“God grant me the serenity to accept the things I cannot change, courage to change the things I can, and wisdom to know the difference.”
The saying is printed on coffee mugs, T-shirts, and signs at craft stores. The likes of Yale University, the New York Times, and media around the world have explored its history and impact. It is a very concise piece of prose with which you may be familiar.
Many know this as “The Serenity Prayer.” We in the cybersecurity profession have long appreciated that serenity is not exactly joined at the hip with what commands our attention on a daily basis. In fact, those of us who have accepted responsibility for the security of others typically adopt a state of constant vigilance, which hardly sounds like a good recipe for achieving serenity. However, when I look ahead to the cybersecurity landscape for 2023, a useful business parallel to this classic saying emerges in my mind:
We must accept that threat actors will throw some surprises our way in the year ahead. However, we can change our security posture for the better by focusing on certain priorities in 2023. And it takes the wisdom of intelligent leaders and skilled teams to carry this out successfully.
With that said, instead of making a list of random cybersecurity predictions for 2023, I want to focus on three challenges we can manage to make our organizations more resilient and secure in the coming year ahead.
1. Prepare for Executive Order Security Attestations
Are you ready to attest to the U.S. government that your software is developed securely? Around the middle of 2023, federal agencies will require attestation that organizations follow a Secure Software Development Framework (SSDF) to create software they license or sell to any agency.
The White House Executive Order (EO) 14028 requires this change for doing business with the government — and many highly regulated vertical industries are moving in this direction as well.
The SSDF is a set of secure software development practices designed to decrease the number of vulnerabilities in software releases, mitigate the impact when threat actors exploit unaddressed vulnerabilities, and help address root causes of vulnerabilities to limit future recurrences.
The National Institute of Standards and Technology (NIST) says several verification methods will be used based on the criticality of the software. These include:
- Requisite certifications
- Site visits
- Third-party assessments
Be prepared to share artifacts to prove your case because government agencies are being empowered to ask for them.
EO 14028 also allows agencies to require a Software Bill of Materials (SBOM). My colleague Christine Gadsby — who is Vice President of Product Security at BlackBerry — spends a great deal of time working in this area.
“We know the industry is feeling pressure to understand their true attack surface in their supply chain,” Gadsby says. “And I believe most companies find components in their supply chain they didn’t know existed.”
Preparing for attestation and SBOMs should be a key focus for many in 2023, and doing this exercise will increase our collective cybersecurity posture one organization at a time. Luckily, new tools are available to speed up the process of analyzing source code to find potential vulnerabilities.
2. Anticipate and Prevent Supply Chain Attacks
Creating a more cyber-secure software supply chain is part of the fallout from the 2021 SolarWinds attack. From this and other incidents, the security world was reminded that attacking a supplier can grant attackers access to multiple organizations or agencies at once.
We saw more of these supply chain attacks in 2022 and should also be preparing for this possibility in 2023. Are you relying on a single vendor to provide both business operations and cybersecurity software solutions? If so, do you have a business continuity plan for when that platform is compromised and you must suspend its use?
3. Convergence of Physical and Cybersecurity
Physical security and cybersecurity are converging. We can take advantage of this by breaking down siloes between the two sides.
For example, a physical security access program’s supporting infrastructure now sits on the network. Having monitors that reflect the status of that system sitting next to ones being monitored by your cybersecurity operations team is highly valuable. This allows for opportunities to cross-train and leverage headcount that might otherwise have to be duplicated.
And the exponential growth of Internet of things (IoT) devices attached to corporate networks should be a key focus of any convergence discussion. IDC recently highlighted 19 industry verticals that have multiple use cases for IoT devices, and, in many settings, these devices sit well outside a secured perimeter.
I started this column on what you might call “a wing and a prayer,” and now I’ll end it with a quote from corporate management guru Peter Drucker. One of his most insightful quotes stands out to me as very applicable for the year ahead.
“A time of turbulence is a dangerous time, but its greatest danger is a temptation to deny reality.”
We can no longer afford to deny the reality — in fact, the enormity — of cyber risk that faces all organizations, regardless of size. However, we can do something about this risk and reduce it to a level that improves security while aligning with our organizations’ unique risk appetite.
And despite the constant worry and watchfulness that “comes with the territory” in this security business, I believe that when our people, processes and technologies are all in alignment with each other and our corporate objectives, we can take a certain amount of serenity from knowing that we are as prepared for the unexpected as we can be.