2023全球网络安全展望+Global+Cybersecurity+Outlook+2023

IncollaborationwithAccentureGlobalCybersecurityOutlook2023INSIGHTREPORTYlookenceContentspsDisclaimerty3478lookJanuary2023January2023Forewordcomeswithit.PaoloDalCinJeremyJurgensmndandeenglookExecutivesummarygtnonstyhe%eadersinstabilityismoderatelyorverylikelytoleadtoacatastrophiccybereventinthenexttwoyears.BusinessleadersDosmallandlargeenterprises%eadersinstabilityismoderatelyorverylikelytoleadtoacatastrophiccybereventinthenexttwoyears.BusinessleadersDosmallandlargeenterpriseshavedifferentexpectationsofgeopoliticalinfluence?Numberofemployees6%8%<250to1,00048%21%8%1,001to10,00058%44%4%100,000+35%29% NotatallMinimallyModeratelySubstantiallyCyberleadersDoorganizationsexpectgeopoliticalriskstoaffecttheircybersecuritystrategy?%ofrespondentsWhatchangeswill%ofrespondents%ofrespondentscticesforStrengthencontrolswiththirdpartieswho63% %Adjustinformationsharingpractices38%%%oups%ityOutlooklikelytostronglyagreethatmore3131likelytostronglyagreethatmore313162Comparedtolastyear,businessandcyberleadersareapproachingconsensusonthestateoftheirorganization’scybersecuritytalent.%0202220232022202320222023BusinessleadersCyberleadersls%CyberleadersBusinessCyberleadersWhatwillhavethemostpositiveinfluenceonanorganization’sapproachtoWhatwillhavethemostpositiveinfluenceonanorganization’sapproachtocybersecurityinthenext12months?Businessleaders’rankCyberleaders’rank12%12%6%6%9% ityOutlooklook1Theglobal1cyberlandscapeAlthoughcyberleaders,businessleadersandboardsofdirectorsarenowcommunicatingmoredirectlyandmoreoften,theycontinuetospeakdifferentlanguages.hasndoreedygeFIGURE3GeopoliticsoflyseatasHowlikelyisitthatgeopoliticalinstabilitywillleadtoafar-reaching,catastrophiccybereventinthenexttwoyears?441%47%47%NotverylikelyModeratelyNotverylikelyModeratelylikelyVerylikely%0ssleadersCyberleaderstyOutlook45%%ityOutlookFIGURE4Likelihoodofgeopoliticalinstabilityleadingtoafar-reachingcybereventinthenexttwoyears(bynumberofemployeesperorganization)verylikelynhpsnhps43%43%35%14%llMinimallyModeratelySubstantially01+250%% 72%73% 63%71% 51%49% 47%24% 38%41% 39%34% 9%2%eFIGURE6Howgeopoliticalriskhasinfluencedmyorganization’scybersecuritystrategyCyberleadersBusinessleaders80%60%40%20%0%20%40%60%80%ookookssislong-termimpact.rtssislong-termimpact.rtFIGURE7Regionalbreakdownofhowgeopoliticalriskinfluencescybersecuritystrategy%%%%%3%8%%3%roupsddataaccess%1.2EmergingtechnologyndEmergingthreatsMoreresourcesarebeingthrownatcybercrimecampaignsbycriminalgroups.There’sasensethatcybercrimeisconvergingwithnation-stateactorsandthatthisisleadingtoahighernumberofnewcampaignsbeinglaunchedaswellasattacksthataremoreclearlytailoredtothetargetorganization.Thegreaterthevolatilityinthethreat,themoretimeisbeingspentontacticaldefencebyCISOsandtheirteams.It’simportanttocreatethespaceforstrategicdevelopmentandeffectiveriskmanagement.tesinalrtlyoiseookook1.4LawsandregulationsThewaywebuildregulationsforcybersecurityiscentralized.Theregulationsthissystemcreatesarevaluable,buttheprocesstakestime.Itcantaketwoyearsforaregulationtobedeveloped.Standardizationcantake18months.Acyberattacktakesseconds.Thespeedatwhichemergingtechnologiesareimplementedoftenoutpacesourabilitytobuildsecuritymeasuresaroundthem.Weneedtogobeyondsimplecompliancewithregulationsiforganizationsaretobecyberresilient.rrtsFIGURE8Havingmoreeffectiveenforcementofregulatoryrequirementsacrossmysectorwouldincreasemyorganization’scyberresilience0%29%0%0368036802457edreyceshatFIGURECyberandprivacyregulationsareeffectiveinreducingmyorganization’scyberFIGURECyberandprivacyregulationsareeffectiveinreducingmyorganization’scyber37%35%29%%3%4%2022202320222023202220232022202344%%5%02022202329%24%5%3%0ook%9risk(year-on-yearchangeinresponsestothequestion,2022–2023reports)FIGURE10soheeCyberandprivacyregulationsareeffectiveinreducingmyorganization’scyberriskk2Leadershipperceptionchanges2ookThisindicatesthatperhapsbusinessleadershaveleapfroggedsecurityleadersinchampioningtheimportanceofcybersecurityoritcouldreflectalingeringperceptiongapworthyoffurtherresearch.Leadershipviewsoncybersecurity%% s%FIGUREFIGURE11PrioritizingcyberriskinbusinessMoreandmorecorporateboardsnowhavetruecyberexpertsamongtheirmembers.Ithelpswhenpeopleatboardlevelaresufficientlycyber-literatetoaskpertinentquestionsoftheirsecurityteamsbutalsotobringcyberintostrategicbusinessdiscussions.Boardsalsoneedtounderstandwhatacybereventmeansfortheirorganization.Toomanybusinessleadersstillunderestimatetheimpactacyberattackcanhaveontheiroperations,ontheirreputationandontheircompanyasawhole.re7%4%FIGURE12Cyberresilienceinmyorganizationisintegratedintoenterpriseriskmanagementstrategies7%4%%32%0%24%%21%%00689310689317FIGURE13Howdoyoufeelaboutyourorganization’sabilitytobecyberresilient?BusinessleadersCyberleaders2023ookookareconfidentthattheirorganizationiscyberresilient.%asefSupply-chainriskrtofstyaveelyreookeeeComparedtomyownorganization’scyberresilience,Iperceiveourthird-partyorganizations(whohavedirectconnections,processes,ordata)tobe…Creatingcyberresilienceacrossasupply-chaingdtoseenndFIGUREFIGURE14TheroleofcyberinsurancetoTheroleofcyberinsurancetotstoIntheabsenceofinsurance,organizationswoulddowelltofocusoninitiativesthatsupportecosystemresilience.Byincreasingthelevelofprotectionacrosstheirsupplychain,organizationswillenhancethecyberresilienceoftheirownoperations.Hasyourorganizationsubmittedaclaimusingyourcyberinsurancepolicyinthepasttwoyears?%%FIGURE150submittedaclaimmationutlookookGainingleadershipsupportSecurityexecutivesgainbyarticulatingastorytotheirboardthatalignswithcorporateandbusinesspriorities.Boardsshouldbepresentedwithacyberposturethatresonateswithcustomers’andauthorities’expectations,andhelpsaddresssectorialecosystemchallenges.ribedofleadershipsupportThe2022GlobalCybersecurityOutlookreporthighlightedhowcyberleadersperceiveleadershipsupportasaprimarychallengeinthemanagementoforganizationalcyberresilience.Thisyear’soutlookindicatesthatathirdofallcyberleadersstillrankedgainingleadershipsupportasthemostchallengingaspectofmanagingcyberresilience.Amajority,94%,ofrespondentsbelieve,however,thattheirboardofdirectorshasadutyofcarewhenitrelatestocybersecurity.Cybersecurityandtheboard’sdutyofcareThesecuritystaffdeservesthesameleveloftrustthatyouwouldputinotherbusinessleaders.Youmaynotknowexactlywhatiscoming,butyoushouldbeabletotrustthatthesecurityleaderisdirectionallyrightandyouunderstandwhattheirprioritiesare.utlook%34%30%29%00628934157FIGURE16Myorganization’sboardofdirectorsisabletouphold%34%30%29%00628934157whenitcomestocybersecurityoCybersecurityandbusinessleadersmustlearntoeffectivelytranslatetheirCybersecurityandbusinessleadersmustlearntoeffectivelytranslatetheircyberrisksintoenterpriserisk.talentmanagementtalentmanagementFIGURE17CyberlalDoesyourorganizationhavetheskillsneededtorespondtoandrecoverfromacyberattack?