“It’s tough to make predictions, especially about the future,” quipped baseball legend Yogi Berra, in one of his most-repeated sayings.
It’s doubly tough when some of the highest-stakes stories of 2022 were entirely predictable, such as software supply chain and firmware attacks. But who could have predicted just how shaky the economy would become after the outbreak of the war in Ukraine, or the heavy fallout for CISOs from the Uber verdict?
With this look-ahead article, we asked security experts to take an educated guess about the most important trends for 2023. These are the issues every CISO should be on top of.
SBOM mandates move to center stage
Ready or not, software bills of materials (SBOMs) will ratchet up a notch in urgency this year. While much of that push will originate with private enterprises, which are beginning to require SBOMs from their software suppliers, perhaps the most significant pressure will come from the federal government. U.S. agencies and departments must assure that vendors adhere to secure software development practices and provide SBOMs when handling the most critical data.
There’s near-universal agreement that the standard elements of SBOMs hold the most potential to improve transparency in the software applications and components in use within organizations. Still, debate has broken out about whether the standards are ready for widespread use.
That debate escalated last November when the Information Technology Industry Council, a technology industry trade group comprised of many tech giants, argued in an open letter that more time is needed for SBOMs to mature before they can be used at scale. “Given the current level of immaturity, we believe that SBOMs are not suitable contract requirements yet,” the group said in its letter.
Congress is also exploring a requirement that government contractors provide SBOMs. For example, the Senate’s 2023 National Defense Authorization Act aims to require SBOMs for all noncommercial software created for or acquired by the Department of Defense.
Ultimately, some experts expect SBOMs to be rapidly adopted, despite industry protests. “The technology is there to implement and automate SBOMs,” says John Pescatore, director of emerging security trends at SANS Institute.
Pressure builds for data governance and privacy
Increased security and privacy mandates have caught the attention of business leaders. “Security and privacy are part of all technology decisions organizations make today,” says Pescatore. “How data is protected is going to become increasingly part of the discussion.”
Gartner analyst Anthony Carpino also predicts organizations will try to better govern their unstructured data and improve privacy compliance within data warehouses and analytics pipelines. “Organizations must focus on overlaying their core security architecture with a data-centric view,” he says.
Leaders should also expect expanded data privacy laws. For example, the few remaining business-to-business exemptions within the California Privacy Rights Act (CPRA) expired on January 1, 2023. The act now covers employee data, including data collected in job applications and data on past and current employees and contractors. California isn’t the only state making such moves: Virginia is moving ahead with a bill known as the Virginia Consumer Data Privacy Act (VCDPA).
Vendor consolidation accelerates
Predictions of significant security vendor consolidation abound. Observers predict a fallout from a slump in available investment capital and a decline in acquisitions from larger tech companies with solid balance sheets that strategically snap up security vendors to extend their capabilities.
Cybersecurity investment was cooling as 2022 came to a close, with valuations down sharply, Momentum Cyber found. But Andy Ellis, operating partner at cybersecurity VC firm YL Ventures, doesn’t believe consolidation will be a huge factor. “We regularly experience ebbs and flows in the cybersecurity market,” he says. “When the network was the center of security, we experienced consolidation around the biggest players. But there still existed upwards of 50 firewall vendors. The niche vendors are where we witnessed the innovation.”
The experts we surveyed suggested that security teams inventory their current security vendors and assess their performance against agreed-upon goals. Organizations should then align the high performers with the key objectives of the security program and develop plans to replace or work without vendors at risk of consolidation. “Even if you don’t experience consolidation, you’ll also identify vendors you can likely live without,” says Andrew Storms, VP of security at platform provider Replicated.
The rise of the “security experience”
Demands will grow in 2023 to improve how users actually experience security tools and policies, says Jonathan Feldman, chief information officer of Wake County, North Carolina. He says the ways that organizations talk about the customer and employee experience will very soon extend to the security experience.
“We cannot continue with security as something that occurs in a vacuum, without measuring or without finding out how it impacts people in their everyday work,” he says. “Everyone has a stake in not getting ransomware. Everyone has a stake in not having a big attack succeed.”
According to an Ernst & Young survey, 83% of U.S. employees understand their employer’s cybersecurity protocols. But younger generations in the workplace may be harder to reach. Gen Z and millennial workers are the least likely to prioritize or adhere to policies, the survey found.
Over the year ahead, Feldman advises organizations to focus on what they can do to improve the security experience. That could mean embracing single sign-on or passwordless access. It could also mean moving to zero-trust processes, rather than forcing cumbersome virtual private networks (VPNs) on employees. Ultimately, improving the security experience requires making security a natural part of the workflow, not a hurdle.
Authentication goes passwordless
Usernames and passwords are security mechanisms that only a criminal could love. No one likes having to remember them, enter them, or get reminded to change them—and security professionals know that passwords are one of the least dependable security controls available.
Criminals appreciate passwords because employees reuse them repeatedly. People choose passwords that are too easy to create and, therefore, easy to guess. But thanks to events last year, the concept of authenticating without passwords, or “passwordless” security, is expected to increasingly catch on. While the extinction of the password has been predicted for more than two decades now, it appears the technology and the motivation are finally aligned to at last place passwords on the endangered technologies list.
The transition stems in part from FIDO2 authentication specifications, which are based on public key cryptography and international standards. Apple, Google, and Microsoft announced last May that they would support FIDO2 to enable passwordless authentication across devices. The tech giants believe passwordless will better protect against phishing attacks and stolen passwords. The market seems to agree: The research firm MarketsandMarkets estimates the global passwordless authentication market reached a value of $6.6 billion last year, and will continue to grow at an annual rate of 26% through 2027.
“We haven’t been able to raise the cost of attack for 20 years,” says Pescatore of the SANS Institute. “But if we can get rid of passwords, that will knock many of the not-so-smart attackers out of the picture.”
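The phishing resistance that the FIDO2 backers cite comes from the public-key design itself: each credential is scoped to a relying-party ID, and the browser, not the user, records which origin the challenge was signed for. The following Go simulation is an added example, not code from this article or from the FIDO Alliance; the type and function names (Authenticator, Register, Sign, Verify) and the sample sites bank.example and the look-alike bank-login.example are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors the two fields of WebAuthn's collectedClientData that matter here:
// the relying party's challenge and the origin the user is actually visiting.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator keeps one key pair per relying-party ID, as a FIDO2 authenticator does.
type Authenticator map[string]ed25519.PrivateKey

// Register creates a credential scoped to rpID and returns the public key the site stores.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = priv
	return pub
}

// signedData is what the authenticator signs: SHA-256(rpID) || SHA-256(clientDataJSON).
func signedData(rpID string, clientJSON []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	cdh := sha256.Sum256(clientJSON)
	return append(rp[:], cdh[:]...)
}

// Sign produces an assertion. The bool is false when no credential exists for rpID, which is
// what a look-alike domain gets: the browser derives rpID from the real origin, so the
// credential registered for bank.example is never even offered to bank-login.example.
func (a Authenticator) Sign(rpID string, cd clientData) ([]byte, []byte, bool) {
	priv, found := a[rpID]
	if !found {
		return nil, nil, false
	}
	clientJSON, _ := json.Marshal(cd)
	return clientJSON, ed25519.Sign(priv, signedData(rpID, clientJSON)), true
}

// Verify is the relying party's check: the challenge it issued, its own origin, valid signature.
func Verify(pub ed25519.PublicKey, rpID, origin, challenge string, clientJSON, sig []byte) bool {
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil || cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	return ed25519.Verify(pub, signedData(rpID, clientJSON), sig)
}
```

A relayed assertion fails twice over: the look-alike site has no credential to present, and even a signature over the right challenge is rejected when the recorded origin is not the relying party's own.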
Trends like these are indicative of the many uncertainties, both unknown and known, that CISOs will need to navigate over the year ahead. Those who are prepared can rest assured they will fare much better against the risks looming on the horizon.