New Year’s Resolutions: Where CISOs plan to invest and scale back in 2023

Hear from security leaders about their plans, strategies, and priorities for the new year.


Out with the old. We’re on to 2023. But let’s first take stock of the lessons learned from 2022 and what we can rethink in the new year. Security leaders are constantly weighing what to prioritize as they build their strategies. Ultimately, it comes down to two essential questions: where should they invest their resources (people and budgets), and what should be deprioritized? We spoke with some veteran CISOs about what will be top of mind for security in 2023, and here’s what we learned.

Top Security Resolutions for 2023

Resolution #1: Foster internal relationships

Managing risk across the organization takes the entire organization. According to Rocket Companies CISO Chris Burrows, that means bringing together different teams to share knowledge and sync on how to achieve collective goals. Visibility, understanding, and appreciation across these different team perspectives better serve the client relationship.

Burrows established a working group of people from different teams for face-to-face meetings in the office and plans to continue this into 2023. “It helps to see the body language and understand security is a team sport,” says Burrows. “We're discussing and taking actions, and documenting what we're doing, realizing that there are a lot of Monday morning quarterbacks.”

This is more about people and process and less about technology—we know the technology's great. But these human interactions and alignments have gone a long way. We now have a common lens on how to do our jobs and protect our clients.

Chris Burrows
CISO, Rocket Companies

Resolution #2: Invest in the talent you have

Trust the team you’ve built around you and look for ways to upgrade their capabilities. Burrows and former DocuSign and United Airlines CISO Emily Heath agree that security teams have to look for ways to be more efficient and effective. That means investing in the talent you already have. Financial insecurity is looming large heading into 2023, and organizations are scrutinizing budgets more than ever. With cost realignment happening across many companies, the fundamentals of doing business have never been more in focus.

Heath says that if there’s any area of budgeting she’s seen take a hit, it’s headcount. Companies are trying to get more out of their employees and consolidate teams. “Give the rock stars more responsibilities so they can help drive others and propel their careers. Despite the scrutiny, investment in growth will only help companies optimize their workforce and the products they already have.”

Burrows adds that it’s key to understand your objectives and leverage your current capabilities. You’re only as good as your team. “Give your team members the tooling, training, and authority to get the job done. Set a single North Star and then let people take the reins to get there. It’s about using the tools that you already have to train and empower the team,” he explains.

Resolution #3: Protect the backend

As more and more control is stripped away from internal security teams, their challenge will still be mitigating risks to the business. Mike Towers of multinational pharmaceutical company Takeda says companies should invest their resources in protecting their cloud resources at the data level, and get ahead of issues by removing the ability for malware to spread between systems.

Focus on Zero Trust. Assume everybody is dirty, protect the data at the backend, and monitor as much as you can. Then make sure you have a robust data analytics engine to make sense of all the data you're going to capture.

Mike Towers
Chief Digital Trust Officer, Takeda

Resolution #4: Set aside money for innovation and show the value

Both Towers and Heath believe companies need to be more forward-thinking but, with so much scrutiny on budgets, must justify the cost of their actions. Heath explains that you can’t expect to fix new issues by doing the same old things, so set aside a small portion of your security budget for innovation. Be transparent about what you’re doing and why you’re doing it in order to receive buy-in. She also recommends being scrappy and holding innovation showcases where you can vet startups to partner with. You can find a great resource without paying top dollar.

Towers believes one of the biggest challenges security leaders face is financial arrogance. Because fear funded the function in the past, CISOs didn’t have to justify the business impact of their actions. “We’re in the business of reducing risk and we get significant budgets to do so. But what is the impact and value to the business? Fear factor is not enough any longer. Showing value is going to be a key challenge.”

“Not innovating is not the answer,” says Heath. “I've been able to continue to innovate by putting aside a small amount of time, budget, and effort from different teams so they can continue to look at new tools. And don’t be afraid to introduce startups into the equation. From a financial perspective, it's a lot cheaper than spending millions of dollars on talent and resources that you don't have because you need them for other things.”

Resolution #5: Invest in the data

As data plays a significantly more important role in security, companies are investing in their own data teams. The result is CISOs now have access to more data than they’ve ever had before, helping them connect the dots between teams, actions, and risks. While the technology that protects the data does a great job, it also produces a lot of alerts and actions that need to be taken. Bringing efficiency to how security teams interact with all this new data will be crucial.

“The absolute key here is making sense out of anything that captures and sends you data so you can build a picture of normalcy with indicators of abnormality. That’s where we’re heading,” says Towers. “There are certain point solutions that, of course, we’ll still need, but I would invest heavily in the data side and start to scale back on the others.”

Resolution #6: Finish what you started

Heath and Burrows claim the hardest part of being a CISO is deciding what not to do. Prioritization is crucial. Organizations need to focus on what matters most and decide how to get the biggest impact from the investments they’ve already made. Leveraging your current talent and tools, and empowering team members to do more, is often a better strategy than continually looking outside the organization for alternative solutions.

My number one goal is to always finish what we started and get the most out of the capability that we're already paying for. Today, it's even more important to go deep with your partners and not buy lots of solutions that don’t deliver the best value. So let’s finish what we started and make sure we're getting the most that we can from our current setup. If we're not getting 80% out of the tools that we already have, we should think long and hard about whether or not we actually need them.

Emily Heath
Former CSO at DocuSign and United Airlines


To see what else our panel of experts had to say about security in 2023, watch the video.
