Virtualization Technology News and Information
18 Security Leaders Come Together to Share Their 2023 Predictions


What will the New Year bring in cyberspace? Here's a roundup of some of the top security industry forecasts, trends and cybersecurity predictions for 2023. Where do things go from here?

Read on as 18 industry leaders in the security space come together to provide their insights into how the cybersecurity industry will shake out in 2023.


VMware: Karen Worstell, Senior Cybersecurity Strategist - Cyber risk management will be a top priority for business leaders

"When it comes to the governance and oversight of cyber risk, our system is broken. It's no longer what it used to be fifteen years ago - we are dealing with higher stakes and fragile corporate reputations. As a result of this, in 2023, we will see companies double down on cyber risk management. Boards will need to have a much clearer role and responsibility when it comes to the process of ensuring adequate controls and reporting cyberattacks. Cyber risk governance is not just the domain of the CISO it is now clearly a Director and Officer level concern. When it comes to cyber, plausible deniability is dead."


VMware: Rick McElroy, Principal Cybersecurity Strategist - Healthcare will continue to be top targets for cybercriminals in 2023

"With telemedicine becoming the norm, ransomware and deepfake attacks on the healthcare industry will continue in 2023. As increased amounts of people turn to telehealth to connect with healthcare professionals, have prescriptions filled and file their healthcare records, the door for fraud is left wide open for attackers to strike. As healthcare becomes increasingly politicized, dark web activity and ransom demands will continue to rise as data becomes a goldmine for attackers. Attackers will aim to use this data in a way that is harmful to both the organization and the patients at hand. Adversaries know that if they want to inflict pain on an organization, targeting a hospital is the best route for destruction as a patient's life is on the line."


Corvus Insurance: Jason Rebholz, CISO - Cyber insurers will seek to fuse security data with risk modeling insights

"The 2023 cybersecurity landscape will continue to see the ripple effects from significant changes in the threat landscape throughout 2022. The fallout from Russia's invasion of Ukraine, the rising threat of MFA bypass attacks, and an increase in hacktivist groups will shift how organizations view risk - a view that has been shaped over the last five years, primarily by ransomware. The shift in the threat landscape is amplified by changing external security perimeters. Boundaries are no longer defined by office network location; the external boundary is now amorphous. It extends to the user account, third parties, and wherever the organization's data resides. We have entered a time in which networks are formless and data sprawl is near limitless.

This all necessitates the need for true risk quantification of companies' security controls now more than ever. With that, I expect to see more investment into quantifying cyber risk. This will drive better collaboration and data sharing between security companies. Cyber insurance carriers will lean into partnerships with technology companies to fuse security data with insurance and risk modeling insights. The net result is more accurate risk quantification, which will in turn help keep policyholders safer."


Corvus Insurance: Vincent Weafer, Chief Technology Officer - Cyber insurance will become a core part of understanding cyber risk and building resiliency

"I expect the volume of virtual-first business operations to increase in the year ahead. In turn, cyber insurers will need a deeper and more dynamic understanding of organizations' cybersecurity risks and IT systems in order to reduce cyber risk and build resilience. By partnering with third-party cybersecurity solutions providers, insurers will gain greater risk insights and leverage these to set new expectations for potential policyholders and help raise their cyber posture. 

As digital transformation initiatives accelerate, more organizations will also migrate to cloud-based IT environments. As a result, they must be prepared to face the new challenges in managing and mitigating the cyber risks that accompany digitization. Threats can come in the form of sophisticated ransomware attacks or even basic business email compromise (BEC) attacks - both of which can cause debilitating harm. In the new year, building cyber resiliency will be a critical priority business leaders won't be able to ignore. This can take a variety of forms, from developing larger initiatives and partnerships with insurtechs - to understand threat patterns and improve cyber risk assessments for the long-term - all the way down to building cyber skills through regular employee training." 


