- Most people still want a hybrid work model but there is a shortage in security workforce to maintain secure remote work, which impacts confidence in the security practice.
- Pressure of operational excellence drives organizational modernization with the consequence of higher risks of security attacks that impact not only cyber but also physical systems.
- The number of regulations with stricter requirements and reporting is increasing, along with high sanctions for violations.
- Accurately assessing readiness for, and the benefits of, adopting next-gen cybersecurity technologies can be difficult. Additionally, regulation often struggles to keep up with the implications and risks of adopting next-gen cybersecurity technologies, which may not always be explicit.
- Software is usually produced as part of a supply chain instead of in a silo. Thus, a vulnerability in any part of the supply chain can become part of the attack surface.
Our Advice
Critical Insight
- Secure remote work still needs to be maintained to facilitate the hybrid work model post pandemic.
- Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits. Hence, we need to secure organization modernization.
- Organizations should use regulatory changes to improve security practices, instead of treating them as a compliance burden.
- Next-gen cybersecurity technologies alone are not the silver bullet. A combination of technologies with skilled talent, useful data, and best practices will give a competitive advantage.
Impact and Result
- Use this report to help decide your 2023 security priorities by:
  - Collecting and analyzing your own related data, such as your organization's 2022 incident reports. Use Info-Tech's Security Priorities 2023 material for guidance.
  - Identifying your needs and analyzing your capabilities. Use Info-Tech's template to explain the priorities you need to your stakeholders.
  - Determining the next steps. Refer to Info-Tech's recommendations and related research.
Member Testimonials
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.
Overall Impact | Average $ Saved | Average Days Saved
---|---|---
9.0/10 | $881 | 1

Client | Experience | Impact | $ Saved | Days Saved
---|---|---|---|---
ABF Holdings Limited | Guided Implementation | 9/10 | N/A | 1
Security Priorities 2023
How we live post pandemic
Each organization is different, so a generic list of priorities will not be applicable to every organization.
During 2022, ransomware campaigns declined from quarter to quarter due to the collapse of experienced groups. Several smaller groups are developing to recapture the lost ransomware market. However, ransomware is still the most worrying cyber threat.
Also in 2022, people returned to normal activities such as traveling and attending sports or music events, but not yet to the office. The reasons behind this trend can be manifold: employees perceive that work from home (WFH) improves productivity and gives them time flexibility, especially those with younger children. On the other side of the spectrum, some employers perceive that WFH hurts productivity and are therefore urging employees to return to the office. However, employers also understand that competition to retain skilled workers is fiercer. Thus, the trend is toward hybrid work, where eligible employees can WFH for a certain portion of their work week.
Besides ransomware and the hybrid work model, in 2022, we saw an evolving threat landscape, regulatory changes, and the potential for a recession by the end of 2023, which can impact how we prioritize cybersecurity this year. Furthermore, organizations are still facing the ongoing issues of insufficient cybersecurity resources and organization modernization.
This report will explore important security trends, the security priorities that stem from these trends, and how to customize these priorities for your organization.
In Q2 2022, the median ransom payment was $36,360 (-51% from Q1 2022), a continuation of a downward trend since Q4 2021 when the ransom payment median was $117,116.
Source: Coveware, 2022
From January until October 2022, hybrid work grew in almost all industries in Canada especially finance, insurance, real estate, rental and leasing (+14.7%), public administration and professional services (+11.8%), and scientific and technical services (+10.8%).
Source: Statistics Canada, Labour Force Survey, October 2022; N=3,701
Hybrid work changes processes and infrastructure
Investment in remote work due to changes in processes and infrastructure
As part of our research process for the 2023 Security Priorities Report, we used the results from our State of Hybrid Work in IT Survey, which collected responses between July 10 and July 29, 2022 (total N=745, with n=518 completed surveys). This survey details what changes in processes and IT infrastructure are likely due to hybrid work.
Process changes to support hybrid work
Survey respondents (n=518) were asked what processes had the highest degree of change in response to supporting hybrid work. Incident management is the #1 result and service request support is #2. This is unsurprising considering that remote work changed how people communicate, how they access company assets, and how they connect to the company network and infrastructure.
Infrastructure changes to support hybrid work
For 2023, we believe that hybrid work will remain. The first driver is that employees still prefer to work remotely on certain days of the week. The second driver is employers' investment in enabling WFH during the pandemic, such as updated network architecture (44%) and infrastructure and day-to-day operations (41%), as shown in our survey.
Top cybersecurity concerns and organizational preparedness for them
Concerns may correspond to readiness.
In the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, we asked about cybersecurity concerns and the perception about readiness to meet current and future government legislation regarding cybersecurity requirements.
Cybersecurity issues
Survey respondents were asked how concerned they are about certain cybersecurity issues from 1 (not concerned at all) to 5 (very concerned). The #1 concern was talent shortages. Other issues with similar concerns included cyber risks not on leadership's radar, supply chain risks, and new regulations (n=507).
Cybersecurity legislation readiness
When asked about how confident organizations are about being prepared to meet current and future government legislation regarding cybersecurity requirements, from 1 (not confident at all) to 5 (very confident), the #1 response was 3 (n=499).
Unsurprisingly, the ever-changing government legislation environment in a world emerging from a pandemic and ongoing wars may not give us the highest confidence.
We know the concerns and readiness…
But what is the overall security maturity?
As part of our research process for the 2023 Security Priorities Report, we reviewed results of completed Info-Tech Research Group Security Governance and Management Benchmark diagnostics (N=912). This report details what we see in our clients' security governance maturity. Setting aside the perception on readiness – what are their actual security maturity levels?
Overall, assessed organizations are still scoring low (47%) on Security Culture and on Policy and Process Governance. This explains why most security incidents are still due to gaps in foundational security and security awareness rather than a lack of advanced controls such as event and incident management (58%).
And how will the potential recession impact security?
Organizations are preparing for recession, but opportunities for growth during recession should be well planned too.
As part of our research process for the 2023 Security Priorities Report, we reviewed the results of the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, which collected responses between August 9 and September 9, 2022 (total N=813 with n=521 completed surveys).
Expected organizational spending on cybersecurity compared to the previous fiscal year
Keeping the same spending is the #1 result and #2 is increasing spending up to 10%. This is a surprising finding considering the survey was conducted after the middle of 2022 and a recession has been predicted since early 2022 (n=489).
US recession forecast (Source: Statista, 2022, CC BY-ND)
Contingency planning for recessions normally includes tight budgeting; however, it can also include opportunities for growth, such as hiring talent who have been laid off by competitors and are difficult to acquire in normal conditions. This can support our previous findings on increasing cybersecurity spending.
Five Security Priorities for 2023
Maintain Secure Hybrid Work
PRIORITY 01
- HOW TO STRATEGICALLY ACQUIRE, RETAIN, OR UPSKILL TALENT TO MAINTAIN SECURE SYSTEMS.
Executive summary
Background
If anything can be learned from the COVID-19 pandemic, it is that humans are resilient. We swiftly changed to remote workplaces and adjusted people, processes, and technologies accordingly. We had some hiccups along the way, but overall, we demonstrated that our ability to adjust is remarkable.
The pandemic changed how people work and how and where they choose to work, and most people still want a hybrid work model. However, the number of days for hybrid work itself varies. For example, from our survey in July 2022 (n=516), 55.8% of employees have the option of 2-3 days per week to work offsite, 21.0% for 1 day per week, and 17.8% for 4 days per week.
Furthermore, the investment (e.g. in infrastructure and networks) to initiate remote work was huge, and the cost doesn't end there, as we need to maintain the secure remote work infrastructure to facilitate the hybrid work model.
Current situation
Remote work: A 2022 survey by WFH Research (N=16,451) reports that ~14% of full-time employees are fully remote and ~29% are in a hybrid arrangement as of Summer-Fall 2022.
Security workforce shortage: A 2022 survey by Bridewell (N=521) reports that 68% of leaders say it has become harder to recruit the right people, impacting organizational ability to secure and monitor systems.
Confidence in the security practice: A 2022 diagnostic survey by Info-Tech Research Group (N=55) reports that importance may not correspond to confidence; for example, the most important selected cybersecurity area, namely Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice (80.5%).
"WFH doubled every 15 years pre-pandemic. The increase in WFH during the pandemic was equal to 30 years of pre-pandemic growth."
Source: National Bureau of Economic Research, 2021
Leaders must do more to increase confidence in the security practice
Importance may not correspond to confidence
As part of our research process for the 2023 Security Priorities Report, we analyzed results from the Info-Tech Research Group diagnostics. This report details what we see in our clients' perceived importance of security and their confidence in existing security practices.
Cybersecurity importance
Cybersecurity importance areas
Confidence in cybersecurity practice
Confidence in cybersecurity practice areas
Diagnostics respondents (N=55) were asked about how important security is to their organization or department. Importance to the overall organization is 2.1 percentage points (pp) higher, but confidence in the organization's overall security is slightly lower (-0.4 pp).
If we break down to security areas, we can see that the most important area, Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice: 80.5%. From this data we can conclude that leaders must build a strong cybersecurity workforce to increase confidence in the security practice.
Use this template to explain the priorities you need your stakeholders to know about.
Maintain secure hybrid work plan
Provide a brief value statement for the initiative.
Build a strong cybersecurity workforce to increase confidence in the security practice to facilitate hybrid work.
Initiative Description:
- Description must include what the organization will undertake to complete the initiative.
- Review your security strategy for hybrid work.
- Identify skills gaps that hinder the successful execution of the hybrid work security strategy.
- Use the identified skill gaps to define the technical skill requirements for current and future work roles.
- Conduct a skills assessment on your current workforce to identify employee skill gaps.
- Decide whether to train, hire, contract, or outsource each skill gap.
Drivers:
List initiative drivers.
- Employees still prefer to WFH for certain days of the week.
- Employers' investment in WFH during the pandemic, such as updated network architecture, infrastructure, and day-to-day operations.
- Tech companies' huge layoffs, e.g. Meta laid off more than 11,000 employees.
Risks:
List initiative risks and impacts.
- Workers who lack certificates or years of experience are trained into skilled workers, then quit or are poached by competitors.
- Organizational and cultural changes cause friction with work-life balance.
- Increased attack surface of remote/hybrid workforce.
Benefits:
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
- Increase perceived productivity by employees and increase retention.
- Increase job satisfaction and work-life balance.
- Hiring talent that has been laid off who are difficult to acquire in normal conditions.
Related Info-Tech Research:
Recommended Actions
1. Identify skill requirements to maintain secure hybrid work
Review your security strategy for hybrid work.
Determine the skill needs of your security strategy.
2. Identify skill gaps
Identify skills gaps that hinder the successful execution of the hybrid work security strategy.
Use the identified skill gaps to define the technical skill requirements for work roles.
3. Decide whether to build or buy skills
Conduct a skills assessment on your current workforce to identify employee skill gaps.
Decide whether to train, hire, contract, or outsource each skill gap.
Source: Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan, Info-Tech
Secure Organization Modernization
PRIORITY 02
- TRENDS SUGGEST MODERNIZATION SUCH AS DIGITAL TRANSFORMATION TO THE CLOUD, OPERATIONAL TECHNOLOGY (OT), AND THE INTERNET OF THINGS (IOT) IS RISING; ADDRESSING THE RISK OF CONVERGING ENVIRONMENTS CAN NO LONGER BE DEFERRED.
Executive summary
From computerized milk-handling systems on Wisconsin farms, to automated railway systems in Europe, to Ausgrid's Distribution Network Management System (DNMS) in Australia, to smart cities and beyond, system modernization poses unique challenges to cybersecurity.
The threats can be to safety, such as the trains stopped in Denmark for several hours during the last weekend of October 2022 due to an attack on a third-party IT service provider; to economics, such as the cream cheese production shutdown at the peak of cream cheese demand in October 2021 after hackers compromised a large cheese manufacturer's plants and distribution centers; and to reliability, such as the significant loss of communication for the Ukrainian military, which relied on Viasat's services.
Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits.
Current situation
- Pressure of operational excellence: Competitive markets cannot keep pace with demand without modernization. For example, in automated milking systems, the labor time saved from milking can be used to focus on other essential tasks such as the decision-making process.
- Technology offerings: Technologies are available and affordable such as automated equipment, versatile communication systems, high-performance human machine interaction (HMI), IIoT/Edge integration, and big data analytics.
- Higher risks of cyberattacks: Modernization enlarges attack surfaces, which are not only cyber but also physical systems. Most incidents indicate that attackers gained access through the IT network, which was followed by infiltration into OT networks.
IIoT market size is USD 323.62 billion in 2022 and projected to be around USD 1 trillion in 2028.
Source: Statista, March 2022
Modernization brings new opportunities and new threats
Higher risks of cyberattacks on Industrial Control System (ICS)
- Target: Australian sewage plant. Method: Insider attack. Impact: 265,000 gallons of untreated sewage released.
- Target: Middle East energy companies. Method: Shamoon. Impact: Overwritten Windows-based system files.
- Target: German steel mill. Method: Spear-phishing. Impact: Blast furnace control shutdown failure.
- Target: Middle East Safety Instrumented System (SIS). Method: TRISIS/TRITON. Impact: Modified safety system ladder logic.
- Target: Viasat's KA-SAT network. Method: AcidRain. Impact: Significant loss of communication for the Ukrainian military, which relied on Viasat's services.
- Target: Marconi wireless telegraph presentation. Method: Morse code. Impact: Fake message sent: "Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily."
- Target: Iranian uranium enrichment plant. Method: Stuxnet. Impact: Compromised programmable logic controllers (PLCs).
- Target: ICS supply chain. Method: Havex. Impact: Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers.
- Target: Ukraine power grid. Method: BlackEnergy. Impact: Manipulation of the HMI view, causing 1-6 hour power outages for 230,000 consumers.
- Target: Colonial Pipeline. Method: DarkSide ransomware. Impact: Compromised billing infrastructure halted pipeline operation.
Sources:
- DOE, 2018
- CSIS, 2022
- MIT Technology Review, 2022
Info-Tech Insight
Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
Use this template to explain the priorities you need your stakeholders to know about.
Secure organization modernization
Provide a brief value statement for the initiative.
The systems (OT, IT, IIoT) are evolving now – ensure your security plan has you covered.
Initiative Description:
- Description must include what the organization will undertake to complete the initiative.
- Identify the drivers to align with your organization's business objectives.
- Build your case by leveraging a cost-benefit analysis and update your security strategy.
- Identify people, process, and technology gaps that hinder the modernization security strategy.
- Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.
- Evaluate and enable modernization technology top focus areas and refine security processes.
- Decide whether to train, hire, contract, or outsource to fill the security workforce gap.
Drivers:
List initiative drivers.
- Pressure of operational excellence
- Technology offerings
- Higher risks of cyberattacks
Risks:
List initiative risks and impacts.
- Complex systems with many components to implement and manage require diligent change management.
- Organizational and cultural changes cause friction between humans and machines.
- Increased attack surface of cyber and physical systems.
Benefits:
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
- Improve service reliability through continuous and real-time operation.
- Enhance efficiency through operations visibility and transparency.
- Gain cost savings and efficiency to automate operations of complex and large equipment and instrumentations.
Related Info-Tech Research:
- Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities
- Secure IT-OT Convergence
- Build an Information Security Strategy
Recommended Actions
1. Identify modernization business cases to secure
Identify the drivers to align with your organization's business objectives.
Build your case by leveraging a cost-benefit analysis, and update your security strategy.
2. Identify gaps
Identify people, process, and technology gaps that hinder the modernization security strategy.
Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.
3. Decide whether to build or buy capabilities
Evaluate and enable modernization technology top focus areas and refine security processes.
Decide whether to train, hire, contract, or outsource to fill the security workforce gap.
Sources:
Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech
Secure IT-OT Convergence, Info-Tech
Develop a cost-benefit analysis
Identify a modernization business case for security.
Benefits | Metrics
---|---
Operational Efficiency and Cost Savings |
Improve Reliability and Resilience |
Energy & Capacity Savings |
Customers & Society Benefits |
Cost | Metrics
---|---
Equipment and Infrastructure | Upgrade existing security equipment or instrumentation or deploy new, e.g. IPS on the Enterprise DMZ and Operations DMZ. Implement communication network equipment, plus labor to install and configure. Upgrade or construct a server room, including cooling/heating, power backup, and server and rack hardware.
Software and Commissioning | The SCADA/HMI software and maintenance fee as well as the lifecycle upgrade implementation project cost. Labor cost of field commissioning and troubleshooting. Integration with security systems, e.g. log management and continuous monitoring.
Support and Resources | Cost to hire/outsource security FTEs for ongoing management and operation of security devices, e.g. SOC. Cost to hire/outsource IT/OT FTEs to support and troubleshoot systems and their integrations with security systems, e.g. MSSP.
An example of a cost-benefit analysis for ICS modernization
Sources:
Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech
Lawrence Berkeley National Laboratory, 2021
IT-OT convergence demands new security approach and solutions
Identify gaps
Attack Vectors
IT
- User's compromised credentials
- User's access device, e.g. laptop, smartphone
- Access method, e.g. denial-of-service to modem, session hijacking, bad data injection
OT
- Site operations, e.g. SCADA server, engineering workstation, historian
- Controls, e.g. SCADA Client, HMI, PLCs, RTUs
- Process devices, e.g. sensors, actuators, field devices
Defense Strategies
- Limit exposure of system information
- Identify and secure remote access points
- Restrict tools and scripts
- Conduct regular security audits
- Implement a dynamic network environment
(Control System Defense: Know the Opponent, CISA)
An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.
Source: ISA-99, 2007
RESPOND TO REGULATORY CHANGES
PRIORITY 03
- GOVERNMENT-ENACTED POLICY CHANGES AND INDUSTRY REGULATORY CHANGES COULD BE A COMPLIANCE BURDEN … OR PREVENT YOUR NEXT SECURITY INCIDENT.
Executive summary
Background
Government-enacted regulatory changes are occurring at an ever-increasing rate these days. As one example, on November 10, 2022, the EU Parliament introduced two EU cybersecurity laws: the Network and Information Security (NIS2) Directive (applicable to organizations located within the EU and organizations outside the EU that are essential within an EU country) and the Digital Operational Resilience Act (DORA). There are also industry regulatory changes such as PCI DSS v4.0 for the payment sector and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for Bulk Electric Systems (BES).
Organizations should use regulatory changes as a means to improve security practices, instead of treating them as a compliance burden. As said by lead member of EU Parliament Bart Groothuis on NIS2, "This European directive is going to help around 160,000 entities tighten their grip on security […] It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale."
Current situation
Stricter requirements and reporting: Regulations such as NIS2 include provisions for incident response, supply chain security, encryption, and vulnerability disclosure, and set tighter cybersecurity obligations for risk management and reporting.
Broader sectors: For example, the original NIS directive covers 19 sectors such as Healthcare, Digital Infrastructure, Transport, and Energy. Meanwhile, the new NIS2 directive increases to 35 sectors by adding other sectors such as providers of public electronic communications networks or services, manufacturing of certain critical products (e.g. pharmaceuticals), food, and digital services.
High sanctions for violations: For example, the Digital Services Act (DSA) includes fines of up to 6% of global turnover and a ban on operating in the EU single market in case of repeated serious breaches.
Approximately 100 cross-border data flow regulations exist in 2022.
Source: McKinsey, 2022
Stricter requirements for payments
Obligation changes to keep up with emerging threats and technologies
- 64 new requirements were added.
- 13 new requirements become effective March 31, 2024.
- 11 new requirements apply only to service providers.
- Defined roles must be assigned for requirements.
- Focus on periodically assessing and documenting scope.
- Entities may choose a defined approach or a customized approach to requirements.
An example of new requirements for PCI DSS v4.0
Source: Prepare for PCI DSS v4.0, Info-Tech
Use this template to explain the priorities you need your stakeholders to know about.
Respond to regulatory changes
Provide a brief value statement for the initiative.
The compliance obligations are evolving – ensure your security plan has you covered.
Initiative Description:
Description must include what the organization will undertake to complete the initiative.
- Identify relevant security and privacy compliance and conformance levels.
- Identify gaps for updated obligations, and map obligations into control framework.
- Review, update, and implement policies and strategy.
- Develop compliance exception process and forms.
- Develop test scripts.
- Track status and exceptions.
Drivers:
List initiative drivers.
- Pressure of new regulations
- Governance, risk & compliance (GRC) tool offerings
- High administrative or criminal penalties of non-compliance
Risks:
List initiative risks and impacts.
- Complex structures and a great number of compliance requirements
- Restricted budget and lack of skilled workforce for organizations such as local municipalities and small or medium organizations compared to private counterparts
- Personal liability for some regulations for non-compliance
Benefits:
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
- Reduces compliance risk.
- Reduces complexity within the control environment by using a single framework to align multiple compliance regimes.
- Reduces costs and efforts related to managing IT audits through planning and preparation.
Related Info-Tech Research:
Recommended Actions
1. Identify compliance obligations
Identify relevant security and privacy obligations and conformance levels.
Identify gaps for updated obligations, and map obligations into control framework.
2. Implement compliance strategy
Review, update, and implement policies and strategy.
Develop compliance exception process.
3. Track and report
Develop test scripts to check your remediations to ensure they are effective.
Track and report status and exceptions.
Sources: Build a Security Compliance Program and Prepare for PCI DSS v4.0, Info-Tech
Identify relevant security and privacy compliance obligations
Identify obligations
# | Security | Jurisdiction
---|---|---
1 | Network and Information Security (NIS2) Directive | European Union (EU) and organizations outside the EU that are essential within an EU country
2 | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) | North American electrical utilities
3 | Executive Order (EO) 14028: Improving the Nation's Cybersecurity, The White House, 2021 | United States

# | Privacy | Jurisdiction
---|---|---
1 | General Data Protection Regulation (GDPR) | EU and EU citizens
2 | Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada
3 | California Consumer Privacy Act (CCPA) | California, USA
4 | Personal Information Protection Law of the People's Republic of China (PIPL) | China
An example of security and privacy compliance obligations
How much does it cost to become compliant?
- It is important to understand the various frameworks and to adhere to the appropriate compliance obligations.
- Many factors influence the cost of compliance, such as the size of organization, the size of network, and current security readiness.
- To manage compliance obligations, it is important to use a platform that not only performs internal and external monitoring but also provides third-party vendors (if applicable) with visibility into potential threats in their organization.
Adopt Next-Generation Cybersecurity Technologies
PRIORITY 04
- GOVERNMENTS AND HACKERS ARE RECOGNIZING THE IMPORTANCE OF EMERGING TECHNOLOGIES, SUCH AS ZERO TRUST ARCHITECTURE AND AI-BASED CYBERSECURITY. SO SHOULD YOUR ORGANIZATION.
Executive summary
Background
The cat and mouse game between threat actors and defenders continues. The looming question "can defenders do better?" has been answered with rapid development of technology. This includes AI/ML-based automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing), not only in IT but also in other relevant environments such as IoT, IIoT, and OT.
More fundamental approaches such as post-quantum cryptography and zero trust (ZT) are also emerging.
ZT is a principle, a model, and also an architecture focused on resource protection by always verifying transactions using the least privilege principle. Hopefully in 2023, ZT will be more practical and not just a vendor marketing buzzword.
Next-gen cybersecurity technologies alone are not a silver bullet. A combination of skilled talent, useful data, and best practices will give a competitive advantage. The key concepts are explainable, transparent, and trustworthy. Furthermore, regulation often faces challenges to keep up with next-gen cybersecurity technologies, especially with the implications and risks of adoption, which may not always be explicit.
Current situation
ZT: Performing an accurate assessment of readiness and benefits to adopt ZT can be difficult due to ZT's many components. Thus, an organization needs to develop a ZT roadmap that aligns with organizational goals and focuses on access to data, assets, applications, and services; don't select solutions or vendors too early.
Post-quantum cryptography: Current cryptographic applications, such as RSA for PKI, rely on the hardness of factorization. However, algorithms such as Shor's show a quantum speedup for factorization, which can break current crypto once sufficiently capable quantum computers are available. Thus, threat actors can intercept currently encrypted information and store it to decrypt in the future.
AI-based threat management: AI analyzes and correlates data extremely fast compared to humans. Millions of telemetry records, malware samples, raw events, and vulnerability data feed into the AI system, which humans cannot process manually. Furthermore, AI does not tire of processing this big data, thus avoiding human error and negligence.
Data breach mitigation cost without AI: USD 6.20 million; and with AI: USD 3.15 million
Source: IBM, 2022
Traditional security is not working
Alert Fatigue
Too many false alarms and too many events to process. Evolving threat landscapes waste your analysts' valuable time on mundane tasks, such as evidence collection. Meanwhile, only limited time is spared for decisions and conclusions, which results in the fear of missing an incident and alert fatigue.
Lack of Insight
To report progress, clear metrics are needed. However, cybersecurity still lacks in this area as the system itself is complex and some systems work in silos. Furthermore, lessons learned are not yet distilled into insights for improving future accuracy.
Lack of Visibility
System integration is required to create consistent workflows across the organization and to ensure complete visibility of the threat landscape, risks, and assets. The convergence of OT, IoT, and IT compounds this challenge.
Source: IBM Security Intelligence, 2020
A business case for AI-based cybersecurity
Threat management
Prevention
Risk scores are generated by machine learning from variables such as behavioral patterns and geolocation. Zero trust architecture is combined with machine learning, and asset management uses machine learning to improve visibility. Regulatory compliance is supported by machine learning that improves discovery, classification, and protection of data; data security and data privacy services likewise use machine learning for data discovery.
Detection
AI, advanced machine learning, and static approaches, such as code file analysis, combine to automatically detect and analyze threats and prevent threats from spreading, assisted by threat intelligence.
Response
AI helps in orchestrating security technologies for organizations to reduce the number of security agents installed, which may not talk to each other or, worse, may conflict with each other.
Recovery
AI continuously tunes itself based on lessons learned, such as creating security policies to improve future accuracy. AI also does not fatigue, and it assists humans in a faster recovery.
AI has been around since the 1940s, but why is it only gaining traction now? Because supporting technologies are only now available, including faster GPUs for complex computations and cheaper storage for massive volumes of data.
Use this template to explain the priorities you need your stakeholders to know about.
Adopt next-gen cybersecurity technologies
Develop a practical roadmap that shows the business value of next-gen cybersecurity technologies investment.
Initiative Description:
The description must include what the organization will undertake to complete the initiative.
- Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.
- Adopt well-established data governance practices for cross-functional teams.
- Conduct a maturity assessment of key processes and highlight interdependencies.
- Develop a baseline and periodically review risks, policies and procedures, and business plan.
- Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.
- Monitor metrics on effectiveness and efficiency.
Drivers:
List initiative drivers.
- Pressure of attacks by sophisticated threat actors
- Next-gen cybersecurity technologies tool offerings
- High cost of traditional security, e.g. longer breach lifecycle
Risks:
List initiative risks and impacts.
- Lack of transparency of the model or bias, leading to non-compliance with policies/regulations
- Risks related to data quality and inadequate data for model training
- Adversarial attacks, including, but not limited to, adversarial input and model extraction
Benefits:
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
- Reduces the number of alerts, thus reducing alert fatigue.
- Increases the identification of unknown threats.
- Leads to faster detection and response.
- Closes the skills gap and increases productivity.
Related Info-Tech Research:
- Build a Zero Trust Roadmap
- AI Governance
- Leverage AI in Threat Management (keynote presentation available on request)
Recommended Actions
1. People
Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.
Adopt well-established data governance practices for cross-functional teams.
2. Process
Conduct a maturity assessment of key processes and highlight interdependencies.
Develop a baseline and periodically review risks, policies and procedures, and business plan.
3. Technology
Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.
Monitor metrics on effectiveness and efficiency.
Source: Leverage AI in Threat Management (keynote presentation), Info-Tech
Secure Services and Applications
PRIORITY 05
- APIs are still the #1 threat to application security.
Executive summary
Background
Software is usually produced as part of a supply chain instead of in silos. A vulnerability in any part of the supply chain can become a threat surface. We have learned this from recent incidents such as Log4j, SolarWinds, and Kaseya, where attackers compromised a Virtual System Administrator (VSA) tool used by managed service providers to attack around 1,500 organizations.
DevSecOps is a culture and philosophy that unifies development, security, and operations to answer this challenge. DevSecOps shifts security left by automating, as much as possible, development and testing. DevSecOps provides many benefits such as rapid development of secure software and assurance that, prior to formal release and delivery, tests are reliably performed and passed.
DevSecOps practices can apply to IT, OT, IoT, and other technology environments, for example, by integrating a Secure Software Development Framework (SSDF).
Current situation
Secure Software Supply Chain: Logging is a fundamental feature of most software, and the use of software components, especially open source, is still based on trust. From the Log4j incident we learned that more could be done to improve the supply chain by adopting ZT to identify related components and the data flows between systems, and by applying the least privilege principle.
DevSecOps: A software error wiped out wireless services for thousands of Rogers customers across Canada in 2021. Emergency services were also impacted, even though outgoing 911 calls were always accessible. Losing such services could have been avoided if tests had been reliably performed and passed prior to release.
OT insecure-by-design: In OT, insecurity-by-design is still the norm, which causes many vulnerabilities such as insecure protocol implementations, weak authentication schemes, or insecure firmware updates. Additional challenges are the lack of CVEs or CVE duplication, the lack of a Software Bill of Materials (SBOM), and product supply chain issues such as vulnerable products being certified because of scoping limitations and an emphasis on functional testing.
Technical causes of cybersecurity incidents in EU critical service providers in 2019-2021 show: software bug (12%) and faulty software changes/update (9%).
Source: CIRAS Incident reporting, ENISA (N=1,239)
Software development keeps evolving
DOD Maturation of Software Development Best Practices
Best Practices | 30 Years Ago | 15 Years Ago | Present Day
---|---|---|---
Lifecycle | Years or Months | Months or Weeks | Weeks or Days
Development Process | Waterfall | Agile | DevSecOps
Architecture | Monolithic | N-Tier | Microservices
Deployment & Packaging | Physical | Virtual | Container
Hosting Infrastructure | Server | Data Center | Cloud
Cybersecurity Posture | Firewall | + SIEM | + Zero Trust
Best practices in software development are evolving as shown in the table above. For example, 30 years ago the lifecycle was "Years or Months," while in the present day it is "Weeks or Days."
These changes also affect security. For example, the software architecture is no longer "Monolithic" but "Microservices," normally built within a supply chain.
The software supply chain has known integrity attacks that can happen at each stage: bad code submitted by a developer; a compromised source control platform (e.g. the PHP git server compromise); a compromised build platform (e.g. the malicious behavior injected into the SolarWinds build); and a compromised package repository, where users are deceived into using a bad package by the similarity between the malicious and the original package name.
Therefore, we must secure each link of the chain to avoid attacks on the weakest link.
Software supply chain guidance
Secure each part of the link to avoid attacks on the weakest link.
Guide for Developers | Guide for Suppliers | Guide for Customers
---|---|---
Secure product criteria and management, develop secure code, verify third-party components, harden the build environment, and deliver code. | Define criteria for software security checks, protect software, produce well-secured software, and respond to vulnerabilities. | Secure procurement and acquisition, secure deployment, and secure software operations.
Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022
"Most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these software components are developed, integrated, and deployed, as well as the practices used to ensure the components' security."
Source: NIST – NCCoE, 2022
Secure services and applications
Provide a brief value statement for the initiative.
Adopt recommended practices for securing the software supply chain.
Initiative Description:
The description must include what the organization will undertake to complete the initiative.
- Define and keep security requirements and risk assessments up to date.
- Require visibility into the provenance of the product, and require suppliers' self-attestation of security hygiene.
- Verify distribution infrastructure, product and individual components integrity, and SBOM.
- Use multi-layered defenses, e.g. ZT for integration and control configuration.
- Train users on how to detect and report anomalies and when to apply updates to a system.
- Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.
Drivers:
List initiative drivers.
- Cyberattacks exploit the vulnerabilities of weak software supply chains
- Increased need to enhance software supply chain security, e.g. under the White House Executive Order (EO) 14028
- OT insecure-by-design hinders OT modernization
Risks:
List initiative risks and impacts.
Only a few developers and suppliers explicitly address software security in detail.
Time pressure to deliver functionality over security.
Lack of security awareness and lack of trained workforce.
Benefits:
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Customers (acquiring organizations) achieve secure acquisition, deployment, and operation of software.
Developers and suppliers deliver software with minimal vulnerabilities in their releases.
Automated processes such as automated testing avoid error-prone and labor-intensive manual test cases.
Related Info-Tech Research:
Recommended Actions
1. Procurement and Acquisition
Define and keep security requirements and risk assessments up to date.
Analyze current market and supplier solutions and obtain a security evaluation.
Require visibility into the provenance of the product, and require suppliers' self-attestation of security hygiene.
2. Deployment
Verify distribution infrastructure, product and individual components integrity, and SBOM.
Save and store the tests and test environment, and review and verify the self-attestation mechanism.
Use multi-layered defenses, e.g. ZT for integration and control configuration.
3. Software Operations
Train users on how to detect and report anomalies and when to apply updates to a system.
Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.
Apply supply chain risk management (SCRM) operations.
Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022
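The Deployment and Software Operations actions above (verify component integrity and the SBOM; accept updates only from authorized, authenticated sources) as a worked check. This is an added example, not code from the report or from the ESF guides; the CycloneDX-like SBOM, the artifact bytes, the authorized source list and the shared HMAC key are all constructed here, and the HMAC stands in for the asymmetric signature a real pipeline would use.

```python
"""Added example: verify a delivered update against its SBOM before deployment.
Checks: (1) the update source is authorized, (2) the SBOM is authentic,
(3) every SBOM component's SHA-256 matches the delivered bytes, and
(4) nothing was delivered that the SBOM does not list.
All inputs below are constructed for this example."""
import hashlib
import hmac
import json

# Constructed: sources this organization has authorized to deliver updates.
AUTHORIZED_SOURCES = {"https://updates.example-supplier.test"}
# Constructed: shared key standing in for the supplier's signing key.
SUPPLIER_KEY = b"constructed-demo-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(sbom: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()


def sign_sbom(sbom: dict, key: bytes) -> str:
    return hmac.new(key, canonical(sbom), hashlib.sha256).hexdigest()


def verify_update(source: str, sbom: dict, signature: str,
                  artifacts: dict, key: bytes) -> list:
    """Return a list of findings; an empty list means the update passes."""
    findings = []
    if source not in AUTHORIZED_SOURCES:
        findings.append(f"unauthorized source: {source}")
    if not hmac.compare_digest(sign_sbom(sbom, key), signature):
        findings.append("SBOM signature mismatch")
        return findings  # an unauthenticated SBOM cannot vouch for anything
    listed = set()
    for comp in sbom.get("components", []):
        name = comp["name"]
        listed.add(name)
        declared = next((h["content"] for h in comp.get("hashes", [])
                         if h["alg"] == "SHA-256"), None)
        if declared is None:
            findings.append(f"{name}: no SHA-256 hash in SBOM")
        elif name not in artifacts:
            findings.append(f"{name}: listed in SBOM but not delivered")
        elif sha256_hex(artifacts[name]) != declared:
            findings.append(f"{name}: hash mismatch (possible tampering)")
    for name in sorted(artifacts.keys() - listed):
        findings.append(f"{name}: delivered but absent from SBOM")
    return findings


# Constructed sample: two delivered components and the SBOM describing them.
ARTIFACTS = {"app-core": b"core binary v2.1", "log-lib": b"logging library v4.2"}
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [{"name": n, "version": "2.1",
                    "hashes": [{"alg": "SHA-256", "content": sha256_hex(b)}]}
                   for n, b in ARTIFACTS.items()],
}
SIGNATURE = sign_sbom(SBOM, SUPPLIER_KEY)

if __name__ == "__main__":
    ok_src = "https://updates.example-supplier.test"
    print("clean:", verify_update(ok_src, SBOM, SIGNATURE, ARTIFACTS, SUPPLIER_KEY))
    tampered = dict(ARTIFACTS, **{"log-lib": b"logging library v4.2 + extra"})
    print("tampered:", verify_update(ok_src, SBOM, SIGNATURE, tampered, SUPPLIER_KEY))
```

A modified SBOM fails the signature check before any component is trusted, and a component whose bytes differ from the SBOM hash is reported as possible tampering.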
Bibliography
Aksoy, Cevat Giray, Jose Maria Barrero, Nicholas Bloom, Steven J. Davis, Mathias Dolls, and Pablo Zarate. "Working from Home Around the World." Brookings Papers on Economic Activity, 2022.
Barrero, Jose Maria, Nicholas Bloom, and Steven J. Davis. "Why working from home will stick." WFH Research, National Bureau of Economic Research, Working Paper 28731, 2021.
Boehm, Jim, Dennis Dias, Charlie Lewis, Kathleen Li, and Daniel Wallance. "Cybersecurity trends: Looking over the horizon." McKinsey & Company, March 2022. Accessed 31 Oct. 2022.
"China: TC260 issues list of national standards supporting implementation of PIPL." OneTrust, 8 Nov. 2022. Accessed 17 Nov. 2022.
Chmielewski, Stéphane. "What is the potential of artificial intelligence to improve cybersecurity posture?" before.ai blog, 7 Aug. 2022. Accessed 15 Aug. 2022.
Conerly, Bill. "The Recession Will Begin Late 2023 Or Early 2024." Forbes, 1 Nov. 2022. Accessed 8 Nov. 2022.
"Control System Defense: Know the Opponent." CISA, 22 Sep. 2022. Accessed 17 Nov. 2022.
"Cost of a Data Breach Report 2022." IBM, 2022.
"Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience." European Parliament News, 10 Nov. 2022. Press Release.
"Cyber Security in Critical National Infrastructure Organisations: 2022." Bridewell, 2022. Accessed 7 Nov. 2022.
Davis, Steven. "The Big Shift to Working from Home." NBER Macro Annual Session On "The Future of Work," 1 April 2022.
"Digital Services Act: EU's landmark rules for online platforms enter into force." EU Commission, 16 Nov. 2022. Accessed 16 Nov. 2022.
"DoD Enterprise DevSecOps Fundamentals." DoD CIO, 12 May 2022. Accessed 21 Nov. 2022.
Elkin, Elizabeth, and Deena Shanker. "That Cream Cheese Shortage You Heard About? Cyberattacks Played a Part." Bloomberg, 09 Dec. 2021. Accessed 27 Oct. 2022.
Evan, Pete. "What happened at Rogers? Day-long outage is over, but questions remain." CBC News, 21 April 2022. Accessed 15 Nov. 2022.
"Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022." Coveware, 28 July 2022. Accessed 18 Nov. 2022.
"Fighting cybercrime: new EU cybersecurity laws explained." EU Commission, 10 Nov. 2022. Accessed 16 Nov. 2022.
"Guide to PCI compliance cost." Vanta. Accessed 18 Nov. 2022.
Hammond, Susannah, and Mike Cowan. "Cost of Compliance 2022: Competing priorities." Thomson Reuters, 2022. Accessed 18 Nov. 2022.
Hemsley, Kevin, and Ronald Fisher. "History of Industrial Control System Cyber Incidents." Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.
Hofmann, Sarah. "What Is The NIS2 And How Will It Impact Your Organisation?" CyberPilot, 5 Aug. 2022. Accessed 16 Nov. 2022.
"Incident reporting." CIRAS Incident Reporting, ENISA. Accessed 21 Nov. 2022.
"Introducing SLSA, an End-to-End Framework for Supply Chain Integrity." Google, 16 June 2021. Accessed 25 Nov. 2022.
Kovacs, Eduard. "Trains Vulnerable to Hacker Attacks: Researchers." SecurityWeek, 29 Dec. 2015. Accessed 15 Nov. 2022.
"Labour Force Survey, October 2022." Statistics Canada, 4 Nov. 2022. Accessed 7 Nov. 2022.
Malacco, Victor. "Promises and potential of automated milking systems." Michigan State University Extension, 28 Feb. 2022. Accessed 15 Nov. 2022.
Maxim, Merritt, et al. "Planning Guide 2023: Security & Risk." Forrester, 23 Aug. 2022. Accessed 31 Oct. 2022.
"National Cyber Threat Assessment 2023-2024." Canadian Centre for Cyber Security, 2022. Accessed 18 Nov. 2022.
Nicaise, Vincent. "EU NIS2 Directive: what's changing?" Stormshield, 20 Oct. 2022. Accessed 17 Nov. 2022.
O'Neill, Patrick. "Russia hacked an American satellite company one hour before the Ukraine invasion." MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.
"OT ICEFALL: The legacy of 'insecure by design' and its implications for certifications and risk management." Forescout, 2022. Accessed 21 Nov. 2022.
Palmer, Danny. "Your cybersecurity staff are burned out - and many have thought about quitting." ZDNet, 8 Aug. 2022. Accessed 19 Aug. 2022.
Placek, Martin. "Industrial Internet of Things (IIoT) market size worldwide from 2020 to 2028 (in billion U.S. dollars)." Statista, 14 March 2022. Accessed 15 Nov. 2022.
"Revised Proposal Attachment 5.13.N.1 ADMS Business Case PUBLIC." Ausgrid, Jan. 2019. Accessed 15 Nov. 2022.
Richter, Felix. "Cloudy With a Chance of Recession." Statista, 6 April 2022. Web.
"Securing the Software Supply Chain: Recommended Practices Guide for Developers." Enduring Security Framework (ESF), Aug. 2022. Accessed 22 Sep. 2022.
"Securing the Software Supply Chain: Recommended Practices Guide for Suppliers." Enduring Security Framework (ESF), Sep. 2022. Accessed 21 Nov. 2022.
"Securing the Software Supply Chain: Recommended Practices Guide for Customers." Enduring Security Framework (ESF), Oct. 2022. Accessed 21 Nov. 2022.
"Security Guidelines for the Electricity Sector: Control System Electronic Connectivity." North American Electric Reliability Corporation (NERC), 28 Oct. 2013. Accessed 25 Nov. 2022.
Shepel, Jan. "Schreiber Foods hit with cyberattack; plants closed." Wisconsin State Farmer, 26 Oct. 2022. Accessed 15 Nov. 2022.
"Significant Cyber Incidents." Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022.
Souppaya, Murugiah, Michael Ogata, Paul Watrobski, and Karen Scarfone. "Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps." NIST - National Cybersecurity Center of Excellence (NCCoE), Nov. 2022. Accessed 22 Nov. 2022.
"Ten Things Will Change Cybersecurity in 2023." SOCRadar, 23 Sep. 2022. Accessed 31 Oct. 2022.
"The Nature of Cybersecurity Defense: Pentagon To Reveal Updated Zero-Trust Cybersecurity Strategy & Guidelines." Cybersecurity Insiders. Accessed 21 Nov. 2022.
"What Is Threat Management? Common Challenges and Best Practices." IBM Security Intelligence, 2020.
Violino, Bob. "5 key considerations for your 2023 cybersecurity budget planning." CSO Online, 14 July 2022. Accessed 27 Oct. 2022.
Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.
Research Contributors and Experts
Andrew Reese
Cybersecurity Practice Lead
Zones
Ashok Rutthan
Chief Information Security Officer (CISO)
Massmart
Chris Weedall
Chief Information Security Officer (CISO)
Cheshire East Council
Jeff Kramer
EVP Digital Transformation and Cybersecurity
Aprio
Kris Arthur
Chief Information Security Officer (CISO)
SEKO Logistics
Mike Toland
Chief Information Security Officer (CISO)
Mutual Benefit Group