By Christian Have
As 2023 closes in, it’s time to make our predictions for the cybersecurity market. We expect that CISOs will face daunting challenges amidst global economic uncertainty and comprehensive new cybersecurity legislation focusing more on the cybersecurity practices of businesses and organizations. It’ll force them to overcome the last frontier – bridging the gap between technical cybersecurity professionals and the C-suite. The latter now care about cybersecurity. CISOs need to improve communication, so everyone understands the cyber issues and what’s being done about them.
Here are 5 things we expect for 2023:
The CISO caught between a rock and a hard place
With NIS2 going into effect as the global economic outlook worsens, we see CISOs in a tough spot in 2023. On the one hand, NIS2 demands organizations strengthen security requirements, introducing personal accountability of top management and expensive sanctions for non-compliance. As a result, the C-suite must be able to challenge the cybersecurity staff to cover their own backs. On the other hand, a looming recession will make the C-suite eager to save costs where possible, and CISOs must be able to justify their cybersecurity spending.
In essence, NIS2 and the economic outlook will drive a fundamental need for transparency and a shared understanding of the risk and the actual cybersecurity performance – with top management and the board as bannermen. The CISOs who can measure cyber risk and the effectiveness of the cybersecurity setup in a way that is meaningful to both the C-suite and the technical staff will win.
End-to-end technology leads the CISO out of the dark
Cybersecurity teams manage a growing portfolio of security technologies. Measuring the efficacy of the controls these technologies are expected to deliver is an inherently difficult undertaking for security teams as well as the company leadership. Adding to the difficulty, providing confidence of coverage is increasingly tricky: cloud-based services, IoT (Internet of Things) environments and increased autonomy of line functions to design and implement semi-shadow IT all change the topology of the network and the classical understanding of the cybersecurity coverage that falls under the CISO’s domain.
Put bluntly: The attacker doesn’t care about what’s in the scope of your security controls.
Breach and attack simulation (BAS) software can run automated, controlled attacks to identify vulnerabilities before they’re exploited. Converging BAS with detection, endpoint protection, and attack surface management can lead the CISO out of the dark in 2023, uncovering broken processes and shadow IT. It’ll be a game-changer, empowering CISOs to prove to the C-suite that their cybersecurity approach and investments are appropriate and guide the security staff to genuinely bolster security.
Security teams embrace automation
In 2023, we expect that security teams will start taking advantage of automation – especially in the mid-market, where they struggle with many alerts. We are seeing advances in AI to allow the fusion of weaker signals into high-value cases and prioritize investigation and response efforts accordingly. The point here is that independently observed “alerts” or weaker signals won’t be acted on. They serve as context, or indicators in larger cases, eliminating much of the time waste associated with false positives.
We also see the ability to assess automation components by meta-analysis emerging. It’ll enable CISOs to measure the effectiveness of security controls compared to other organizations and evaluate the maturity of capabilities spanning processes as well as technologies. The meta-analysis will help drive the CISO’s agenda with the C-suite to make the right decisions, e.g., outsourcing security operations to a Managed Detection and Response (MDR) provider. In addition, CISOs can standardize how they evaluate technology and determine opportunities to reduce costs by using meta-analysis as a benchmarking function. It’ll make it easier for CISOs to report to the C-suite about general cybersecurity performance.
Cybersecurity technology will protect business-critical systems
We see CISOs empowered to address the security limitations of business-critical systems such as SAP, Oracle, and Salesforce in 2023. We are observing that the “classical cybersecurity” paradigms and ways of thinking are yet to fully materialize in how the owners of business-critical applications are evaluating risks and threats. In 2023, CISOs will be able to extend the often hard-earned expertise of protecting infrastructure and applications to include, e.g., ERP and CRM. By including these systems in analytics and response platforms, workflows, playbooks, and policy enforcement capabilities can be implemented, opening new doors for business opportunities. Imagine being able to adjust the ERP authorizations of suppliers or other third parties in real time based on their behavior and current observed threats.
With continuous monitoring across the IT landscape, CISOs will gain unparalleled visibility. And automated controls processed in real time will empower them to spot and respond to fraudulent activity and security breaches immediately, before the suspicious activity proceeds too far. Applying cybersecurity technologies to business-critical systems will enable the CISO to ensure that invaluable information, such as intellectual property and data about customers, suppliers, and employees, will stay protected and that the organization complies with regulations.
The XDR bubble will burst
In 2022, Extended Detection and Response (XDR) reached the “peak of inflated expectations” on Gartner’s Hype Cycle for Security Operations. In 2023, we expect CISOs to become increasingly skeptical of XDR, moving XDR towards the “trough of disillusionment.” CISOs will learn that XDR doesn’t solve all their cybersecurity problems and cannot stand alone. Even though mid-tier enterprises might still consider XDR to cover specific use cases, they’ll soon recognize the need for a broader foundation.
Organizations need the data collected and analyzed in a SIEM to demonstrate compliance and the evidence material required to investigate security breaches. They need UEBA and SOAR to prioritize incidents and augment strained security teams. And they need coverage across the entire systems landscape, including business-critical applications, to avoid blind spots. Converging detection, endpoint protection, breach and attack simulation, and attack surface management tools is necessary for CISOs to drive better decisions and investments and develop fruitful conversations with the C-suite. Mid-sized enterprises will increasingly turn to MDR providers if they lack the resources to manage the setup on their own.
2023 is the year CISOs will be empowered – and forced – to address cybersecurity from a business perspective
Adversaries don’t care about risk assessments, nor does the stock market. CISOs must ensure that the organization can protect against real threats and prove it to the C-suite, demanding more cybersecurity than ever due to the NIS2 directive and grim economic outlooks. Through the convergence of tools like SIEM, SOAR, UEBA, and Business-Critical Security solutions, CISOs can gain complete insights into security posture and performance, empowering them to address cybersecurity from a business-value perspective and protect the business appropriately.