As we wrap up another year, we gaze into our crystal ball in anticipation of what the new year will bring. Nothing is certain in life except for change, and the same is true for cybersecurity. Shifting global, industry and workforce factors are re-shaping cybersecurity requirements once again.
Here’s how we expect those factors to impact this year’s IT and security technology trends:
Prediction #1: Regulators and insurance providers alike will tighten risk parameters and risk language.
In recent years, regulators like the SEC and policy providers have shaped their guidelines and compliance requirements around vulnerability language and how changing vulnerabilities affect overall cybersecurity risk. But the idea of cybersecurity itself has changed. Expect insurers and regulators to pivot and push companies to understand their risk tolerance and what it means for their risk at a given point in time. Outside of mandated requirements, not enough companies complete due diligence questionnaires. Recognizing this, insurers and regulators will start to require that companies demonstrate that appropriate controls are in place – and enforced.
Prediction #2: Tech stack consolidation will *actually* happen.
Let’s face it. Companies buy products for the sake of buying them. They purchase because they think they should have certain products or that they might need certain capabilities for regulatory compliance. But after purchase too many products collect dust. Vendor consolidation is one thing; operational consolidation is another. Resourcing and workforce restrictions mean that many companies don’t have the luxury of having 2-3 staff available to run enterprise tools, which depreciates tool ROI. Leaders will have no choice but to consolidate and optimize their tech stack based on internal resourcing availability and expertise mapping. This exercise will generate some fringe benefits including cost savings and cross-team efficiencies.
Prediction #3: Data privacy will take compliance requirements to a new level.
Expect big news this year around big breach events and how regulators treat them. Gone are the days of a slap on the wrist; this year we anticipate that companies will be held liable if they’re found in non-compliance.
Prediction #4: The cybersecurity buck stops at the board.
When Uber’s former CISO was charged with attempting to conceal a breach, it opened a Pandora’s box around executive responsibility when a breach happens. But the reality is that when it comes to fiduciary duty, an officer or director of the company can't be held accountable other than by being fired. Really, duty and responsibility start at the board level. Cybersecurity ownership has always been a hot potato, but the buck has to start and stop at the board level. Expect accountability to heighten, with the person in charge of compliance getting a bigger voice and possibly even a seat on the board.
Prediction #5: Attackers will shift their focus to cloud providers.
Companies are moving to cloud service providers like Azure, Office365, etc. en masse. They’re adopting five cloud service providers at a minimum, and we expect to see that number continue to climb. When it comes to liability ownership, cloud services are in a tricky spot: the provider holds the data, so many companies assume their data is safe. Breaches happen at all levels, and if you're a bad actor you’re probably going to spend your time targeting the crown jewels. Nowadays those jewels live in cloud services. This year, cloud security and preventative breach controls will be heightened because of the realization of shared duty across cloud service providers and their customers. For IT and security teams, this means implementing additional layers of due diligence and control checks.
Prediction #6: Nation-state attacks will rise.
Global unrest has been driving malicious nation-state attacks and we expect to see this continue through this year. Nation-state actors and criminal syndicates are highly funded and able to drive sophisticated attacks so covert that people don’t even realize that they’re happening. Per prediction #5, “crown jewel” data migration to cloud services means that nation-state attackers will target cloud providers.
Prediction #7: The economic downturn will bring unexpected security consequences.
When the market turns negative, companies start to cut back on budgets and resources. As we’ve seen in the news, security and IT departments aren’t immune from these cuts. The result will widen the gap in protecting the supply chain, especially in industries like financial services.
Prediction #8: The remote and hybrid workforce mix will complicate infrastructure.
Over the last two years, IT and security teams have successfully implemented distributed IT to meet remote workforce demands, but the current pull to in-office and adapted hybrid models complicates the remote architecture that’s been prioritized. The workforce mix means companies must pivot to multi-surface attack management as their attack surface continues to shift and expand. Many companies will need to revisit their infrastructure at the start of the year, taking their current and future-state attack surface into account first, to ensure they’ve got scalable controls and defenses in place.
Check out our Buyer’s Guide to Cyber Asset Attack Surface Management for the latest attack surface management best practices and guides that can help you get a head start on FY’23 security infrastructure and security planning.