A C-level executive will be fired for their firm’s use of employee monitoring in 2023. That’s one of the security, privacy, and risk predictions aired by Forrester on Monday.
In the coming year, lawmakers will be paying increased attention to workplace monitoring, and whistleblowers may also be demanding monitoring information to support complaints about labor law violations, according to the predictions put together by 10 Forrester analysts.
The analysts advised companies to prioritize privacy rights and employee experience when implementing any monitoring technology, whether it is for productivity, return-to-office strategies, or insider risk management.
“People in the C-suite need to be cognizant of what they monitor and people’s privacy, and ideally, they’ll have a third-party audit behind them to make sure they’re compliant with applicable regulations,” observed Joey Stanford, head of global security and privacy for Platform.sh, a global platform as a service provider.
“We have a new generation of employees coming in that care about privacy rights,” he told TechNewsWorld.
Timothy Toohey, a privacy attorney with Greenberg Glusker in Los Angeles, agreed that violations of employee or customer privacy could bring an executive down in the future.
“In light of the Drizly decision by the FTC, executives are very much in the crosshairs,” he told TechNewsWorld. “If there’s a case where there’s been inadequate security, no security plan, or a prior breach that’s been ignored, I can see someone from the C-suite being put on the chopping block.”
In the Drizly case, the Federal Trade Commission announced in October that it would impose individual sanctions against the CEO of that alcohol delivery company for data privacy abuses, which allegedly resulted in the exposure of the personal information of about 2.5 million customers.
Security Teams Burned Out
Forrester also predicted a Global 500 firm will be exposed in 2023 for burning out its cybersecurity employees.
Security teams are already understaffed, the analysts noted. They cited a 2022 study that found that 66% of security team members experience significant stress at work, and 64% have had work stress impact their mental health.
They added that staff are expected to be available 24/7 through major incidents, stay on top of every risk, deliver results in limited timeframes, and face pushback when making budget requests.
“Today, every security team, including my own, is burned out,” Stanford said. “The reason we’re burned out is we don’t have enough funding. Why don’t we have enough funding? Because security is treated as a cost center.”
The increase in supply chain attacks and the need to monitor more third-party risk are contributing to burnout, too, added Brad Hibbert, COO and CSO of Prevalent, a third-party risk consulting company.
“Companies are trying to get more visibility across more third parties,” he told TechNewsWorld. “That means they have to assess more third parties. To do that, security teams need to do more work. We’re finding that teams are hitting a wall. They can’t scale their programs effectively and efficiently without burning out security teams.”
Resetting Expectations
Cybersecurity employee burnout is a real thing, observed Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.
“I’ve been in the cybersecurity world for over 34 years now, and during that time, I’ve had to counsel and mentor many people who were completely burned out in this field, mostly because what they were doing to stop cybercrime was not working and likely to never work,” he told TechNewsWorld.
“I’ve had mentees and friends quit the cybersecurity field to become artists, authors, and even work what might be otherwise seen as ‘menial labor’ because they at least felt their new jobs were making a difference in people’s lives,” he said.
“I get it. Who wants to be on a high-speed hamster wheel and never get ahead, never solve the problem you were hired to solve?” Grimes asked.
“I counsel cybersecurity professionals with burnout to get a police-like mentality for their work,” he continued. “Don’t think you’re ever going to completely solve the problem. Be like a beat cop who knows his city is full of crime, much of it they can’t stop, and it goes on all around them. But every cop puts their head down, does the best job they can, and if they put down the crime in front of them the best they can, then they’ve done a great job.”
“If you don’t want to burn out, reset your expectations, do the best job you can do within what you’re able to control and gauge your success on what you can impact,” he advised.
Ambitious Prediction
Another Forrester prediction: more than 50% of chief risk officers will report directly to their organization’s CEO.
In 2022, risk became the dominant theme at security conferences like Black Hat, the analysts noted. It has surpassed compliance as the primary driver for governance, risk, and compliance technology investment as the level of risk for enterprises has increased.
They also noted that the risk priorities of firms are moving from compliance toward resilience. Executives and boards are looking to CROs to help identify new business opportunities.
The ERM Initiative and AICPA’s 2022 study, The State of Risk Oversight, shows that 44% of firms have a CRO, with 47% of them reporting to the CEO, they added. To ensure ERM gets the necessary level of executive visibility and support, more CROs will report to CEOs in 2023, they noted.
Jason Hicks, field CISO and executive advisor at Coalfire, a provider of cybersecurity advisory services in Westminster, Colo., found Forrester’s 50% prediction a bit ambitious.
“Security and risk executives have been pushing for this change for years now with lackluster results,” he told TechNewsWorld. “Internal company politics is a pretty significant barrier on this one.”
“I’d expect to see more security executives reporting to the CEO, but not 50% in the next year,” he said. “I’d also broaden the titles to include CISO and CSO, as the CRO title is most prevalent in financial services and may not exist in other verticals as a standalone role.”
Getting Into the MDR Business
Forrester also predicted that at least three cyber insurance underwriters will acquire a managed detection and response (MDR) provider in 2023.
While insurance providers introduced more rigorous underwriting processes in 2022, raised premiums, and reduced coverage, blind spots still exist, the analysts explained.
They expect insurers to move aggressively into cybersecurity by acquiring MDR firms, many of which will be looking for an exit from a market that’s become very competitive.
Hicks agreed with Forrester’s prognosticators. “It’s a good way to add ARR [Absolute Risk Reduction] into their revenue mix,” he said.
“We’ve already seen Aon and others purchase incident response firms, so this is another synergistic investment for the insurers,” he continued. “It could also be a good way to manage staffing challenges, as many of the MDR firms also have incident response staff.”