How our outlook on cybersecurity will change in 2023
It’s fair to say over the last year cybersecurity has become one of the hottest topics to discuss. We have seen the issue affect every possible area of life from healthcare and energy to multinational corporations, and even conflicts such as the Russia/Ukraine War.
As a result, cybersecurity (in some shape or form) is in the minds of nearly all major stakeholders, board members and leadership teams across the world. Research by IDC highlighted that European IT security spending will surpass $66 billion in 2026.
Whilst increased investment into cybersecurity by organizations is a good thing, is it being spent in the right way? As 2023 quickly approaches, what should our approach and mindset towards cybersecurity be?
We asked the experts for their verdict, and here are some of their most salient responses…
Camille Charaudeau, Vice President, Product Strategy at CybelAngel, believes that dealing with expanding attack surfaces will be one of the key challenges for businesses in 2023.
"With increased globalization and decentralization of operations, an extended attack surface quickly expands beyond an organization's own controlled perimeter and robust security practices. Simply doing business with companies with less mature security practices will increase risks in your own systems and processes.
"Security leaders will need to supercharge their external attack surface management (EASM) programs to include digital risk protection solutions (DRPS), as these technologies strongly complement each other to provide more comprehensive coverage than either alone."
There are a variety of reasons why organizations have expanded their attack surface. One of the main reasons has been the move towards the cloud. "Just as Cloud Transformation dominated the pandemic period, we are now entering a Bring Your Own Office era, whereby employees’ home networks have become cloud droplets or mini clouds," said Joseph Carson, Chief Security Scientist at Delinea.
"A Zero Trust approach will become more essential than ever as the transformation continues. Employees should have access only to what they need to efficiently do their job; this will ensure that an attacker’s ability to move within the larger business network is limited and the attack surface reduced," added Joseph Carson.
Wade Ellery, Field Chief Technology Officer at Radiant Logic, also agrees that more organizations will move towards Zero Trust in 2023. However, he argues that many of these projects will not be successful unless organizations manage their identity data first.
"In 2023, we are going to see more and more businesses 'slow down to speed up' -- they’ll recognize they need to put in an identity data foundation before they can justify building new, revenue-oriented projects that demand access to identity.
"This will also be forced as more organizations implement Zero Trust. Over the past year, organizations have been looking into secure architecture and trying to understand what it truly means.
"Essentially, Zero Trust is attribution access, but an idea which is now mature. As we move into 2023, senior decision-makers and security teams are discussing how they can achieve a granular approach in real time, and ultimately, they will come back to the issue of identity data management."
As well as securing organizations, identity can also be used to breach them. Yaron Kassner, Co-Founder and CTO at Silverfort, believes that we are going to see more identity-related breaches over the next year.
"Organizations are having to effect a mindset shift from identity being an enabler of secure business, to treating it as a threat vector in its own right.
"This is not easy to do as identity presents a large attack surface which is only partially covered by traditional controls such as Multi-Factor Authentication (MFA) and Privileged Access Management (PAM). Reducing exposure requires protecting numerous additional internal interfaces and resources such as PsExec, WMI, PowerShell and Service Accounts – which until recently has not been technically possible.
"Solutions are emerging which take a more holistic view of protecting this large, sprawling, attack surface. Over the coming year, I believe security teams will be increasingly building such controls into their plans."
However, Raghu Nandakumara, Head of Industry Solutions at Illumio, believes that businesses will change the way they measure cyber success from stopping breaches to resilience. "As breaches become part of daily life, cyber resilience will become an industry recognized metric for all companies to achieve and measure against," said Raghu Nandakumara.
"Whereas currently, organizations judge the success of their business continuity plan on whether they can recuperate within their Recovery Time Objective (RTO) to their Recovery Point Objective (RPO), in 2023 any downtime will be unacceptable.
"Stringent testing and the development of industry-wide metrics to help benchmark against peers and understand what 'success' looks like will force organizations to think about their appetite for risk and establish an acceptable minimum level of maintainable security to avoid fines, profit loss, or loss of reputation."
Cybersecurity is also not just about the cool, new, exciting solutions and approaches that are being designed and developed, but about the people as well. Bec McKeown, Director of Human Science at Immersive Labs, said that 2023 will be the year when organizations realize they are only as secure and resilient as their people.
"Only by supporting initiatives that prioritize well-being, learning and development and regular crisis exercising can organizations better prepare for the future. Done correctly, delivering the right training to the right people at the right time means that this can be done in a resource- and cost-effective way.
"Adopting a psychological approach to human-driven responses during a crisis -- like a cybersecurity breach -- will ensure that organizations fare far better in the long run."
Ed Williams, EMEA Director SpiderLabs at Trustwave, believes that pen-testers will also be crucial for organizations in 2023. He implored organizations to "work with the good guys".
"One of the most frustrating things as a pen-tester is when you return to an organization a year later and see exactly the same issues as before," said Ed Williams.
"There is no value to this for the client. They are not maturing. In fact, they are regressing. Pen-testers are never looking to catch a client out but are on your side and only want to facilitate progress. Therefore, in 2023 I implore organizations to work with pen-testers for the best, year on year result."
Robin Campbell-Burt is CEO at Code Red.