Curtail 2023 Predictions: Predicting the Cybersecurity Landscape of 2023


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual VMblog.com series exclusive.

Predicting the Cybersecurity Landscape of 2023

By Frank Huerta, Founder, President, and Chief Executive Officer, Curtail

It has not been an easy year for the cybersecurity industry. Cybercrime damages surpassed six trillion USD for the year, and the creeping recession has hit the industry hard with record layoffs. President Biden even issued a direct policy response to ongoing cybersecurity difficulties, delivering the Executive Order on Improving the Nation's Cybersecurity in May 2022.

Will 2023 bring any good news for the sector? Cybercrime damages are only expected to rise in the new year, with increasingly sophisticated methods of attack proliferating. But ideally, the rise in cyberattacks will also be matched by the development of more secure, robust software.

Here are some likely developments in 2023:

Higher cyber insurance premiums

Following a string of high-profile cyberattacks, the cyber insurance sector was forced to respond to mounting risk with more stringent requirements for policyholders and higher premiums. Consider that the 2021 attack against Colonial Pipeline Co. led to a nearly five million dollar ransom payment, and it was one of several recent attacks with multimillion dollar damages.

So, as the potential for higher payouts grows, cyber insurance premiums have skyrocketed and will likely continue to surge in the new year. In the first quarter of 2022, cyber insurance premiums increased by an average of 28 percent. One should anticipate similar spikes in the first quarter of 2023, especially coupled with inflation.

And the problem isn't just higher premiums: a growing number of insurance carriers simply won't write cyber insurance policies at all anymore, because increasing, ever-shifting risks can't be quantified or managed, leaving many companies unable to acquire policies in the first place.

More tech breakage

The economic downturn is accelerating the ongoing cybersecurity skills gap. The lack of skilled workers means we should anticipate more security gaps and operational issues stemming from faulty or buggy software, along with fewer people around to fix or secure that software.

In 2022, the cybersecurity industry was short by 3.4 million workers, and we can only expect that number to grow in 2023. Moreover, tech layoffs are surging despite the substantial vacancies: cybersecurity vendor OneTrust already laid off 25 percent of its workforce, while security firm Cybereason cut its own workforce by 17 percent.

Widespread layoffs mean there will be even more work but fewer experts in the sector, which will inevitably lead to more tech breakage and more security vulnerabilities. There simply aren't enough skilled IT professionals employed at the moment to patch tech proactively, as opposed to reactively. In fact, we know that many patches aren't being deployed that need to be.

Increased adoption of DevSecOps

As risk mounts and the number of tech workers is insufficient to handle it, there will be a greater need for developers to write less buggy and more secure code up front, adopting DevSecOps coding practices. Under this model, developers integrate quality, operations, and security testing into every stage of software development. In DevSecOps environments, software is conceived with security in mind from the outset, as opposed to security being integrated after the fact in a separate, siloed component.

DevSecOps is essential for a security industry in crisis because it asks that developers write better, more secure software upfront as a means to prevent security incidents downstream, where there is a lack of personnel to fix the issue.

This holistic technique ensures better quality software, minimizing the chance of bugs or vulnerabilities emerging later. This trend in the industry is known as "shift left," or improving the code early on in the development pipeline, preventing problems from occurring downstream during the release process or in production.

Better security for open source packages

Open source projects are vital to global infrastructure and the flow of information, but their decentralized nature means there's little oversight and no dedicated supervision. This represents another blatant vulnerability in the cybersecurity sector.

While there have been numerous projects working to improve the security of open source software, OpenSSF's recently announced Alpha-Omega Project, in which Microsoft and Google have each invested five million dollars, demonstrates a real thrust towards securing and hardening open source software. The Alpha-Omega Project is seeking to work with security experts to identify zero-day vulnerabilities in open source code and address security gaps before they can be exploited by cybercriminals. Again, the name of the game here is prevention.

Drive to more comprehensive automated software testing

Companies are going to increasingly leverage automated testing in development. The idea is to review and validate software before it's released, proactively identifying and addressing any flaws or vulnerabilities.

But while automated quality assurance tests like Selenium and security tests like DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) are useful and necessary in producing more robust software, they are insufficient. They have their own limitations and can miss bugs and attacks, even those that are known or recognized. Furthermore, these approaches in general are not very effective against zero-day bugs, or bugs that have not been cataloged.

Comprehensive automation should therefore be the desired objective, as opposed to automation in and of itself. There are reports of developers or testers remarking "the software passed my tests," even though the software failed after release or was subject to a cyberattack, because the testing, even if automated, did not find the important flaws. If you test fast but miss critical errors, then you haven't tested effectively.

To achieve success, testing must be both automated and comprehensive. Newer testing approaches like those using AI (artificial intelligence) and ML (machine learning) or NCAST (Network Comparison Application Security Testing) are a necessary part of the DevSecOps framework. NCAST finds bugs by comparing the network responses of one version of software to another version and observing the changes in behavior. These techniques can help detect both known and unknown software bugs and flaws.
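The comparison idea described above, as an added illustration that is not Curtail's code or any NCAST implementation: two constructed in-process handlers stand in for the baseline release and the candidate release, and a small replay harness sends the same request corpus to both and diffs the responses. The handler names, the account data, the request corpus, the regression in the candidate (a dropped input check that turns a malformed id into a 500 carrying internal detail) and the header ignore list are all assumptions made up for the example. The harness normalizes JSON bodies and drops per-request headers so that benign differences do not drown out the behavioral change, which is the practical caveat of any comparison-based test.

```python
import json
from dataclasses import dataclass

# Constructed sample data shared by both versions.
ACCOUNTS = {"1": 120.5, "2": 0.0}


@dataclass(frozen=True)
class Response:
    status: int
    headers: dict
    body: str


def handler_v1(path: str, params: dict) -> Response:
    """Baseline version (constructed): validates input and never leaks internals."""
    if path != "/account":
        return Response(404, {"Content-Type": "text/plain"}, "not found")
    acct_id = params.get("id", "")
    if not acct_id.isdigit():
        return Response(400, {"Content-Type": "text/plain"}, "invalid id")
    if acct_id not in ACCOUNTS:
        return Response(404, {"Content-Type": "text/plain"}, "no such account")
    body = json.dumps({"id": int(acct_id), "balance": ACCOUNTS[acct_id]})
    return Response(200, {"Content-Type": "application/json"}, body)


def handler_v2(path: str, params: dict) -> Response:
    """Candidate release (constructed): same API, but the explicit input check was
    lost in a refactor, so a malformed id now surfaces as a 500 with a traceback."""
    noise = {"X-Request-Id": "req-0042"}  # per-request value that legitimately differs
    if path != "/account":
        return Response(404, {"Content-Type": "text/plain", **noise}, "not found")
    acct_id = params.get("id", "")
    try:
        key = str(int(acct_id))  # int("abc") raises ValueError
    except ValueError as exc:
        # Regression: the parse failure is no longer caught and mapped to a 400.
        return Response(500, {"Content-Type": "text/plain", **noise},
                        f"Traceback (most recent call last): ValueError: {exc}")
    if key not in ACCOUNTS:
        return Response(404, {"Content-Type": "text/plain", **noise}, "no such account")
    # Key order differs from v1; a naive string diff would flag this as a change.
    body = json.dumps({"balance": ACCOUNTS[key], "id": int(key)})
    return Response(200, {"Content-Type": "application/json", **noise}, body)


# Headers expected to differ between runs and therefore excluded from comparison.
IGNORED_HEADERS = {"x-request-id", "date"}


def normalize(resp: Response) -> tuple:
    """Reduce a response to the parts whose difference is meaningful."""
    headers = {k.lower(): v for k, v in resp.headers.items()
               if k.lower() not in IGNORED_HEADERS}
    body = resp.body
    if headers.get("content-type") == "application/json":
        try:
            body = json.loads(body)  # compare structure, not serialization order
        except ValueError:
            pass  # malformed JSON is itself a difference worth seeing
    return resp.status, headers, body


def compare(baseline, candidate, corpus) -> list:
    """Replay every request against both versions; return the deviations found."""
    deviations = []
    for path, params in corpus:
        a = normalize(baseline(path, params))
        b = normalize(candidate(path, params))
        diffs = [(name, x, y) for name, x, y in zip(("status", "headers", "body"), a, b)
                 if x != y]
        if diffs:
            deviations.append({"request": (path, params), "diffs": diffs})
    return deviations


# Constructed request corpus: valid, unknown, and malformed inputs plus an unknown path.
CORPUS = [
    ("/account", {"id": "1"}),
    ("/account", {"id": "2"}),
    ("/account", {"id": "999"}),
    ("/account", {"id": "abc"}),
    ("/other", {}),
]

if __name__ == "__main__":
    for dev in compare(handler_v1, handler_v2, CORPUS):
        print(dev["request"])
        for name, old, new in dev["diffs"]:
            print(f"  {name}: {old!r} -> {new!r}")
```

Run as a script, the harness reports a single deviating request, the malformed id, where the status moved from 400 to 500 and the body now contains a traceback; the valid requests pass even though the candidate reordered its JSON keys and added a request-id header. Note that nothing in the harness knew in advance what the bug was, which is the property that lets this style of testing surface flaws that are not yet cataloged.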

Final thoughts

Cybersecurity is a rapidly evolving sector that must remain capable of continuous adaptation. This is especially true because traditional security problems are now converging with socioeconomic crises to further increase pressure on the already strained industry.

The increasing attack vectors and growing vulnerabilities are why prevention and mitigation strategies must emerge as the industry's gold standard in the development process; there's less manpower available for dealing with bugs or security problems after release. The security and development sectors should now converge from the outset to produce high-quality, resilient software.

Overall, the year 2023 needs to usher in an era of proactive cybersecurity development. It's time to stop waiting until it's too late.

##

ABOUT THE AUTHOR


Frank Huerta is the co-founder and CEO of a provider of redundancy-based traffic analysis and continuous network security solutions. Curtail is changing how IT is implemented for service providers, enterprise organizations, government agencies and financial institutions that are developing and launching new software and services, particularly in DevOps environments. Huerta is a seasoned CEO and founder of three other companies including the security company, Recourse Technologies, which was acquired by Symantec.

Published Monday, January 23, 2023 7:30 AM by David Marshall