Security Predictions - the highlights for 2023

Luckily for security professionals, security will still be valuable in 2023 (nothing like an ever expanding threat landscape to stay relevant! Go team!) But that would make for a really dull predictions blog… Instead, let’s stay current and delve into these 5 trends from the Splunk Security Predictions 2023 report:

1. Security and IT convergence
2. People: impersonation and talent
3. Supply chain and SBOMs
4. Extortion beyond ransomware
5. Hype (if you’re looking for quantum or blockchain, it’s in here)

If you work in security, I know you’re busy - so let’s get to it.

Security and IT convergence

This was the top prediction in the security report*: resilience initiatives, accumulated wisdom, and legislation are the catalysts making security and IT work closer together than ever before. 

If hearing “resilience” makes you roll your eyes, I can’t blame you. Like “digital transformation”, it can be a load of waffle and a time drain… or it can have a meaningful impact on the foundational ways your organisation runs. Let’s be kind and say it's the latter - so why is resilience often the CISO’s responsibility? I reckon it’s down to the expansion of the CISO role and remit. Security has gone from functional leadership to business differentiation, and CISOs have evolved from “professional expert” to “business enabler” and finally to “technology leader”. CISOs no longer “stop risk at all costs” - they help the business to understand, accept, manage and reduce their risk where appropriate, and lead technology initiatives. With this expansion, and its strong links to IT, security seems a very sensible place to home resilience initiatives. 

Side benefit: security’s leadership in resilience is transforming the security team’s reputation from “50 Shades of Nay” to “business enablers that work with you, not against you”.

CISOs are moving through the RACI matrix on tech investments and process changes - no longer merely informed, they are consulted at a minimum, sometimes they are accountable and, particularly when it comes to decisions about resilience, they are becoming principally responsible.

So, what to actually do? No matter your job title, look at your network (of people, not machines!) and see how many IT-not-security professionals you talk to on a regular basis. Set up some coffees, and exchange your knowledge on what resilience looks like to you and to them, to gain some shared understanding. If you’re a CISO, work out which type from the list above (expert, enabler, leader), and understand what your organisation needs from you. For resilience, find out how you are going to communicate 1) if you have it, 2) how you know that you have it, and 3) where to focus your efforts.

Your people and not your people

I love people. Security is about the steady wins, and there’s nothing steadier than 1) building a good culture and 2) investing in decent people. Of course, it’s hard and takes time, but aren’t you sick of hearing about the talent crisis by now? 2023 is the time to make some changes.

First up, culture - this will matter more, simply because impersonation attacks are on the up. Culture is why your finance team transfers emergency funds, after an email from the CEO (or purchases gift cards via text, as in our report). If you’re a demanding CEO, who sets a culture of fear and doesn’t like to be challenged, don’t expect your staff to question odd financial requests.

This culture of challenge and healthy scepticism is going to be more critical, as impersonation attacks will get more convincing - due to virtual meetings being the norm, and even deep fakes being operationalised (in the impeccable words of Bruno Mars: don’t believe me? Just watch [this RSA talk using deep fakes to make an insurance claim]).

To repeat, a healthy dose of paranoia and scepticism is no bad thing when your CEO is desperately requesting gift cards. 

Secondly, there’s the talent crisis. This year, be prepared to be bold and hire for something else that isn’t ‘experience’, such as curiosity, aptitude or simply a “flux mindset”. The shelf-life of skills is getting shorter anyway (infamously, first-year teaching at universities is outdated by the time students graduate), so recruit for flexibility. Peter Drucker said, “the greatest danger in times of turbulence is not the turbulence - it is to act with yesterday’s logic”.

It’s an issue for basically everyone, and - while automation can seriously help you out - it can’t solve the whole problem. Successful organisations are combining an approach of automation and “find talent, teach skills”. This mandate comes from the top - so make the change in your recruitment policies and stop asking for experience that is no longer relevant.

So, what to actually do? 1) Culture: Build what you want, and adapt what you built (rather than your users) if you see suboptimal behaviours. Humans don’t report phishing, because they feel shame, fear and embarrassment, and there’s often no incentive to stick their head above the parapet and say they made a mistake. The same (lack of) incentive applies to questioning demands allegedly from the CEO - so instil rewards for employees who challenge and report.

