What will keep CISOs awake at night in 2023?
The role of Chief Information Security Officers (CISOs) has evolved tremendously over the last few years, from a strictly technology-oriented position to an executive-level role making vital decisions for the business. To grow in this position, CISOs have a strong peer community to rely on to understand where the cybersecurity market is heading.
That’s why we interviewed three CISOs from very different organizations to understand what their main cybersecurity challenges will be for next year.
Our contributors are Paul Bayle, Group CSO at Atos, Steven Ramsden, CSO at the Global Fund, an organization designed to accelerate the end of the AIDS, tuberculosis and malaria epidemics, and Cédric Voisin, Group CISO of Doctolib, an online and mobile booking platform that enables patients to book medical appointments with healthcare professionals. So, without further preamble, let’s dive right into the key challenges for CISOs in 2023.
What threats are you concerned about the most right now?
Paul Bayle: Overall, I admit that what raises the most concern for me are the “unknowns,” and especially the unknown unknowns, as described by Donald Rumsfeld. These unknown unknowns are threats that we have no choice but to accept, with the risk of discovering them once they start to materialize. The only way to reduce the unknown unknowns is to constantly challenge your defense and learn from others.
Steven Ramsden: Phishing and social engineering continue to be the main threat vector: business email compromise, social engineering opportunity fraud, imposters trying to trick us either via email, over the phone or on the internet.
Cédric Voisin: Data breaches and data leaks are the major risks for a company like Doctolib. Every day we focus on mitigating those risks with the highest level of caution.
Which threats do you fear the most for 2023? External or internal?
Paul Bayle: Definitely, the external threats are of higher concern, even if we must keep an eye open on insider threats. It’s important to note also that we now see a bridge between the two worlds, with external threat actors financially motivating internal employees to leak credentials, data and information.
Steven Ramsden: Ransomware is a pervasive threat; it’s something we all have to learn to deal with, and it’s essential to test our ransomware and crisis response plans. We need to detect and respond quickly, as well as stop it spreading.
Cédric Voisin: As a healthcare company, and given the sensitivity of the data we have to deal with, we cannot afford either internal or external confidentiality, integrity or availability breaches. They are of equal importance to us.
Are you also concerned about threats related to specific technologies or trends?
Steven Ramsden: Third-party and supply chain cyber risks, essentially. We all rely on someone. Whilst we all bolster our cyber security programs, the reality is it takes only a small slip-up, misconfiguration or unnoticed flaw for hackers to get in, even for the big cloud suppliers. It’s essential therefore to get “cyber hygiene” basics in place — like security patching, scanning and vulnerability management, etc.
Cédric Voisin: A bit of both actually. We often have to manage interoperability with other specific technologies — with hospitals for instance — and we must make sure that interconnections are secured.
On the other hand, we also carefully monitor technological changes, typically quantum computing. Around 2030, quantum technologies could render obsolete the encryption mechanisms which are one of our most important means of protection.
Paul Bayle: The quantum computing threat is also a concern that I share. We are preparing ourselves for post-quantum cryptography to ensure we will have quantum-safe encryption algorithms for our systems and solutions, as well as for our customers. Also, the digitalization and expansion of social media gives a platform to malicious actors for spear phishing and identity fraud, leveraging deep fake technologies — voice and image — for example.
Where does the biggest risk come from? Inside or outside your organization?
Paul Bayle: Both indeed. Over the past years, the paradigm shifted from attacks directed towards industries or markets to attacks towards individuals – for which malicious actors have an in-depth knowledge of their strengths and weaknesses. Therefore, organizations must have full protection, the best possible, and have an entire coverage of the security landscape. If today they were to focus only on the inside perimeter of the organization, then attackers would target their external attack surface. On the reverse, if organizations have strong external attack surface management but do not raise their staff’s awareness, then attackers would target the staff, with phishing campaigns for example.
Steven Ramsden: The highest probability risk is from phishing. We are now moving more and more to the cloud, so it’s essential you understand exactly where all your data is. Businesses, and anyone else, can now buy cloud services with a credit card.
Cédric Voisin: Logically, the biggest risk comes from the outside, but we can never be too cautious about the inside as well.
Will you change your risk management strategy based on the threat and risks?
Paul Bayle: We constantly watch the technological and threats evolution to adapt our risk management strategy accordingly. The goal is to make sure it is always up-to-date, and that its foundations are strong.
Steven Ramsden: I am moving over to a threat-intelligence-based risk approach, also moving from a qualitative to a quantitative risk analysis using the FAIR methodology.
I will also focus more on ‘crown jewels’ assessment and leveraging enterprise architecture, looking at the inter-relationships of business, systems, processes, data life and data management, and third parties. Understanding the whole organization is key.
Also measuring the cyber risk exposure of the third-party supply chain.
Nowadays, too, it’s not a question of if you will get hit, it’s when, so I am focusing too on overall organization-wide resilience and consequence-based scenarios like power outages, etc.
Cédric Voisin: Our risk management strategy has been built considering those threats and risks. Of course, they evolve with time and technology, and we must adapt continually, but our core foundations do not change, they are built for the long run.
What is your #1 challenge?
Paul Bayle: A key challenge is the orchestration of the security services to implement consistent security across the board. It would be useless to implement a top security strategy on 90% of your environment but to leave 10% with the lowest security without compensating controls. We need to raise security on the entire scope at the same time, and it is one of the main challenges CISOs have to address.
Steven Ramsden: The number one challenge today is phishing and it will continue into 2023. Moving to cyber resilience is a key theme, and supply chain cyber risk management is important to identify, analyze and mitigate risks inherent in external suppliers, their applications and their software and use of open source. Also, systems-to-systems mapping of all the assets in the organization and their relationships for a deep technical analysis with also a behavioural science overlay to provide a holistic view of cyber resilience.
Cédric Voisin: The first challenge that comes to my mind is talent acquisition. The cybersecurity job market is tense and we focus on staying highly competitive and providing strong added value to talents while looking for deep expertise to build a strong team.
Dealing with a complex regulatory framework is also a challenge for every cybersecurity professional.
Moreover, we’re all aware that defenders cannot allow themselves a single mistake. The devil hides in the details. On the other hand, a hacker can make thousands of mistakes, but he just needs one successful attempt. But that’s also why our job is exciting and challenging on a daily basis.
Do you have specific challenges related to governance and budget?
Paul Bayle: Sure, and these two are intertwined. The governance challenge is to get your Board on board, so that it understands the importance of cybersecurity, what is at stake, and why it matters to keep investing in new technologies, to identify and protect both the internal and external attack surface, to detect, mitigate and recover. Once this is done comes the budget challenge. As you must invest a bit everywhere, otherwise you will develop a weak point that attackers will identify and exploit – getting your Board of Directors all-in will certainly help to receive sufficient investment budget.
Steven Ramsden: No organization has the budget to protect everything, so there must be strong business-driven governance in place, sponsored by top management and business decision makers. We must also be able to adequately quantify the risk exposure, using a quantitative risk assessment like the FAIR methodology, to ensure a transparent, business-risk, cost-based approach for all security investment decisions.
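The quantitative, FAIR-style approach Steven Ramsden describes here and in his earlier answer on risk strategy can be illustrated with a small Monte Carlo model. The following Python script is an added example written for this page: it is not the interviewee's code, nor an implementation of the FAIR standard itself, and every scenario number in it (the scenario name, the threat event frequency range, the vulnerability probability and the loss magnitude range) is a constructed assumption standing in for calibrated estimates. It shows the core FAIR decomposition, loss event frequency as threat event frequency times vulnerability, and loss magnitude per event, and turns the result into the figures a board can act on: an annualized loss expectancy, tail percentiles and a loss exceedance probability for a chosen threshold.

```python
import random
import statistics

# Constructed scenario for illustration only: a phishing-led business
# e-mail compromise (BEC) against one organization. Every number is an
# assumed calibrated estimate (min, most likely, max), not real data.
SCENARIO = {
    "name": "Phishing-led BEC (constructed example)",
    # Threat event frequency: phishing attempts per year reaching a user.
    "tef": (20.0, 60.0, 150.0),
    # Vulnerability: probability that one attempt becomes a loss event.
    "vuln": 0.04,
    # Loss magnitude per loss event, in EUR (fraud, response, notification).
    "loss": (5_000.0, 40_000.0, 400_000.0),
}


def sample_estimate(rng, estimate):
    """Draw from a (min, most likely, max) estimate with a triangular PDF."""
    low, mode, high = estimate
    if low == high:          # degenerate estimate: a fixed value
        return low
    return rng.triangular(low, high, mode)


def simulate_annual_losses(scenario, years=10_000, seed=2023):
    """Monte Carlo over simulated years, FAIR-style.

    For each year: draw the number of threat events, keep each one as a
    loss event with probability `vuln`, draw its loss magnitude, and sum.
    """
    rng = random.Random(seed)   # seeded so runs are reproducible
    annual = []
    for _ in range(years):
        attempts = int(round(sample_estimate(rng, scenario["tef"])))
        total = 0.0
        for _ in range(attempts):
            if rng.random() < scenario["vuln"]:
                total += sample_estimate(rng, scenario["loss"])
        annual.append(total)
    return annual


def percentile(values, p):
    """Nearest-rank percentile, p in [0, 1], over the sorted values."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[idx]


def loss_exceedance(values, threshold):
    """Fraction of simulated years whose loss exceeds the threshold."""
    return sum(1 for v in values if v > threshold) / len(values)


def summarize(scenario, years=10_000, seed=2023):
    """Board-level figures derived from the simulation."""
    losses = simulate_annual_losses(scenario, years, seed)
    return {
        "ale_mean": statistics.mean(losses),    # annualized loss expectancy
        "median": statistics.median(losses),     # typical year
        "p90": percentile(losses, 0.90),         # bad year
        "p99": percentile(losses, 0.99),         # very bad year
        "p_over_500k": loss_exceedance(losses, 500_000.0),
    }


if __name__ == "__main__":
    result = summarize(SCENARIO)
    print(SCENARIO["name"])
    for key, value in result.items():
        print(f"{key:>12}: {value:,.2f}")
```

The point of reporting the mean, the median and the tail separately is that a heavy-tailed loss distribution makes the annualized loss expectancy a poor single number: the median year may be cheap while the 99th percentile is what justifies a control investment, and the exceedance probability for a threshold such as the cyber insurance deductible is the figure that maps directly onto a budget decision.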
Cédric Voisin: We are at the hyperscale phase of our company now, we must adapt processes and governance while we grow.
As for every company, budgets are a challenge, but security always comes first.
What is your key piece of advice for CISOs to succeed in 2023?
Paul Bayle: CISOs should absolutely focus on the mapping of the IT system. Numerous government agencies, and NIST itself — in its cybersecurity framework — state it: it is what lies behind the first step of the process, “Identify.” So, before all the rest – Protect, Detect, React and Recover – what comes first, and should always come first, is to identify, whether it is before, during or after an attack.
It is even more important, because decades ago you could just map what was inside the walls of the organizations, behind the firewalls. But now as we also have the public cloud and the supply chain, it is no longer only about mapping the infrastructure, but it is also about the application landscape or key suppliers.
Steven Ramsden: Regularly test the resilience of the organization: identify and play the top threat scenarios through a scenario-driven table-top exercise, focusing on consequence-driven scenarios like power outages, ransomware, etc. Run regular security penetration and red teaming exercises to keep testing continually.
Cédric Voisin: I would say that the basic security hygiene and foundations of a system are the most important. We must make sure they are solid and completely secured before considering high added value security works.
About the authors
Group Chief Information Security Officer, Doctolib
Cédric Voisin, Chief Information Security Officer at Doctolib, specializes in securing fast-moving businesses and high-performance technology platforms. He is responsible for global security development and is dedicated to creating secure web, mobile and customer service solutions to improve access to healthcare. Prior to joining Doctolib, he was Chief Information Security Officer at Lyreco, a global office supplies company.
Chief Information Security Officer, The Global Fund based in Geneva, Switzerland to fight HIV, Malaria and TB
The Global Fund is a public-private partnership which operates in 120+ countries and has saved 50 million lives worldwide.
Before joining the Global Fund, Steve held senior management positions within the UK Government, where he was responsible for the blueprint and design of the UK Government’s new Shared Services and was a certified GCHQ/CESG information assurance advisor for the protection of UK government systems. He also worked in the energy business in Australia, where he was responsible for information security and resilience for national critical infrastructure and SCADA/OT systems. Steve has a passion for education: he supports the University of Geneva SDG lab and helps raise awareness of emerging frontier innovation technologies, including Web3, blockchain, encryption and privacy-preserving technologies (multi-party computation/zero-knowledge proofs), to make a social impact.
Group Chief Security Officer, Atos
After a 27-year career at Atos, specializing in security since 2000, Paul now leads the Group’s security strategy. His responsibilities include defining the Atos Group’s security strategy, monitoring security transformation plans and managing Atos’ global community of security leaders around the world.