Cybersecurity compliance will evolve to add automated continuous security control validation to an existing list of compliance mandates.
Historically, compliance standards have focused on getting organizations to build capability in their security programs, with an emphasis on checklist implementation of defensive security controls.
The reality is that enterprises are at war, and they need to test their capabilities in real-world environments, not just on paper. In late 2022 we began to see a shift, with CISA recommending for the first time in September that companies adopt automated continuous testing of security controls, in production, to protect against longstanding threats. The authoring agencies recommend exercising, testing and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework.
This is only the beginning. In 2023, we will see organizations shift from a reactive mindset to a proactive one in order to better prevent and remediate cyberattacks. Security operations teams will do this by turning to tools that leverage automated, continuous real-time testing to help them manage risk more effectively and make security events less impactful.
The CISO role will evolve from a primarily technical function to include a greater focus on measurable security outcomes and security program effectiveness.
A CISO's primary responsibility is protecting the business. This must be measured, benchmarked and aligned to the needs of the organization based on the risk profiles of the business. It has nothing to do with technology. It is about looking at each information security function and the level of protection it delivers to the business.
Historically, CISOs were technical individuals who were promoted into management positions. In the year ahead, amid a tighter financial period, the strategic clarity of security’s function within the organization will matter more than technology decisions. Increased pressure to create real security outcomes that matter to, and are understandable by, the business will cause CISOs to shift their thinking toward measuring security program performance.