

Security Priorities 2023

Secure your organization post pandemic.

  • Most people still want a hybrid work model, but there is a shortage in the security workforce needed to maintain secure remote work, which impacts confidence in the security practice.
  • Pressure of operational excellence drives organizational modernization with the consequence of higher risks of security attacks that impact not only cyber but also physical systems.
  • The number of regulations with stricter requirements and reporting is increasing, along with high sanctions for violations.
  • Accurately assessing readiness for, and the benefits of, adopting next-gen cybersecurity technologies can be difficult. Additionally, regulation often struggles to keep up with the implications of next-gen cybersecurity technologies and the risks of adoption, which may not always be explicit.
  • Software is usually produced as part of a supply chain instead of in a silo. Thus, a vulnerability in any part of the supply chain can become a threat surface.

Our Advice

Critical Insight

  • Secure remote work still needs to be maintained to facilitate the hybrid work model post pandemic.
  • Despite all the cybersecurity risks, organizations continue modernization plans due to the long-term overall benefits. Hence, we need to secure organization modernization.
  • Organizations should use regulatory changes to improve security practices, instead of treating them as a compliance burden.
  • Next-gen cybersecurity technologies alone are not a silver bullet. A combination of technologies with skilled talent, useful data, and best practices will give a competitive advantage.

Impact and Result

  • Use this report to help decide your 2023 security priorities by:
    • Collecting and analyzing your own related data, such as your organization's 2022 incident reports. Use Info-Tech’s Security Priorities 2023 material for guidance.
    • Identifying your needs and analyzing your capabilities. Use Info-Tech's template to explain the priorities you need to your stakeholders.
    • Determining the next steps. Refer to Info-Tech's recommendations and related research.

Security Priorities 2023 Research & Tools

1. Security Priorities 2023 Report – A report to help decide your 2023 security priorities.

Each organization is different, so a generic list of security priorities will not be applicable to every organization. Thus, you need to:

  • Collect and analyze your own related data, such as your organization's 2022 incident reports. Use Info-Tech’s Security Priorities 2023 material for guidance.
  • Identify your needs and analyze your capabilities. Use Info-Tech's template to explain the priorities you need to your stakeholders.
  • Refer to Info-Tech's recommendations and related research for guidance on the next steps.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 9.0/10

Average $ Saved: $909

Average Days Saved: 1

Client: ABF Holdings limited; Experience: Guided Implementation; Impact: 9/10; $ Saved: N/A; Days Saved: 1

Well structured and put together. Focused both on technology and people/process. It helped reinforce the plans we already have and led us into ot...


Security Priorities 2023

How we live post pandemic

Each organization is different, so a generic list of priorities will not be applicable to every organization.

During 2022, ransomware campaigns declined from quarter to quarter due to the collapse of experienced groups. Several smaller groups are developing to recapture the lost ransomware market. However, ransomware is still the most worrying cyber threat.

Also in 2022, people returned to normal activities such as traveling and attending sports or music events, but not yet to the office. The reasons behind this trend are manifold. Employees perceive that work from home (WFH) has positive productivity effects and offers time flexibility, especially for those with families with younger children. On the other side of the spectrum, some employers perceive that WFH has negative productivity effects and thus are urging employees to return to the office. However, employers also understand that the competition to retain skilled workers is getting harder. Thus, the trend is toward hybrid work, where eligible employees can WFH for a certain portion of their work week.

Besides ransomware and the hybrid work model, in 2022, we saw an evolving threat landscape, regulatory changes, and the potential for a recession by the end of 2023, which can impact how we prioritize cybersecurity this year. Furthermore, organizations are still facing the ongoing issues of insufficient cybersecurity resources and organization modernization.

This report will explore important security trends, the security priorities that stem from these trends, and how to customize these priorities for your organization.

In Q2 2022, the median ransom payment was $36,360 (-51% from Q1 2022), a continuation of a downward trend since Q4 2021 when the ransom payment median was $117,116.
Source: Coveware, 2022

From January until October 2022, hybrid work grew in almost all industries in Canada, especially finance, insurance, real estate, rental and leasing (+14.7%), public administration and professional services (+11.8%), and scientific and technical services (+10.8%).
Source: Statistics Canada, Labour Force Survey, October 2022; N=3,701

Hybrid work changes processes and infrastructure

Investment in remote work due to changes in processes and infrastructure

As part of our research process for the 2023 Security Priorities Report, we used the results from our State of Hybrid Work in IT Survey, which collected responses between July 10 and July 29, 2022 (total N=745, with n=518 completed surveys). This survey details what changes in processes and IT infrastructure are likely due to hybrid work.

