On June 1, the New Jersey chapters of (ISC)2 and ISACA hosted SECON New Jersey 2023 at Kean University for a sold-out crowd. As part of a full-day schedule, Debra Price, Senior Product Marketing Manager at ExtraHop, hosted a panel discussion alongside Gina Pierson (Cybersecurity Engineer, Atlantic Health System), Lori Polansky (Security Engineer, Nobilis), and Sharon Kelley (Director Information Security and Compliance, The Hudson Group) entitled “The Future of Cybersecurity – Our Favorite Predictions.” Read on for a recap of the discussion and to learn which predictions the panelists believe will come true, and which won’t.
Prediction #1: There Will Be Wider Scale Adoption of Zero Trust
Gina Pierson from Atlantic Health System opened the panel with a discussion of zero trust, reminding the audience that zero trust isn’t a single solution but starts with a mindset. With the introduction of new tools and processes, the security climate is shifting in this direction, but some companies are becoming overwhelmed by the process, while others claim they’ve implemented zero trust without fully understanding what it entails. The core tenet of zero trust is “never trust, always verify,” yet many organizations implement multi-factor authentication and then implicitly trust any device inside the perimeter, which is exactly the assumption zero trust is meant to remove.
Although the tools needed to implement zero trust exist today, deploying and using them in practice is not easy. As in other aspects of cybersecurity, zero trust should be part of the security plan from the start rather than being tacked on at the end. Trying to retrofit new tools onto an existing architecture almost always leads to significant technical debt.
The verdict: Wider-scale adoption of zero trust security models will be hampered by the inherent complexity of zero trust security implementations.
Prediction #2: Security Leaders Will Increase Focus on Cyber Resilience
The Hudson Group’s Sharon Kelley led the discussion of this prediction, noting that for many years, leaders wanted their organizations to be “100% secure” from breaches. Now, she says, the conversation is shifting from “make sure it doesn’t happen to us” to “how do we mitigate [impact] when it does?”
From here, the panel opened up into a higher-level discussion of cyber resilience. Once again, involving security teams in planning from the start leads to better results. The panelists agreed that it can be helpful to think of cyber resilience along the lines of business continuity and disaster recovery, since the processes for building cyber resilience should work in the same way. Cyber resilience process documentation should be streamlined, easy to follow, and stored offline (preferably in multiple locations) so that it remains available when production systems are unavailable. Panelists also recommended regularly rehearsing resilience plans so teams can act quickly and confidently in the event of an incident or even a natural disaster.
The verdict: This prediction is already coming true as the conversation shifts to an “assume breach” mindset.
Prediction #3: Cyber Hygiene and Awareness Will Be a Top Priority in 2023
Lori Polansky with Nobilis began the conversation on cyber hygiene with a metaphor: “I brush my hair every day, cyber hygiene is the same.” But she noted that things we think of as security basics aren’t happening everywhere. No matter your organization, you should be following a security framework of some kind (NIST, PCI DSS, NERC-CIP, HITRUST, etc.), but a surprising number of enterprises don’t. Further, your processes should be easily explainable to everyone from the C-suite to the developers integrating them into their code.
This topic led to a lively discussion on the best way to conduct employee security training. Some organizations implement a “three strikes, you’re out” policy for internal phishing tests, while others are more lenient. The panel agreed that while punitive measures can drive a culture shift, firing employees for failing a single phishing test might be too extreme. After all, a well-crafted email could fool even a security professional who is looking for it. That said, failures should be tracked, even if only to identify who needs extra training. Ultimately, security awareness and hygiene come down to the human element. When your people feel they have input into security policies, they’re more likely to follow them. Similarly, starting new hires off with good habits will propagate good security hygiene as they interact with others in your organization.
The verdict: This prediction is coming true for some organizations, while others lag behind.
For more security thought leadership, you can find each of these women on LinkedIn: