Four cybersecurity trends and predictions for 2023

December 15, 2022

Nik Whitfield

Panaseer founder and Chief Seer Nik Whitfield shares his view of cybersecurity trends and what he expects to see in the next 12 months. He has something of a knack for it, having predicted #1 in 2014.

The way we practice security has shifted in the last three years and it will continue to do so. As technologies and threats change, so will the way we operate. In this article I’ll give an overview of the trends that I think will have the biggest impact on the way we manage cybersecurity risk in 2023.

1. Control failure will continue to be the leading cause of breaches and losses

Security control failure is the biggest challenge in cybersecurity today and will be again in 2023.

79% of enterprises have suffered cyber incidents that should have been prevented with safeguards they’d already bought. We’ll see more breaches due to control failures next year. As attackers increasingly use automation and AI to find and exploit the gaps, companies will suffer if they assume their security controls are operating effectively, rather than automatically checking they’re operating effectively.

The truth is enterprises have a giant gap between their perceived residual cyber risk – the risk they think they’re carrying after they’ve invested in controls – and the actual residual cyber risk. This is because of a variety of control failures that companies aren’t aware of: missing endpoint protection, missed vulnerability scans, missed phishing tests, leavers who still have access to systems, patches not applied in time, out-of-date software, and more. This perception gap means boards will make decisions with a mistaken confidence in their cyber risk, leading to breaches that should have been prevented.

To overcome this problem, we’ll see a continued move towards security controls automation. Expect to hear more about Controls as Code, Continuous Controls Monitoring and other processes and technologies that increase assurance and understanding of cyber posture.

2. Increase in oversight

My research shows the number of bodies performing oversight will increase in 2023, the breadth and depth of the oversight will increase, and more organisations will be subject to oversight. The scale and complexity of responding to these requirements will increasingly drown our CISOs and their teams, who tell me this is already more than 50% of their role.

Regulation is on the rise globally. Initiatives like DORA will pose new challenges for financial institutions and the NIS2 directive will affect new sectors that are now considered critical national infrastructure.

Expect stricter oversight from regulators, auditors, insurers, clients and investors. Prepare for it with automation, better security posture measurement, and solid processes for collecting and disseminating this information.

3. CISO roles will evolve towards risk-oriented business executives

The CISO role will continue to evolve away from a focus on technical cybersecurity knowledge towards executive and risk domain expertise.

At the executive level, cybersecurity is just another risk to the business. A significant one, sure, but managing risk is what boards do for a living. Increasingly, we’ll see CISOs becoming more adept at engaging, navigating and influencing at board level.

The starting point for understanding risk is to understand what is at risk, i.e. the business. Historically, I’ll admit, we in cybersecurity haven’t appreciated this and have focused too heavily on the technical aspects of security. As the risk continues to grow, boards will increasingly expect CISOs to operate as executives who are knowledgeable about the business and able to engage with and influence people across the organisation as other senior leaders do.

With 3.4 million or so open roles in security, we have a real challenge in taking technical security leaders and helping them develop their business risk management and executive skills, and, on the other hand, in taking business risk executives and educating them in cybersecurity.

Given recent events in the US, CISOs are increasingly considering the personal liability they take on in performing the role. Let’s hope this additional burden doesn’t influence the decisions of our most talented people when choosing whether to take on those highly accountable positions.

4. Business leaders will take more accountability for cybersecurity risk

Doing business today means using technology. Businesses are accountable for the risks they take, and as they increasingly adopt new technologies, build new applications and explore technical innovations, they take on more, and more varied, technology risk: cybersecurity risk in particular.

This means business stakeholders will increasingly be required to understand the security posture of the business operations they’re responsible for, including applications and customer interactions. Companies that are successful in both business innovation and cybersecurity will have strong relationships between business stakeholders and the security team. In particular, they will converse around clear, high-quality data which articulates the security posture of the business, and how that changes with business decisions they make.

Organisations using point-in-time, manual processes to produce security metrics as the basis of the conversation between the business and security will suffer either slow business change or an increased chance of breach. Those with automated, high-quality measurements that the business can easily interpret will move faster and more securely.

Expect to see business stakeholders with more cybersecurity accountability, and increased automation in security KPIs.

The final word…

In my view, there’s a fundamental problem that continues to plague security teams: most breaches could be prevented with the tools and controls we already have in place.

It’s down to security teams to improve the way they measure and improve the efficacy of their controls, so organisations can be confident they’re mitigating cyber risk. Without increasing automation, it will be a bridge too far. Security leaders are going to feel the rising accountability, oversight, and workload – a recipe for burnout.

The industry is waking up to this challenge. In 2023, I predict security teams will start to prioritise stopping those preventable breaches by using automation to improve their security posture. This will go some way to reducing the threat from all types of cyber-attacks, including ransomware, and reduce the heavy burden facing security teams.