%%0utlook46%34%32%5%5%5%47%43%%34%0%32%0%0347%43%%34%0%32%0%03utlooky46%44%22323WeWehavethepeopleandskillsweneedtoday(byindustry)25%20%15%14%72%67%60%50%50%Wearemissingcriticalpeopleandskills(byindustry)ionFIGURE19Themessageisgettingthrough(year-on-yearalignmentinbusinessandsecurityviewsontheskillsgap)ook3Awayahead3ofsecurityexecutivesareconcernedaboutthelevelofcyberresilienceintheirbusiness.%ImprovingcommunicationTheroleofthechiefinformationsecurityofficer(CISO)isoneofthemostdynamiccareers.Wesecureentireorganizationsastheyevolvewithnewtechnologiesinanincreasinglydigitalenvironment.ThismeanstheCISOhasaroleinsupportingthetransformationalchangeofabusiness’stechnology,cultureandorganizationalstructures.Inthisyear’sreport,17%ofsecurityexecutivesexpressedconcernaboutthelevelofcyberresilienceintheirbusiness.Thiswasupslightlyfrom13%ofsecurityexecutivestheyearbefore.Conversely,theincreasedlevelofawarenessofcyberriskamongbusinessexecutivesledtoamarkedincreaseinconcern,from16%to27%.Thismightbeduetoabetterunderstandingbybusinessleadersofthedamagethatcanbedonetotheirbusinessoperations,commercialrelationshipsandreputationbyamajorcyberattack.Surveyresponsesforthisreportindicatethattheincreasedconcernamongbusinessexecutivescouldalsobedrivenbyregulatorydemandsforincreasedboard-levelaccountabilityforcyber-riskmanagement.Forexample,inlate2022theUnitedStatesSecuritiesandExchangeCommission(SEC)createdrulesthatmakecyber-riskreportingandbusinessresilienceplanningavitalcomponentofeffectiveboardmanagement.16Lostintranslation?Thedifficultyintranslatingcyberthreatstooperationalriskisabarriertocollaborationbetweensecurityexecutivesandbusinessleaders.Commonplacetermssuchas“ransomware”canbeexplainedtoboardsmoreeasily,butmappingcybercrimecampaignsorthreatactorstothetargetingofparticularassetsandresourcesiscomplicated.sgeomanyassetsontheirnetworktoidentifythekeyriskpoints,oreventomaptheirassets.Thismakesitdifficulttoassesswhereandhowmuchmoneyshouldbespent.Withoutawaytoclearlymapriskstovalue-creatingassetsorprocesses,aswellasaplanofactionarisingfromthis,itishardtoquantifyandjustifytheresourcesthatshouldbeallocatedtomitigatingthem.utlookutlookSharedstartingpointsFIGURE20Whatcyberriskareyoumostconcernedaboutwhenitcomestoyourpersonalcybersecurity?CyberleadersBusinessleadersIdentitytheft111232332y323434erattack45456666676712345677654321ksshtyksshtyExplainingreturnoninvestmentincybersecurityantstterantstterutlookStepstocloseStepstoclosethecommunicationsgaprateddsdcyber-resilienceprogramme.Cybersecurityleadersshoulduselesstechnicaljargonwhenspeakingwithbusinessleaders.Boardsofdirectorsshouldhelpcybersecurityleadersunderstandwhatassetsandprocessesmustbeprioritizedforprotection.Boardsshouldthenmakethemselvesaccountablefortheseprioritiesoncetheyaresetbecausecybersecurityresourcesarerarelysufficienttoeffectivelydefendallpartsofanorganizationallofthetime.FrequencyofmeetingsBoardsBoardsneedtounderstandthestrategicessenceofthemessagefromsecurityteamsandwhatthatmeansforcorporategovernanceandinvestmentdecisionsinsecurityandelsewhere.FIGURE21ReviewingorganizationaletyutlookThecybersecurityteam,ifusedthoughtfully,canprovidevitalinsightsthathelpembedcyber-riskmethodologiesinanorganization.BuildingsecuritycultureivetyToamedousnulookShortfallbetweensupplyanddemandforcybersecurityexpertsin2021ClosingthecybertalentgapPeoplethinkthatcybersecurityissomethingthat’shighlytechnical.Yes,somerolesrequiredeeptechnicalexpertise,butcybersecurityisavastdomainandmakinganorganizationcyberresilientalsorequiresgeneralistrolesthatneedabroaderskillset,fromeducationandawarenesstopolicywriting,governanceandothers.Weneedmorepeopleintheboththetechnicalandgeneralistroles.nintomMoreneedstobedonetoincreasetheflowofcybersecuritytalentintotheworkforce.Thishasbeenaconsistentlydifficultproblemtosolve,butitisalsoanareawithpossibilitiesforrealprogress.Newandinventiveprojectsarebeinglaunchedeveryyear.Asignificantnumberoforganizationsunderstandthatcybersecuritytouchesonmanyareasoftheiractivityandmakinganorganizationcyberresilientrequiresawiderangeofskillsets.Respondentstothesurveysaswellasparticipantsintheinterviewsandworkshopsconsistentlyarguedthattheacademicandprofessionaldisciplinesthatlendthemselvestocyber-resilienceskillsaremuchbroaderthanmanypeoplerealizeandarecertainlynotlimitedtocomputerscienceorengineering.Thesoftskillsforcyberrolescancomefromdisciplinessuchaseconomics,law,psychology,sociology,communicationsandmediastudies.Expandingthetalentpoolrmaloftheworkforce.However,capitalizingontheincreasedinterestincybersecurityisalsolikelytorequiregreatercollaborationbetweenorganizations.Evenhigh-qualityapprenticeshipandtrainingprogrammesrunbyindividualorganizations,suchastheAbsaCybersecurityAcademyinSouthAfrica,23haveencountereddifficultiesscalingtolargenumbers.eAscyberthreatsevolveandexpand,somustthetalentpoolthatengageswiththem.AsarguedinOctober2022byexpertsfromtheTechforGoodInstitute,theTifaFoundationandtheUnitedNationsUniversityInstitution:“Designingandimplementingappropriatecybersecuritysolutions…demandsnon-technicalcompetenciessuchasbusiness,management,legal,policyanddiplomacy.”24Theneedforthesecompetenciesgrowsas“socio-technicalthreatssuchassocialengineeringandnlineabuseareincreasinglyprolificSocialinclusionanddiversityissuesshouldnotbedecoupledfromthediscussionofcybertalentdevelopment.Manyskillsprojectsaresuccessfulbecausetheyfocusondiversityofprofessionalorlivedexperience.Diversityisnota“nice-to-have”additiontoacyber-skillsprogrammebutsomethingthatislikelytoinfluencetheprogramme’ssuccessandalsostrengthenthecyberresilienceofanorganizationtothehighestdegree.Employingarangeofpeoplewithdiverseopinions,backgrounds,experiencesandidentitiesleadstoookraitssuchascuriosity,problem-solvingandcriticalthinkingarevitalforcyberprofessionals.eeibutionsitydookConclusiontoemethicltsycantnobeookAppendix:MethodologyofCyberOutlookSurveyeamsntionnputCyberOutlookSeriesdarssookContributorsWorldEconomicForumLeadauthorsGretchenBueermannS