At the beginning of the year, TechRepublic said one of the top 10 CXO trends to watch in 2017 was the C-suite being held more accountable for cybersecurity at their firms. It seems like that responsibility will follow tech leaders into the new year, as C-level executives report being most most afraid of security threats heading into 2018 as well.
With 2017 considered by some the year hackers would innovate, the executives' worries are not surprising. That prediction came true, with 2017 seeing new ransomware variants like WannaCry and mass breaches at places like Equifax.
Security-related concerns are impacting how business leaders are digitally transforming as well. Slightly under half of CIOs said security concerns are one of their biggest obstacles to adopting new technology, according to a March report by Fuze.
Here are the specifics of what is stressing CXOs, security related and not. Quotes have been lightly edited for length and grammar.
SEE: IT leader's guide to the threat of cyberwarfare (Tech Pro Research)
Jonathan Levine, CTO, Intermedia:
"2017 was the year of ransomware, but 2018 will be no different. Hackers find ransomware incredibly lucrative and will continue to stick their hands out for money in the form of cryptocurrency. But companies that have the proper tools in place—in the form of backup and cloud storage—will be able to fight back in 2018 and beyond. Businesses that have prepared ahead of time—whether SMBs or large enterprises—will be in a position to refuse these extortive demands. The more of us who prepare ahead of time, the less effective ransomware will become, and this in turn will encourage criminals to look elsewhere."
2. Getting breached and the media catching it first
Ian McClarty, CIO, PhoenixNAP Global IT Services:
"We have all accepted that at some point in time, someone is going to get through the defenses. With the mix of vendors on both the hardware and software side, there is going to be a vulnerability that can be exploited. Yet we hope that we 'catch' this breach in a reasonable time to limit and mitigate so that we can notify the victims/public through a controlled message. The average 'dwell time' or interpreted as average detection time, is 104 days.
"Even scarier is that only 53% of the time do we find this breach ourselves. Which means about half the time, our breach is disclosed publically, and these bad actors were rummaging through our systems for 104 days. These are both career-limiting stats for a CIO. Yet in the reality of finite budgets and a critical skills shortage, there is very little we can do to significantly move this needle. We can do a lot of the right things, yet our ultimate defense is a prayer: 'Let it not be me today.'"
3. General Data Protection Regulation (GDPR) coming to Europe
Mark Hill, CIO, Churchill Frank:
"The most talked about security development in Europe is without question the introduction of GPDR. A significant change to how personal data will be stored, it's still yet to be determined how companies will interpret the guidelines on how much data they keep based on having a 'legitimate interest' vs. that of requiring explicit 'consent'."
4. Consumers taking tech breaks
Nichole Rouillac, founder, level design:
"People are exhausted with current technology as a distraction from their relationships and values. They are starting to purposely pull away from tech or take tech breaks. In order for technology to advance with these shifts, we will start to see technology become much more invisible and integrated into innovations.
"We also see a shift in the desire for more heirloom products that will last and can be passed down to future generations. There is a frustration and backlash building from the decades of disposable products we've become accustomed to."
5. Protecting themselves and critical vendors
Carlos Solari, vice president of cyber security services, Comodo:
"2017 served to connect an important dot in the minds of business leaders. Cyber can disrupt the business—really. And it can happen indirectly, meaning that the disruption can happen to the supplier, which means it impacts me—my company. This is somewhat of a revelation, but it should not be. This problem has been here for some time. It means this: businesses now have to worry not just about the protection of their own IT systems, but also that of their critical suppliers. Cyber security seems a lot less of an abstract requirement now. That is good - a silver lining in a dark cloud."
SEE: How to choose and manage great tech partners (free PDF) (ZDNet/TechRepublic special report)
6. Having a false sense of security
Rich Hillebrecht, CIO, Riverbed:
"Because security is such a broad concern, the primary threat that should be top of mind is a false sense of security. Given threat profiles for cybersecurity and the need to protect intellectual property and financial assets etc., there is no single investment or effort that allows you to 'check the box.' Comprehensive visibility to your technology footprint—from device to application destination—is a key capability required to enable you to be successful in understanding your security position and identify new attacks."
7. The team's well-being
Rhonda Vetere, CTO, Estee Lauder:
"Being sure to be extremely considerate of folks on my team's well being and that they are making time for themselves to lead a healthy lifestyle. I want to ensure we are taking care of each other because if you aren't taking care of yourself, you won't have the ability to be a high performing team.
"I want to continue to be the C-suite example of the corporate athlete and continue to focus on time management, discipline, and training for IronMans and marathons with my heavy travel schedule. Allowing myself to make this a priority makes me a better leader, and allows me to stay healthy both physically and allows for clear decision-making"
8. Large-scale data breaches
David Levine, CISO, Ricoh USA:
"Coming off a year of major data breaches, from Equifax to Yahoo email accounts, CIOs will be more worried than ever before about their own potential data breaches. The reality is, a vast majority of all breaches occur due to unpatched systems and/or advanced social engineering attacks.
"In 2018, I expect that CIOs will be tasked to find more comprehensive patching programs, and to provide more effective cybersecurity training, for both their engineers and general employees. Most CIOs will also be looking to purchase better advanced detection/prevention solutions from outside security vendors as well as to embrace comprehensive data governance initiatives; you can't protect what you can't control or see. While there is no "silver bullet" when it comes to security, continuous improvement and limiting your exposure will go a long way to reducing your risk."
9. Employees' lack of cybersecurity skills
John Matthews, CIO, ExtraHop
"People still represent the biggest security risk for most companies. I spend an inordinate amount of time worrying what folks click on in emails and on websites. I also worry about GDPR and all of the shifting compliance rules. Trying to manage all the new rules is extremely complex when they change every couple of months. Finally, I have a fear of interconnected identity sharing: the hotel Wi-Fi, the Netflix account on the tablet over our corporate networks, the phone in the coffee shop, and all the ways we interact with networks on devices that live both inside and outside our corporate network."
10. Security issues with the Internet of Things (IoT) and BYOD
Tom DeSot, CIO, Digital Defense
"The biggest fear for CIOs that I talk to is the encroachment of IoT (Internet of Things) equipment into their organizations. So is this an irrational fear? Hardly!
"The fear comes from the knowledge that many of these devices have hard coded firmware where the passwords are common to the device, but not the user of the device. Couple this with the fact that organizations can't simply go in and change the password to make it unique and thereby less exploitable, and you've got some real challenges.The conundrum that CIOs now face is how to protect the organization while at the same time introducing new technology into the workplace, which will make employees' lives easier and make the business, as a whole, more efficient."
Avinash Ramineni, principal, Clairvoyant
"CIOs' biggest fears heading into 2018 include how to avoid a network breach along the lines of what happened to Equifax and too many others. Based on what we're seeing, these fears are warranted. It's not a question of if this will happen, but when.
"Also, with more and more companies adopting BYOD policies, CIOs are very concerned about how to account for every device attempting to access their network, how to determine the level of access that is authorized for each device, how to provide network monitoring on a 24/7 basis, and how to protect their company's most sensitive data from unauthorized access."
- The future of cyberwar: Weaponised ransomware, IoT attacks and a new arms race (TechRepublic)
- 6 big data privacy practices every company should adopt in 2018 (TechRepublic)
- Cloud innovation will power enterprise transformation in 2018 (ZDNet)
- Forrester's top 6 cybersecurity predictions for 2018 (TechRepublic)
- In 2018, IoT will move beyond experimentation (ZDNet)
- Cybersecurity predictions for 2018: it's going to be "a lot more of the same" (TechRepublic)
Olivia Krauth is a Multiplatform Reporter at TechRepublic.