Code42: Jadee Hanson, CIO and CISO - Budget cuts, amid economic uncertainty, will leave companies vulnerable to cyberattacks

"Once rumblings of economic uncertainty begin, wary CFOs will begin searching for areas of superfluous spending to cut in order to keep their company ahead of the game. For the uninformed C-suite, cybersecurity spend is sometimes seen as an added expense rather than an essential business function that helps protect the company's reputation and bottom line. These organizations may try to cut spending by decreasing their investment in cybersecurity tools or talent - effectively lowering their company's ability to properly detect or prevent data breaches and opening them up to potentially disastrous outcomes. This should especially be of concern amid persistent ransomware attacks, and 2023 is expected to be another challenging year. Companies that maintain efficient cybersecurity resources will fare much better in the long run than those who make widespread cuts."


Code42: Nathan Hunstad, Deputy CISO - Continued rise in cloud collaboration tech usage will cause more company data exposures

"Remote work isn't going anywhere - in fact, we're seeing signs that today's job market is trending toward a situation where the candidate pool includes the entire world, no matter the location. At the same time, our workforce is more transient than it has been previously because employees are changing jobs multiple times throughout the span of their careers. This combination means corporate data is more vulnerable than ever in the coming year. Cloud technology isn't infallible, and employees may utilize unauthorized tools to get their jobs done faster and easier. Job hopping also lends itself to more data exfiltration as people leave and take data with them, whether with malicious intentions or not. In fact, our data has shown there's a one in three chance your company loses IP when an employee quits, and nearly three-quarters (71%) of organizations are unaware of how much sensitive data their departing employees typically take with them. To account for this, we'll almost certainly see security teams revamping protocols in 2023 with these new data exfiltration capabilities in mind."


Immersive Labs: Bec McKeown, Director of Human Science - Cyber resilience will come from people-not technology

"I believe that 2023 will be the year when enterprises recognize that they are only as secure and resilient as their people-not their technologies. Only by supporting initiatives that prioritize well-being, learning and development and regular crisis exercising can organizations better prepare for the future. Done correctly, by delivering the right training to the right people at the right time means that this can be done in a resource and cost-effective way. Adopting a psychological approach to human-driven responses during a crisis-like a cybersecurity breach-will ensure that organizations fare far better in the long run."


Immersive Labs: Kev Breen, Director of Cyber Threat Research - Automated attacks will rise + cybercriminals will get quicker in 2023

"As we look to 2023, I expect we'll continue to see severe ransomware risks, as well as supply chain cyber attacks that pose massive threats. Also, the world is getting "smarter" daily, so it's likely there will be an increase in automated attacks against home smart devices at scale, tapping into direct consumers more than we're seeing now, which could, in turn, impact companies with remote workforces. 

The number of reported common vulnerabilities and exposures (CVEs) in 2022 was the lowest it has been since 2016. It's difficult to know if this number is trending downward due to software vendors getting stronger at identifying vulnerabilities at the source or if researchers have gotten busier this past year and haven't been reporting on this as much. Either way, we know researchers and threat actors will continue to find, publish, and exploit new vulnerabilities.

Cybercriminals are also getting quicker. To compound that issue we've seen that once a vulnerability is announced, it's exploited within minutes to hours, not days to weeks. In 2023, the pace of the threat landscape will further quicken, and most defenders will find themselves one step behind, which is why proving cyber resilience and preparing for future risk are key."


Obsidian Security: Ben Johnson, CTO and co-founder of Obsidian Security (previously the co-founder at Carbon Black) - 2023 will be the year of SSPM and securing SaaS

"2023 will be the year of SSPM and securing SaaS, but for that to happen, we must continue educating organizations on the risks of SaaS. In doing so, organizations must ensure their left-of-boom teams (vulnerability management and GRC) have the ability to reduce SaaS risk while ensuring their right-of-boom teams (security operations, incident response, threat hunting) have continuous threat management capabilities. While SaaS security has given organizations the ability to scale applied security, not just awareness, now is the time to distribute security hardening and operations to go with the distributed technology and distributed responsibility. As we know, the pandemic sped up the hybrid work model, and organizations that prioritized endpoint or public cloud security over the past couple years are now ready to secure SaaS and the modern workflow."

"Financially motivated crimes such as ransomware, blackmail, and selling access tokens will continue to gain popularity and will be the top adversaries in 2023. I also believe that with the increase in economic uncertainty, as well as the recent midterm elections and shifts in power, groups like Anonymous will come back and conduct vigilante missions. Additionally, CISA came into its own in 2022. This next year, we'll see CISA drive better, more resilient security, especially in critical infrastructure - increasing the sector's maturity as a whole."


