2022 was a pivotal year in the cyberthreat landscape. With the Russia-Ukraine war emboldening nation-state hackers and professional cybercriminals alike, organizations are under increasing pressure to optimize their security operations just to keep up.
Securing the software supply chain and the open-source software ecosystem, implementing zero trust, and educating employees about the risks of social engineering and phishing attempts are just some of the areas that CISOs are evaluating to mitigate potential risks.
VentureBeat recently asked CISOs from some of the top global organizations to outline their security priorities and predictions for 2023. Below are their responses (edited for length and style):
Federal emphasis on protecting national technical infrastructure against malicious activity will grow in 2023. In the year ahead, I expect to see the Biden Administration implement a consistent stream of policies following the 2021 Executive Order on Improving the Nation’s Cybersecurity and the 2022 National Security Memorandum.
While public/private sector collaboration has recently grown, there must be deeper coordination between agencies and Big Tech organizations. It is reasonable to expect that the government may implement more safeguarded checkpoints between agencies and Big Tech organizations.
It is reasonable to expect that the government may implement more safeguarded checkpoints for organizations to reflect on their progress for meeting regulatory requirements. As these are implemented, we can expect to see increased knowledge-sharing between public and private organizations, heightening transparency and protection around today’s biggest threats.
Malicious behavior will get worse before it gets better — and investments in technological infrastructure will rise in response. The increased malicious activity we saw in 2022 is no surprise — and will only continue to grow in 2023. My outlook long-term is optimistic, but short-term pessimistic, and I expect organizational approaches in the coming year to continue to be more cautious, especially as public and private organizations are still figuring out how to contain the growing number of cyberthreats.
In 2023, we can expect to see increased investment in IT modernization, especially as malicious activity continues to rise in sophistication. With a modernized IT environment, security will become a “built-in” element of infrastructures instead of an “add-on,” so even with short-term challenges, the long-term benefits of IT modernization are paramount and key to mitigating evolving cyberthreats.
AWS builds security services by working backward from customer problems, and we see a common thread among our customers — that security starts not only with using the best security tooling, but also building a culture of security.
Looking to 2023, AWS will continue innovating new services that solve customer problems and also help our customers prioritize building a security-first mindset based on what we’ve learned:
Educating everyone about security — no matter their role or job title — is critical to operating securely. This includes everyone from software developers to customer representatives to the C-suite.
Sharing a common language to talk about security means proactively educating everyone on security best practices, expectations and risks. When people are educated on security, they are empowered to make better decisions that result in positive security outcomes and better customer experiences.
Education is just the beginning. Building a security-first culture aligns knowledge with behaviors. In a security-first culture, developers think about securing before writing a line of code. Product managers think about security before architecting a new product or service. And C-suite decision-makers think about how security risks can impact the bottom line. Most importantly, a security-first culture enables all of them to think about how crucial security is for their customer experiences and why proper investment in security is business critical.
Attracting the best talent from diverse backgrounds and developing security leaders reinforces a security-first culture. Employees today expect companies to provide clear career paths, upskilling opportunities and leadership development.
Advancing talent through mentorship, apprenticeship programs and certification opportunities builds an inclusive and collaborative environment that improves businesses and provides more value to customers.
Making security in the builder experience as frictionless as possible maximizes the value of teams. Shifting left — embedding security as early as possible in the product development life cycle — leads to a better builder experience and more secure outcomes.
Automating as much as possible also helps builders focus on solving high-value problems for customers. Technologies like automated reasoning and machine learning not only save time for builders, but can also quickly surface unknown security risks to help organizations better protect their infrastructure, applications and customers.
Invest in a dynamic workforce. The past two years have shown us that people want flexibility and choice in where they work. Securing the tools and environments employees use to work — no matter where they are located — helps keep organizations safe. But just like the builder experience, securing for all employees should be easy, frictionless and as automated as possible.
Together, these priorities can help organizations improve their security posture by focusing on people and the culture within their teams. Using the best security tooling helps build a foundation for secure operations.
But raising the bar on securing means building pillars on that foundation where security-minded people are empowered and can operate in a culture where security comes first in everything they do through education, professional development, and making security as easy as possible for everyone.
As security professionals, it’s not enough to forecast what’s coming in 2023. We need to look five to 10 years down the road and prepare for these threats, because if you’re playing catchup, you’re leaving yourself vulnerable to attackers.
At Microsoft, we had to see the cloud coming and plan for it way before we were ready to migrate. We had to see passwords fail and plan for it. And now we have to anticipate the ways MFA might be vulnerable and plan for those. You have to think like a hacker.
As we prepare for 2023, my teams — and other CISOs I talk to — are focused on adapting to the developing threat landscape, as ransomware and disruptive attacks on enterprises and critical infrastructure are multiplying and not letting up anytime soon.
With the attack surface becoming exponentially more complex and dispersed, it’s even more important to focus on attack surface management to find and fix high-priority vulnerabilities, as well as threat detection and response within enterprise environments — finding and stopping attackers quickly, before they can achieve their objectives.
The events of the past two years have also been a stark reminder of how much our security depends on the security of others — supply chains, partners, open source. This remains an important area of focus.
Looking forward, we’re on the precipice of some very novel AI [artificial intelligence] innovations which hold huge potential in the cyberdefense space. We’re working closely with our colleagues within IBM Research and IBM Security to explore completely novel AI use-cases which go well beyond those being put into practice today.
Given recent and past cyberattacks like we’ve seen with SolarWinds, Okta and others, a key priority for security teams will be to better understand their organization’s vulnerability at the intersection between the technical aspects of their security postures and the human ones. Both present vulnerabilities, and malicious actors increasingly focus on exploiting the inflection points where technology and people intersect.
To address any technical weak points, I believe more organizations will need to start developing security in the open, which enables security practitioners to see the underlying code of a product and understand how it works in their environment. This will help security teams identify potential blind spots and address gaps in their security technology stack while developing risk profiles for new and emerging threats.
The human aspect of security is slightly more nuanced because it is less predictable. Certain factors like the pandemic and remote work environments have led to people connecting to and interacting with technology more than ever before, but this doesn’t necessarily make them more security-aware.
Producing a software bill of materials (SBOM) will be top of mind for companies providing software to the U.S. government in accordance with President Biden’s Executive Order 14028, as they manage the details and navigate the implications of these new requirements.
Highly visible attacks on the software supply chain start with access to the weakest link. As we head into a new year, it’s important for businesses of all sizes to be engaged as new secure software development practices are defined.
Leaders in the security space will also be focused on closing their cybersecurity skills shortage. In the face of a talent pipeline in desperate need of a turbocharge, adopting a prevention-first approach to cybersecurity is ultimately one of the best ways businesses can guard against malicious actors as we continue to see a growing gap between threats faced and front-line security workers available to handle them.
Over the last few years, we’ve seen every organization become a digital business. This significant increase in organizations’ digital presence unsurprisingly has led to bad actors taking advantage of insecure software supply chains.
The Log4j attack showed us just how detrimental these attacks can be, where a vulnerable codebase can impact thousands of companies. These types of attacks will not go away and will increase exponentially over the coming years.
Gartner predicts that “by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.”
It’s paramount to ensure that not only your own organization’s software supply chain is secure, but also [those of] the companies you do business with. A top priority for every CISO needs to include proper security of every codebase, application and third party the organization uses.
When looking at 2023, my priorities are not necessarily focused on the newest trends of the day, but continuing to get cybersecurity fundamentals right. We must execute the basics with brilliance because threat actors commonly use these weaknesses to enter, navigate and compromise environments.
If fundamental processes are not sound, then those will be the first to fail. We’re continuously making sure our basic blocking and tackling is working so we are best positioned to stay ahead of evolving threats.
For many companies, mastering the fundamentals is hindered by the industry gap in cybersecurity talent. There are fewer people in the available workforce pool with the right cybersecurity skills needed to protect, detect, respond to and recover from cyberthreats. That’s why it’s important to uplift my team and provide continuous training and education, while supporting their career paths and interests.
As cyberattacks continue to affect organizations everywhere, leaders should continue investing in cybersecurity talent and focus on cybersecurity fundamentals. Although there are new and exciting technologies that are aimed at solving different attack vectors, focusing on successfully executing the fundamentals of cybersecurity remains the most effective strategy.
The Verizon Data Breach Investigations Report and other security incident-reporting have shown that most successful attacks involve the use of credentials or exploiting a software vulnerability that already has a security patch available. This means that most organizations are still not executing on the fundamentals of secure credential handling and patch/vulnerability management.
To ensure these essential activities are being done, it takes hardworking team members to focus on security. Whether it’s teams on the vendor side or in-house experts, having the right team in play should be a priority for all companies.
As a tech company we are faced with the important responsibility of ensuring that what we build and how we build is safe for our company and for the customers we service. We pride ourselves on the trust our customers place in us and work hard to build security into everything we do.
Like most companies, we have to maximize security resources and investments, so shifting left in our security and building secure products up front is important. Doing so lets us find weaknesses early and allows for quicker, more efficient remediation, thereby reducing MTTR and driving down costs.
We leverage our expertise in security and engineering to build tools that are safe, trustworthy and reliable, and we utilize our own platform to ensure that not only do we have a great understanding of our own dynamic attack surface, but that we are regularly and reliably testing our apps, machines and cloud instances in order to manage risk in a proactive way and stay ahead of attackers.
In 2023, CISOs need to focus on how they can defend and protect employees beyond the walls of corporate systems. More and more, we’re seeing attackers target employees in social engineering scams that originate on their personal networks — through LinkedIn, SMS text or their personal email account — with the ultimate goal of compromising the workplace.
For example, if an employee’s laptop is compromised, the attacker can often gain access to the personal email of the employee to then attempt to social engineer their employer’s IT team into giving them access.
Attackers don’t respect work-life boundaries, so we need to continue investing in security programs that support and enable our employees in their personal lives while still maintaining the right balance and boundaries.
It’s clear that security needs to extend outside of corporate walls, but there’s an important balance that CISOs and security leaders need to strike. How do we support employees not just at work but in their personal lives, while still respecting boundaries with their personal devices and accounts? How do you address that there will always be employee devices that you don’t own and control?
Nearly every CISO that I’ve had a conversation with lately has had the same top-of-mind priority: the simplification of security operations. They are being forced to simplify security, as budgets consolidate and the tech stack becomes too complex for long-term sustainability. Here are a few areas I recommend evaluating first:
Security’s greatest enemy is complexity. Therefore, the first area to focus on is the simplification of processes. In many cases, there are too many security controls in place without thinking about the resulting friction it puts on the business at large. By simplifying processes, you also eliminate a few of the unnecessary controls.
Push-based MFA was seen as the anodyne to lessen the user-experience burden when it came to using vaults and a variety of software and hardware authenticator apps with TOTP. However, it has been shown to be a weak implementation of MFA, much as SMS has become, due to social engineering attacks.
For 2023, investment in and in-depth analysis of how and where MFA is implemented need to be undertaken, primarily to implement MFA that presents a challenge, captures log details and has risk-based policy controls to prevent MFA spam attacks from taking hold.
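The log-capture and risk-based policy controls called for above, as an added example that is not from the article or any vendor product: it runs push-fatigue detection over constructed authentication log lines (the field names, users and addresses are made up) and maps each finding to a response action.

```python
"""Detect MFA push-fatigue ("MFA spam") in authentication logs.

Added example, not from the article or any vendor. The log format, field
names, users and addresses below are constructed for this demonstration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: alice is bombarded with pushes and finally approves one;
# bob is a normal single-prompt login.
SAMPLE_LOG = """\
2022-11-14T08:01:05Z user=alice event=push_sent src_ip=203.0.113.5
2022-11-14T08:01:20Z user=alice event=push_denied src_ip=203.0.113.5
2022-11-14T08:01:35Z user=alice event=push_sent src_ip=203.0.113.5
2022-11-14T08:01:50Z user=alice event=push_denied src_ip=203.0.113.5
2022-11-14T08:02:05Z user=alice event=push_sent src_ip=203.0.113.5
2022-11-14T08:02:11Z user=alice event=push_denied src_ip=203.0.113.5
2022-11-14T08:02:40Z user=alice event=push_sent src_ip=203.0.113.5
2022-11-14T08:02:55Z user=alice event=push_approved src_ip=203.0.113.5
2022-11-14T08:10:00Z user=bob event=push_sent src_ip=198.51.100.7
2022-11-14T08:10:09Z user=bob event=push_approved src_ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src_ip=(?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str                 # "prompt_flood" or "approval_after_denials"
    prompts_in_window: int
    denials_before_approval: int
    src_ips: tuple


def parse_line(line):
    """Return (timestamp, user, event, ip), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["event"], m["ip"]


def detect_push_fatigue(log_text, window=timedelta(minutes=5), max_prompts=3):
    """Flag (a) users who receive more than max_prompts pushes inside `window`
    and (b) any approval that follows two or more consecutive denials, the
    'approve it to make it stop' outcome the attacker is counting on."""
    recent = defaultdict(deque)      # user -> push_sent timestamps inside window
    denial_streak = defaultdict(int)
    ips = defaultdict(set)
    flooded = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, event, ip = rec
        ips[user].add(ip)
        if event == "push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) > max_prompts and user not in flooded:
                flooded.add(user)
                findings.append(Finding(user, "prompt_flood", len(q),
                                        denial_streak[user], tuple(sorted(ips[user]))))
        elif event == "push_denied":
            denial_streak[user] += 1
        elif event == "push_approved":
            if denial_streak[user] >= 2:
                findings.append(Finding(user, "approval_after_denials", len(recent[user]),
                                        denial_streak[user], tuple(sorted(ips[user]))))
            denial_streak[user] = 0
    return findings


def policy_action(finding):
    """Risk-based response: a flood alone gets push disabled and a phishing-resistant
    factor required; an approval after denials means the account may already be
    compromised, so sessions are revoked and the event investigated."""
    if finding.reason == "approval_after_denials":
        return "revoke_sessions_and_investigate"
    return "suspend_push_require_webauthn"
```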
Usernames and passwords for personal social media accounts continue to make up a large portion of breached data dumps. 2023 will see a rise in more targeted account-takeover attempts with these leaked credentials, including corporate accounts.
We noticed an uptick in unauthorized access attempts and trolling on our own corporate accounts when we shared resources related to CISA’s Shields Up guidance. I think this targeting of accounts sharing guidance for organizations around geopolitical cyber events will increase into 2023.
With ransomware still the number one threat to the safety of company data, CISOs should prioritize enhancing security monitoring capabilities and building up defenses.
Another priority is security analytics. Traditional, rule-based security information and event management (SIEM) is no longer sufficient given the scale and speed of real-time threats. Preparing for 2023, CISOs should integrate data analytics into security monitoring and alert analysis.
The lingering questions of “Have we done all that we can to protect ourselves and our customers, and are there additional measures we can adopt?” really keep me up at night. The truth is, we have implemented a number of security measures and we will continue to evaluate these measures for adequacy.
Each year, cyberattackers innovate to increase their capability and capacity to conduct attacks.
With cybercriminals incentivized by monetary gain and nation-states driven by geopolitical tensions and the possibility for intelligence gathering and causing major disruption for adversaries, the attack surface faced by organizations globally continues to widen. The CISOs of global businesses must contend with this backdrop in every cybersecurity decision.
In an inflationary environment with global economic slowdowns, CISOs are going to be faced with several difficult choices around how they build an effective security program given increasing budget constraints.
Many will be unable to invest in large security teams capable of manually operating security functions and will have to look to AI as a force multiplier. Obtaining comprehensive AI-powered security solutions, incorporating outsourced services that are additive to the cybersecurity program, and retaining key security talent will be primary objectives for the CISO in 2023.
As we approach 2023, I believe that our current method of addressing the evolving threat landscape with a controls-centric focus remains inefficient and that we must find or make a way to develop the security acumen of our most critical asset: the humans (people network) in our organizations.
The security organization maintains numerous technology-centric functions to identify structural weakness and protect the organization, while providing support to the people-centric functions of detection, response and recovery associated with adversarial impact.
Deploying phishing-resistant multifactor authentication at scale — and managing the inevitable gaps: Incidents throughout 2022 have underscored the need to move away from SMS, TOTP and push-based multifactor authentication (MFA).
Phishing-resistant FIDO2 Web Authentication (WebAuthn) is more accessible than ever — with hardware tokens, built-in hardware like TouchID and Windows Hello, and the recent release of PassKeys — but organizations will struggle with in-house and vendor systems that provide inconsistent or incomplete support for these mechanisms.
The long tail of incompatible systems will force many organizations to continue supporting pockets of their environment with insecure MFA methods for many years to come.
GoTo is dedicated to monitoring and continuously improving our security, technical, and organizational measures to protect our customers’ sensitive information.
In addition to our SOC and SOC 3 compliance, we’re executing a security-by-design approach working on administrative safeguards, least privileges and identity access management (IAM), enhanced multifactor authentication (MFA), zero trust, asset management and automated capabilities, which also will continue to be a priority in the year ahead.
With the average cost of data breaches [at] an all-time high, businesses need to take every precaution to protect themselves from outside attack or malicious users, and a security-by-design model is an effective way to leave no doubt.
We have recently seen several high-profile attacks that have exploited MFA implementations that remain susceptible to social engineering. MFA is not a panacea, particularly if users can still be tricked into giving up the MFA token to an attacker.
In 2023, we should see efforts to make users aware of these attacks and improvements in MFA implementations to make them more phishing resistant.
To borrow Richard Danzig’s analogy, we are on a diet of poisoned fruit with respect to our software supply chain. This poison is not going to go away, so we will need to learn how to survive and thrive under these conditions.
Being aware of the risks (through efforts such as SBOMs) and managing the risks (through compensating controls such as egress filtering) will be a priority in 2023 and the foreseeable future.
It is the 2023 planning season, and much of the focus has been on which security tools CISOs should invest in next year. Instead of prioritizing security tooling, CISOs should prioritize alignment to 2023 business objectives.
What does the business plan to do next year? Is the company going to release a new product that will generate significant revenue needed to achieve revenue goals? Is the company going to expand into a new geography?
CISOs should understand the company’s strategic objectives for next year and look for ways to minimize risk and enable business initiatives. Business risks should also drive the CISO’s 2023 priorities. SEC Form 10-Ks are excellent resources that outline the key risks to the business.
I have one priority for 2023 — to be data-driven for risk-making decisions. My commitment starting fiscal year 2023 is to be data-driven with quantitative risk-management practices.
That means providing the business units with a dashboard and trending metrics to the state of assets, vulnerabilities and threats that comprise their attack surface.
From this, we can continually score threat likelihood and business impact to make informed decisions on where to best focus resources.
Making this happen requires a tightly integrated security stack that shares data into a single aggregated data lake to threat model and answer questions.
To paraphrase in buzzwords/market lingo:
Risk quantification is my main priority for 2023 because it’s essential to securing funding on all my security initiatives. And as most CISOs are acutely aware, new security spend isn’t easy to come by.
In order to fund anything, CISOs must be able to quantify the potential risk in dollars. While it’s often more achievable to quantify the material impact of losing an application for a day, or even a ransomware attack, it’s much harder to quantify the probability of that impact occurring.
In 2023, I want to improve our quantification capabilities so we can demonstrate to leadership the continuum between risk and dollars. For example, if you accept this amount of risk, it costs this amount. If you’re willing to accept more risk, you pay less. Risk quantification has the potential to advance the clarity in our communication with the business.
CISOs will be looking for ways to bolster the security department’s impact in an unsteady economic climate, without substantial additional cost or investment. One tangible element of that is developing partnerships within the organization.
When CISOs and security teams are able to spearhead partnerships with other departments, it can reduce the overall cost of securing the organization — whether working with HR on company-wide security awareness efforts, training development teams in security, or partnering with marketing to make security a business differentiator.
Cybersecurity approaches will become tomorrow’s law: CISOs must actively engage with state and federal officials to educate policymakers and lawmakers on business and data security requirements to positively impact the way new regulations are written.
More importantly, as different states are moving at varied paces and approaches, CISOs should focus on advocating that federal officials step in to create a national standard for data privacy and protection.
CISOs must advance efforts to achieve zero trust in their security protocols. CISOs must seek solutions and vendors that can help them advance zero trust from a goal that is hard to achieve, to a security standard that is an operating prerogative.
In 2023, one of my top priorities is addressing cybersecurity and operational risk in the software supply chain, especially as regulators continue to enact guidance about protecting critical business functions and confidential data in this area. From PyPI to Lapsus$, attackers are taking full advantage of the vulnerabilities in third-party applications, and the fact that businesses can’t stop them.
I’m focused on helping my customers understand their IT supply chain from the inside-out — whether it’s their applications, their data flows, their code or their people — and put dynamic policies in place to control it.
It’s only through that inside-out view of the supply chain (via observability technology and a Software Bill of Materials) that we can fully assess enterprise risk and the context surrounding it, choose what security strategies to prioritize, and then close the everyday vulnerabilities in enterprise software that attacks so easily take advantage of.
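The SBOM-driven view described here (and in the earlier remarks on Executive Order 14028 and on SBOMs as risk awareness), as an added example that is not from the article: it matches constructed CycloneDX-style SBOMs for two services against a constructed advisory list to show which services carry an affected component. The ADV-EXAMPLE identifiers, packages and version ranges are made up for illustration.

```python
"""Match CycloneDX-style SBOMs for several services against an advisory feed.

Added example, not from the article. The SBOM documents, the advisory entries
and their ADV-EXAMPLE-* identifiers are constructed for this demonstration; in
practice the SBOMs come from the build pipeline and the ranges from a real feed.
"""
import json


def cyclonedx(components):
    """Build a minimal CycloneDX 1.4 JSON document around a component list."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "components": components})


# Constructed SBOMs: one per deployed service, keyed by service name.
SBOMS = {
    "billing-api": cyclonedx([
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "requests", "version": "2.28.1",
         "purl": "pkg:pypi/requests@2.28.1"},
    ]),
    "web-frontend": cyclonedx([
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ]),
}

# Constructed advisories: a package (purl without version) and a half-open
# affected range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.17.1", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:npm/lodash",
     "introduced": "0.0.0", "fixed": "4.17.21", "severity": "high"},
]


def parse_version(v):
    """Turn '2.14.1' or '1.2.3-rc1' into a comparable tuple of ints (pre-release
    and build suffixes are dropped; non-numeric parts count as 0)."""
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = []
    for p in core.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def split_purl(purl):
    """Return (package, version) from a purl, ignoring qualifiers and subpath."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in base:
        return base, None
    package, version = base.rsplit("@", 1)
    return package, version


def match_sboms(sboms, advisories):
    """Return one finding per (service, component, advisory) where the
    component's version lies inside the advisory's affected range."""
    findings = []
    for service, text in sboms.items():
        for comp in json.loads(text).get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue
            package, version = split_purl(purl)
            if version is None:
                continue
            for adv in advisories:
                if package == adv["package"] and version_affected(
                        version, adv["introduced"], adv["fixed"]):
                    findings.append({"service": service, "component": comp["name"],
                                     "version": version, "advisory": adv["id"],
                                     "severity": adv["severity"], "fixed": adv["fixed"]})
    return findings


def services_exposed(findings):
    """Blast radius per advisory: which services carry an affected component."""
    out = {}
    for f in findings:
        out.setdefault(f["advisory"], set()).add(f["service"])
    return {adv: sorted(svcs) for adv, svcs in out.items()}
```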
Sandbox grew from 20 employees to nearly 100 in 2022, and we expect to reach 200-300 in 2023. As the company grows, there is increased pressure to support more and more platforms while maintaining security discipline (e.g., continue to enforce SSO everywhere).
We don’t have a perimeter; the increased user and technology complexity leads to more scenarios that can stack up to allow threat actors to operate. Additional care must be taken to make sure the telemetry and alerting scale with the infrastructure and that security policies continue to be enforced.
Finally, as the organization size crosses Dunbar’s number, we need to stay focused on maintaining a good attitude towards security and a positive culture where reporting suspicious activity is encouraged.
Our priorities keep coming back to the cybersecurity fundamentals, with a focus on increasing coverage and effectiveness of core security controls. Looking at some of the most recent and impactful breaches, the attackers are getting access to critical systems and sensitive data by exploiting basic vulnerabilities that exist in the security posture.
A key priority that we are carrying over from FY ’22 is an ongoing focus on security awareness training and education on social engineering attacks for all our employees. This needs to be a campaign in order to build and sustain the muscle memory required to reduce the exposure.
Another priority is to continue to focus on credentials management that includes increasing RBAC, least-privileged access, and ensuring proper password management practices. Even with the progress made year-over-year, this is an area that requires constant management to ensure that changes to our environments maintain the targeted level of credentials management.
The security of the software supply chain continues to plague organizations. We expect that supply chain attacks will become more complex, but we also expect to see sophisticated solutions developed to thwart those attacks.
With supply chain attacks on the rise, we expect that CISOs will invest more robustly in securing the software development life cycle and building up formalized patch management programs to maintain clean software libraries.
Open-source code is the lifeblood of software development innovation, so we expect CISOs to prioritize protection of code more than ever before.
The most important skill for a CISO is to know their company inside and out. This means knowing how technology and data are used to create value, and being involved with new projects early. This level of integration is not easy, and has no end date, so should be at the top of every CISO’s priority list for 2023.
That said, CISOs do have other priorities that will be important next year.
In 2023, leaders should focus on training staff, automation, and finding a holistic solution which brings together security and data protection to strengthen an organization’s data.
Trusting the right people with your data can be tricky and complex. As proven by countless instances of humans playing a key role in a data leak or breach: you can never be too safe.
Time and again it’s proven that humans are the weakest link in the security chain. To ensure data resilience in the wake of a disaster or attack, organizations should prioritize the proper training of their IT professionals while equipping them with the right systems to automate processes.
It’s important that organizations shed the idea that their teams must manually handle these processes, from backing up data each night to monitoring systems. With touchless systems, teams can rest assured that their operations and data are always safe — even if a disaster strikes.
We recognize this, and have invested in solutions that monitor, detect and provide information on our IT environment. As a CISO, the greatest challenge I see security teams face is how to leverage that information and significantly reduce remediation time.
We use our Challo platform to orchestrate and automate incident response through a single “pane of glass” so we can accelerate collaboration between internal and external experts, streamline secure access to system data and documents, and automate workflows that are relevant to various incident-types that are captured and reported by monitoring tools.
Investing in incident response has directly addressed challenges with ecosystem complexity, and improved agility and cybersecurity posture in the process.
© 2022 VentureBeat. All rights reserved.