What will the New Year bring in cyberspace? Here's a roundup of some of the top security industry forecasts, trends and cybersecurity predictions for 2023. Where do things go from here?
Read on as 18 industry leaders in the security space come together to provide their insights into how the cybersecurity industry will shake out in 2023.
+++
VMware: Karen Worstell, Senior Cybersecurity Strategist - Cyber risk management will be a top priority for business leaders
"When it comes to the governance and oversight of cyber risk, our
system is broken. It's no longer what it used to be fifteen years ago - we are
dealing with higher stakes and fragile corporate reputations. As a result of
this, in 2023, we will see companies double down on cyber risk management.
Boards will need to have a much clearer role and responsibility when it comes
to the process of ensuring adequate controls and reporting cyberattacks. Cyber
risk governance is not just the domain of the CISO; it is now clearly a Director
and Officer level concern. When it comes to cyber, plausible deniability is
dead."
+++
VMware: Rick McElroy, Principal Cybersecurity Strategist - Healthcare will continue to be a top target for cybercriminals in 2023
"With telemedicine becoming the norm, ransomware and deepfake
attacks on the healthcare industry will continue in 2023. As increased amounts
of people turn to telehealth to connect with healthcare professionals, have
prescriptions filled and file their healthcare records, the door for fraud is
left wide open for attackers to strike. As healthcare becomes increasingly
politicized, dark web activity and ransom demands will continue to rise as data
becomes a goldmine for attackers. Attackers will aim to use this data in a way
that is harmful to both the organization and the patients at hand. Adversaries
know that if they want to inflict pain on an organization, targeting a hospital
is the best route for destruction as a patient's life is on the line."
+++
Corvus Insurance: Jason Rebholz, CISO - Cyber insurers will seek to fuse security data with risk modeling insights
"The 2023 cybersecurity landscape will continue to see the ripple
effects from significant changes in the threat landscape throughout 2022. The
fallout from Russia's invasion of Ukraine, the rising threat of MFA bypass
attacks, and an increase in hacktivist groups will shift how organizations view
risk - a view that has been shaped over the last five years, primarily by
ransomware. The shift in the threat landscape is amplified by changing external
security perimeters. Boundaries are no longer defined by office network
location; the external boundary is now amorphous. It extends to the user
account, third parties, and wherever the organization's data resides. We have
entered a time in which networks are formless and data sprawl is near
limitless.
This all necessitates the need for true risk quantification of
companies' security controls now more than ever. With that, I expect to see
more investment into quantifying cyber risk. This will drive better
collaboration and data sharing between security companies. Cyber insurance
carriers will lean into partnerships with technology companies to fuse security
data with insurance and risk modeling insights. The net result is more accurate
risk quantification, which will in turn help keep policyholders safer."
+++
Corvus Insurance: Vincent Weafer, Chief Technology Officer - Cyber insurance will become a core part of understanding cyber risk and building resiliency
"I expect the volume of virtual-first business operations to
increase in the year ahead. In turn, cyber insurers will need a deeper and more
dynamic understanding of organizations' cybersecurity risks and IT systems in
order to reduce cyber risk and build resilience. By partnering with third-party
cybersecurity solutions providers, insurers will gain greater risk insights and
leverage these to set new expectations for potential policyholders and help
raise their cyber posture.
As digital transformation initiatives accelerate, more
organizations will also migrate to cloud-based IT environments. As a result,
they must be prepared to face the new challenges in managing and mitigating the
cyber risks that accompany digitization. Threats can come in the form of
sophisticated ransomware attacks or even basic business email compromise (BEC)
attacks - both of which can cause debilitating harm. In the new year, building
cyber resiliency will be a critical priority business leaders won't be able to
ignore. This can take a variety of forms, from developing larger initiatives
and partnerships with insurtechs - to understand threat patterns and improve
cyber risk assessments for the long-term - all the way down to building cyber
skills through regular employee training."
+++
Code42: Jadee Hanson, CIO and CISO - Budget cuts, amid economic uncertainty, will leave companies vulnerable to cyberattacks
"Once rumblings of economic uncertainty begin, wary CFOs will
begin searching for areas of superfluous spending to cut in order to keep their
company ahead of the game. For the uninformed C-suite, cybersecurity spend is
sometimes seen as an added expense rather than an essential business function
that helps protect the company's reputation and bottom line. These
organizations may try to cut spending by decreasing their investment in
cybersecurity tools or talent - effectively lowering their company's ability to
properly detect or prevent data breaches and opening them up to potentially
disastrous outcomes. This should especially be of concern amid persistent
ransomware attacks, and 2023 is expected to be another challenging year.
Companies that maintain efficient cybersecurity resources will fare much better
in the long run than those who make widespread cuts."
+++
Code42: Nathan Hunstad, Deputy CISO - Continued rise in cloud collaboration tech usage will cause more company data exposures
"Remote work isn't going anywhere - in fact, we're seeing signs that today's job market is
trending toward a situation where the candidate pool includes the entire world,
no matter the location. At the same time, our workforce is more transient than
it has been previously because employees are changing jobs multiple times
throughout the span of their careers. This combination means corporate data is
more vulnerable than ever in the coming year. Cloud technology isn't
infallible, and employees may utilize unauthorized tools to get their jobs done
faster and easier. Job hopping also lends itself to more data exfiltration as
people leave and take data with them, whether with malicious intentions or not.
In fact, our data has shown there's a one in three chance your company loses IP when an employee quits,
and nearly three-quarters (71%) of organizations are unaware of how much
sensitive data their departing employees typically take with them. To account
for this, we'll almost certainly see security teams revamping protocols in 2023
with these new data exfiltration capabilities in mind."
+++
Immersive Labs: Bec McKeown, Director of Human Science - Cyber resilience will come from people - not technology
"I believe that 2023 will be the year when enterprises recognize
that they are only as secure and resilient as their people - not their
technologies. Only by supporting initiatives that prioritize well-being,
learning and development and regular crisis exercising can organizations better
prepare for the future. Done correctly - delivering the right training to the
right people at the right time - this can be done in a resource- and
cost-effective way. Adopting a psychological approach to human-driven responses
during a crisis - like a cybersecurity breach - will ensure that organizations fare
far better in the long run."
+++
Immersive Labs: Kev Breen, Director of Cyber Threat Research - Automated attacks will rise and cybercriminals will get quicker in 2023
"As we look to 2023, I expect we'll continue to see severe
ransomware risks, as well as supply chain cyber attacks that pose massive
threats. Also, the world is getting "smarter" daily, so it's likely there will
be an increase in automated attacks against home smart devices at scale,
tapping into direct consumers more than we're seeing now, which could, in turn,
impact companies with remote workforces.
The number of reported common vulnerabilities and exposures (CVEs)
in 2022 was the lowest it has been since 2016. It's
difficult to know if this number is trending downward due to software vendors
getting stronger at identifying vulnerabilities at the source or if researchers
have gotten busier this past year and haven't been reporting on this as much.
Either way, we know researchers and threat actors will continue to find,
publish, and exploit new vulnerabilities.
Cybercriminals are also getting quicker. To compound that issue
we've seen that once a vulnerability is announced, it's exploited within
minutes to hours, not days to weeks. In 2023, the pace of the threat landscape
will further quicken, and most defenders will find themselves one step behind,
which is why proving cyber resilience and preparing for future risk are key."
+++
Obsidian Security: Ben Johnson, CTO and co-founder of Obsidian Security (previously the co-founder at Carbon Black) - 2023 will be the year of SSPM and securing SaaS
"2023 will be the year of SSPM and securing SaaS, but for that to
happen, we must continue educating organizations on the risks of SaaS. In doing
so, organizations must ensure their left-of-boom teams (vulnerability
management and GRC) have the ability to reduce SaaS risk while ensuring their
right-of-boom teams (security operations, incident response, threat hunting)
have continuous threat management capabilities. While SaaS security has given
organizations the ability to scale applied security, not just awareness, now is
the time to distribute security hardening and operations to go with the
distributed technology and distributed responsibility. As we know, the pandemic
sped up the hybrid work model, and organizations that prioritized endpoint or
public cloud security over the past couple years are now ready to secure SaaS
and the modern workflow."
"Financially motivated crimes such as ransomware, blackmail, and
selling access tokens will continue to gain popularity and will be the top
adversaries in 2023. I also believe that with the increase in economic
uncertainty, as well as the recent midterm elections and shifts in power,
groups like Anonymous will come back and conduct vigilante missions.
Additionally, CISA came into its own in 2022. This next year, we'll see CISA
drive better, more resilient security, especially in critical infrastructure -
increasing the sector's maturity as a whole."
+++
Immuta: Matt Carroll, CEO and co-founder - CISOs will need to become the enablers - not the bottlenecks - of the modern data stack
"The rapid shift of data from on-premises to the cloud is spurring
one of the greatest cybersecurity challenges to date. Despite most CISOs having
a full arsenal of tools for protecting data in the cloud, the proliferation of
cloud players and cloud-based SaaS solutions has accelerated data sharing to a
breaking point. Traditional approaches that worked for on-premises environments
can't keep up with the exponential growth in the number of users, data sources,
and policies that must be governed, managed, and secured today.
In 2023 we'll see a major shift in data security architecture,
forcing CISOs to roll up their sleeves and put controls into place around this
budding "Modern Data Stack." This will include proper access controls
that effectively balance access and security, continuous monitoring of business
intelligence, and data science activities for anomaly detection. At the same
time, how we think about monitoring will have to change - zero trust won't work
using traditional approaches because there are too many endpoints."
+++
OneSpan: Michael Klieman, Chief Product Officer - With trust under attack, identity verification is an urgent matter
"High confidence in people's identities throughout every experience is the starting
point to establishing digital trust and is paramount for organizations
everywhere in 2023. To realize the promise of Web 3.0, organizations must
enhance trust and confidence in today's most critical customer experiences and
ensure that integrity is never in question. Think about the simple example of a
caller in a Zoom session who has video turned off - can a business be certain
it's truly the person they believe it to be on the other end of a screen
sharing session? Can an organization prove that a legitimate customer opened an
account, or was it done with a manufactured, synthetic identity? The trust
involved here, that confidence in knowing who you are interacting with, is
central to how businesses operate.
Advances in identity proofing, password-less authentication, and adaptive risk-based
orchestration are coming together to secure and increase the confidence and
trust of interactions throughout digital customer journeys as we head into
2023."
+++
OneSpan: Caroline Vignollet, SVP of R&D - Continued widening of the cybersecurity talent gap
"We're starting to accept the cybersecurity talent gap as an
ongoing challenge, and this will continue into the new year as we struggle as
an industry to encourage younger generations to enter the field. Cybersecurity
education is pivotal, and while we see more universities develop cyber courses,
it still remains very small in comparison to the critical challenges
organizations face daily. For this new generation to be successful,
universities must expand cyber education and provide real hands-on cyber
training, not just theoretical training.
Of course, companies must take training into their own hands.
Every person in an organization plays a role - even if it's just increasing
awareness around phishing emails and avoiding insecure links. Organizations
must also work to better support their cyber teams. As cyber leaders, we have a
responsibility to create safe environments and make this known to anyone
interested in the field. In fact, one of the most important KPIs to look for
within employee engagement surveys is whether employees feel comfortable
talking to leadership - it's the strongest way to avoid burnout as this
widening talent gap continues into 2023."
+++
Wasabi Technologies: Andrew Smith, Senior Manager, Strategy and Market Intelligence - The changing role cloud will play in preventing cyber threats in 2023
"Given the heavy reliance on virtual tools to support hybrid work
environments across the globe, increasing adoption of SaaS tools, and continued
growth of enterprise data volumes, it is inevitable that cybersecurity threats
will persist and become increasingly complex in 2023. It is nearly impossible
to prevent all the ways bad actors can infiltrate networks, exploit unknown
vulnerabilities, and target company data and backups to extort money from
organizations.
In many ways, security preparedness and malware prevention is a
cat-and-mouse game, which is why so many organizations deploy security
strategies that include not just prevention and detection, but data protection,
backup, and recovery as well. I expect to see more IT and security
decision-makers adopting cloud-based backup strategies as a central tenet of
their overall data security strategy. And, as security threats remain
persistent in 2023 and beyond, cloud data management and protection features
like cross-region replication and object lock/immutability will be increasingly
important tools for security and infrastructure admins in their perpetual
battle to prevent data loss and downtime due to malware and ransomware
attack."
+++
NetSPI: Scott Sutherland, VP of Research - Can DLT help stop software supply chain attacks?
