
The year 2022 was a game-changer in the cyber threat landscape. Securing the software supply chain and open-source software ecosystem, implementing zero trust, and educating employees about the risks of social engineering and phishing attempts are just a few of the areas that CISOs are looking into to reduce potential risks. Continue reading to learn about CISO Considerations for Data Privacy and Compliance in 2023. 

Understanding Data Privacy Regulations 

As the importance of privacy grows both domestically and globally, enterprise security leaders must remain aware of the ever-changing privacy landscape. What that effort looks like, and how much time and attention must be devoted to privacy, is primarily determined by the size of the company, the products and services it provides, and the location of the company’s operations.

Obtaining a thorough understanding of all applicable privacy laws is a tough prospect. The list of country- and state-specific requirements is growing, and most businesses will almost certainly be required to comply with multiple privacy laws and regulations.

While the United States lacks a single comprehensive federal privacy law, several states have enacted their own. According to the International Association of Privacy Professionals (IAPP), 29 states will consider privacy bills in 2022, up from just two in 1998. The patchwork of state privacy laws in the United States continues to grow. 

Data Privacy & Compliance Trend Predictions for 2023

Gartner’s top trend predictions for CISOs in 2023 are as follows:

  1. Most businesses will use an SSE platform from a single vendor to unify web, cloud, and private application access. 
  2. Consumer privacy rights will be extended to 5 billion people and more than 70% of the global GDP. 
  3. By 2025, 60% of organizations will consider cybersecurity risk when conducting third-party transactions and business engagements. 
  4. By 2025, 60% of organizations will use zero trust as a starting point for security. More than half will not reap the benefits. 
  5. By 2025, 30% of nation-states will have passed legislation governing ransomware payments, fines, and negotiations. 
  6. By 2025, threat actors will have successfully weaponized operational technology environments in order to cause human casualties. 
  7. To survive, 70% of CEOs will require an organizational resilience culture by 2025. 
  8. By 2026, 50% of C-level executives will have risk-related performance requirements built into their employment contracts. 

What These Trends May Mean for CISOs 

These predictions reveal several themes:

  • Internal pressures 
  • External changes 
  • Solution adoption. 

CISOs must be aware of the pressures that may arise within the organization. Risk-related elements in C-level executive employment contracts may result in a greater emphasis on risk management. This may help CISOs position cyber security as part of the risk assessment, potentially unlocking more support for risk reduction initiatives.  

Aligned with this is the concept of CEOs mandating a culture of organizational resilience. CISOs are now talking about “cyber security culture change,” which involves making business colleagues identify as part of the organization’s overall security. This may now include adaptability. Again, CISOs may find this to be a vehicle for change.

Treating risk as a consideration when deciding whether to do business with third parties will highlight the third-party dependency issues that CISOs are already concerned about. The perimeter is long gone; security now extends beyond the CISO’s organizational remit, and understanding and cooperating with third-party security will become increasingly important. There is a disadvantage for CISOs: many are already burdened by the requirement to report on compliance and audits, and this may increase as current and potential business partners inquire about the organization’s cyber security posture.

The issue of privacy is related to compliance and reporting. It is expected that consumer privacy will expand to cover the majority of countries. This may necessitate a greater emphasis on the extent and scope to which privacy is reported. Many CISOs are already addressing this due to regulations such as GDPR. This could provide a solid foundation for moving forward. Privacy has been viewed positively by CISOs. “Do you really need that data?” is a common question. Organizations can reduce the amount of unwanted data that must be stored and secured. 

Another trend is the constant change in tactics in response to attacks. Payment for ransomware is debatable; making payments has moral, legal, and practical implications. If this becomes regulated, it may provide a more solid foundation for decision-making. Perhaps it will act as a deterrent to future attacks. Why attack the victim if they cannot pay? Perhaps this is just wishful thinking on my part. On the negative side, attackers may significantly increase the capability of their tools in the operational technology environment, a current area of concern for CISOs that may become more prominent in the future.

On the plus side, the majority of organizations will use zero trust as their starting point for security. However, many will not reap the benefits. CISOs are increasingly addressing the organizational and cultural change required for zero trust to succeed, recognizing that it is about more than just technology. Cisco research papers have identified several clear benefits. CISOs want to introduce new consolidated web, cloud, and private application access technologies. This may reduce technical debt and allow for more efficient operational management, centralized policy control, and improved reporting.

To summarize, today’s enterprise security leaders must have a thorough understanding of the ever-changing privacy risk landscape and must constantly assess their security posture to ensure that all applicable privacy laws and regulations have been taken into account. 

The legal/privacy functions of a company should help to alleviate the burden. Both security and privacy teams should maintain regular and ongoing collaboration to ensure regulations are understood and appropriate controls are designed and implemented. Assessments and exercises should be performed to validate the strategy’s effectiveness. 

IP Consulting takes a multi-layered approach to cybersecurity with your organizational needs and your budget in mind. Our expert team offers businesses best-in-class cybersecurity solutions that keep up with the ever-changing nature of cyber threats. Contact us by filling out our online form.