Immuta: Matt Carroll, CEO and co-founder - CISOs will need to become the enablers - not the bottlenecks - of the modern data stack

"The rapid shift of data from on-premises to the cloud is spurring one of the greatest cybersecurity challenges to date. Despite most CISOs having a full arsenal of tools for protecting data in the cloud, the proliferation of cloud players and cloud-based SaaS solutions has accelerated data sharing to a breaking point. Traditional approaches that worked for on-premises environments can't keep up with the exponential growth in the number of users, data sources, and policies that must be governed, managed, and secured today. 

In 2023 we'll see a major shift in data security architecture, forcing CISOs to roll up their sleeves and put controls into place around this budding "Modern Data Stack." This will include proper access controls that effectively balance access and security, continuous monitoring of business intelligence, and data science activities for anomaly detection. At the same time, how we think about monitoring will have to change - zero trust won't work using traditional approaches because there are too many endpoints."


OneSpan: Michael Klieman, Chief Product Officer -- With Trust Under Attack, Identity Verification is an Urgent Matter

"High confidence in people's identities throughout every experience is the starting point to establishing digital trust and is paramount for organizations everywhere in 2023. To realize the promise of Web 3.0, organizations must enhance trust and confidence in today's most critical customer experiences and ensure that integrity is never in question. Think about the simple example of a caller in a Zoom session who has video turned off - can a business be certain it's truly the person they believe it to be on the other end of a screen sharing session? Can an organization prove that a legitimate customer opened an account, or was it done with a manufactured, synthetic identity? The trust involved here, that confidence in knowing who you are interacting with, is central to how businesses operate.

Advances in identity proofing, password-less authentication, and adaptive risk-based orchestration are coming together to secure and increase the confidence and trust of interactions throughout digital customer journeys as we head into 2023."


OneSpan: Caroline Vignollet, SVP of R&D -- Continued widening of the cybersecurity talent gap

"We're starting to accept the cybersecurity talent gap as an ongoing challenge, and this will continue into the new year as we struggle as an industry to encourage younger generations to enter the field. Cybersecurity education is pivotal, and while we see more universities develop cyber courses, it still remains very small in comparison to the critical challenges organizations face daily. For this new generation to be successful, universities must expand cyber education and provide real hands-on cyber training, not just theoretical training. 

Of course, companies must take training into their own hands. Every person in an organization plays a role - even if it's just increasing awareness around phishing emails and avoiding insecure links. Organizations must also work to better support their cyber teams. As cyber leaders, we have a responsibility to create safe environments and make this known to anyone interested in the field. In fact, one of the most important KPIs to look for within employee engagement surveys is whether employees feel comfortable talking to leadership - it's the strongest way to avoid burnout as this widening talent gap continues into 2023."


Wasabi Technologies: Andrew Smith, Senior Manager, Strategy and Market Intelligence - The changing role cloud will play in preventing cyber threats in 2023

"Given the heavy reliance on virtual tools to support hybrid work environments across the globe, increasing adoption of SaaS tools, and continued growth of enterprise data volumes, it is inevitable that cybersecurity threats will persist and become increasingly complex in 2023. It is nearly impossible to prevent all the ways bad actors can infiltrate networks, exploit unknown vulnerabilities, and target company data and backups to extort money from organizations. 

In many ways, security preparedness and malware prevention is a cat-and-mouse game, which is why so many organizations deploy security strategies that include not just prevention and detection, but data protection, backup, and recovery as well. I expect to see more IT and security decision-makers adopting cloud-based backup strategies as a central tenet of their overall data security strategy. And, as security threats remain persistent in 2023 and beyond, cloud data management and protection features like cross-region replication and object lock/immutability will be increasingly important tools for security and infrastructure admins in their perpetual battle to prevent data loss and downtime due to malware and ransomware attack." 


NetSPI: Scott Sutherland, VP of Research - Can DTL Help Stop Software Supply Chain Attacks? 

