By John Moore
The key cybersecurity trends expected to shape 2023 run the gamut from the human behind the keyboard to tools embedding machine learning.
IT services executives pointed to security training for users, a perennial issue, as a continuing focus in the coming year. Users still fall for social engineering and/or inadvertently expose data. The “2022 Verizon Breach Investigations Report” underscored the problem, finding 82% of breaches were down to the “human element.” On the other end of the human-machine spectrum, ML will become an increasingly important cyber technology and will inform the emerging generation of security products, according to consultants.
Another aspect of the cybersecurity outlook: 2023 will likely see a boost in spending as top-level executives face increasing pressure to improve their security posture. Cybersecurity remained the top technology for which organizations expect to boost their spending over the next 12 months, according to Enterprise Strategy Group’s (ESG) “2023 Technology Spending Intentions Survey.” About two-thirds of the 742 senior IT professionals polled for the November 2022 report cited cybersecurity as an area earmarked for increased investment. Cybersecurity ranked No. 1 in last year’s report as well. ESG is a division of TechTarget.
Here’s the lowdown on six trends IT services executives expect to encounter next year.
The heightened legal risk surrounding IT security has ramped up the urgency for business leaders. Events such as the conviction of the former Uber CSO in a breach cover-up case have definitely grabbed the attention of the C-suite.
“They are now facing fines and potential jail time for their lack of security preparation,” said Jay Pasteris, CIO and chief information security officer at GreenPages, of the Uber conviction. “That’s changing the market where security was already a fast-growing sector.”
GreenPages, an MSP based in Kittery, Maine, is “banking heavily on security” as a growth market, Pasteris said, noting the heightened board-level focus.
“I expect to see that continued pressure on executive boards, where they’re holding a responsibility to ensure that their business has the right security posture in place, the right security programs in place and the right security funding in place,” he said.
Greater board involvement could create a tighter relationship between business and security professionals. Those sides, sometimes at odds, have been moving closer together in recent years as cyber attacks become more numerous and more dangerous. Next year will likely see an even finer alignment between cybersecurity executives and their business leadership and boards, Chris Williamson, field CTO at FNTS, an MSP based in Omaha, Neb., said.
“With an ever-increasing threat landscape, cybersecurity has become a board-level conversation where assessing readiness, reducing attack surface and managing cyber insurance have become highly visible activities,” he said.
Digital transformation and IT modernization projects will create fertile ground for zero-trust adoption next year.
“I think zero trust accelerates in 2023,” Pasteris said. “Organizations are doing transformation. They’re rethinking their architectures. It’s a natural time to implement a zero-trust framework and architecture as you’re thinking about going through that process.”
David Chou, director of cloud capabilities at Leidos, a technology, engineering, and science solutions and services provider based in Reston, Va., also said he sees a connection between transformation and increasing interest in zero trust. He said customers are starting to realize that they have an opportunity to implement that approach when they modernize, transform operations and migrate to the cloud.
“You’re essentially cleaning the house at that point,” Chou said. “You’re looking around, seeing what’s old, what’s new, what can be kept and what needs to be replaced. That’s the appropriate time to start building these different practices of zero-trust principles and design patterns while you’re migrating.”
High-level corporate interest in security will also influence zero-trust deployments, with government directives providing a nudge in the public sector. In the U.S. federal market, the Office of Management and Budget’s zero-trust mandate, which came out in 2022, will continue to influence agencies next year.
“A lot of the agencies are definitely going to be focusing on [zero trust],” Chou said. “We’re definitely seeing an increased push and focus and funding around how do you get these applications and these programs up to a zero-trust level.”
Pasteris said end users remain the biggest gap in security. The need for training will “continue to grow as companies have to educate and mandate their users and put accountability on the end users to be the first stop, the first line [against] threats in the security space,” he said.
He said companies such as KnowBe4, a security awareness training firm, are well positioned in the user education market.
Even the best-trained users will still make mistakes, however. Against that backdrop, Mike Laramie, associate CTO of security at SADA, a business and technology consulting firm with headquarters in Los Angeles, highlighted user protection as an important trend in 2023. That means protecting the user login pages themselves and monitoring for account takeovers and compromised passwords.
Technologies such as Google’s reCAPTCHA Enterprise and its competitors can detect bot-based login attacks and also flag vulnerable passwords as part of the application sign-in process, Laramie noted. Those tools can determine if the hash of a user’s password has been detected in a known-breached password database and send a signal back to the application, prompting the user to change the password, he added.
SADA provides a service offering around reCAPTCHA Enterprise and Security Command Center Premium, which is Google’s native cloud security posture management and threat detection technology.
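The breached-password check described above, sketched as an added example (not code from the article or from any vendor named in it). It goes one step beyond the description by sending only a five-character hash prefix to the lookup service, so the service never sees the full hash; `range_query`, `sign_in` and the sample corpus are hypothetical names and constructed data.

```python
import hashlib
import hmac

# Constructed sample corpus: SHA-1 digests of passwords assumed to be in a breach dump.
# SHA-1 is only a lookup key here, never a password-storage hash.
BREACHED = {hashlib.sha1(p.encode()).hexdigest().upper()
            for p in ("password1", "Summer2022!", "letmein")}

def build_index(hashes, prefix_len=5):
    """Service side: bucket breached hashes by prefix, keeping only the suffixes."""
    index = {}
    for h in hashes:
        index.setdefault(h[:prefix_len], set()).add(h[prefix_len:])
    return index

INDEX = build_index(BREACHED)

def range_query(prefix):
    """Hypothetical breach-lookup endpoint: receives a hash prefix, returns suffixes."""
    return INDEX.get(prefix, set())

def password_is_breached(password, query=range_query, prefix_len=5):
    """Application side: hash locally, send the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:prefix_len], digest[prefix_len:]
    return any(hmac.compare_digest(suffix, s) for s in query(prefix))

def sign_in(username, password, verify_credentials):
    """Return the signal the application acts on after a login attempt."""
    if not verify_credentials(username, password):
        return {"authenticated": False, "action": "deny"}
    if password_is_breached(password):
        # Valid but exposed credentials: complete the login, then force a reset.
        return {"authenticated": True, "action": "require_password_change"}
    return {"authenticated": True, "action": "allow"}
```

The check runs only after the credentials verify, so a failed login reveals nothing about whether the guessed password appears in the breach corpus.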
“The industry is pivoting heavily towards machine learning,” Laramie said.
Laramie said he believes security teams, operating at a nonexistent unemployment rate, will look to vendors to incorporate more ML capabilities into their tools to boost efficiency. Indeed, the technology is working its way into areas such as anomaly detection. In that capacity, ML can complement — and extend — traditional security approaches, such as relying on static rule sets that teams must curate and maintain, Laramie said.
“If you know an attack method and you know how to identify it, you should absolutely put a rule set in to identify it,” Laramie noted. “But you need to get a little bit more advanced than that when you look at zero-day attacks becoming more and more effective before they can even be announced, let alone patched.”
Pasteris also cited the growing prominence of AI.
“I think ML and AI are going to play a big role and play a big part of the securing of organizations,” he said.
Security teams become fatigued, given the volume of security data they must comb through. “There’s a lot of things coming at them, a lot of noise,” Pasteris said. ML can augment human analysts who might miss important signals amid the flood of alerts, he added.
Organizations have been solidifying their hybrid work technology stacks as they move from stopgap measures to an enduring environment.
“Going from triage to making this a permanent workstyle, you’re going to have security requirements that extend not only from your office environment to your cloud services, but all the way down to your home workers,” said Andrew Gilman, chief marketing officer at NWN Carousel, a cloud communications service provider based in Exeter, R.I.
That shift creates a need for network security and having visibility across remote work setups, Gilman said. The latter might include larger network instances with switches and multiple access points. That might be the case for executives who need something more akin to a boardroom at their remote locations. Device-level security is another key layer.
The task here is to strike a balance between achieving multilayer security and avoiding security protocols so onerous that they affect employee experience, Gilman said. Another challenge next year: devising security protocols that meet the needs of specific users — a CEO versus a task worker, for example.
“That would affect the types of investments that you need to make and the types of tools that you need to have at your disposal,” Gilman said.
The network security market grew 17% in the third quarter of 2022 and is expected to expand, with the hybrid workforce contributing to the increase, according to Dell’Oro Group, a market research firm in Redwood City, Calif. That pattern is expected to continue in 2023.
“Securing hybrid work is and will continue to be in 2023 a factor driving network security growth,” said Mauricio Sanchez, research director of network security and Secure Access Service Edge/software-defined WAN at Dell’Oro Group. He said he expects to see some modulation in network security’s growth, due to the economy, but the market “will still be very healthy.”
Hybrid work’s effect on network security spend will continue to be predominately seen in cloud-delivered security offerings, such as security service edge, he added.
The software supply chain has become a bigger concern for security teams as third-party platforms and services become more prevalent.
Laramie said he expects to see security tools introduced earlier into continuous integration/continuous delivery pipelines, with the goal of reducing the number of vulnerabilities deployed in cloud environments. “We’re seeing a lot of movement in the industry around this one,” he said. “The cost of fixing something in production [versus] catching it before it is released is dramatically different.”
Securing the software supply chain involves understanding code provenance, confirming that it went through the build pipeline and ensuring it went through security scans. The idea is to produce a software bill of materials, Laramie noted: “I know that this is what’s in this container, it went through everything that I expected it to and it’s clear to deploy. I think that’s a super powerful tool.”
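One way to express the "clear to deploy" decision described above as a gate, added here as an example rather than taken from the article or any product it names. The attestation layout, step names and HMAC signing are assumptions standing in for a real signed-attestation format, and the key, digest and finding id are constructed sample values.

```python
import hashlib
import hmac
import json

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
REQUIRED = ("build", "scan", "sbom")

def sign(key: bytes, statement: dict) -> str:
    """HMAC over canonical JSON; a stand-in for a real attestation signature."""
    body = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def clear_to_deploy(image_digest, attestations, pipeline_key, block_at="HIGH"):
    """Return (ok, reasons); every required step must vouch for this exact digest."""
    reasons, seen = [], {}
    for att in attestations:
        stmt = att.get("statement", {})
        step = stmt.get("step", "?")
        if not hmac.compare_digest(att.get("sig", ""), sign(pipeline_key, stmt)):
            reasons.append(f"bad signature on {step} attestation")
        elif stmt.get("subject") != image_digest:
            reasons.append(f"{step} attestation is for another image")
        else:
            seen[step] = stmt
    for step in REQUIRED:
        if step not in seen:
            reasons.append(f"no valid {step} attestation")
    for finding in seen.get("scan", {}).get("findings", []):
        # Unknown severities are treated as CRITICAL so the gate fails closed.
        if SEVERITY.get(finding.get("severity"), 4) >= SEVERITY[block_at]:
            reasons.append(f"scan finding {finding.get('id')} is {finding.get('severity')}")
    if "sbom" in seen and not seen["sbom"].get("components"):
        reasons.append("SBOM lists no components")
    return (not reasons, reasons)

# Constructed sample data: key, digest, commit and findings are placeholders.
KEY = b"constructed-pipeline-key"
IMAGE = "sha256:" + hashlib.sha256(b"constructed image bytes").hexdigest()

def attest(step, subject=IMAGE, key=KEY, **fields):
    stmt = {"step": step, "subject": subject, **fields}
    return {"statement": stmt, "sig": sign(key, stmt)}

GOOD = [attest("build", source_commit="<commit>"),
        attest("scan", findings=[{"id": "CONSTRUCTED-0001", "severity": "LOW"}]),
        attest("sbom", components=["libexample 1.0"])]
```

Binding each attestation to the image digest is what stops a scan or SBOM produced for one build from being replayed to approve a different image.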