2) Talent crisis: combine automation and a change in your recruitment philosophy (and policies). Understand what, when and how you can automate, stop asking for irrelevant experience on job advertisements, and recruit for adaptability to unblock the pipeline.

Supply Chain and SBOMs

To put it mildly, SolarWinds and Log4J highlighted the fragility of supply chain security and prioritised the issue for many organisations. From MSPs to open source libraries, everyone started caring a lot more about what risk exposure they were inheriting from suppliers. 

As a result, Software Bills of Materials (SBOMs) are becoming central to the solution, driven by the US (by 2025, you need an SBOM to sell software to the US Federal Government). This isn’t quite “problem solved” though. For sure, SBOMs help, and wide adoption will revolutionise the way we manage software, but they aren’t a silver bullet (nothing ever is). Ultimately, merely having an SBOM doesn’t help at all if you don’t use it to drive action.

Before you do ANYTHING, think about why you would want an SBOM and what you hope to achieve for your supply chain security.

So, what to actually do? Visibility, active management, prioritisation? Usually, it’s all of these - to understand your risk exposure, to demand better from your suppliers, or to compare security posture between vendors. When you have that understanding, work backwards: think about the process needed to make SBOMs valuable, i.e. ask how you plan to make SBOMs for your software, and how you plan to consume them in your organisation. Get involved in standards, and start previewing to your suppliers how and when you will want their SBOMs. 

Extortion beyond ransomware 

Of course, it wouldn’t be a blog on security trends without ransomware. Ransomware has become shorthand for “attack that makes you pay”, sometimes several times (e.g. stealing data before encrypting it) - but now, threat actors are coming full circle: to extort without encrypting.

Like many security professionals, cyber criminals are also crossing the “PowerShell to PowerPoint” rubicon - extorting organisations at the business, rather than the technical, level.

Instead of full-on encrypting your system, the new trend is to select proof of compromise, and send a few discreet emails to key company stakeholders (CEO, the board, CISO), demanding payment for this to all go away quietly. Kind of like old-fashioned hacking, with a touch of professionalism.

So what to actually do? Most security folks here would say, “eat your cyber vegetables”, i.e. do that practice you should have always done. I say, “ew, who likes vegetables?” Yes, you should do that good practice, but be honest - you haven’t done it yet because it’s dull and unsatisfying. You need to find the cyber ‘chocolate’ to make the improvements feel good: reward those who report phishing, create leaderboards for system patching status, visualise risk to incentivise board investments, and tell engaging narratives.

Jazz hands and hype

I could only write about three areas before I could take no more hype: quantum, blockchain and machine learning as an attack vector. I know.

So,... what are you going to do about quantum? Easy one to start: in 2023, there are waaaay more imminent threats to invest your security time and effort. Wait for NIST to finish its standardisation process fully, and maybe research those algorithms if you’re super keen. In the meantime, relax and use the buzzword as an excuse to make or refresh your asset inventory - it’s good practice anyway, but will help you to prepare for migration when the time is right (if ever). There’s a great standard from ETSI on this topic (TR 103 619) that has actionable and practical lists of questions to work through to improve crypto-agility and “get ready”.

So,... the blockchain can be hacked? Like all technology, the theory can be untouchable but it doesn’t survive implementation. If you do use blockchain, I hope that 1) you have a good reason, and 2) that you understand the limitations, i.e. wallets can have vulnerabilities, just like all software. If you don’t use blockchain: don’t use it, until you meet 1) and 2) above.

So,... what about when machine learning goes on the attack? A bit sensationalist, and I apologise, since ML going bad is usually unintentional. “Defend” through operationalisation, i.e. building a proper lifecycle - including securing the data supply chain (i.e. protect data that trains your ML models) - and making machine learning systems explainable. Then, if your ML does go rogue, at least you know where, when and why that happened.

Thanks for sticking with me, all the way to the end. I hope this blog has given you some clear things to take forward with you into 2023. Now, let’s get to it.

Footnotes

*Amusingly, this trend is only 4th in the ITOps report. Perhaps IT is just too cool to care about security these days? Or maybe security is finally reciprocating IT’s interest? Who knows - it’s a complex relationship.