One firm argues with a “Yes”, and offers four other cybersecurity trends and predictions for readers’ analysis herein …

Here are five cybersecurity trends and predictions for 2023 which readers can hopefully benefit from exploring and monitoring.

The first trend: CISOs will be made more accountable, but they need the freedom to own their programs. Case in point: for covering up a data breach that took place in 2016, Uber’s ex-CISO was convicted this year.

The case has brought the role and responsibilities of the CISO under the spotlight, and it will lead to changes in 2023 for businesses in general — and for CISOs in particular. According to Gartner, by 2026, at least half of C-level executives will have cybersecurity risk performance requirements added into their employment contracts. This will make cybersecurity an issue that everyone across the business will concentrate on.

Yet CISOs can only be as effective as the power they are given, and despite their best efforts, attackers can still infiltrate a network through a simple phishing link clicked by an absent-minded employee. So, if CISOs are to become more accountable, they first need to have control over their own department’s finances and manpower. While many have a seat on the board, they do not yet have their own spending freedom. CISOs cannot be held accountable if they cannot take action and invest in solutions autonomously.

In 2023, there will be a big shift as CISOs will have to measure and report their performance in terms of managing business risk as well as protecting IT assets. Chief Revenue Officers and Chief Marketing Officers already have KPIs around performance requirements: CISOs will have the same.

Debashish Jyotiprakash, Vice President, Asia, Managing Director, India, Qualys

Four other trends/predictions
The next trend is that enterprises will need to take the lead to reduce their supply chain risks:

    1. Enterprises will need to take the lead to reduce supply chain risks
      In 2023 and beyond, supply chain attacks (through software development and other pathways) will still pose a significant risk to organizations.

      Third party tools and software components can be the weak points of any organization, and even enterprises with multi-billion dollar security budgets can still be brought to their knees by a breach within one of their suppliers.

      Organizations need to understand that their supply chain’s security posture is as important as their own, and that they need to support their suppliers to help them reach higher levels of protection.

      Not many firms have adopted this consultative and collaborative approach proactively — only choosing to get involved after an incident has occurred. Enterprises hold a massive amount of expertise, and they can share this with their key suppliers to benefit everyone over time. The only way to strengthen the weakest link is to act like a partner and share that expertise with the supply chain.

      To make this happen, more firms will adopt bill-of-materials management software to understand their components and track their vulnerabilities. However, this will not be a case of only looking internally: instead, enterprises can manage back into their suppliers and ensure that they are updating and mitigating potential issues. This will be a cost of doing business for software firms, going forward.

    2. Software vulnerabilities are inevitable as more code is written
      According to the National Vulnerability Database, 2022 had 15% more new reported vulnerabilities than in 2020, and we still have some time to go before the end of the year.

      The increase in the number of vulnerabilities is inevitable due to the sheer amount of code being written each day. While nobody writes bad code on purpose, producing 100% secure code is very hard to achieve.

      The industry therefore needs more openness around vulnerability reporting; the current ad hoc bug bounty programs are not fit for purpose when we consider all of the different sources and users of each piece of code.

      Instead, governments should provide support to create a worldwide bug bounty program that standardizes this process and provides a centralized location for all reporting.

      The moves that the Biden Government has made around open source software are a good starting point for this, and in 2023 this will continue to expand. Embedding frameworks like OWASP into how developers create and check their code should be standard practice, and this may yet grow in popularity.

    3. Combatting SOC burnout and alert fatigue with Machine Learning
      Facing burnout, growing workloads and the low morale that comes from constant close calls with adversaries, security operations center (SOC) teams need a reprieve.

      EDR alert cleaners help to reduce some noise, but implementing machine learning would reduce this further. This will allow SOC teams to focus on higher value tasks that they enjoy.

      Therefore, in 2023, analytics will play more of a role in how security teams manage attacks and levels of risk. Also, while many teams will be happy to rely on the tooling that they are given and the signals they get back, the best-performing teams will take the time to understand how their tools arrive at the results they present. By knowing more about the theory and workings of security analytics, such teams will outperform. They will use tools to help them move faster, but they will not rely on the tools alone to get their insights.

      When security ops center teams are empowered to do the work they really want to do, job satisfaction should increase.

    4. Legislation against ransom payments is a step backwards
      According to Gartner, 30% of nation states will pass legislation regulating against ransomware payments by 2025.

      These actions are well-intentioned but will not solve the problem of organizations choosing to meet ransom demands.

      The focus should not be on penalizing firms that decide to pay, but should be on mandating the right actions and measures that will help them never get to the point where they feel their only solution is to pay.

      Legislating against ransom payments will only drive breaches further underground and foster a culture of secrecy that the industry has already worked so hard to overcome. Industry and regulations need to work together to shift towards enabling a culture of openness, transparency and support.