When The Stack asked for cybersecurity predictions for 2023 we received no shortage. Many were self-serving – “expect a tsunami of malware of exotic stripe that only we can catch” or words to that effect from vendors.
We skirted some important but perhaps obvious observations: that commodity-style attacks are becoming ever easier; that security hygiene is hard but important; that MSPs and IT vendors will continue to be targeted; and that the shift away from legacy VPNs towards Zero Trust and "SASE" approaches is continuing (and welcome).
Many comments, however, deserve deliberation and should start a conversation. In separating the wheat from the chaff one thing was clear: this conversation should emphatically extend to business leaders and the board.
As Bob Kolasky, a former director of the National Risk Management Center at the US Department of Homeland Security (DHS) put it to us: “By the end of 2022, it was almost a cliché to say that ‘cyber risk needs to be thought of as a business risk.’ The risk that companies face… has been made abundantly clear, and has forced integration between network defense and business continuity planning and boardroom engagement.”
Boardroom engagement has never been more critical
Improved boardroom engagement was central to many cybersecurity predictions for 2023 for CISOs in particular.
Indeed if there was one single theme that came up most often, it was that CISOs and CIOs need to creatively rethink how they measure and present cybersecurity and risk information to the broader organisation.
Omer Singer, Head of Cybersecurity Strategy, Snowflake emphasised that with it becoming ever-easier to generate data-driven reports (for some, in near real-time) around critical security metrics, he sees boards becoming more demanding.
“In 2023 board members will demand transparency through quantified insights on the company’s security posture, areas of weakness, and rate of improvement,” he said.
“Quarterly reports and PDFs are no longer sufficient given the intense scrutiny companies face over their security-related activities.
"Executives want near-real-time dashboards that allow them to drill down and assess their organisation’s security posture such as incident response times, patch latency, asset inventory completeness, third-party risk management, and employee offboarding.”
Singer added: “In addition, many directors sit on multiple boards, which means this practice will quickly spread across organisations. Expect that cross-company data sharing will be leveraged to establish peer comparisons and inform executives of how their progress compares to others in their cohort. Watch for collaboration between security and data teams to establish modern data sharing in a governed way…”
Doing more with less: M&A and the “rapid risk reduction 90-day plan”
Businesses expecting a truly buoyant 2023 are in a minority. The climate is, however, expected to lend itself to increased M&A activity and we have already seen early signs of that in January. As risk and financial advisory firm Kroll emphasises, this means that new owners of technology estates could see themselves purchasing high levels of cybersecurity debt and risk. Yet given the downturn, subsequent post-acquisition spending on strategic cyber initiatives not explicitly mandated by compliance requirements is likely to be tight.
What does that mean? Kroll’s Edward Starkie, an SVP of cybersecurity risk, predicts that “2023 may be the year of the rapid risk reduction 90-day plan owned and delivered by post-acquisition interim CISOs. At the very least, CISOs will need to be focused on high-impact, low-cost controls that optimise previous investments.”
Against this backdrop Nik Whitfield, Founder of Panaseer, sees a “continued trend towards business-oriented CISOs, rather than technical CISOs” – because “understanding the business is the primary responsibility... secondarily, it's understanding the security risk implications for the business.”
Whitfield added: “We also need fundamental change in how we measure security and present that to business and executive stakeholders. In 2023, security leaders will focus on understanding how the business wants to consume information, and how to best present information to them…”
(The Stack finds that many CISOs are using customised versions of the NIST Framework -- illustrated simply at left -- for reporting metrics, although practices seem to diverge wildly. If you have views on how best to measure and report cyber risk to the board of directors, we’d love to hear from you…)
Predictions for cybersecurity in 2023: MFA fatigue is dangerous...
Jonathan Lee, Senior Product Manager, Menlo Security emphasised that low-hanging fruit and social engineering continue to pay off for attackers: "The attack on Uber in September 2022 showed that basic security failures are opening the door to attackers... In the case of Uber, the attacker was able to gain administrative control over the company’s IT systems and security tools thanks to an exposed PowerShell script that contained admin credentials to their privileged access management (PAM) platform" -- after an MFA bypass.
CrowdStrike CTO Mike Sentonas said he sees adversaries using more such identity-based attacks for initial access and lateral movement, saying in an emailed comment: “Throughout 2022, we have seen an increase in identity-based attacks and development of sophisticated file-less techniques bypassing traditional MFA defences.”
He added: “It’s not just stolen credentials, as pass-the-cookie, golden-SAML, and even social engineering with MFA fatigue add to the ever growing ways to compromise an identity. In 2023, we predict adversaries will break out more quickly by compromising identities to move laterally between endpoints to deploy ransomware, achieve business email compromise (BEC) by accessing email infrastructure, or exfiltrate critical data.”
Lee added: "Off the back of the Uber breach, MFA push notifications have been shown to be exploitable, and the industry is now saying get rid of passwords and use FIDO2 passkeys and hardware tokens. Our view is that this is going to be a heavy lift to implement it, and attackers will still find the weakest link in the chain."
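The MFA fatigue pattern described above (repeated push prompts until the user finally approves one) leaves a recognisable trail in authentication logs. The following is an added detection example written for this article, not code from The Stack or any vendor quoted here; the log format, field names and thresholds are assumptions for illustration.

```python
"""Flag MFA push-fatigue bursts in authentication logs.

Added example; the log format (timestamp user push=<result> ip=<addr>),
the 10-minute window and the 3-denial threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of denied pushes for alice ending in an
# approval, plus ordinary activity for bob.
SAMPLE_LOG = """\
2023-01-10T08:01:02Z alice push=denied ip=203.0.113.7
2023-01-10T08:01:40Z alice push=denied ip=203.0.113.7
2023-01-10T08:02:15Z alice push=denied ip=203.0.113.7
2023-01-10T08:02:50Z alice push=denied ip=203.0.113.7
2023-01-10T08:03:30Z alice push=approved ip=203.0.113.7
2023-01-10T09:00:00Z bob push=approved ip=198.51.100.5
2023-01-10T09:30:00Z bob push=denied ip=198.51.100.5
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
DENIAL_THRESHOLD = 3             # assumed denials-per-window that count as a burst


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, user, push, ip = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "result": push.split("=", 1)[1],
        "ip": ip.split("=", 1)[1],
    }


def detect_push_fatigue(log_text, window=WINDOW, threshold=DENIAL_THRESHOLD):
    """Return (user, kind, timestamp) alerts.

    kind == 'burst' when a user denies `threshold` pushes inside `window`;
    kind == 'approve_after_burst' when an approval lands while such a burst
    is still inside the window, i.e. the user likely gave in to the prompts.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent_denials = defaultdict(list)  # user -> timestamps of denials in window
    alerts = []
    for e in events:
        q = recent_denials[e["user"]]
        while q and e["ts"] - q[0] > window:   # expire old denials
            q.pop(0)
        if e["result"] == "denied":
            q.append(e["ts"])
            if len(q) == threshold:
                alerts.append((e["user"], "burst", e["ts"]))
        elif e["result"] == "approved" and len(q) >= threshold:
            alerts.append((e["user"], "approve_after_burst", e["ts"]))
    return alerts
```

The second alert kind is the one worth paging on: a burst alone may be a user dismissing stray prompts, while an approval after a burst is the moment an account is likely compromised.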
Cybersecurity predictions for 2023: The supply chain problem grows
Michael Adams, CISO, Zoom, was among those emphasising supply chain risk. He said: "Continuing instability across the software supply chain will provide a rich environment for large-scale attacks... But we need to see more companies focus on strengthening their security practices, from considering a zero-trust approach to further securing infrastructure services (e.g., code signing, PKI, and hardening the release process)."
The CISO added: "Increasing dependencies on third parties will also require more focus on security controls throughout the software supply chain, such as instituting third-party risk assessments, identity and access management, and timely patching..." (The Stack recommends reviewing Microsoft's recently open-sourced S2C2F or "Secure Supply Chain Consumption Framework", which includes some highly practical guidance to help ensure that developers are securely consuming and managing open source software.)
Bernd Greifeneder, founder and CTO of Dynatrace meanwhile noted that "cyber risk will [need to] become front-of-mind for everyone involved in innovation, as growing maturity in the insurance industry makes it imperative to treat security as a shared responsibility" (making this happen, of course, is another challenge...)
He added: “Organisations taking out cyber-insurance policies will be required to demonstrate that every innovator in the business can conduct due diligence and manage the risk associated with their actions. There will therefore be a growing focus on solutions that enable teams to mature their DevOps and BizDevOps-centric strategies into a more holistic SecDevBizOps approach [to ensure accountability for] delivering secure innovation.”
“Critical infrastructure is at risk” if organisations get this wrong, he concluded soberly: “There’s a very real possibility that 2023 could be the year cyber attacks threaten our trains, national grids, nuclear power plants, and even our cars (many of which today have over 100 computers). No one has ever been right betting that cyber attacks will slow down. For that reason, we should expect ransomware and theft of digital assets to ramp up in 2023.”
As a result it's not the time to be cutting security, CrowdStrike's CTO Sentonas emphasised: “Cybersecurity incidents are expensive and can go on for years, including the cost of cleaning up after a breach, paying for incident response and forensic investigations, legal costs, changing security providers, notifying customers and regulators…