According to the recently released World Economic Forum (WEF) Global Risks Report 2021, cyber risks continue ranking among the top ten clear and “present dangers” (high probability risks over the next 2 years).
This present danger translates into three key cybersecurity challenges for 2021:
- Increasing cybersecurity complexity – This is driven both by increased business digitalization and the blurring line between digital and physical domains. It isn’t necessarily because attackers are becoming more sophisticated, but primarily because systems have become more interconnected and interdependent. It is no longer about protecting a single asset – it is about protecting a complex system of systems and their interconnectivity. Never has it been truer that “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win”.
- Fragmented and complex regulations – Cyber adversaries do not stop at countries’ borders, nor do they comply with different jurisdictions. Organizations must navigate an increasingly complex system of regulations and rules, such as the General Data Protection Regulation, the California Consumer Privacy Act, the Cybersecurity Law of the People’s Republic of China and many others worldwide. Without a line-of-sight connection between compliance, security policies and internal controls, compliance creates fragmented and sometimes even conflicting priorities. Organizations need to explicitly define their risk appetite through security policies, understand the risk characteristics of those policies and manage the tradeoffs between cyber defense, compliance, and cost.
- IT supply chain challenges – This underlines the growing complexity of managing IT supply chain security. There are security issues related to IT vendors in your infrastructure (e.g. SolarWinds), information and data sharing with business partners (e.g. Intel), and third-party providers of outsourced cyber security. Addressing these challenges is difficult for any company, but even more so for companies that lack deep internal cyber security expertise. Companies must explicitly define a supply chain security policy and continuously monitor it using automated risk scenarios.
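The first challenge above turns on the difference between a list of assets and a graph of how those assets trust and reach one another. The following Python script is an added example, not code from the original post or from the WEF report: it models a small environment as a directed graph and shows how a defender can compute the blast radius of a single compromised asset (for instance a vendor update channel, as in the supply chain item) and the choke points worth hardening on the way to a critical asset. All host names and edges are constructed sample data; in practice they would come from an asset inventory, identity store or network map.

```python
"""Blast-radius and choke-point analysis over an asset dependency graph.

Added example (not part of the original post). All assets, edges and the
compromised starting point below are constructed sample data.
"""
from collections import deque

# Constructed sample. A directed edge (A, B) means that control of A gives a
# path to B: a software update channel, shared credentials, a trust
# relationship, network reachability, partner or vendor access, and so on.
SAMPLE_EDGES = [
    ("vendor-update-server", "build-host"),   # third-party update channel
    ("build-host", "ci-runner"),
    ("ci-runner", "prod-web"),
    ("prod-web", "prod-db"),
    ("partner-vpn", "file-share"),            # business-partner access
    ("file-share", "hr-app"),
    ("hr-app", "prod-db"),
    ("workstation-42", "file-share"),
]


def build_graph(edges):
    """Turn an edge list into an adjacency map; every node gets an entry."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def list_view(graph, start):
    """The 'defenders think in lists' view: only the direct dependencies."""
    return sorted(graph.get(start, ()))


def blast_radius(graph, start):
    """Breadth-first search from `start`.

    Returns {asset: shortest path from start to asset} for every asset that
    becomes reachable once `start` is compromised (start itself included).
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def choke_points(graph, start, target):
    """Assets whose removal (or isolation) cuts every path from start to target.

    These are the single points where segmentation, credential separation or
    monitoring has the largest effect on this particular risk scenario.
    """
    result = []
    for node in graph:
        if node in (start, target):
            continue
        # Rebuild the graph without `node` and re-run the reachability check.
        pruned = {n: {m for m in nbrs if m != node}
                  for n, nbrs in graph.items() if n != node}
        if target not in blast_radius(pruned, start):
            result.append(node)
    return sorted(result)


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    start, target = "vendor-update-server", "prod-db"
    print("direct dependencies of", start, "->", list_view(g, start))
    reach = blast_radius(g, start)
    print("assets reachable from", start, "->", sorted(reach))
    print("shortest path to", target, "->", " -> ".join(reach[target]))
    print("choke points to harden ->", choke_points(g, start, target))
```

Running the script for the constructed data shows the gap the quote is about: the list view of the vendor update server contains one asset, while the graph view shows that compromising it reaches the production database through four hops, and that each host on that chain is a choke point. Swapping in a real inventory and re-running the analysis for each vendor, partner and outsourced-provider entry point is one concrete way to turn the "automated risk scenarios" mentioned above into something repeatable.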