A C-level executive will be fired for their firm’s use of employee monitoring in 2023. That’s one of the security, privacy, and risk predictions aired by Forrester on Monday.
In the coming year, lawmakers will be paying increased attention to workplace monitoring, and whistleblowers may also be demanding monitoring information to support complaints about labor law violations, according to the predictions put together by 10 Forrester analysts.
The analysts advised companies to prioritize privacy rights and employee experience when implementing any monitoring technology, whether it is for productivity, return-to-office strategies, or insider risk management.
“People in the C-suite need to be cognizant of what they monitor and people’s privacy, and ideally they’ll have a third-party audit behind them to make sure they’re compliant with applicable regulations,” observed Joey Stanford, head of global security and privacy for Platform.sh, a global platform as a service provider.
“We have a new generation of employees coming in that care about privacy rights,” he told TechNewsWorld.
Timothy Toohey, a privacy attorney with Greenberg Glusker in Los Angeles, agreed that violations of employee or customer privacy could bring an executive down in the future.
“In light of the Drizly decision by the FTC, executives are very much in the crosshairs,” he told TechNewsWorld. “If there’s a case where there’s been inadequate security, no security plan, or a prior breach that’s been ignored, I can see someone from the C-suite being put on the chopping block.”
In the Drizly case, the Federal Trade Commission announced in October that it would impose individual sanctions against the CEO of that alcohol delivery company for data privacy abuses, which allegedly resulted in the exposure of the personal information of about 2.5 million customers.
Security Teams Burned Out
Forrester also predicted a global 500 firm will be exposed in 2023 for burning out its cybersecurity employees.
Security teams are already understaffed, the analysts noted. They cited a 2022 study that found that 66% of security team members experience significant stress at work, and 64% have had work stress impact their mental health.
They added that staff are expected to be available 24/7 through major incidents, stay on top of every risk, deliver results in limited timeframes, and face pushback when making budget requests.
“Today, every security team, including my own, is burned out,” Stanford said. “The reason we’re burned out is we don’t have enough funding. Why don’t we have enough funding? Because security is treated as a cost center.”
The increase in supply chain attacks and the need to monitor more third-party risk are contributing to burnout, too, added Brad Hibbert, COO and CSO of Prevalent, a third-party risk consulting company.
“Companies are trying to get more visibility across more third parties,” he told TechNewsWorld. “That means they have to assess more third parties. To do that, security teams need to do more work. We’re finding that teams are hitting a wall. They can’t scale their programs effectively and efficiently without burning out security teams.”
Cybersecurity employee burnout is a real thing, observed Roger Grimes, a defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.
“I’ve been in the cybersecurity world for over 34 years now, and during that time I’ve had to counsel and mentor many people who were completely burned out in this field, mostly because what they were doing to stop cybercrime was not working and likely to never work,” he told TechNewsWorld.
“I’ve had mentees and friends quit the cybersecurity field to become artists, authors, and even work what might be otherwise seen as ‘menial labor’ because they at least felt their new jobs were making a difference in people’s lives,” he said.
“I get it. Who wants to be on a high-speed hamster wheel and never get ahead, never solve the problem you were hired to solve?” Grimes asked.
“I counsel cybersecurity professionals with burnout to get a police-like mentality for their work,” he continued. “Don’t think you’re ever going to completely solve the problem. Be like a beat cop that knows his city is full of crime, much of it they can’t stop, and it goes on all around them. But every cop puts their head down, does the best job they can, and if they put down the crime in front of them the best they can, then they’ve done a great job.”
“If you don’t want to burn out, reset your expectations, do the best job you can do within what you’re able to control, and gauge your success on what you can impact,” he advised.
Another Forrester prediction: more than 50% of chief risk officers will report directly to their organization’s CEO.
In 2022, risk became the dominant theme at security conferences like Black Hat, the analysts noted. It has surpassed compliance as the primary driver for governance, risk, and compliance technology investment as the level of risk for enterprises has increased.
They also noted that the risk priorities of firms are moving from compliance toward resilience. Executives and boards are looking to CROs to help identify new business opportunities.
The ERM Initiative and AICPA’s 2022 study, The State of Risk Oversight, shows that 44% of firms have a CRO, with 47% of those CROs reporting to the CEO, the analysts added. To ensure ERM gets the necessary level of executive visibility and support, more CROs will report to CEOs in 2023, they noted.