Skip Navigation
BlackBerry Blog

Cybersecurity’s Top 3 Opportunities for 2023

(This Cyber Tactics column, “Cybersecurity’s Top 3 Opportunities for 2023,” written by John McClurg of BlackBerry, was originally published December 19, 2022, in Security Magazine. Excerpted with permission – access the full article here).
 

With the year ahead looming, security leaders can focus on three challenges to manage and make their organizations more resilient and secure.

“God grant me the serenity to accept the things I cannot change, courage to change the things I can, 
and wisdom to know the difference.”

The saying is printed on coffee mugs, T-shirts, and signs at craft stores. The likes of Yale University, the New York Times, and media around the world have explored its history and impact. It is a very concise piece of prose with which you may be familiar.

Many know this as “The Serenity Prayer.” We in the cybersecurity profession have long appreciated that serenity is not exactly joined at the hip with what commands our attention on a daily basis. In fact, those of us who have accepted responsibility for the security of others typically adopt a state of constant vigilance, which hardly sounds like a good recipe for achieving serenity. However, when I look ahead to the cybersecurity landscape for 2023, a useful business parallel to this classic saying emerges in my mind:

We must accept that threat actors will throw some surprises our way in the year ahead. However, we can change our security posture for the better by focusing on certain priorities in 2023. And it takes the wisdom of intelligent leaders and skilled teams to carry this out successfully.

With that said, instead of making a list of random cybersecurity predictions for 2023, I want to focus on three challenges we can manage to make our organizations more resilient and secure in the coming year ahead.

1. Prepare for Executive Order Security Attestations

Are you ready to attest to the U.S. government that your software is developed securely? Around the middle of 2023, federal agencies will require attestation that organizations follow a Secure Software Development Framework (SSDF) to create software they license or sell to any agency.

The White House Executive Order (EO) 14028 requires this change for doing business with the government — and many highly regulated vertical industries are moving in this direction as well.

The SSDF is a set of secure software development practices designed to decrease the number of vulnerabilities in software releases, mitigate the impact when threat actors exploit unaddressed vulnerabilities, and help address root causes of vulnerabilities to limit future recurrences.

The National Institute of Standards and Technology (NIST) says several verification methods will be used based on the criticality of the software. These include:

  • Self-attestation
  • Requisite certifications
  • Site visits
  • Third-party assessments

Be prepared to share artifacts to prove your case because government agencies are being empowered to ask for them.

EO 14028 also allows agencies to require a Software Bill of Materials (SBOM). My colleague Christine Gadsby — who is Vice President of Product Security at BlackBerry — spends a great deal of time working in this area.

“We know the industry is feeling pressure to understand their true attack surface in their supply chain,” Gadsby says. “And I believe most companies find components in their supply chain they didn’t know existed.”

Preparing for attestation and SBOMs should be a key focus for many in 2023, and doing this exercise will increase our collective cybersecurity posture one organization at a time. Luckily, new tools are available to speed up the process of analyzing source code to find potential vulnerabilities.

2. Anticipate and Prevent Supply Chain Attacks

Creating a more cyber-secure software supply chain is part of the fallout from the SUNBURST supply chain attack, which targeted customers of SolarWinds and others. From this and other incidents, the security world was reminded that attacking a supplier can grant attackers access to multiple organizations or agencies at once.

We saw more of these supply chain attacks in 2022 and should also be preparing for this possibility in 2023. Are you relying on a single vendor to provide both business operations and cybersecurity software solutions? If so, do you have a business continuity plan for when that platform is compromised and you must suspend its use?

3. Convergence of Physical and Cybersecurity

Physical security and cybersecurity are converging. We can take advantage of this by breaking down siloes between the two sides.

For example, a physical security access program’s supporting infrastructure now sits on the network. Having monitors that reflect the status of that system sitting next to ones being monitored by your cybersecurity operations team is highly valuable. This allows for opportunities to cross-train and leverage headcount that might otherwise have to be duplicated.

And the exponential growth of Internet of things (IoT) devices attached to corporate networks should be a key focus of any convergence discussion. IDC recently highlighted 19 industry verticals that have multiple use cases for IoT devices, and, in many settings, these devices sit well outside a secured perimeter.

I started this column on what you might call “a wing and a prayer,” and now I’ll end it with a quote from corporate management guru Peter Drucker. One of his most insightful quotes stands out to me as very applicable for the year ahead.

“A time of turbulence is a dangerous time, but its greatest danger is a temptation to deny reality.”

We can no longer afford to deny the reality — in fact, the enormity — of cyber risk that faces all organizations, regardless of size. However, we can do something about this risk and reduce it to a level that improves security while aligning with our organizations’ unique risk appetite.

And despite the constant worry and watchfulness that “comes with the territory” in this security business, I believe that when our people, processes and technologies are all in alignment with each other and our corporate objectives, we can take a certain amount of serenity from knowing that we are as prepared for the unexpected as we can be.

Read the full article in Security Magazine.

John McClurg

About John McClurg

Sr. Vice President and CISO at BlackBerry.

John McClurg serves as Sr. Vice President and CISO at BlackBerry. McClurg engages the industry around the globe on the risk challenges today and how BlackBerry uniquely mitigates them with the application of machine learning and other AI supported solutions. He champions a move from a historically reactive security posture, to one focused on proactively predicting and mitigating future risks.

Before BlackBerry, McClurg served as the Ambassador-At-Large of Cylance and as Dell's CSO, where his responsibilities included the strategic focus and tactical operations of Dell’s internal global security service. He was also charged with the advocacy of business resilience and security prowess, the seamless integration of Dell’s security offerings, and with improving the effectiveness and efficiency of security initiatives.

Before Dell, McClurg served as the VP of Global Security at Honeywell International; Lucent/Bell Laboratories; and in the U.S. Intel Community, as a twice-decorated member of the FBI, where he held an assignment with the U.S. Dept of Energy (DOE) as a Branch Chief charged with establishing a Cyber-Counterintelligence program within the DOE’s newly created Office of Counterintelligence.

Prior to that, McClurg served as an FBI Supervisory Special Agent, assisting in the establishment of the FBI’s new Computer Investigations and Infrastructure Threat Assessment Center, or what is today known as the National Infrastructure Protection Center within the Dept of Homeland Security.

McClurg also served on assignment as a Deputy Branch Chief with the CIA, helping to establish the new Counterespionage Group, and was responsible for the management of complex counterespionage investigations. He additionally served as a Special Agent for the FBI in the Los Angeles Field Office, where he implemented plans to protect critical U.S. technologies targeted for unlawful acquisition by foreign powers and served on one of the nation’s first Joint Terrorism Task Forces.