2023 #CISOPredicts: Elwin Wong, SVP & CISO at Ross Stores, Inc.
Members of Silicon Valley CISO Investments (SVCI) offer their take on the challenges and trends that will shape 2023.
As Chief Information Security Officers (CISOs) across industries including tech, insurance, and retail, we have the benefit of sharing (and comparing) our perspectives on a variety of hot-button issues. As members of Silicon Valley CISO Investments (SVCI), we also get a front seat to the most recent cybersecurity innovations by advising and investing in the next generation of startups—and using our decades of expertise to help them thrive.
From where we sit in the C-suite, here’s our take on the trends and challenges that will shape 2023:
SVP & CISO, Ross Stores, Inc.
Expect bifurcation between cybersecurity programs
Organizations have been focusing on strengthening their ransomware defense, security, privacy approach to product development, cyber-attack response, supply chain risk management, and operational technology (OT) security, to name only a few initiatives. As we move into 2023, these activities will continue amid ongoing geopolitical risks, further emphasis on data privacy laws, and increasing regulatory pressures and board-level oversight, all of which will drive additional priorities for cybersecurity and risk leaders.
To top it off, the U.S. economy is weakening and possibly facing a recession in the coming year. This is where the bifurcation between organizations’ cybersecurity programs and their investments becomes more apparent, as these programs will experience different challenges and have distinct priorities.
Many small and medium-sized businesses (SMBs) and private companies feeling the impacts of the economic downturn will be forced to decrease investments in cybersecurity protections, which in turn leaves them more vulnerable to increasing cyberattacks such as ransomware and others. Cybercriminals will take advantage of the situation and evolve faster, increasing cyberattacks on vulnerable SMBs as prime targets in the coming year. This will force SMBs to be creative and do more with less while already contending with fewer resources and tighter budgets to defend themselves.
On the other hand, corporations with a robust business and strong financial position may be minimally impacted by a weaker economy. These companies are maintaining or even increasing their investments in cybersecurity. However, many are feeling the mounting regulatory pressures, such as the pending SEC proposed cybersecurity rules, which will incite further scrutiny and risk oversight from their boards. Boards will need to have a much clearer role and responsibility when it comes to the process of ensuring adequate controls and reporting cyberattacks. There will be a great deal of focus on cybersecurity governance, risk management, and incident reporting.
Here is an example of the likely SEC actions these organizations will need to translate and define:
Reporting “material” cybersecurity incidents and “non-material” incidents that, when combined with other incidents, become material “in aggregate”
Regardless of how you might interpret this intricate statement, imagine the effort it will take for corporations to rationalize their point of view. The outcome most certainly will require a lot of discussion and alignment to ensure the board and management are on the same page. And if a publicly traded company is in the unfortunate situation of disclosing a material cyber incident to its shareholders and the SEC, it must do so by reporting on its 8-K filing. This can be market-moving information, and companies need to be very careful about how this is articulated. Ultimately, all of this will drive further actions and investment for corporations. At the end of the day, the outcome may improve oversight and maturity of their cybersecurity programs.
Regardless of how things actually play out, we know that cybersecurity will be front and center and the bad guys are not slowing down. So, hold on tight as 2023 is setting up to be an intense year in cybersecurity.
Keep following to read additional takes on 2023 by SVCI CISOs!