Each organization is different, so a generic list of security priorities will not be applicable to every organization. Thus, you need to:
During 2022, ransomware campaigns declined from quarter to quarter due to the collapse of experienced groups. Several smaller groups are developing to recapture the lost ransomware market. However, ransomware is still the most worrying cyber threat.
Also in 2022, people returned to normal activities such as traveling and attending sports or music events, but not yet to the office. The reasons behind this trend are manifold: employees perceive that work from home (WFH) has positive productivity effects and offers time flexibility, especially for those with younger children. On the other side of the spectrum, some employers perceive that WFH has negative productivity effects and thus are urging employees to return to the office. However, employers also understand that the competition to retain skilled workers is harder. Thus, the trend is toward hybrid work, where eligible employees can WFH for a certain portion of their work week.
Besides ransomware and the hybrid work model, in 2022, we saw an evolving threat landscape, regulatory changes, and the potential for a recession by the end of 2023, which can impact how we prioritize cybersecurity this year. Furthermore, organizations are still facing the ongoing issues of insufficient cybersecurity resources and organization modernization.
This report will explore important security trends, the security priorities that stem from these trends, and how to customize these priorities for your organization.
In Q2 2022, the median ransom payment was $36,360 (-51% from Q1 2022), a continuation of a downward trend since Q4 2021 when the ransom payment median was $117,116.
Source: Coveware, 2022
From January until October 2022, hybrid work grew in almost all industries in Canada especially finance, insurance, real estate, rental and leasing (+14.7%), public administration and professional services (+11.8%), and scientific and technical services (+10.8%).
Source: Statistics Canada, Labour Force Survey, October 2022; N=3,701
Investment on remote work due to changes in processes and infrastructure
As part of our research process for the 2023 Security Priorities Report, we used the results from our State of Hybrid Work in IT Survey, which collected responses between July 10 and July 29, 2022 (total N=745, with n=518 completed surveys). This survey details what changes in processes and IT infrastructure are likely due to hybrid work.
Survey respondents (n=518) were asked what processes had the highest degree of change in response to supporting hybrid work. Incident management is the #1 result and service request support is #2. This is unsurprising considering that remote work changed how people communicate, how they access company assets, and how they connect to the company network and infrastructure.
For 2023, we believe that hybrid work will remain. The first driver is that employees still prefer to work remotely on certain days of the week. The second driver is the investment employers made in enabling WFH during the pandemic, such as updated network architecture (44%) and infrastructure and day-to-day operations (41%), as shown in our survey.
In the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, we asked about cybersecurity concerns and the perception about readiness to meet current and future government legislation regarding cybersecurity requirements.
Survey respondents were asked how concerned they are about certain cybersecurity issues, from 1 (not concerned at all) to 5 (very concerned). The #1 concern was talent shortages. Other issues rated at similar levels of concern included cyber risks not on leadership's radar, supply chain risks, and new regulations (n=507).
When asked about how confident organizations are about being prepared to meet current and future government legislation regarding cybersecurity requirements, from 1 (not confident at all) to 5 (very confident), the #1 response was 3 (n=499).
Unsurprisingly, the ever-changing government legislation environment in a world emerging from a pandemic and ongoing wars may not give us the highest confidence.
As part of our research process for the 2023 Security Priorities Report, we reviewed results of completed Info-Tech Research Group Security Governance and Management Benchmark diagnostics (N=912). This report details what we see in our clients' security governance maturity. Setting aside the perception on readiness – what are their actual security maturity levels?
Overall, assessed organizations are still scoring low (47%) on Security Culture and Policy and Process Governance. This explains why most security incidents are still due to gaps in foundational security and security awareness, not a lack of advanced controls such as event and incident management (58%).
As part of our research process for the 2023 Security Priorities Report, we reviewed the results of the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, which collected responses between August 9 and September 9, 2022 (total N=813 with n=521 completed surveys).
Keeping the same spending is the #1 result and #2 is increasing spending up to 10%. This is a surprising finding considering the survey was conducted after the middle of 2022 and a recession has been predicted since early 2022 (n=489).
Source: Statista, 2022, CC BY-ND (US recession forecast)
Contingency planning for recessions normally includes tight budgeting; however, it can also include opportunities for growth, such as hiring talent who have been laid off by competitors and are difficult to acquire in normal conditions. This can support our previous findings on increasing cybersecurity spending.
If anything can be learned from the COVID-19 pandemic, it is that humans are resilient. We swiftly changed to remote workplaces and adjusted people, processes, and technologies accordingly. We had some hiccups along the way, but overall, we demonstrated that our ability to adjust is remarkable.
The pandemic changed how people work and how and where they choose to work, and most people still want a hybrid work model. However, the number of days for hybrid work itself varies. For example, from our survey in July 2022 (n=516), 55.8% of employees have the option of 2-3 days per week to work offsite, 21.0% for 1 day per week, and 17.8% for 4 days per week.
Furthermore, the investment (e.g. on infrastructure and networks) to initiate remote work was huge, and the cost doesn't end there, as we need to maintain the secure remote work infrastructure to facilitate the hybrid work model.
Remote work: A 2022 survey by WFH Research (N=16,451) reports that ~14% of full-time employees are fully remote and ~29% are in a hybrid arrangement as of Summer-Fall 2022.
Security workforce shortage: A 2022 survey by Bridewell (N=521) reports that 68% of leaders say it has become harder to recruit the right people, impacting organizational ability to secure and monitor systems.
Confidence in the security practice: A 2022 diagnostic survey by Info-Tech Research Group (N=55) reports that importance may not correspond to confidence; for example, the most important selected cybersecurity area, namely Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice (80.5%).
Source: National Bureau of Economic Research, 2021
As part of our research process for the 2023 Security Priorities Report, we analyzed results from the Info-Tech Research Group diagnostics. This report details what we see in our clients' perceived importance of security and their confidence in existing security practices.
Diagnostics respondents (N=55) were asked about how important security is to their organization or department. Importance to the overall organization is 2.1 percentage points (pp) higher, but confidence in the organization's overall security is slightly lower (-0.4 pp).
If we break down to security areas, we can see that the most important area, Data Access/Integrity (93.7%), surprisingly has the lowest confidence of the practice: 80.5%. From this data we can conclude that leaders must build a strong cybersecurity workforce to increase confidence in the security practice.
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Review your security strategy for hybrid work.
Determine the skill needs of your security strategy.
Identify skills gaps that hinder the successful execution of the hybrid work security strategy.
Use the identified skill gaps to define the technical skill requirements for work roles.
Conduct a skills assessment on your current workforce to identify employee skill gaps.
Decide whether to train, hire, contract, or outsource each skill gap.
Source: Close the InfoSec Skills Gap: Develop a Technical Skills Sourcing Plan, Info-Tech
From computerized milk-handling systems on Wisconsin farms, to automated railway systems in Europe, to Ausgrid's Distribution Network Management System (DNMS) in Australia, to smart cities and beyond, system modernization poses unique challenges to cybersecurity.
The threats can be to safety, such as the trains stopped in Denmark for several hours during the last weekend of October 2022 due to an attack on a third-party IT service provider; to economics, such as the cream cheese production shutdown that occurred at the peak of cream cheese demand in October 2021 after hackers compromised a large cheese manufacturer's plants and distribution centers; and to reliability, such as the significant loss of communication for the Ukrainian military, which relied on Viasat's services.
Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits.
IIoT market size is USD 323.62 billion in 2022 and projected to be around USD 1 trillion in 2028.
Source: Statista, March 2022
Target | Method | Impact |
---|---|---|
Australian sewage plant | Insider attack | 265,000 gallons of untreated sewage released |
Middle East energy companies | Shamoon | Overwritten Windows-based system files |
German steel mill | Spear-phishing | Blast furnace control shutdown failure |
Middle East Safety Instrumented System (SIS) | TRISIS/TRITON | Modified safety system ladder logic |
Viasat's KA-SAT network | AcidRain | Significant loss of communication for the Ukrainian military, which relied on Viasat's services |
Marconi wireless telegraph presentation | Morse code | Fake message sent: "Rats, rats, rats, rats. There was a young fellow of Italy, Who diddled the public quite prettily." |
Iranian uranium enrichment plant | Stuxnet | Compromised programmable logic controllers (PLCs) |
ICS supply chain | Havex | Remote Access Trojan (RAT) collected information and uploaded data to command-and-control (C&C) servers |
Ukraine power grid | BlackEnergy | Manipulation of HMI view causing 1-6 hour power outages for 230,000 consumers |
Colonial Pipeline | DarkSide ransomware | Compromised billing infrastructure halted pipeline operation |
Sources:
Most OT incidents start with attacks against IT networks and then move laterally into the OT environment. Therefore, converging IT and OT security will help protect the entire organization.
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Identify the drivers to align with your organization's business objectives.
Build your case by leveraging a cost-benefit analysis, and update your security strategy.
Identify people, process, and technology gaps that hinder the modernization security strategy.
Use the identified skill gaps to update risks, policies and procedures, IR, DR, and BCP.
Evaluate and enable modernization technology top focus areas and refine security processes.
Decide whether to train, hire, contract, or outsource to fill the security workforce gap.
Sources:
Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech
Secure IT-OT Convergence, Info-Tech
Identify a modernization business case for security.
Benefits | Metrics |
---|---|
Operational Efficiency and Cost Savings | |
Improve Reliability and Resilience | |
Energy & Capacity Savings | |
Customers & Society Benefits | |
Cost | Metrics |
---|---|
Equipment and Infrastructure | Upgrade existing security equipment or instrumentation or deploy new, e.g. IPS on Enterprise DMZ and Operations DMZ. Implement communication network equipment and labor to install and configure. Upgrade or construct server room including cooling/heating, power backup, and server and rack hardware. |
Software and Commission | The SCADA/HMI software and maintenance fee as well as lifecycle upgrade implementation project cost. Labor cost of field commissioning and troubleshooting. Integration with security systems, e.g. log management and continuous monitoring. |
Support and Resources | Cost to hire/outsource security FTEs for ongoing managing and operating security devices, e.g. SOC. Cost to hire/outsource IT/OT FTEs to support and troubleshoot systems and its integrations with security systems, e.g. MSSP. |
An example of a cost-benefit analysis for ICS modernization
Sources:
Industrial Control System (ICS) Modernization: Unlock the Value of Automation in Utilities, Info-Tech
Lawrence Berkeley National Laboratory, 2021
(Control System Defense: Know the Opponent, CISA)
An example of a high-level architecture of an electric utility's control system and its interaction with IT systems.
Source: ISA-99, 2007
Government-enacted regulatory changes are occurring at an ever-increasing rate these days. As one example, on November 10, 2022, the EU Parliament introduced two EU cybersecurity laws: the Network and Information Security (NIS2) Directive (applicable to organizations located within the EU and organizations outside the EU that are essential within an EU country) and the Digital Operational Resilience Act (DORA). There are also industry regulatory changes such as PCI DSS v4.0 for the payment sector and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) for Bulk Electric Systems (BES).
Organizations should use regulatory changes as a means to improve security practices, instead of treating them as a compliance burden. As said by lead member of EU Parliament Bart Groothuis on NIS2, "This European directive is going to help around 160,000 entities tighten their grip on security […] It will also enable information sharing with the private sector and partners around the world. If we are being attacked on an industrial scale, we need to respond on an industrial scale."
Stricter requirements and reporting: Regulations such as NIS2 include provisions for incident response, supply chain security, encryption, and vulnerability disclosure, and set tighter obligations for cybersecurity risk management and reporting.
Broader sectors: For example, the original NIS directive covers 19 sectors such as Healthcare, Digital Infrastructure, Transport, and Energy. Meanwhile, the new NIS2 directive increases to 35 sectors by adding other sectors such as providers of public electronic communications networks or services, manufacturing of certain critical products (e.g. pharmaceuticals), food, and digital services.
High sanctions for violations: For example, Digital Services Act (DSA) includes fines of up to 6% of global turnover and a ban on operating in the EU single market in case of repeated serious breaches.
Approximately 100 cross-border data flow regulations exist in 2022.
Source: McKinsey, 2022
64 new requirements were added.
13 new requirements become effective March 31, 2024.
11 new requirements apply only to service providers.
Defined roles must be assigned for requirements.
Focus on periodically assessing and documenting scope.
Entities may choose a defined approach or a customized approach to requirements.
An example of new requirements for PCI DSS v4.0
Source: Prepare for PCI DSS v4.0, Info-Tech
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
Description must include what the organization will undertake to complete the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Related Info-Tech Research:
Identify relevant security and privacy obligations and conformance levels.
Identify gaps for updated obligations, and map obligations into control framework.
Review, update, and implement policies and strategy.
Develop compliance exception process.
Develop test scripts to check your remediations to ensure they are effective.
Track and report status and exceptions.
Sources: Build a Security Compliance Program and Prepare for PCI DSS v4.0, Info-Tech
# | Security | Jurisdiction |
---|---|---|
1 | Network and Information Security (NIS2) Directive | European Union (EU) and organizations outside the EU that are essential within an EU country |
2 | North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) | North American electrical utilities |
3 | Executive Order (EO) 14028: Improving the Nation's Cybersecurity, The White House, 2021 | United States |
# | Privacy | Jurisdiction |
---|---|---|
1 | General Data Protection Regulation (GDPR) | EU and EU citizens |
2 | Personal Information Protection and Electronic Documents Act (PIPEDA) | Canada |
3 | California Consumer Privacy Act (CCPA) | California, USA |
4 | Personal Information Protection Law of the People’s Republic of China (PIPL) | China |
An example of security and privacy compliance obligations
The cat and mouse game between threat actors and defenders continues. The looming question "can defenders do better?" has been answered with the rapid development of technology. This includes AI/ML-based automation of threat analysis (signature-based, specification-based, anomaly-based, flow-based, content-based, sandboxing), not only in IT but also in other relevant environments, e.g. IoT, IIoT, and OT.
More fundamental approaches such as post-quantum cryptography and zero trust (ZT) are also emerging.
ZT is a principle, a model, and also an architecture focused on resource protection by always verifying transactions using the least privilege principle. Hopefully in 2023, ZT will be more practical and not just a vendor marketing buzzword.
Next-gen cybersecurity technologies alone are not a silver bullet. A combination of skilled talent, useful data, and best practices will give a competitive advantage. The key concepts are explainable, transparent, and trustworthy. Furthermore, regulation often faces challenges to keep up with next-gen cybersecurity technologies, especially with the implications and risks of adoption, which may not always be explicit.
ZT: Performing an accurate assessment of readiness and benefits to adopt ZT can be difficult due to ZT's many components. Thus, an organization needs to develop a ZT roadmap that aligns with organizational goals and focuses on access to data, assets, applications, and services; don't select solutions or vendors too early.
Post-quantum cryptography: Current cryptographic applications, such as RSA for PKI, rely on the hardness of integer factorization. However, algorithms such as Shor's offer a quantum speedup for factorization, which can break current crypto once sufficiently large quantum computers are available. Thus, threat actors can intercept currently encrypted information and store it to decrypt in the future.
AI-based threat management: AI analyzes and correlates data extremely fast compared to humans. Millions of telemetry records, malware samples, raw events, and vulnerability data feed into the AI system, far more than humans can process manually. Furthermore, AI does not tire when processing this big data, which avoids human error and negligence.
Data breach mitigation cost without AI: USD 6.20 million; and with AI: USD 3.15 million
Source: IBM, 2022
Too many false alarms and too many events to process. Evolving threat landscapes waste your analysts' valuable time on mundane tasks, such as evidence collection. Meanwhile, only limited time is spared for decisions and conclusions, which results in the fear of missing an incident and alert fatigue.
To report progress, clear metrics are needed. However, cybersecurity still lacks in this area as the system itself is complex and some systems work in silos. Furthermore, lessons learned are not yet distilled into insights for improving future accuracy.
System integration is required to create consistent workflows across the organization and to ensure complete visibility of the threat landscape, risks, and assets. Also, the convergence of OT, IoT, and IT enhances this challenge.
Source: IBM Security Intelligence, 2020
Risk scores are generated by machine learning based on variables such as behavioral patterns and geolocation. Zero trust architecture is combined with machine learning. Asset management leverages visibility using machine learning. Comply with regulations by improving discovery, classification, and protection of data using machine learning. Data security and data privacy services use machine learning for data discovery.
AI, advanced machine learning, and static approaches, such as code file analysis, combine to automatically detect and analyze threats and prevent threats from spreading, assisted by threat intelligence.
AI helps in orchestrating security technologies for organizations to reduce the number of security agents installed, which may not talk to each other or, worse, may conflict with each other.
AI continuously tunes itself based on lessons learned, such as creating security policies to improve future accuracy. AI also does not fatigue, and it assists humans in a faster recovery.
AI has been around since the 1940s, but why is it only gaining traction now? Because supporting technologies are only now available, including faster GPUs for complex computations and cheaper storage for massive volumes of data.
Use this template to explain the priorities you need your stakeholders to know about.
Description must include what the organization will undertake to complete the initiative.
List initiative drivers.
List initiative risks and impacts.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Identify the stakeholders who will be affected by the next-gen cybersecurity technologies implementation and define responsibilities based on skillsets and the degree of support.
Adopt well-established data governance practices for cross-functional teams.
Conduct a maturity assessment of key processes and highlight interdependencies.
Develop a baseline and periodically review risks, policies and procedures, and business plan.
Develop a roadmap and deploy next-gen cybersecurity architecture and controls step by step, working with trusted technology partners.
Monitor metrics on effectiveness and efficiency.
Source: Leverage AI in Threat Management (keynote presentation), Info-Tech
Software is usually produced as part of a supply chain instead of in silos. A vulnerability in any part of the supply chain can become a threat surface. We have learned this from recent incidents such as Log4j, SolarWinds, and Kaseya where attackers compromised a Virtual System Administrator tool used by managed service providers to attack around 1,500 organizations.
DevSecOps is a culture and philosophy that unifies development, security, and operations to answer this challenge. DevSecOps shifts security left by automating, as much as possible, development and testing. DevSecOps provides many benefits such as rapid development of secure software and assurance that, prior to formal release and delivery, tests are reliably performed and passed.
DevSecOps practices can apply to IT, OT, IoT, and other technology environments, for example, by integrating a Secure Software Development Framework (SSDF).
Secure Software Supply Chain: Logging is a fundamental feature of most software, and the use of software components, especially open source, is largely based on trust. From the Log4j incident we learned that more could be done to improve the supply chain by adopting ZT to identify related components and data flows between systems and to apply the least privilege principle.
DevSecOps: A software error wiped out wireless services for thousands of Rogers customers across Canada in 2021. Emergency services were also impacted, even though outgoing 911 calls were always accessible. Losing such services could have been avoided, if tests were reliably performed and passed prior to release.
OT insecure-by-design: In OT, insecurity-by-design is still the norm, which causes many vulnerabilities such as insecure protocol implementations, weak authentication schemes, or insecure firmware updates. Additional challenges are the lack of CVEs or CVE duplication, the lack of a Software Bill of Materials (SBOM), and product supply chain issues such as vulnerable products that are certified because of scoping limitations and an emphasis on functional testing.
Technical causes of cybersecurity incidents in EU critical service providers in 2019-2021 include software bugs (12%) and faulty software changes/updates (9%).
Source: CIRAS Incident reporting, ENISA (N=1,239)
Best Practices | 30 Years Ago | 15 Years Ago | Present Day |
---|---|---|---|
Lifecycle | Years or Months | Months or Weeks | Weeks or Days |
Development Process | Waterfall | Agile | DevSecOps |
Architecture | Monolithic | N-Tier | Microservices |
Deployment & Packaging | Physical | Virtual | Container |
Hosting Infrastructure | Server | Data Center | Cloud |
Cybersecurity Posture | Firewall | + SIEM | + Zero Trust |
Best practices in software development are evolving, as shown in the table above. For example, 30 years ago the lifecycle was "Years or Months," while in the present day it is "Weeks or Days."
These changes also impact security such as the software architecture, which is no longer "Monolithic" but "Microservices" normally built within the supply chain.
The software supply chain has known integrity attacks that can happen at each link of it: starting from bad code submitted by a developer, to a compromised source control platform (e.g. the PHP git server compromise), to a compromised build platform (e.g. malicious behavior injected into the SolarWinds build), to a compromised package repository where users are deceived into using a bad package by the similarity between the malicious and the original package name.
Therefore, we must secure each link in the chain so that attackers cannot simply go after the weakest one.
Guide for Developers | Guide for Suppliers | Guide for Customers |
---|---|---|
Secure product criteria and management, develop secure code, verify third-party components, harden build environment, and deliver code. | Define criteria for software security checks, protect software, produce well-secured software, and respond to vulnerabilities. | Secure procurement and acquisition, secure deployment, and secure software operations. |
Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022
"Most software today relies on one or more third-party components, yet organizations often have little or no visibility into and understanding of how these software components are developed, integrated, and deployed, as well as the practices used to ensure the components' security."
Source: NIST – NCCoE, 2022
Use this template to explain the priorities you need your stakeholders to know about.
Provide a brief value statement for the initiative.
Description must include what the organization will undertake to complete the initiative.
List initiative drivers.
List initiative risks and impacts.
Only a few developers and suppliers explicitly address software security in detail.
Time pressure to deliver functionality over security.
Lack of security awareness and lack of trained workforce.
List initiative benefits and align to business benefits or benefits for the stakeholder groups that it impacts.
Customers (acquiring organizations) achieve secure acquisition, deployment, and operation of software.
Developers and suppliers provide software security with minimal vulnerabilities in its releases.
Automated processes such as automated testing avoid error-prone and labor-intensive manual test cases.
Define and keep security requirements and risk assessments up to date.
Perform analysis on current market and supplier solutions and acquire security evaluation.
Require visibility into the provenance of the product, and require suppliers' self-attestation of security hygiene.
Verify distribution infrastructure, product and individual components integrity, and SBOM.
Save and store the tests and test environment, and review and verify the self-attestation mechanism.
Use multi-layered defenses, e.g. ZT for integration and control configuration.
Train users on how to detect and report anomalies and when to apply updates to a system.
Ensure updates from authorized and authenticated sources and verify the integrity of the updated SBOM.
Apply supply chain risk management (SCRM) operations.
Source: "Securing the Software Supply Chain" series, Enduring Security Framework (ESF), 2022
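As an added example (not from the report or the ESF guides), the following Python shows what the customer-side steps above could look like in practice: verifying that an update's SBOM comes from an authenticated source, then checking every delivered component's integrity against it, which also surfaces the link-by-link substitution and lookalike-package attacks described in the supply chain discussion. The supplier key, the minimal CycloneDX-like SBOM shape, and the component bytes are constructed, and the HMAC tag stands in for a real signature (e.g. a Sigstore or vendor-signed attestation).

```python
"""Verify a software update against its SBOM (added example, constructed data)."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed: pre-shared key a supplier would use to authenticate its SBOM.
# A real deployment would verify a signature with the supplier's public key.
SUPPLIER_KEY = b"example-supplier-key-not-a-real-secret"

# Constructed: the artifacts a hypothetical update bundle delivers.
DELIVERED = {
    "libparse-1.4.2.tar.gz": b"parser sources v1.4.2\n",
    "netcore-2.0.0.whl": b"network core wheel\n",
    "logutil-3.1.0.jar": b"logging helper jar\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(components: dict[str, bytes]) -> bytes:
    """Supplier side: minimal CycloneDX-like SBOM listing each component's SHA-256."""
    doc = {
        "bomFormat": "CycloneDX",
        "components": [
            {"name": name, "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}]}
            for name, data in sorted(components.items())
        ],
    }
    return json.dumps(doc, sort_keys=True).encode()


def sign_sbom(sbom: bytes, key: bytes) -> str:
    """Supplier side: authentication tag over the exact SBOM bytes."""
    return hmac.new(key, sbom, hashlib.sha256).hexdigest()


def verify_update(sbom: bytes, tag: str, delivered: dict[str, bytes], key: bytes) -> list[str]:
    """Customer side: return a list of findings; an empty list means the update passes."""
    findings: list[str] = []
    # 1. Authenticate the SBOM before trusting anything inside it.
    if not hmac.compare_digest(sign_sbom(sbom, key), tag):
        return ["SBOM authentication failed: do not trust its contents"]
    # 2. Collect the expected hash per listed component.
    expected: dict[str, str] = {}
    for comp in json.loads(sbom)["components"]:
        digest = next((h["content"] for h in comp.get("hashes", []) if h.get("alg") == "SHA-256"), None)
        if digest is None:
            findings.append(f"{comp['name']}: SBOM entry has no SHA-256 hash")
        else:
            expected[comp["name"]] = digest
    # 3. Every delivered artifact must be listed and must hash to the listed value.
    for name, data in delivered.items():
        if name not in expected:
            findings.append(f"{name}: delivered but not in SBOM (unexpected component)")
        elif sha256_hex(data) != expected[name]:
            findings.append(f"{name}: hash mismatch (tampered or wrong build)")
    # 4. Nothing the SBOM promises may be silently dropped.
    for name in expected:
        if name not in delivered:
            findings.append(f"{name}: listed in SBOM but missing from delivery")
    return findings


def demo() -> dict[str, list[str]]:
    """Run the check over a clean bundle and three constructed failure scenarios."""
    sbom = build_sbom(DELIVERED)
    tag = sign_sbom(sbom, SUPPLIER_KEY)
    tampered = dict(DELIVERED, **{"netcore-2.0.0.whl": b"modified build output\n"})
    lookalike = {k: v for k, v in DELIVERED.items() if k != "logutil-3.1.0.jar"}
    lookalike["logutils-3.1.0.jar"] = b"similar name, different package\n"
    return {
        "clean": verify_update(sbom, tag, DELIVERED, SUPPLIER_KEY),
        "forged_sbom_tag": verify_update(sbom, "00" * 32, DELIVERED, SUPPLIER_KEY),
        "tampered_component": verify_update(sbom, tag, tampered, SUPPLIER_KEY),
        "lookalike_package": verify_update(sbom, tag, lookalike, SUPPLIER_KEY),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, "->", findings or "PASS")
```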
Aksoy, Cevat Giray, Jose Maria Barrero, Nicholas Bloom, Steven J. Davis, Mathias Dolls, and Pablo Zarate. "Working from Home Around the World." Brookings Papers on Economic Activity, 2022.
Barrero, Jose Maria, Nicholas Bloom, and Steven J. Davis. "Why working from home will stick." WFH Research, National Bureau of Economic Research, Working Paper 28731, 2021.
Boehm, Jim, Dennis Dias, Charlie Lewis, Kathleen Li, and Daniel Wallance. "Cybersecurity trends: Looking over the horizon." McKinsey & Company, March 2022. Accessed 31 Oct. 2022.
"China: TC260 issues list of national standards supporting implementation of PIPL." OneTrust, 8 Nov. 2022. Accessed 17 Nov. 2022.
Chmielewski, Stéphane. "What is the potential of artificial intelligence to improve cybersecurity posture?" before.ai blog, 7 Aug. 2022. Accessed 15 Aug. 2022.
Conerly, Bill. "The Recession Will Begin Late 2023 Or Early 2024." Forbes, 1 Nov. 2022. Accessed 8 Nov. 2022.
"Control System Defense: Know the Opponent." CISA, 22 Sep. 2022. Accessed 17 Nov. 2022.
"Cost of a Data Breach Report 2022." IBM, 2022.
"Cybersecurity: Parliament adopts new law to strengthen EU-wide resilience." European Parliament News, 10 Nov. 2022. Press Release.
"Cyber Security in Critical National Infrastructure Organisations: 2022." Bridewell, 2022. Accessed 7 Nov. 2022.
Davis, Steven. "The Big Shift to Working from Home." NBER Macro Annual Session on "The Future of Work," 1 April 2022.
"Digital Services Act: EU's landmark rules for online platforms enter into force." EU Commission, 16 Nov. 2022. Accessed 16 Nov. 2022.
"DoD Enterprise DevSecOps Fundamentals." DoD CIO, 12 May 2022. Accessed 21 Nov. 2022.
Elkin, Elizabeth, and Deena Shanker. "That Cream Cheese Shortage You Heard About? Cyberattacks Played a Part." Bloomberg, 9 Dec. 2021. Accessed 27 Oct. 2022.
Evan, Pete. "What happened at Rogers? Day-long outage is over, but questions remain." CBC News, 21 April 2022. Accessed 15 Nov. 2022.
"Fewer Ransomware Victims Pay, as Median Ransom Falls in Q2 2022." Coveware, 28 July 2022. Accessed 18 Nov. 2022.
"Fighting cybercrime: new EU cybersecurity laws explained." EU Commission, 10 Nov. 2022. Accessed 16 Nov. 2022.
"Guide to PCI compliance cost." Vanta. Accessed 18 Nov. 2022.
Hammond, Susannah, and Mike Cowan. "Cost of Compliance 2022: Competing priorities." Thomson Reuters, 2022. Accessed 18 Nov. 2022.
Hemsley, Kevin, and Ronald Fisher. "History of Industrial Control System Cyber Incidents." Department of Energy (DOE), 2018. Accessed 29 Aug. 2022.
Hofmann, Sarah. "What Is The NIS2 And How Will It Impact Your Organisation?" CyberPilot, 5 Aug. 2022. Accessed 16 Nov. 2022.
"Incident reporting." CIRAS Incident Reporting, ENISA. Accessed 21 Nov. 2022.
"Introducing SLSA, an End-to-End Framework for Supply Chain Integrity." Google, 16 June 2021. Accessed 25 Nov. 2022.
Kovacs, Eduard. "Trains Vulnerable to Hacker Attacks: Researchers." SecurityWeek, 29 Dec. 2015. Accessed 15 Nov. 2022.
"Labour Force Survey, October 2022." Statistics Canada, 4 Nov. 2022. Accessed 7 Nov. 2022.
Malacco, Victor. "Promises and potential of automated milking systems." Michigan State University Extension, 28 Feb. 2022. Accessed 15 Nov. 2022.
Maxim, Merritt, et al. "Planning Guide 2023: Security & Risk." Forrester, 23 Aug. 2022. Accessed 31 Oct. 2022.
"National Cyber Threat Assessment 2023-2024." Canadian Centre for Cyber Security, 2022. Accessed 18 Nov. 2022.
Nicaise, Vincent. "EU NIS2 Directive: what's changing?" Stormshield, 20 Oct. 2022. Accessed 17 Nov. 2022.
O'Neill, Patrick. "Russia hacked an American satellite company one hour before the Ukraine invasion." MIT Technology Review, 10 May 2022. Accessed 26 Aug. 2022.
"OT ICEFALL: The legacy of 'insecure by design' and its implications for certifications and risk management." Forescout, 2022. Accessed 21 Nov. 2022.
Palmer, Danny. "Your cybersecurity staff are burned out - and many have thought about quitting." ZDNet, 8 Aug. 2022. Accessed 19 Aug. 2022.
Placek, Martin. "Industrial Internet of Things (IIoT) market size worldwide from 2020 to 2028 (in billion U.S. dollars)." Statista, 14 March 2022. Accessed 15 Nov. 2022.
"Revised Proposal Attachment 5.13.N.1 ADMS Business Case PUBLIC." Ausgrid, Jan. 2019. Accessed 15 Nov. 2022.
Richter, Felix. "Cloudy With a Chance of Recession." Statista, 6 April 2022.
"Securing the Software Supply Chain: Recommended Practices Guide for Developers." Enduring Security Framework (ESF), Aug. 2022. Accessed 22 Sep. 2022.
"Securing the Software Supply Chain: Recommended Practices Guide for Suppliers." Enduring Security Framework (ESF), Sep. 2022. Accessed 21 Nov. 2022.
"Securing the Software Supply Chain: Recommended Practices Guide for Customers." Enduring Security Framework (ESF), Oct. 2022. Accessed 21 Nov. 2022.
"Security Guidelines for the Electricity Sector: Control System Electronic Connectivity." North American Electric Reliability Corporation (NERC), 28 Oct. 2013. Accessed 25 Nov. 2022.
Shepel, Jan. "Schreiber Foods hit with cyberattack; plants closed." Wisconsin State Farmer, 26 Oct. 2022. Accessed 15 Nov. 2022.
"Significant Cyber Incidents." Center for Strategic and International Studies (CSIS). Accessed 1 Sep. 2022.
Souppaya, Murugiah, Michael Ogata, Paul Watrobski, and Karen Scarfone. "Software Supply Chain and DevOps Security Practices: Implementing a Risk-Based Approach to DevSecOps." NIST - National Cybersecurity Center of Excellence (NCCoE), Nov. 2022. Accessed 22 Nov. 2022.
"Ten Things Will Change Cybersecurity in 2023." SOCRadar, 23 Sep. 2022. Accessed 31 Oct. 2022.
"The Nature of Cybersecurity Defense: Pentagon To Reveal Updated Zero-Trust Cybersecurity Strategy & Guidelines." Cybersecurity Insiders. Accessed 21 Nov. 2022.
"What Is Threat Management? Common Challenges and Best Practices." IBM Security Intelligence, 2020.
Violino, Bob. "5 key considerations for your 2023 cybersecurity budget planning." CSO Online, 14 July 2022. Accessed 27 Oct. 2022.
Woolf, Tim, et al. "Benefit-Cost Analysis for Utility-Facing Grid Modernization Investments: Trends, Challenges, and Considerations." Lawrence Berkeley National Laboratory, Feb. 2021. Accessed 15 Nov. 2022.
Andrew Reese, Cybersecurity Practice Lead, Zones
Ashok Rutthan, Chief Information Security Officer (CISO), Massmart
Chris Weedall, Chief Information Security Officer (CISO), Cheshire East Council
Jeff Kramer, EVP Digital Transformation and Cybersecurity, Aprio
Kris Arthur, Chief Information Security Officer (CISO), SEKO Logistics
Mike Toland, Chief Information Security Officer (CISO), Mutual Benefit Group