Process changes to support hybrid work

A bar graph is depicted with the following dataset: None of the above - 12%; Change management - 29%; Asset management - 34%; Service request support - 41%; Incident management - 42%

Survey respondents (n=518) were asked what processes had the highest degree of change in response to supporting hybrid work. Incident management is the #1 result and service request support is #2. This is unsurprising considering that remote work changed how people communicate, how they access company assets, and how they connect to the company network and infrastructure.

Infrastructure changes to support hybrid work

A bar graph is depicted with the following dataset: Changed queue management and ticketing system(s) - 11%; Changed incident and service request processes - 23%; Addition of chatbots as part of the Service Desk intake process - 29%; Reduced the need for recovery office spaces and alternative work mitigations - 40%; Structure & day-to-day operation of Service Desk - 41%; Updated network architecture - 44%

For 2023, we believe that hybrid work will remain. The first driver is that employees still prefer to work remotely for certain days of the week. The second driver is the investment employers made in enabling WFH during the pandemic, such as updated network architecture (44%) and the infrastructure and day-to-day operations (41%), as shown in our survey.

Top cybersecurity concerns and organizational preparedness for them

Concerns may correspond to readiness.

In the Info-Tech Research Group 2023 Trends and Priorities Survey of IT professionals, we asked about cybersecurity concerns and about perceived readiness to meet current and future government legislation regarding cybersecurity requirements.

Cybersecurity issues

A bar graph is depicted with the following dataset: Cyber risks are not on the radar of the executive leaders or board of directors - 3.19; Organization is not prepared to respond to a cyber attack - 3.08; Supply chain risks related to cyber threats - 3.18; Talent shortages leading to capacity constraints in cyber security - 3.51; New government or industry-imposed regulations - 3.15

Survey respondents were asked how concerned they are about certain cybersecurity issues from 1 (not concerned at all) to 5 (very concerned). The #1 concern was talent shortages. Other issues with similar levels of concern included cyber risks not being on leadership's radar, supply chain risks, and new regulations (n=507).

Cybersecurity legislation readiness

A bar graph is depicted with the following dataset: 1 (Not confident at all) - 2.4%; 2 - 11.2%; 3 - 39.7%; 4 - 33.3%; 5 (Very confident) - 13.4%

When asked about how confident organizations are about being prepared to meet current and future government legislation regarding cybersecurity requirements, from 1 (not confident at all) to 5 (very confident), the #1 response was 3 (n=499).

Unsurprisingly, the ever-changing government legislation environment in a world emerging from a pandemic and ongoing wars may not give us the highest confidence.

We know the concerns and readiness…

But what is the overall security maturity?

As part of our research process for the 2023 Security Priorities Report, we reviewed results of completed Info-Tech Research Group Security Governance and Management Benchmark diagnostics (N=912). This report details what we see in our clients' security governance maturity. Setting aside the perception of readiness, what are their actual security maturity levels?

A bar graph is depicted with the following dataset: Security Culture - 47%; Policy and Process Governance - 47%; Event and Incident Management - 58%; Vulnerability - 57%; Auditing - 52%; Compliance Management - 58%; Risk Analysis - 52%

Overall, assessed organizations are still scoring low (47%) on Security Culture and on Policy and Process Governance. This explains why most security incidents are still due to gaps in foundational security and security awareness, not a lack of advanced controls such as event and incident management (58%).


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.



Authors

Michel Hebert

Kate Wood

Ida Siahaan

Contributors

  • Andrew Reese, Cybersecurity Practice Lead, Zones
  • Ashok Rutthan, Chief Information Security Officer (CISO), Massmart
  • Chris Weedall, Chief Information Security Officer (CISO), Cheshire East Council
  • Jeff Kramer, EVP Digital Transformation and Cybersecurity, Aprio
  • Kris Arthur, Chief Information Security Officer (CISO), SEKO Logistics
  • Mike Toland, Chief Information Security Officer (CISO), Mutual Benefit Group