(Part 1 of 2): Part 1 reviews our 2023 predictions. Part 2 offers our 2024 predictions for the data security, compliance, and risk management industry.
As the year draws to a close, we look back at 2023 and revisit the forecasts we made for it to see how well they matched the year's events.
Of course, when it comes to cybersecurity, making a prediction is like navigating a maze in the dark. In hindsight, most of our forecasts lined up well with how the threat landscape actually evolved.
Here’s what we predicted last year and how we believe we scored:
“We predict that 2023 will see a continuing erosion of trust in the AICPA SOC 2 report, forcing companies to require their vendors and providers to request additional supporting evidence to demonstrate the strength of their data security programs.”
Score: 5 out of 5
While small and medium businesses continue to rely on SOC 2 reports, it is evident that simply having a SOC 2 does not guarantee a secure organization. Rather than reducing the scrutiny vendors face, a SOC 2 report is now just one of many prerequisites, and customers increasingly ask for the underlying evidence as well. The AICPA's lack of action on conflicts of interest remains a concern. Until there is a clear separation between the auditors and the parties that prepare the audit evidence, the credibility of a SOC 2 report will depend largely on the reputation of the auditing firm that issued it. In November 2023, the AICPA identified risks associated with SOC 2 audit peer reviews, including that “Service auditors may over-rely on the information provided by the SOC 2 tools without adequately testing whether the tool operates as intended and the information is complete and accurate for their purposes.” In other words, a report whose evidence was pulled from a compliance automation tool is only as good as the auditor's independent testing of that tool and its output. When reviewing a vendor's SOC 2, check which firm issued it, whether that firm also prepared or sold the evidence-collection tooling, and whether the auditor tested controls directly rather than accepting the tool's dashboard.
“The current market conditions, including economic headwinds and the proliferation of GRC and audit automation platforms currently in the market, will lead to a consolidation of platforms available as the current number cannot be supported.”
In other words, we expected the smaller automated platforms to be swallowed up by the bigger players.
Score: 2 out of 5
We still expect this consolidation to happen, but the recent economic downturn and the tighter capital market have, if anything, reduced the scrutiny applied to how effective an organization's cybersecurity actually is. Many organizations therefore still lean on checkbox compliance, which keeps demand for automated checkbox solutions high. Platforms that raised substantial VC funding before the pandemic may also be able to hold off consolidation for a couple more years.
“This will lead to greater importance being placed on data security and risk management and the increasing alignment of security officers, such as CISOs, with their executive teams and board members.”
Score: 5 out of 5
The FTC guidance issued in June and the SEC's charges against SolarWinds and its CISO indicate a rising expectation from regulators that CISOs will be held accountable. Opinions differ on the SolarWinds case, but there is a clear trend toward holding organizations and their executives accountable for their security posture. Whether the SEC's enforcement action succeeds remains uncertain, yet these developments have sent ripples through the CISO community. Hopefully, they prompt CISOs to communicate more candidly with executives and boards about risk and about the gaps the business has chosen to accept. Ultimately, the aim should be collective responsibility rather than singling out CISOs for blame.
“Industry-specific standards, regulations, and frameworks are important because they help ensure the safety, quality, and consistency of products and services within a particular industry.”
Score: 3 out of 5
We saw plenty of activity in 2023 around industry standards and regulations, and the impact will also be felt in 2024. Throughout 2023 we witnessed the SEC's cybersecurity disclosure rules, White House infrastructure security guidelines, and other signs of a more engaged regulatory landscape. Despite these advances, the ongoing delay in CMMC implementation and the generally limited enforcement of US regulations show that there is more work to be done. Enforcement typically lags the rules by a considerable time, so stay tuned as these developments progress.
“With over 82% of breaches involving a human element either deliberately or by accident, we predict an increased desire for organizations to provide security training to all employees.”
Score: 3 out of 5
Ostendio has seen training become more frequent and more specific, with an uptick in diversified, role-targeted sessions. The growing value of security awareness platforms such as KnowBe4 highlights the demand for cost-effective training. However, it is premature to claim success: gaps clearly persist, as the steady stream of incidents that begin with a phished or mistaken employee shows.
“We predict organizations would continue to focus on defense in depth and this includes adopting a zero trust model.”
Score: 5 out of 5
Remember the buzz surrounding Zero Trust? More organizations took the model on board and moved toward verifying every request for access to sensitive resources, rather than trusting a user or device simply because it sits inside the corporate network.
Today, AI is all the rage, and every security blog is buzzing about it. Check out our upcoming 2024 predictions for a more grounded take on the practical advantages of this remarkable technology.
“With cost savings associated with implementing an Incident Response Plan, we predict more organizations will test their plans using Business Continuity exercises.”
Score: 1 out of 5
Unfortunately, there has not been a significant rise in organizations adopting effective incident management and response practices. Although the market for incident response tooling keeps growing, it is clearly a top priority for only some organizations in the current landscape. We believe that as incident management and response tools integrate more tightly with other security technology, they will become a standard part of organizations' defenses. (More on that in Part 2 of this blog series.)
“We predict that CISOs and board members would work more closely to understand how to evaluate business risk and seek a tool that can handle data security as well as risk management.”
Score: 3 out of 5
As more managed service providers (MSPs) start evaluating risk for their clients, a valid risk assessment is becoming attainable for smaller organizations. Risk management is hard for any organization, so an MSP partner who can facilitate it on your behalf lowers the bar considerably. As this capability spreads through the MSP community, we expect organizations to take a more risk-based approach to building out their security programs. We may be in the early days of cyber risk understanding, but we believe we are heading in the right direction.
As the famous Danish physicist Niels Bohr said, "Prediction is very difficult, especially if it's about the future." Looking back on our 2023 predictions, we did well: 27 out of a possible 40 points across the eight predictions above.
Our reflections on the 2023 cybersecurity landscape highlight how quickly the industry moves and the challenges that persist despite real progress. Some predictions hit the mark; others ran into the complexity of how cybersecurity actually evolves. Part 2 of this series comes next, with a forward look at the trends and innovations we expect to shape 2024. Join us as we explore what lies ahead in compliance, data security, and risk management in the coming year.
If you have any questions or predictions, feel free to chat with one of our experts to find out how Ostendio can meet your needs for 2024.