scrappy and holding innovation showcases where you can vet startups to partner with. You can find a great resource and avoid paying top dollar.
Towers believes one of the biggest challenges security leaders face is financial arrogance. Because fear funded the function in the past, CISOs didn’t have to justify the business impact of their actions. “We’re in the business of reducing risk, and we get significant budgets to do so. But what is the impact and value to the business? Fear factor is not enough any longer. Showing value is going to be a key challenge.”
“Not innovating is not the answer,” says Heath. “I've been able to continue to innovate by putting aside a small amount of time, budget, and effort from different teams so they can continue to look at new tools. And don’t be afraid to introduce startups into the equation. From a financial perspective, it's a lot cheaper than spending millions of dollars on talent and resources that you don't have because you need them for other things.”
As data plays a significantly more important role in security, companies are investing in their own data teams. The result is that CISOs now have access to more data than they’ve ever had before, helping them connect the dots between teams, actions, and risks. While the technology that protects the data does a great job, it also produces a lot of alerts and actions that need to be taken. Bringing efficiency to how security teams interact with all this new data will be crucial.
“The absolute key here is making sense out of anything that captures and sends you data so you can build a picture of normalcy with indicators of abnormality. That's where we're heading,” says Towers. “There are certain point solutions that of course, we'll still need, but I would invest heavily in the data side and start to scale back on the others.”
Heath and Burrows claim the hardest part of being a CISO is deciding what not to do. Prioritization is crucial. Organizations need to focus on what matters most and decide how to get the biggest impact from the investments they've already made. Leveraging your current talent and tools, and empowering team members to do more is often a better strategy than continually looking outside the organization for alternative solutions.
“My number one goal is to always finish what we started and get the most out of the capability that we're already paying for. Today, it's even more important to go deep with your partners and not buy lots of solutions that don’t deliver the best value. So let’s finish what we started and make sure we're getting the most that we can from our current setup. If we're not getting 80% out of the tools that we already have, we should think long and hard about whether or not we actually need them.”
Emily Heath, Former CSO at DocuSign and United Airlines
To see what else our panel of experts had to say about security in 2023, watch the video.