What Challenges Will 2023 Bring for Cyber?
After two unpredictable years of upheaval, 2022 marked the beginning of our return to business as usual.
However, many organizations, from Fortune 500 companies to government entities, were still faced with numerous challenges — from workforce concerns and rising inflation to the war in Ukraine and continued tensions with China. Underlying these challenges were the need to address cybersecurity threats coming from new areas and the need for a strong workforce to defend our systems.
As we look ahead to 2023, we expect a few challenges in technology and cybersecurity policy to remain top of mind for businesses and government:
Addressing obstacles to diversity in the workforce
Focusing on how businesses can work with — or without — cyber regulations
Understanding how technological innovation can challenge cyber resiliency
And both businesses and government have opportunities to lead the way in finding innovative solutions to these challenges.
Diversity in tech will be challenged by push to return to office
We’ve entered a new work-life landscape in 2023, and we will need to examine our approach to returning to the office to ensure that we don’t lose ground on diversity in tech.
The COVID-19 pandemic forced most companies to rethink where and how employees could do their jobs. For some people, there were obvious challenges with working from home, especially for those in situations such as caring for family members or for young children whose schools were closed.
However, in the return to “business as usual,” the inherent flexibility of working from home can in many instances make it desirable, with commuting time (and costs) eliminated, and the ability to work from home when a child is ill. Indeed, a recent World Economic Forum article noted that women leaders are more likely to quit over a lack of workplace flexibility.
Return-to-office mandates may force tech professionals to reevaluate their current working situation – a recipe for losing gains in diversity in an industry that is already significantly imbalanced. If organizations are not careful, return-to-office policies can expand the cybersecurity diversity divide.
This same lens must also be used to review training and other work opportunities to ensure that we’re not unintentionally offering fewer or lower-quality opportunities for certain segments of our workforce.
For example, I recently spoke at a cybersecurity conference that had both in-person and remote attendance options. As we continue offering in-person and remote options for conferences and other events, it is important to review the data on attendance and see if women and underrepresented minorities disproportionately took the remote option, rather than attending in person, and whether that choice creates more opportunities or harms participation.
Do those remote participants miss out on in-person benefits, like networking? Or do those in-person attendees fret over wardrobe choices and microaggressions? From there, organizations can take steps to adjust their content for a richer online experience that creates parity with in-person attendance.
The shaping of this new work-life landscape is also important for governments as they work to adopt policies to facilitate closing the diversity gap in the cyber workforce, as well as to lead by example through their own diversity efforts and their approach to remote work, training, and hiring.
The Biden administration has begun the foundational work needed to facilitate the development and cross-sharing of innovative workforce programs, and last summer’s White House Cyber Workforce and Education Summit as well as its follow-up solicitation of external input on cyber workforce, training, and education, and the recent Cybersecurity Apprenticeship Sprint, which helped create 7,000 new opportunities, are steps in the right direction.
Gains in entry-level toeholds in cyber careers are important, but it is just as important to focus on policies to optimize retention and training of existing professionals, which is a large and multilayered challenge. The release of the Biden administration’s National Cyber Strategy is expected soon, and I hope that cyber workforce development is a central part of it — and that it takes a holistic and nuanced approach toward addressing the cybersecurity diversity gap.
Organizations will need to continue to manage increasing cyber risks
It’s been a year and a half since the Colonial Pipeline ransomware attack captured the nation’s attention, and although this was a wake-up call for many, progress and regulations haven’t necessarily kept pace with the changing threat landscape.
There have been some measures to implement new regulations, such as the U.S. Securities and Exchange Commission (SEC) requiring companies to disclose if anyone on their boards has cybersecurity expertise to help signal the importance of cybersecurity to companies. But this requirement will take a year or more to adopt, and the SEC leaves ambiguity as to what a “cyber expert” really means.
Meanwhile, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law, and we await a clear understanding of how this will impact the 16 critical infrastructure sectors. At the same time, other regulatory guidance on cyber incident reporting, including the SEC’s proposed cyber incident reporting rules, reporting rules for federal contractors and proposed legislation last Congress that would require cyber incident reporting to the Department of Energy within 24 hours, is creating an environment of overlapping and fractured reporting regimes, filled with confusion for critical infrastructure operators.
If the government wants to get reporting requirements and other cyber regulations right, it needs to take a holistic approach to harmonize these regulations within the United States, and then use its diplomatic tools to seek global harmonization, starting with our allies. With new regulations in limbo or a long time off from being implemented, there is a real chance that companies will avoid updating security postures despite risk — particularly given a more challenging economic environment.
Technological advancements will challenge cyber resiliency
Finally, organizations and governments must keep an eye on emerging technology and the potential risks it could create.
In the next decade, we’ll see more technological progress than in the past 100 years. We are in the midst of what some experts are calling the fourth Industrial Revolution. Technology is advancing and interweaving — smart sensors, robotics, artificial intelligence, quantum computing, virtual reality, augmented reality, and more — in an attempt to address pervasive global challenges.
While this rapid acceleration of technology is exciting and presents tremendous opportunities, it also translates into rapid acceleration of the avenues for cyberattacks and attendant cyber risks. Moreover, organic evolution in the workplace results in unforeseen risks from a cyber resilience perspective.
For example, at the onset of the pandemic, the cyberattack surface expanded significantly with work-from-home and it continued to expand with hybrid work arrangements. Organizations must incorporate good cybersecurity oversight and governance throughout their operations and prioritize cyber resilience through governance to ensure they are not overwhelmed by new and emerging cyberthreats.
In the United States, the Biden administration has already taken significant steps to push government systems and the systems of companies that do business with the government to be more resilient. The May 2021 Executive Order on Improving the Nation’s Cybersecurity created the foundation for these efforts, and recent efforts, including recent guidance from the Office of Management and Budget, require federal agencies buying software to ensure software vendors certify their software has been developed consistent with secure software development practices. It will be critical for that work to continue and for that policy to be implemented thoroughly to help limit overall risk as technology continues to advance.
Further, as Congress looks to insert itself into regulating these emerging technologies, it will need to be careful not to codify regulations that are inflexible and too restrictive. Technology advances faster than agency regulations can, and far faster than Congress can pass updated laws. Placing unreasonable restrictions on emerging technologies out of (sometimes irrational) concerns over future outcomes can put the United States at a competitive disadvantage on the global stage, allowing both allies and rivals the opportunity to dominate the marketplace for future technologies.
Takeaways for 2023
Overall, cyber risks and their associated challenges will continue to dominate boardroom and executive conversations in 2023. Those that ignore these trends will certainly do so at their own risk.
However, even with these risks, we can’t ignore the importance of continuing to cultivate a diverse workforce, particularly within cybersecurity and technology, as without a strong workforce, organizations are unable to implement the strategies and changes needed to defend from cyberattacks. Without tangible and thoughtful approaches to how technical talent is nurtured and cultivated, organizations will struggle to address cyberthreats, no matter how forewarned they were of the looming risks.
Further, we need to continue to engage at all levels of government to ensure that growing cyber regulations, even well-meaning ones, do not unintentionally overcomplicate cyber defenses, incident response and mitigation, or inhibit technological advances in ways that allow America’s competitors to out-innovate us.