"Adoption of distributed ledger technology (DLT) is still in its
infancy and we'll see some interesting use cases gain momentum in 2023. DLT can
basically be used as a database that enforces security through cryptographic
keys and signatures. Since the stored data is immutable, DLT can be used
anytime you need a high integrity source of truth. That comes in handy when
trying to ensure the security of open-source projects (and maybe some
commercial ones). Over the last few years, there have been several "supply
chain compromises" that boil down to an unauthorized code submission. In
response to those attacks, many software providers have started to bake more
security reviews and audit controls into their SDLC process. Additionally, the
companies consuming software have beefed up their requirements for
adopting/deploying 3rd party software in their environment. However, neither
really solves the core issue, which is that anyone with administrative access
to the systems hosting the code repository can bypass the intended controls.
DLT could be a solution to that problem."
+++
NetSPI: Nick Landers, Director of Research - By the end of next year every major financial institution will have announced adoption of Blockchain technology
"There is a notable trend of Blockchain adoption in large
financial institutions. The primary focus is custodial offerings of digital
assets, and private chains to maintain and execute trading contracts. The
business use cases for Blockchain technology will deviate starkly from
popularized tokens and NFTs. Instead, industries will prioritize private chains
to accelerate business logic, digital asset ownership on behalf of customers,
and institutional investment in Proof of Stake chains.
By the end of next year, I would expect every major financial
institution will have announced adoption of Blockchain technology, if they
haven't already. Nuanced technologies like Hyperledger Fabric have received
much less security research than Ethereum, EVM, and Solidity-based smart
contracts. Additionally, the supported features in business-focused private
chain technologies differ significantly from their public counterparts. This
ultimately means more attack surface, more potential configuration mistakes, and
more required training for development teams. If you thought that blockchain
was "secure by default", think again. Just like cloud platform adoption, the
promises of "secure by default" will fall away as unique attack paths and
vulnerabilities are discovered in the nuances of this tech."
+++
1E: Jason Keogh, Field CTO of 1E - 2023 will show it's possible to achieve positive DEX and security, together
"In 2023, organizations will focus on driving a positive digital
employee experience (DEX) without compromising security. Not only do draconian
security controls lead to bad DEX, but they also cause users to find
workarounds, which on balance creates an overall less-secure IT estate. Out of
frustration with tough or confusing restrictions, they may, for example, create
or store company data on personal devices or in personal cloud storage, or
access company apps and data from unprotected personal machines. Better
auditing and change control aligned to self-service and real-time capabilities
are key to good security with good end-user experience. Looking ahead to 2023,
organizations should implement real-time controls and exception handling to
improve DEX and security - together."
+++
D2iQ: Deepak Goel, CTO of D2iQ - Cloud-native and Kubernetes projects become secure by default
"Kubernetes offers many advantages but also poses unique security
challenges that can be difficult to address for organizations lacking in
Kubernetes talent and experience. Although Kubernetes has many built-in
security features, its security requires understanding of how to address
different types of vulnerabilities that can impact each part of the stack. For
many organizations, Kubernetes security has been left for the architects and
developer teams to manage. However, Kubernetes clusters are not secure by
default, and as threats become more advanced and mature it will be unrealistic
to require developer teams to also be security experts.
This is why organizations will increasingly see the need to
reevaluate their security practices and prioritize a more advanced
security-focused culture in 2023. Deploying Kubernetes platforms with security
built in by default will be recognized as a means to reduce the burden of
security on IT teams. Keeping security and developer expertise separate will
reduce the pressure and burnout on both sides."
+++
Veriff: Kaarel Kotkas, Founder & CEO at Veriff - Identity verification will be crucial to companies' success in the Metaverse
"As technology leaders across industries prepare for the new
opportunities the metaverse can offer them, security - and most importantly, a
solid base of digital trust - needs to be top of mind. Despite estimates of the
technology's value reaching $800 billion by 2024, without solving the biggest
roadblocks, including trust, engagement and an obvious hardware problem,
connections in the metaverse for businesses and customers alike will remain
just endless hype. For companies looking to take full advantage of what the
metaverse has to offer in 2023, it is critical that robust and effective
identity verification and KYC tools, and protocols to match, are put into
place. If the metaverse is to be successful, there needs to be a guarantee that
users are who they say they are."