Enterprises that excel at risk management while doubling down on making their tech stacks more resilient stand the best chance of withstanding cyberattacks in 2023. Forrester’s Predictions 2023: Cybersecurity, Risk, and Privacy report underscores how essential risk management, resilient infrastructure and cyber insurance will be next year.
More CROs will get promotions and a possible board seat
More chief risk officers (CROs) will report to CEOs next year, increasing risk quantification’s importance to C-level executives and company boards. Forrester sees CROs as instrumental in leading their organizations, from achieving compliance to becoming more resilient.
Industry leaders throughout 2022 have predicted CISOs will be on more boards of directors, given their role in improving their organizations’ security posture and driving revenue. George Kurtz, CEO and cofounder of CrowdStrike, said he is “seeing more and more CISOs joining boards. I think this is a great opportunity for everyone here [at Fal.Con] to understand what impact they can have on a company. From a career perspective, it’s great to be part of that boardroom and help them on the journey. To keep business resilient and secure.”
Quantifying cyber risks will be an in-demand skill set for current and future CROs in 2023. Cyber-quantification is a series of techniques to prioritize costs, risks and expected returns from competing cybersecurity projects. It’s well known throughout enterprise security that CISOs use cyber risk quantification to define and grow their budgets for zero-trust security frameworks and initiatives.
Deals will be won or lost on cyber insurance coverage
More RFPs and RFQs for multimillion-dollar deals are requiring providers to carry cyber insurance. Seven-figure deals will be won or lost based on how well a business has protected itself with cyber insurance. The challenge will be getting coverage at an affordable price. Cyber insurers also need to close gaps in their own services, which is why Forrester predicts they will begin acquiring managed detection and response (MDR) providers in 2023.
Jeff Pollard, vice president and principal analyst at Forrester, advised security leaders at the firm’s recent Security and Risk Management Forum, “so if you’ve got some aspect of risk mitigation or risk transference going on with cyber insurance where you assume they’re going to be there for you if you have a breach, well, guess what? They may not be, and by the way, for you to get the policy amount and coverage that you have, well, you’ve got to have a certain level of security posture.” Meanwhile, the costs of cyber insurance keep rising.
The need for cyber insurance makes CISOs’ roles more tightly aligned to revenue. “By the way, this can also affect revenue,” Pollard said. “If you take a look at those RFPs, RFQs, those customers are asking questions about insurance. Some of them are starting to ask questions about cyber insurance. So now you might have an RFP that your deal desk is responding to, working with a sales team for a major customer that you’d love to add. Except you’ve got to have cyber insurance.”
What Forrester sees in 2023
Getting leadership right at the CISO and CRO levels will be challenging in 2023. On the positive side, there will be greater demand for experienced professionals in these roles. Choosing whether and how to use employee monitoring ethically, humanely and transparently, and refusing to overload already overstressed security teams will define CISOs’ careers beyond 2023.
The following are Forrester’s five cybersecurity, risk and privacy predictions for 2023:
1. More than 50% of CROs will report directly to the CEO
Managing risk with more accurate, real-time data while strengthening risk quantification is what’s driving CRO promotions in 2023. From the many conversations VentureBeat has had with CISOs, it’s clear that risk management is as high a priority as consolidating tech stacks to gain greater efficiency and cost control.
2. A C-level executive will be fired for their firm’s use of employee monitoring
Employers initiated employee monitoring during the pandemic to sustain and grow worker productivity. But, not surprisingly, it’s had the opposite effect. Forrester notes that the typical technologies range from keystroke recording and desktop snapshots to more invasive surveillance via webcam. CISOs need to look at pilots or implementations of employee monitoring and ask themselves if it’s worth the risk of potentially violating data protection laws, including GDPR, and new laws in New York, Ontario and other Canadian provinces. Other laws are moving through the legislative process in California.
3. At least three cyber insurance providers will acquire an MDR provider
Cyber insurance carriers will have a challenging 2023, as underwriting requirements will increase, along with client premiums, while coverage levels will drop for most clients. Before they write a policy, cyber insurers require enterprises to show they have foundational cybersecurity measures. They’re also dealing with gaps in their services, making MDR a natural acquisition for many of them. Forrester notes that “MDR acquisitions can give insurers: 1) high-value data about attacker activity to refine underwriting guidelines; 2) unparalleled visibility into policyholder environments; and 3) the ability to verify attestations,” according to its predictions study.
4. An organization will sue an offensive security tool provider for causing its breach
Post-exploitation kits, including Cobalt Strike, Metasploit, Mimikatz and Sliver, are popular with hackers and security professionals. Forrester observes that some but not all exploitation kit providers are doing their due diligence to keep their code from being used for breaches and other illegal activity. In 2023, one or more of the offensive security tool providers will be sued. Forrester advises firms to secure the software they sell as part of their cybersecurity programs.
5. A Global 500 firm will be exposed for burning out its cybersecurity employees
Due to the chronic labor shortage, security teams continue to be short-staffed, with many senior members regularly asked to work weekends to get essential maintenance and updates on systems and endpoints done. It’s common knowledge that staff are expected to be available 24/7 through disruptions, stay in control of every risk, deliver results in tight timeframes, and regularly get pushback when asking for budget.
Forrester predicts tech whistleblowers will want to go out with a bang in 2023, and a security employee will come forward about unsafe working conditions. CISOs need to continually evaluate and address staff burnout. Creating a physically and psychologically safe environment is critical.
CROs and CISOs face a challenging 2023
Forrester’s predictions reflect how nuanced CRO and CISO roles will become in 2023. Their predictions also reflect how important it is for C-level executives to continually learn about risk optimization techniques while staying focused on the needs of their employees and teams.
Employee monitoring has become so ubiquitous in some jobs that it’s written into job requirements. CISOs must help their organizations navigate this area’s current and future privacy laws. Many are using more win/win-oriented approaches to improve productivity. Gamification, adding rankings, and incentives for employees to learn more are proving effective. Most important is how CISOs can protect their teams from burnout as the pace of attacks and maintenance requirements increase simultaneously.
CISOs are in for a rough ride in 2023, so it’s a good idea for them to manage their mental health [subscription required] to ensure they can be there for their teams and provide the tools, processes and budget to help them complete their jobs.