
Security Prediction: Radical Data Breach Transparency in 2023

[Image: graph showing data perimeters in AWS]

Throughout 2022, we’ve seen vast changes to the cybersecurity landscape, and many of our predictions from a year ago have come to fruition. Claude Mandy, Chief Evangelist for Data Security at Symmetry Systems, recently joined Sounil Yu from JupiterOne, Fernando Montenegro from Omdia, and Kelly Shortridge from Fastly in debating where they think cybersecurity is going in 2023. Top predictions included:

Claude Mandy’s top prediction was that there will be a radical movement towards transparency from the CISO in regards to breaches. With the added pressure to be quicker and more precise about data breaches, CISOs will be put between a rock and a hard place to ensure they are as transparent about data breaches as quickly as possible when they occur. What does this mean for CISOs in 2023?

2022 Breaches Will Necessitate 2023 Transparency

After seeing headlines in previous years about terrifying software supply chain vulnerabilities from enterprise sources like SolarWinds and open-source software like Log4j, 2022 headlines were filled with news stories very different in nature: Uber, Twitter, Twilio, Doordash, the list goes on.

In late 2022, the former Uber CISO was convicted of federal charges for covering up a data breach. Security leaders took note that this is what NOT to do: hiding or misrepresenting a breach can lead to felony charges. In the case of the Twitter whistleblower, an employee shed light on how the social media giant could cause “real harm to real people” and stated that executives were misleading the public, regulators, and the company’s own board about its broken defenses against hackers. Yikes. With blunders like this taking shape and putting pressure on the CISO, Claude Mandy predicts that in 2023, CISOs will be radically transparent about data breaches as they occur.

Why Transparency Matters

Kelly Shortridge sees this stance as “radical accountability.” This will require organizations to tie security programs to security success. She continues by saying, “Maybe this is going to be a good forcing function to finally, as the kids say, get good at stuff.”

When you’re telling people that these incidents are happening a lot more frequently than we currently suspect, there’s pressure to be a lot more detailed in your analysis of how each one happened. That level of detail can only improve security as a whole, and it is also what leads to this “accountability.”

Safety vs. Security

There’s also a good point made by Sounil Yu about the difference between safety and security. When it comes to security breaches and having radical transparency around them, there is in some cases a national-level interest in not sharing the details. Safety incidents are different: they should always be shared. We should always be transparent when it comes to safety.

It Takes an Army

From Claude Mandy’s perspective, organizations have historically only disclosed breaches above a certain level of severity, but in 2023 he predicts that CISOs will be upfront about breaches, regardless of size or damage. Claude Mandy continues by making a point about there being strength in numbers, so it’s not just the one company that steps out to say “I had a data breach.” We actually need all organizations to be open and transparent, and that’s the radical part about it. The industry as a whole needs to take the same stance of “we’re going to be transparent about data breaches” to really make an impact.

The Downstream Effect of Being Transparent

This radical transparency is a double-edged sword, and there will be some repercussions of being transparent about breaches in 2023.

Cyber insurance

Being more transparent can have implications for cyber insurance. If you’re more open about what happened, how it happened, and how often it happens, that’s going to have interesting implications for how cyber insurers assess and price risk.

Lawsuits

If organizations are more open and honest about breaches, to what extent are they opening themselves up to liability? Will there be reputational damage and frivolous lawsuits coming your way if you are open and honest about breaches taking place?

“Good Guys” Mythos

Security is typically positioned as the “good guys” and attackers as the “bad guys.” But what if this shift to radical transparency changes the way security is seen? Security might come to be seen as not being there to protect you as the user, but to protect the company. With that mindset, we wouldn’t be able to call security professionals the good guys anymore. Kelly Shortridge proposed that there will be a reckoning with some of the terms and mythos that we create about ourselves as security professionals.

What else does the future have in store for cloud security? Watch or read the transcript of this debate amongst security leaders to learn more!