With 2022 drawing to a close, Debashish Jyotiprakash, Vice President for Asia and Managing Director for India at Qualys, looks into his crystal ball to predict the following transformative technology trends for 2023.
Prediction 1: CISOs will be made more accountable (but they need the freedom to own their program).
Uber’s ex-CISO was convicted this year for covering up a breach that took place in 2016. The case brought the role and responsibilities of the CISO into the spotlight, and it will lead to changes in 2023 for businesses in general and for CISOs in particular.
According to Gartner, at least 50% of C-level executives will have cybersecurity risk performance requirements added to their employment contracts by 2026. This will make cybersecurity an issue that everyone across the business will concentrate on. Yet CISOs can only be as effective as the power they are given, and even with great effort, hackers can still infiltrate a network with a simple phishing link clicked by an absent-minded employee.
If CISOs are to become more accountable, they first need to have control of their own finances and manpower. While many have a seat on the board, they do not yet have their own spending freedom. CISOs cannot be held accountable if they cannot take action and invest in solutions autonomously.
In 2023, there will be a big shift as CISOs will have to measure and report their performance in terms of managing business risk as well as protecting IT assets. Chief Revenue Officers and Chief Marketing Officers already have KPIs tied to performance requirements; CISOs will have the same.
Prediction 2: Enterprises need to take the lead to reduce their supply chain risk.
Supply chain security will still pose a significant risk to organisations in 2023, and far beyond. Third-party tools and software components can be the weak points of any organisation, and even enterprises with multi-billion dollar security budgets can still be brought to their knees by a breach within one of their suppliers.
Organisations need to understand that their supply chain’s security posture is as important as their own, and that they need to support their suppliers to help them reach higher levels of protection. Not many companies have adopted this consultative and collaborative approach proactively, only choosing to get involved after an incident has occurred. Enterprises hold a massive amount of expertise, and they can share this with their key suppliers to benefit everyone over time. The only way to strengthen the weakest link is to act like a partner and share that expertise with the supply chain.
To make this happen, more companies will adopt software bills of materials (SBOMs) to understand which components they depend on and to track the vulnerabilities in those components. This won't be a case of only looking internally; instead, enterprises can use the same inventory to push back into their suppliers and check that they are updating and mitigating potential issues. Producing and maintaining an SBOM will be a cost of doing business for software companies going forward.
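As an added example (not code from the article or from Qualys), the following Python script shows the kind of SBOM-driven tracking described above: it parses a constructed CycloneDX-style SBOM, matches each component's package URL (purl) against a constructed advisory feed, and groups the findings by supplier so that each supplier can be asked for a specific fix. Package names, supplier names and advisory identifiers (ADV-0001 and so on) are placeholders, and the version comparator is a simplified dotted-numeric compare, not a full semver or PEP 440 implementation.

```python
"""Match an SBOM against a vulnerability feed and group findings by supplier.

Added example; the SBOM, advisory feed, package and supplier names are all
constructed placeholders, not real software or real vulnerabilities.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical service.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-http", "version": "2.25.1",
     "purl": "pkg:pypi/acme-http@2.25.1", "supplier": {"name": "Acme Software"}},
    {"type": "library", "name": "acme-logger", "version": "2.17.1",
     "purl": "pkg:maven/com.acme/acme-logger@2.17.1", "supplier": {"name": "Acme Software"}},
    {"type": "library", "name": "widget-utils", "version": "4.17.15",
     "purl": "pkg:npm/widget-utils@4.17.15", "supplier": {"name": "Widget Co"}},
    {"type": "library", "name": "safe-parser", "version": "1.3.0",
     "purl": "pkg:npm/safe-parser@1.3.0", "supplier": {"name": "Widget Co"}}
  ]
}
"""

# Constructed advisory feed: affected package (purl without version) and the
# affected range [introduced, fixed). "fixed": None means no patched release yet.
ADVISORIES = [
    {"id": "ADV-0001", "package": "pkg:pypi/acme-http",
     "introduced": "2.0.0", "fixed": "2.26.0", "severity": "medium"},
    {"id": "ADV-0002", "package": "pkg:maven/com.acme/acme-logger",
     "introduced": "2.0.0", "fixed": "2.17.1", "severity": "critical"},
    {"id": "ADV-0003", "package": "pkg:npm/widget-utils",
     "introduced": "0", "fixed": "4.17.21", "severity": "high"},
    {"id": "ADV-0004", "package": "pkg:npm/safe-parser",
     "introduced": "1.3.0", "fixed": None, "severity": "high"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.17.15' or '1.2.3-rc1' into a comparable 5-tuple of ints.
    Non-numeric suffixes are dropped and short versions are zero-padded, so
    '2.0' == '2.0.0'. Good enough for dotted-numeric versions only."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    parts += [0] * (5 - len(parts))
    return tuple(parts[:5])


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:npm/widget-utils@4.17.15?q=1' -> ('pkg:npm/widget-utils', '4.17.15').
    Qualifiers (?...) and subpaths (#...) are stripped; the version follows the
    last '@' (scoped npm names encode their '@' as %40, so this is unambiguous)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = base.rpartition("@")
    return (name, version) if sep else (base, "")


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per (component, advisory) match, worst severity first."""
    sbom = json.loads(sbom_json)
    by_package = defaultdict(list)
    for adv in advisories:
        by_package[adv["package"]].append(adv)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # without a purl we cannot match reliably; skip rather than guess
        package, version = split_purl(purl)
        version = version or comp.get("version", "")
        for adv in by_package.get(package, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "component": comp["name"], "version": version,
                    "supplier": comp.get("supplier", {}).get("name", "unknown"),
                    "advisory": adv["id"], "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], 9), f["component"]))
    return findings


def actions_by_supplier(findings: List[dict]) -> Dict[str, List[str]]:
    """Group findings by supplier so each one can be asked for a concrete action."""
    out: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f["fixed_in"]:
            msg = (f"{f['component']}: upgrade {f['version']} -> {f['fixed_in']} "
                   f"({f['advisory']}, {f['severity']})")
        else:
            msg = (f"{f['component']} {f['version']}: no fixed release for "
                   f"{f['advisory']} ({f['severity']}); request mitigation or a timeline")
        out[f["supplier"]].append(msg)
    return dict(out)


if __name__ == "__main__":
    for supplier, items in actions_by_supplier(find_vulnerable(SBOM_JSON, ADVISORIES)).items():
        print(supplier)
        for item in items:
            print("  -", item)
```

Note that acme-logger 2.17.1 is not reported, because the advisory's affected range ends at the fixed version; the half-open range is what keeps a fully patched component from showing up as a false positive. The per-supplier grouping is the part that turns an internal inventory into something you can take to the supplier.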
Prediction 3: Software vulnerabilities are inevitable as more code is written.
New vulnerabilities are discovered daily, and CISA continuously adds newly exploited ones to its Known Exploited Vulnerabilities catalogue. According to the National Vulnerability Database (NVD), the number of new vulnerabilities reported in 2022 is 15% higher than in 2020, and the year is not yet over.
The increase in the number of vulnerabilities is inevitable due to the sheer amount of code being written each day. While nobody writes bad code on purpose, producing 100 percent secure code is very hard to achieve.
The industry, therefore, needs more openness around vulnerability reporting; the current ad-hoc bug bounty programs do not scale across all of the different sources and users of each piece of code. Instead, governments should provide support to create a worldwide bug bounty program that standardises this process and provides a centralised location for all reporting. The moves that the Biden Administration has made around open source software are a good starting point for this, and in 2023 this will continue to expand.
There is also a need to encourage software developers to follow best practices around application development. Embedding guidance such as the OWASP Top 10 and the OWASP Application Security Verification Standard into how developers write and check their code should already be standard practice; in 2023 it will grow in popularity.
Prediction 4: Machine Learning will be a prerequisite to combat SOC burnout and alert fatigue
Most attackers automate, and have done so for a long time, yet organisations have been reluctant to adopt the same tactics. Relying on manual forms of defence against automated attacks is like fighting a tank with a bow and arrow. Automation and Machine Learning can help: the technologies can speed up detection and remediation times, and they can also cut through alert noise.
The 2022 Devo SOC Performance Report shows that 71% of SOC professionals would likely quit their job because of burnout, a growing workload and the low morale caused by fighting constant close calls with adversaries. Alert de-duplication and suppression in EDR tools already remove some of the noise, but applying machine learning to triage would reduce it further, allowing security teams to focus on the higher-value tasks that they enjoy.
In 2023, analytics will play more of a role in how security teams manage attacks and levels of risk. Many teams will be happy to rely on the tooling that they are given and the signals they get back, but the best-performing teams will take the time to understand how the results they get come through to them. By knowing more about the theory and workings of security analytics, these teams will outperform. They will use tools to help them move faster, but they won’t rely on the tools alone to get their insights.
Using technology to weed out the irrelevant threats will allow teams to get back to the more “juicy” work by addressing the serious threats that they were trained to handle. When SOC teams are empowered to do the work they really want to do, job satisfaction should increase.
Prediction 5: Legislation against ransom payments is a step backwards, and will drive more breaches underground.
Ransom demands should never be paid. Evidence suggests that paying the ransom does not even guarantee that systems can be recovered. And yet, many organisations still choose to pay.
According to Gartner, 30% of nation-states will pass legislation restricting ransomware payments by 2025. These actions are well-intentioned but won't solve the problem. The focus should not be on penalising companies that have decided to pay; instead, it should be on mandating the right actions and measures that will help them never get to the point where they feel their only option is to pay.
Legislating against ransom payments will only drive breaches further underground and foster a culture of secrecy that the industry has already worked so hard to overcome. The industry and regulations need to shift towards enabling a culture of openness, transparency and support.