Operationalising cybersecurity

“We’re constantly evolving and getting very good at identifying zero-day vulnerabilities and telling the world about the current exploits and vulnerabilities. At the same time though, threat actors are weaponising those advisories to use against organisations.

Over the next year, we’re going to see the splintering off of Twitter and people moving to other social media platforms. However, the appetite to publish and post content will still remain. Threat actors are going to continue to watch and monitor these posts as they find new ways to exploit organisations by leveraging published research and upgrading their arsenal.

Therefore, in 2023, organisations are going to need to operationalise cybersecurity. This means implementing cybersecurity solutions properly, to really help solve the business’ problems and work towards their operations and aims. We need to move away from a binary perspective to one where we start incorporating better context to make more informed cybersecurity decisions.

A fundamental challenge for the cybersecurity industry has been making sure that the wider organisation is taken on a journey and a traditionally very technical subject is explained in such a way that it is understood by all. The cybersecurity landscape is changing at such a pace that the way that we’ve done things in the past simply doesn’t apply. Cybersecurity is not binary, there are levels of security that you need to implement.”

Nurturing top talent

“The expectation that you can go out to the market and hire an experienced security practioner for £50,000 a year has never existed. However, we cite there being a talent shortage, but the reality is there exists a shortage of organisations willing to teach and train individuals with the passion and help them understand how to develop the skills needed.

In 2023, organisations need to recognise that they’ve got to start putting effort into providing the opportunity for individuals to learn, train, and understand. Organisations are asking for more unique skill sets; therefore, collectively as an industry, there must be a commitment to nurture top talent.”

The role of CISOs

“As CISOs, it is crucial that we are able to answer questions about whether the business is safe from a cyberattack or a vulnerability. Having been a CISO I was unable to to answer these questions which appear reasonable to the business. The reason this disconnect happens is because cybersecurity is the only part of the business that doesn’t use the traditional metrics most other parts of the business align to.

Over the next year, the cybersecurity industry must do everything it can to support KPIs that demonstrate a security team’s progress, and that the investment being made is demonstrably making the business safer and more secure.

Currently, we are in a cycle of “ask for money, find further security gaps, and subsequently ask for more money” — this cannot be allowed to continue to happen. As an industry, cybersecurity needs to be operationalised and demonstrating improvements made a priority.”