The past year was one of dramatic highs and heart-breaking lows. Optimism about 2022 abounded at the start of the year as much of the world finally learned to live with the pandemic – only to be replaced by fresh geopolitical conflict, surging inflation, and yet more business uncertainty. These macro trends will remain in 2023, and given the increasingly critical role cybersecurity plays in business strategy, they will have an undoubted impact on the work of the CISO.
With the era of “cheap money” now firmly behind us, IT leaders will need to get smarter about how they manage and secure their estates. Here are five trends to look out for over the coming 12 months:
1) Supply chain security gains momentum
Big-name supply chain breaches like the SolarWinds and Kaseya campaigns may have happened over a year ago, but it often takes time for era-defining incidents like these to influence market trends. However, with an estimated 98% of global organizations having suffered a supply chain breach in 2021, we can expect a growing number of IT leaders to take action in this area over the coming year. Whether that means closer scrutiny of open source packages or continuous vetting of service providers, visibility and control will increasingly be the watchwords for firms as they look to manage third-party risk more effectively.
2) Zero Trust comes of age
Zero Trust is another trend years in the making; the concept dates back over a decade. Now updated for an era defined by cloud and mobile-centric environments, mass hybrid working, and determined adversaries, it is set to receive a major boost as the Biden administration rolls it out across the federal government. Expect it to trickle down first to government suppliers and then to the broader business community as organizations start with manageable, bite-sized pilots and build from there. It will be no easy feat, but many will be pleasantly surprised that they already have some of the tools, technologies, and processes in place to give them a head start. The most important thing to remember is that there is no perfect Zero Trust end state: like all good cybersecurity, it is a journey.
3) Ransomware zeroes in on the cloud
Ransomware was the story of 2020, 2021, and 2022, so it’s unlikely to fade from view over the coming 12 months. Yet there are signs that it may be evolving, with the “as-a-service” model faltering as fewer victims pay up and law enforcers crack down. In response, we’ve already seen some changes starting to seep through: groups like Lapsus now eschew the ransom payload altogether and focus solely on extortion via data exfiltration. Others are using novel techniques to force payment. In 2023, we may also see a new focus on cloud data stores – a relatively untapped but increasingly business-critical enterprise IT resource. Cloud misconfigurations will provide an attractive vector for attack, requiring enhanced posture management to mitigate.
4) Convergence is the name of the game
Smart organizations realize that cybersecurity is an essential driver of successful digital transformation and a mitigator of breaches that could otherwise have a profound impact on the bottom line and corporate reputation. As such, they will not want to cut security budgets, even as economic headwinds gather and much of the world slips into recession. However, they may be forced to rationalize. With the average firm running as many as 75 separate security tools today, the opportunity to reduce waste is one many CISOs will grasp with open arms.
Consolidating onto vendor platforms that span multiple domains – from email and web security to APIs, networks, Zero Trust access, and cloud – will increasingly become a no-brainer in 2023. Not only will it help to reduce the cost of unnecessary licenses, but it can also enhance the productivity of increasingly stretched IT staff. They will have fewer UIs to learn and manage whilst benefitting from fewer security and visibility gaps. Organizations will not only look to platform-based approaches from their vendors but also security partners whose products slot neatly into existing architectures – the better to achieve the promise of cybersecurity mesh deployments.
5) Insurers will demand improvements
The insurance industry has had a difficult relationship with cybersecurity over recent years. In fact, companies’ access to relatively cheap cyber-insurance policies has been blamed in the past for the surge in ransomware. But there are signs that the sector is maturing fast. Premiums are soaring while coverage is being restricted for organizations in certain industries hit hard by ransomware.
The tantalizing prospect for 2023 and beyond is that insurers become a force multiplier for best-practice security. If they continue to demand more comprehensive security controls from prospective policyholders – as a prerequisite for coverage, or perhaps even to reduce the cost of policies – the overall effect could be to drive up baseline improvements across the board. There’s a long way to go yet – an estimated 90% of cyber risk is still uninsured. But 2023 could be the year when the insurance sector begins to have a real and positive impact on cybersecurity.