With 2022 drawing to a close, Debashish Jyotiprakash, Vice President for Asia and Managing Director for India at Qualys, looks into his crystal ball to predict the following transformative technology trends for 2023.
Prediction #1: CISOs will be made more accountable (but they need the freedom to own their program)
Uber’s ex-CISO was convicted this year for covering up a breach that took place in 2016. The case brought the role and responsibilities of the CISO into the spotlight, and it will lead to changes in 2023 for businesses in general and for CISOs in particular.
According to Gartner, at least 50 percent of C-level executives will have cybersecurity risk performance requirements added into their employment contracts by 2026. This will make cyber security an issue that everyone across the business will concentrate on. Yet CISOs can only be as effective as the power they’re given, and even with great efforts hackers can still infiltrate a network with a simple phishing link clicked by an absent-minded employee.
If CISOs are to become more accountable, they first need to have control of their own finances and manpower. While many have a seat on the board, they don’t yet have their own spending freedom. CISOs can’t be held accountable if they can’t take action and invest in solutions autonomously.
In 2023, there will be a big shift as CISOs will have to measure and report their performance in terms of managing business risk as well as protecting IT assets. Chief Revenue Officers and Chief Marketing Officers already have KPIs around performance requirements, CISOs will have the same.
Prediction #2: Enterprises need to take the lead to reduce their supply chain risk
Supply chain security will still pose a significant risk to organizations in 2023, and far beyond. Third party tools and software components can be the weak points of any organization, and even enterprises with multi-billion dollar security budgets can still be brought to their knees by a breach within one of their suppliers.
Organizations need to understand that their supply chain’s security posture is as important as their own, and that they need to support their suppliers to help them reach higher levels of protection. Not many companies have adopted this consultative and collaborative approach pro-actively, only choosing to get involved after an incident has occurred. Enterprises hold a massive amount of expertise, and they can share this with their key suppliers to benefit everyone over time. The only way to strengthen the weakest link is to act like a partner and share that expertise with the supply chain.
To make this happen, more companies will adopt software bill of materials to understand their components and track their vulnerabilities. However, this won’t be a case of only looking internally – instead, enterprises can manage back into their suppliers and ensure that they are updating and mitigating potential issues. This will be a cost of doing business for software companies going forward.
Prediction #3: Software vulnerabilities are inevitable as more code is written
New vulnerabilities are discovered daily, and CISA is continuously adding new ones to its catalogue. According to the National Vulnerability Database (NVD), the number of new vulnerabilities reported in 2022 is 15 percent higher than in 2020, and we still have some time to go before the end of the year.
The increase in the number of vulnerabilities is inevitable due to the sheer amount of code being written each day. While nobody writes bad code on purpose, producing 100 percent secure code is very hard to achieve.
The industry therefore needs more openness around vulnerability reporting; the current ad-hoc bug bounty programs are not functional when we consider all of the different sources and users of each piece of code. Instead, governments should provide support to create a worldwide bug bounty program that standardizes this process and provides a centralized location for all reporting. The moves that the Biden Government has made around open source software are a good starting point for this, and in 2023 this will continue to expand.
There is also a need to encourage software developers to follow best practices around application development. Embedding frameworks like OWASP into how developers create and check their code should be done as standard, but this will grow in popularity.
Prediction #4: Machine learning will be a prerequisite to combat SOC burnout and alert fatigue
Most attackers automate, and have done so for a long time, yet organizations have been reluctant to adopt the same tactics. This reliance on manual forms of defense against automated attacks is like fighting against a tank with a bow and arrow. Automation and machine learning can help – the technologies can speed up detection and remediation times, but also to cut through all alert noise.
The 2022 Devo SOC performance report shows 71 percent of SOC professionals would likely quit their job because of burnout, growing workload and the low morale caused by fighting against constant close calls from adversaries. EDR alert cleaners help to reduce some noise, but implementing machine learning would reduce this further. This allows security teams to focus on higher value tasks that they enjoy.
In 2023, analytics will play more of a role in how security teams manage attacks and levels of risk. Many teams will be happy to rely on the tooling that they are given and the signals they get back, but the best-performing teams will take the time to understand how the results they get come through to them. By knowing more about the theory and workings of security analytics, these teams will outperform. They will use tools to help them move faster, but they won’t rely on the tools alone to get their insights.
Using technology to weed out the irrelevant threats will allow teams to get back to the more “juicy” work by addressing the serious threats that they were trained to handle. When SOC teams are empowered to do the work they really want to do, job satisfaction should increase.
Prediction #5: Legislation against ransom payments is a step backwards, and will drive more breaches underground
Ransom demands should never be paid. Evidence suggests that paying the ransom doesn’t even mean systems can be recovered. And yet, many organizations still choose to pay.
According to Gartner, 30 percent of nation states will pass legislation regulating against ransomware payments by 2025. These actions are well-intentioned but won’t solve the problem. The focus should not be on penalizing companies that have decided to pay, instead, it should be on mandating the right actions and measures that will help them never get to the point where they feel their only solution is to pay.
Legislating against ransom payments will only drive breaches further underground and foster a culture of secrecy that the industry has already worked so hard to overcome. The industry and regulations need to shift towards enabling a culture of openness, transparency and support.
