Expanding The Strategic Security Conversation: Impact of AI

The document discusses several key topics related to cybersecurity in 2022: 1) Most CEOs feel prepared for a cyberattack but organizations must be ready to respond, recover, and rebuild trust quickly when an event occurs. 2) Securing systems and data is a shared responsibility across an organization, as digital technology can disrupt operations if unsecured. 3) Artificial intelligence can help automate security tasks like identifying vulnerabilities and applying fixes to avoid delivering vulnerable code. 4) CISOs should focus on trends in data over operational metrics and build relationships across the business to support security and business objectives.


The majority of CEOs (58 percent) feel they are well prepared for a cyberattack. Indeed, for nearly every organization, some type of cyber event is seen as increasingly inevitable.
Security teams must be prepared for the increasing inevitability of some type of cyber event and be ready to respond, recover and re-establish trust as quickly as possible to mitigate the damage.

Expanding the strategic security conversation
Change the conversation from cost and speed to effective security to help deliver enhanced business value and user experience.

Securing and protecting critical assets, systems and, most importantly, sensitive proprietary and
customer data is no longer exclusively an issue for security and IT professionals. Rather, handling and
mitigating risk to help the strategic viability and operational sustainability of the entire organization is a
shared responsibility that starts with the business.

Digital technology now powers and empowers enterprises much like electricity. It also has the ability, if insufficiently secured or resilient, to interrupt communications and disrupt supply chains.

The resulting cyber risk landscape is fuelled by an ever-growing volume of sensitive data moving across
interconnected and integrated networks.

The costs of disruption of consumer-facing systems or compromised data outweigh what cyber teams
typically quantify operationally and are magnified by degraded consumer and investor confidence, which
can have lasting impact.

Speed-to-market is essential for competitive advantage today, but it’s equally important to embed security into business processes in a way that enables the organization to maintain pace, rather than create a bottleneck at the CISO’s office.

Impact of AI
Artificial intelligence (AI), machine learning (ML) in particular, in concert with smart, orchestrated security
tools, should be considered not only to isolate exposures and vulnerabilities, but also to automate the
fixes and remediation.

AI can help companies avoid delivering bad code to customers who might then distribute it through their
networks.
This is expected to be the overarching trend over the next several years as development volume and risk
continue to grow.

Key actions for 2022
Think less about operational key performance indicators (KPIs) and key risk indicators (KRIs) and focus on themes and trends in the underlying data: types of incidents, internal and external program gaps, and data-related activities that are in progress, planned or awaiting approval.
Build relationships with key business areas by increasing awareness of how quickly they can achieve objectives by embedding security versus what they may lose in the event of a breach.

Achieving the x-factor: Critical talent and skillsets
Transform the posture of CISOs and their teams from cyber security enforcers to influencers.

CISOs are not spending a lot of time talking about technology. Rather, they spend more time thinking and
talking about the forward direction of the business, striving to ensure that executives in the C-suite and
the board room are aware of and aligned with the security plan and vice versa.
Talking about firewalls, patch management, and data loss prevention — although all critical
considerations — makes non-security heads spin.

Today we are seeing essentially negative unemployment in cyber. People tend to move around in this
industry because they are looking for different experiences to strengthen existing skills and acquire new
competencies.

CISOs need to change the narrative so developers and the business lines buy into the fact that cyber
exists to support rather than hinder.
From passwords and PINs to two-factor authentication and security awareness training, employees are
going to have complaints and cyber teams should take the time to listen, be empathetic and inspirational.
Look for ways to make cyber awareness more engaging, interactive, fun, even game-like, perhaps through augmented reality (AR) or virtual reality (VR).

The use of automation, data analytics and AI, specifically ML, informs the data science aspects of decision-support systems and aligns real-time cyber outcomes with the organization’s risk profile and response activities.

Key actions for 2022
Don’t limit yourself to the traditional definition of cyber security; continue to build relationships with other areas of the organization and build a network of internal business partners.
Make compliance an important outcome of your security program, rather than the reason for its existence.

Adapting security for the cloud
Enhance cloud security through automation — from deployment and monitoring to remediation.

Cloud security
While digital transformation propels cloud adoption and usage forward, it also puts institutions and businesses at greater cyber risk. According to research by Aqua Security, 90 percent of organizations are vulnerable to security breaches attributable to cloud misconfigurations.
At many firms, the cloud development team is expected to also function as the security engineering team. That is neither realistic nor sustainable.
Certainly, organizations should expect cloud developers to embed security in their products to a much greater degree, but development teams should never be the security backstop.

Your Move
Both cloud providers and the companies that use their services are entering into shared responsibility
agreements that often are misunderstood, especially on the client side. As a result, ownership of security
of the cloud versus security within the cloud can be a murky concept.
Organizational security teams should promote the view that all data that sits in the cloud remains the responsibility of the organization: it needs to be encrypted (where appropriate, of course) and protected with the relevant controls.
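One way to put the two points above into practice, the organization owning its cloud data and misconfiguration being the dominant breach cause, is an automated audit that checks a storage inventory for the common misconfigurations and emits the corrected settings. The following Python is an added example, not code from the KPMG report or from any cloud provider: the BucketConfig record layout, the three checks and the "KMS" encryption default are assumptions made for illustration, and the sample inventory is constructed.

```python
"""Automated audit and remediation of cloud storage configuration.

Added example, not code from the KPMG report. The BucketConfig record
layout is an assumption for illustration; a real audit would read the
equivalent fields from the provider's inventory API."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Data classifications that may legitimately be served to anonymous readers.
PUBLIC_OK = {"public"}


@dataclass(frozen=True)
class BucketConfig:
    name: str
    classification: str            # "public", "internal" or "confidential"
    public_read: bool              # anonymous read access enabled
    encryption: Optional[str]      # e.g. "AES256", "KMS", or None for none
    access_logging: bool


def audit_bucket(cfg: BucketConfig) -> List[str]:
    """Return one finding string per misconfiguration; empty means clean."""
    findings = []
    if cfg.public_read and cfg.classification not in PUBLIC_OK:
        findings.append(f"{cfg.name}: anonymous read on {cfg.classification} data")
    if cfg.encryption is None:
        findings.append(f"{cfg.name}: no encryption at rest")
    if not cfg.access_logging:
        findings.append(f"{cfg.name}: access logging disabled")
    return findings


def harden(cfg: BucketConfig) -> BucketConfig:
    """Return the corrected configuration the remediation step would apply.

    Defaulting to a customer-managed key ("KMS") is an assumption of this
    example, not a recommendation taken from the report."""
    return replace(
        cfg,
        public_read=cfg.public_read and cfg.classification in PUBLIC_OK,
        encryption=cfg.encryption or "KMS",
        access_logging=True,
    )


def audit_and_remediate(configs: List[BucketConfig]) -> Tuple[List[str], List[BucketConfig]]:
    """Audit every bucket, harden the ones with findings, and return both
    the finding list and the resulting inventory (which re-audits clean)."""
    findings: List[str] = []
    remediated: List[BucketConfig] = []
    for cfg in configs:
        f = audit_bucket(cfg)
        findings.extend(f)
        remediated.append(harden(cfg) if f else cfg)
    return findings, remediated


# Constructed sample inventory (not real buckets).
SAMPLE_INVENTORY = [
    BucketConfig("marketing-assets", "public", True, "AES256", True),
    BucketConfig("customer-exports", "confidential", True, None, False),
    BucketConfig("build-artifacts", "internal", False, "KMS", False),
]

if __name__ == "__main__":
    found, fixed = audit_and_remediate(SAMPLE_INVENTORY)
    for line in found:
        print("FINDING", line)
    print("findings after remediation:", audit_and_remediate(fixed)[0])
```

Running the audit twice, once on the inventory and once on its hardened copy, is the check that matters: the second pass returning no findings is what turns a point-in-time review into a repeatable, automated control.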

With the accelerated march to the cloud, enterprises should be ready to secure their own cloud-based data, especially through automation tools and protocols, within every type of contractual relationship.
A strong recommendation is to build a dedicated cloud security team that is centralized from a governance perspective and distributed across the organization.
Continue to automate everything you can, where appropriate, particularly in the areas of deployment, monitoring and remediation.

Key actions for 2022
Automate your cloud security, especially around deployment, monitoring and recovery, eliminating manual processes.
Lock in the operational responsibilities in a shared model, defining which entity is responsible for security in the cloud and which entity has responsibility for security of the cloud.
Construct an incident response process that is in sync with your broad cloud strategy.

Placing identity at the heart of zero trust
Put IAM and zero trust to work in today’s hyperconnected workplace.

With tens of millions of employees working at their kitchen tables and in their home offices, and billions
of consumers purchasing goods on their phones from anywhere and everywhere, protecting mission-
critical and other sensitive data within a complex ecosystem of suppliers and partners has never been
more essential.

The rapid normalization of work-from-home arrangements has provided bad actors with a window of opportunity, and there have been an unparalleled number of cyberattacks in recent months.
Current identity and access management (IAM) models, originally built to manage digital identities and user access for single organizations, are now being re-conceptualized to offer the right level of resilience, as well as to deliver critical authentication features suitable for federated, private, public or multi-cloud computing environments.

The emergence of zero trust represents a mindset shift in which the cyber team assumes compromise in
connection with system access, and makes security decisions on the basis of identity, device, data, and
context.

Your move
In a post-pandemic business setting in which many, if not most, workers are remote, interim fixes and
temporary Band-Aids will likely prove to be unable to keep up with the pace and virulence of cyberattacks
and threats that are already bombarding businesses and government agencies.

The concept of zero trust is a growing point of interest, but many CISOs — and even more so, CIOs and Heads of Infrastructure — should continue to work toward the most effective means of implementing an organization-wide zero-trust architecture.
The principle of least privilege is perhaps one of the simplest ideas relating to the way data is protected, yet it’s also one of the most important. The general idea is that users, processes, workloads, and applications should only be granted the lowest degree of system resource access rights necessary to carry out their role.
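The zero-trust decision described above (security decisions based on identity, device, data and context) combined with least-privilege role scoping, as an added Python example that is not part of the original notes or of any product. The roles, actions, data classifications, posture scoring and the scenarios are constructed assumptions for illustration.

```python
"""Zero-trust access decision: identity, device posture, data classification
and request context are all evaluated on every request, and roles carry only
the actions they need (least privilege).

Added example, not from the KPMG report. All tables and scenarios below are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Least privilege: each role is granted only the actions its job requires.
ROLE_ACTIONS: Dict[str, FrozenSet[str]] = {
    "support-agent": frozenset({"ticket:read", "ticket:comment"}),
    "billing-analyst": frozenset({"invoice:read", "invoice:export"}),
    "payroll-admin": frozenset({"payroll:read", "payroll:write"}),
}

# Which data classification each action touches (constructed mapping).
ACTION_CLASSIFICATION: Dict[str, str] = {
    "ticket:read": "internal", "ticket:comment": "internal",
    "invoice:read": "confidential", "invoice:export": "confidential",
    "payroll:read": "restricted", "payroll:write": "restricted",
}

# Minimum device posture score required to touch each classification
# (assumed thresholds; a real deployment derives them from its risk profile).
REQUIRED_POSTURE = {"internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Identity:
    subject: str
    role: str
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    managed: bool          # enrolled in endpoint management
    disk_encrypted: bool
    patch_current: bool


@dataclass(frozen=True)
class Context:
    network: str           # "corp", "vpn" or "public"


def posture_score(dev: Device) -> int:
    """One point per satisfied posture attribute, 0..3."""
    return int(dev.managed) + int(dev.disk_encrypted) + int(dev.patch_current)


def decide(ident: Identity, dev: Device, ctx: Context, action: str) -> Tuple[bool, str]:
    """Evaluate one request. Nothing is trusted because of where it came
    from: the corp network gets the same checks as a public one."""
    if action not in ROLE_ACTIONS.get(ident.role, frozenset()):
        return False, f"{action} is outside the {ident.role} role (least privilege)"
    classification = ACTION_CLASSIFICATION[action]
    if not ident.mfa_verified:
        return False, "multi-factor authentication not verified"
    score = posture_score(dev)
    if score < REQUIRED_POSTURE[classification]:
        return False, f"device posture {score} below {REQUIRED_POSTURE[classification]} for {classification} data"
    if classification == "restricted" and ctx.network == "public":
        return False, "restricted data not served to public networks"
    return True, f"{ident.subject} may {action} from {ctx.network}"


# Constructed scenarios.
ALICE = Identity("alice", "support-agent", mfa_verified=True)
DAVE = Identity("dave", "payroll-admin", mfa_verified=True)
LAPTOP = Device(managed=True, disk_encrypted=True, patch_current=True)
HOME_PC = Device(managed=False, disk_encrypted=True, patch_current=False)

if __name__ == "__main__":
    for ident, dev, ctx, action in [
        (ALICE, HOME_PC, Context("public"), "ticket:read"),
        (ALICE, LAPTOP, Context("corp"), "payroll:read"),
        (DAVE, HOME_PC, Context("vpn"), "payroll:write"),
        (DAVE, LAPTOP, Context("vpn"), "payroll:write"),
    ]:
        print(decide(ident, dev, ctx, action))
```

The ordering of the checks is deliberate: the role check comes first so that an out-of-scope action is refused before any device or context signal is even considered, which is the least-privilege principle applied as a gate rather than as an afterthought.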

Key actions for 2022
Experiment with, or begin to build a strategy around, passwordless authentication for selected use cases.
Embed a zero-trust mindset into your overall cyber strategy.
Automate security functionality to enable highly skilled professionals to focus on more strategic activities.
Accept that adopting a zero-trust approach is a journey — it takes time to implement.

Exploiting security automation
Use smart deployment of security automation to help realize business value.

Work that was previously performed by highly trained professionals, such as vulnerability scanning, log analysis and compliance, is being standardized and automatically executed.
Automating the handling of lower-level threats and routine transactions augments the security operations centre by enabling it to prioritize tasks more effectively.
In situations where data sets are too large or complex for direct analysis, automation has proven to be tremendously valuable and is being applied in many sectors to discover hard-to-identify links and patterns.
It is also beneficial in analysing voluminous log data and performing high-volume data discovery, where analysing individual files is often inefficient.
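Automated log analysis of the kind described above, as an added Python example that is not from the report or from any SOC product: a sliding-window detector that flags a burst of failed logins from one source and any successful login that follows from that same source, which is the kind of pattern an analyst would otherwise have to find by reading the log by hand. The log format, the thresholds and the sample lines are constructed for this example.

```python
"""Automated analysis of constructed authentication log lines.

Added example, not from the KPMG report. The log format is an assumption
made up for this example, not any product's real format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one line into (timestamp, result, user, source); None if it
    does not match, so a malformed line is skipped rather than fatal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def analyse(lines: List[str], threshold: int = 5,
            window: timedelta = timedelta(minutes=2)) -> Dict[str, list]:
    """Sliding-window count of failures per source. A source reaching
    `threshold` failures within `window` is reported once as a burst; any
    later OK from that source is reported as a suspicious success."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    bursting: set = set()
    bursts: List[Tuple[str, str]] = []
    suspicious_ok: List[Tuple[str, str, str]] = []
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])          # logs are not always in order
    for ts, result, user, src in events:
        if result == "FAIL":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                bursts.append((src, ts.isoformat()))
        elif src in bursting:
            suspicious_ok.append((src, user, ts.isoformat()))
    return {"bursts": bursts, "suspicious_success": suspicious_ok}


# Constructed log sample (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    "2022-03-01T09:00:01 auth FAIL user=bob src=203.0.113.9",
    "2022-03-01T09:00:03 auth FAIL user=bob src=203.0.113.9",
    "2022-03-01T09:00:05 auth FAIL user=carol src=203.0.113.9",
    "2022-03-01T09:00:08 auth FAIL user=dave src=203.0.113.9",
    "2022-03-01T09:00:10 auth FAIL user=erin src=203.0.113.9",
    "2022-03-01T09:00:20 auth OK user=erin src=203.0.113.9",
    "2022-03-01T09:00:30 auth FAIL user=alice src=198.51.100.4",
    "2022-03-01T09:05:00 auth FAIL user=alice src=198.51.100.4",
    "2022-03-01T09:05:02 auth OK user=alice src=198.51.100.4",
    "garbage line the parser should skip",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The second source in the sample never trips the detector: its two failures are more than two minutes apart, so the window drops the first before the second arrives, and the success that follows is treated as an ordinary user mistyping a password once. Tuning `threshold` and `window` to the organization's own baseline is the part that stays a human decision.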

From a DevOps perspective, security automation should be built into every critical intersection point in
the SDLC.

Your Move
It’s easier to take someone who has previous experience using robotic process automation (RPA) in other areas of the business, or with a previous
Certain technologies, like security orchestration, automation and response (SOAR), are inherently complementary, meant not to replace human analysts but to augment their skills and workflows for a better employee experience.

Rather than having a separate security team for identifying vulnerabilities and breaches, security automation should shift left and be present at every critical intersection point in the SDLC.

Key actions for 2022
Take a proactive approach to security automation by focusing on threats instead of incidents.
Leverage existing technology and automation experts within your organization.
Build security automation into every critical intersection point within the SDLC.

Protecting the privacy frontier
Move to a multidisciplinary approach to privacy risk management that embeds privacy and security by design.

Today more global awareness and recognition exists for individual rights in relation to their personal
information. With the cascade of global regulations, from the GDPR in Europe to various individual
regimes across Asia, North and South America — notably the Brazilian General Data Protection Law
(LGPD), the California Consumer Privacy Act (CCPA) and other emerging US state laws, and federal and
provincial laws being enacted in Canada — the focus on data rights, privacy and security is sharper than
ever.

With so many different regulations, however, the regulatory landscape is becoming increasingly difficult
to navigate and comply with, particularly for global businesses operating in multiple jurisdictions.
Automation is the key, especially for organizations that don’t have the bandwidth and resources to
manage areas such as privacy risk identification and reporting.

Your Move
Keeping individuals’ data secure and taking data privacy seriously is more than just implementing new
processes to satisfy regulatory requirements — it’s a cultural shift.
This cultural shift should start at the top, with the C-suite recognizing that data belongs to their
customers, clients and partners.
Embedding privacy and security into organizational change, culture, processes, technology and products
is a good starting point and will likely help companies avoid costly retrofits and regulatory investigations.
Automation is critical for the effective management and enhanced efficiency of privacy processes,
particularly privacy impact assessments and data subject access requests.
Automation can also help break down the silos between the cyber security and privacy functions.

Becoming familiar and conversant with emerging technologies such as automation and AI is important
and recommended, but the basic principles from security and privacy perspectives are largely constant.
That is, secure consent from individuals whose data you collect; only gather the data that is relevant;
retain it only as long as it is needed; dispose of it when it’s no longer needed; and protect it properly.
Key actions for 2022
Adopt a privacy-by-design standard to supplement and complement the rules, regulations and regulatory expectations around privacy.
Explore opportunities to implement a data privacy management technology tool to automate processes, comply with regulations, help increase response speed and assist with reducing human error.

Securing beyond the boundaries
Transform supply chain security approaches — from manual and time consuming to automated and collaborative.

Becoming a digital-first organization implies a data-centric approach in which data is shared on a near-
constant basis throughout a complex and connected ecosystem of partners and suppliers.
This creates numerous opportunities for cyber attackers to compromise systems and data.

There should be proper vetting of all potential vendors’ organizational security policies, as well as the
security built into the products and services to be accessed.
Some organizations, particularly in regulated industries, are also making better use of security-ratings
companies, whose services supplement point-in-time assessments by providing security risk scores
against a set of pre-defined parameters.
CISOs are faced with the difficult task of transitioning away from the compliance-based strategy to a
much more proactive approach that puts continuous monitoring, usage of AI/ML-based solutions, threat
intelligence, and zero trust at the heart of their ecosystem security model.

Your Move
A strong risk management framework that looks both inward and outward is key, especially for high-risk industries, in an effort to help ensure that all ecosystem partners follow a clear path in protecting their own organizations, as well as the broad ecosystems within which they operate.
AI/ML can be applied to security policies to address shadow IT issues and provide better oversight of third-party SaaS products, as well as to implement self-service chatbots and automate many aspects of the organization’s third-party risk management processes.
Continuous controls monitoring (CCM) takes this a step further, moving security assessments away from point-in-time activities.
Companies are realizing they have a responsibility to protect their supplier ecosystem, particularly partners that don’t have the same level of resources.

Key actions for 2022
Consider CCM as a way of moving ecosystems from compliance to a more operationally based view of security.
Larger, more resourceful organizations should seek to take a capacity-building approach by applying security measures to protect their broader ecosystem, in addition to their own environment.

Reframing the cyber resilience conversation
Broaden the ability to sustain operations, recover rapidly and mitigate the consequences when a cyberattack occurs.

Resilience demands an assessment of the key operational processes of the business and a strategy for
protecting them.

Your Move
Organizations are evolving toward what might be referred to as a Chief Digital Resilience Officer, a role that entails a broader agenda of shared security, technology risk and business continuity priorities.

Regularly simulating real-world cyberattacks with executives is important and helps them understand the
potential impact of a cyberattack on the organization, and what it takes to respond and recover.
Organizations should supplement the basics with solid detection capabilities, an advanced ability to
respond and recover rapidly, and a focus on managing the consequences of a cyberattack.

Elevate the topic of cyber security and cyber resilience to board level.
Have the humility to acknowledge that your assumptions might be wrong, and have an alternate plan that can be operationalized quickly.
Help the C-suite develop their crisis management capabilities and their individual roles in the event of a cyberattack through regular, real-world simulations.

IIoT
Industrial Internet of Things – millions of devices will be connected to each other, sharing information.

The urgency from a cyber perspective is that, in the rush to innovate, the software used in these hyperconnected systems often doesn’t include the appropriate risk management controls.
Organizations should expect to focus on how deeply security is embedded within the products that enable the IIoT and the way these devices are leveraged within the broader ecosystem.
IIoT should be viewed as a component of a broader ecosystem of solutions that ultimately constitute an overarching security posture.

Top initiatives to better secure IIoT environments
Design, develop, and implement security programs that enable organizations to better manage cyber risk associated with IIoT products and ecosystems.
Assess the enterprise-level framework and associated processes that organizations use to secure their connected devices and associated infrastructures.
Perform technical security testing, including the latest techniques, tradecraft, and procedures utilizing manual and automated tooling and reviews, to identify potential vulnerabilities at the hardware, software, and firmware level.
Prepare new security executives for their position in an IIoT security program with tailored training that includes role responsibilities, industry-leading practices, and assistance developing strategy.
Securely procure IIoT products, devices, components, and sensors critical to an organization’s industrial functions.
Execute paper-based security testing based on stakeholder feedback to help identify potential vulnerabilities at the plant, ecosystem, and industrial product level, and drive remediation activities.
Evaluate fielded products or products maintained via third-party technology to proactively identify and remediate risks as they arise.

5G networks
A 5G network is fundamentally different from 4G in terms of speed, bandwidth, latency and overall sophistication.
5G is going to enable massive connectivity advances, but it also brings a different set of security challenges and requires highly sophisticated security architecture, monitoring and controls.
With 5G, cyber professionals will likely be in a position where millions of devices, each with its own digital identity, may be connecting simultaneously in untrusted environments characterized by very fluid connection architectures.
This air of unpredictability suggests organizations should assume an ongoing zero-trust mindset and an authentication architecture that is flexible and adaptable to these new dependencies and resilience issues.

Risk factors for 5G technologies

Exponential Increase In Attack Surface
5G’s dynamic software-based systems have far more traffic routing points than the current hardware-based, centralized hub-and-spoke designs that 4G has. Multiple unregulated entry points to the network can allow hackers access to location tracking and even cellular reception for logged-in users.
Risk Mitigation: 5G technologies require a complete overhaul of network security, which isn’t possible without significant funding and executive support.

Non-existent IoT Security Standards
Many IoT devices are being manufactured with minimal or non-existent cybersecurity measures.
In the future, such unsecured IoT devices could easily allow for man-in-the-middle attacks. A cybercriminal could intercept and change sensitive communication over 5G.
Risk Mitigation: Just like the FCC (Federal Communications Commission) grades radio systems, we should have a new regulatory body to oversee IoT devices.

Dynamic Spectrum Sharing Makes Network Partitioning Complex
5G uses short-range, low-cost and small-cell physical antennas within the geographic area of coverage. Each antenna can become a single point of control. Botnet and distributed denial of service (DDoS) attacks can bring down whole portions of the network simply by overloading a single node.
Risk Mitigation: Artificial Intelligence And Machine Learning In Network Management
The dynamic nature of 5G’s network architecture requires a dynamic and fast-learning management system. AI-powered cyber solutions will continue learning and updating themselves. AI and machine learning can serve as powerful tools for 5G cybersecurity.

AI-ML
Clearly, securing learning AI applications is a very different challenge to securing conventional systems.
There are so many questions: Is the software operating within its trained parameters? How much
unconscious bias is present? Is the application being manipulated by a bad actor or adversarial AI in an
effort to compromise sensitive information? Looking ahead, cyber professionals may also have to think
about the integrity, predictability and acceptability of the AI application within the context of the
operating environment for which it’s been trained and designed. In this sphere, CISOs and their teams
should expect to build strong partnerships with the Chief Technology Officer and their data science team.
As a security matter, this is new territory.

There are numerous liability issues around AI. Legal frameworks are phenomenally immature and
regulatory initiatives abound. It may take time for cyber security professionals to appreciate the
implications, while cybercriminals will likely be more entrepreneurial.

AI presents two types of risk that change the nature of cyber professionals’ jobs. The first is that criminals, bad state actors, unscrupulous competitors, and insider threats will manipulate their companies’ fledgling AI programs. The second risk is that attackers will use AI in a variety of ways to exploit vulnerabilities in their victims’ defences.

AI systems are generally empowered to make deductions and decisions in an automated way without day-to-day human involvement.
They can be compromised, and that can go undetected for a long time.
The reasons that a machine-learning or AI program makes particular deductions and decisions are not always immediately clear to overseers.
The underlying decision-making models and data are not necessarily transparent or quickly interpretable.

AI initiatives present an array of potential vulnerabilities, including malicious corruption or manipulation of the training data, implementation, and component configuration.
Blockchain

The blockchain protocol is a special case of distributed ledger technology (DLT), where the consensus protocol creates a daisy-chained, immutable ledger of all transactions that is shared across all participants.
This framework allows for near real-time value transfer.
Any transfer of value between two parties and the associated debits and credits are captured in the blockchain ledger for all parties to see.

Risks:
Standard risks: Blockchain technologies expose institutions to risks that are similar to those associated
with current business processes but introduce nuances for which entities need to account.
Value transfer risks: Blockchain enables peer-to-peer transfer of value without the need for a central
intermediary. The value transferred could be assets, identity, or information. This new business model
exposes the interacting parties to new risks that were previously managed by central intermediaries.
Smart contract risks: Smart contracts can potentially encode complex business, financial, and legal
arrangements on the blockchain, and could result in the risk associated with the one-to-one mapping of
these arrangements from the physical to the digital framework.

AR/VR
Augmented reality (AR) technology is advancing with extraordinary speed, and new innovations hit the marketplace regularly. Powerful and sophisticated applications are being implemented in everything from manufacturing and industrial environments to shipping and logistics.

The business proposition of AR is causing it to be adopted before the risks have been vetted, or with technology developed by companies without significant IT experience.
Wearable and tablet-based AR almost always requires Wi-Fi, which carries significant security risks. Even the latest WPA3 encryption standard has been found to have serious vulnerabilities.

Many wearable AR companies require cloud connectivity, which exposes new threat vectors: data moving to and from the cloud can often be intercepted, and cloud servers can be breached, potentially exposing sensitive data.

Wearable devices can host malware, enabling cameras, collecting data, corrupting work instructions or disrupting operation.

Many companies are reluctant to house their sensitive data on someone else’s cloud. This is a challenge for responsible AR solutions providers because very few manufacturers have meaningful security measures on their internal systems.
References:

KPMG report – Cyber security considerations 2022
Information Technology for Management by O.P. Wali
https://www2.deloitte.com/us/en/pages/risk/solutions/industrial-internet-of-things-and-cybersecurity.html
https://www.forbes.com/sites/forbestechcouncil/2021/10/29/why-5g-networks-are-disrupting-the-cybersecurity-industry/?sh=b6facf91fe9e
https://www.bcg.com/publications/2018/artificial-intelligence-threat-cybersecurity-solution
https://www2.deloitte.com/us/en/pages/risk/articles/blockchain-security-risks.html
https://www.forbes.com/sites/forbestechcouncil/2019/09/06/cybersecurity-and-the-explosion-of-augmented-reality/?sh=7c29f9c73c07
https://www.japcc.org/cybersecurity-challenges-with-emerging-technologies/
https://www.tsp.me/blog/cyber-security/the-6-biggest-cyberattacks/