"Adoption of distributed ledger technology (DTL) is still in its infancy and we'll see some interesting use cases gain momentum in 2023. DLT can basically be used as a database that enforces security through cryptographic keys and signatures. Since the stored data is immutable, DTL can be used anytime you need a high integrity source of truth. That comes in handy when trying to ensure the security of open-source projects (and maybe some commercial ones). Over the last few years, there have been several "supply chain compromises'' that boil down to an unauthorized code submission. In response to those attacks, many software providers have started to bake more security reviews and audit controls into their SDLC process. Additionally, the companies consuming software have beefed up their requirements for adopting/deploying 3rd party software in their environment. However neither really solves the core issue, which is that anyone with administrative access to the systems hosting the code repository can bypass the intended controls. DLT could be a solution to that problem."


NetSPI: Nick Landers, Director of Research - By the end of next year every major financial institution will have announced adoption of Blockchain technology

"There is a notable trend of Blockchain adoption in large financial institutions. The primary focus is custodial offerings of digital assets, and private chains to maintain and execute trading contracts. The business use cases for Blockchain technology will deviate starkly from popularized tokens and NFTs. Instead, industries will prioritize private chains to accelerate business logic, digital asset ownership on behalf of customers, and institutional investment in Proof of Stake chains. 

By the end of next year, I would expect every major financial institution will have announced adoption of Blockchain technology, if they haven't already. Nuanced technologies like Hyperledger Fabric have received much less security research than Ethereum, EVM, and Solidity-based smart contracts.Additionally, the supported features in business-focused private chain technologies differ significantly from their public counterparts. This ultimately means more attack surface, more potential configuration mistakes, and more required training for development teams. If you thought that blockchain was "secure by default", think again. Just like cloud platform adoption, the promises of "secure by default" will fall away as unique attack paths and vulnerabilities are discovered in the nuances of this tech."


1E: Jason Keogh, Field CTO of 1E - 2023 will show it's possible to achieve positive DEX and security, together

"In 2023, organizations will focus on driving a positive digital employee experience (DEX) without compromising security. Not only do draconian security controls lead to bad DEX, but they also cause users to find workarounds, which on balance creates an overall less-secure IT estate. Out of frustration with tough or confusing restrictions, they may, for example, create or store company data on personal devices or in personal cloud storage, or access company apps and data from unprotected personal machines. Better auditing and change control aligned to self-service and real-time capabilities are key to good security with good end-user experience. Looking ahead to 2023, organizations should implement real-time controls and exception handling to improve DEX and security-together."


D2iQ: Deepak Goel, CTO of D2iQ - Cloud-native and Kubernetes projects become secure by default 

"Kubernetes offers many advantages but also poses unique security challenges that can be difficult to address for organizations lacking in Kubernetes talent and experience. Although Kubernetes has many built-in security features, its security requires understanding of how to address different types of vulnerabilities that can impact each part of the stack. For many organizations, Kubernetes security has been left for the architects and developer teams to manage. However, Kubernetes clusters are not secure by default, and as threats become more advanced and mature it will be unrealistic to require developer teams to also be security experts. 

This is why organizations will increasingly see the need to reevaluate their security practices and prioritize a more advanced security-focused culture in 2023. Deploying Kubernetes platforms with security built in by default will be recognized as a means to reduce the burden of security on IT teams. Keeping security and developer expertise separate will reduce the pressure and burnout on both sides." 


Veriff: Kaarel Kotkas, Founder & CEO at Veriff - Identity verification will be crucial to companies' success in the Metaverse

"As technology leaders across industries prepare for the new opportunities the metaverse can offer them, security - and most importantly, a solid base of digital trust - needs to be top of mind. Despite estimates of the technology's value reaching $800 billion by 2024, without solving the biggest roadblocks, including trust, engagement and an obvious hardware problem, connections in the metaverse for businesses and customers alike will remain just endless hype. For companies looking to take full advantage of what the metaverse has to offer in 2023, it is critical that robust and effective identity verification and KYC tools, and protocols to match, are put into place. If the metaverse is to be successful, there needs to be a guarantee that users are who they say they are."


Published Tuesday, November 29, 2022 10:01 AM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2022>