These are the security trends to watch in 2023
It's about the attack surface, identity and supply chains, says Gartner's Paul Furtado
“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
That was the conclusion of Paul Furtado, VP analyst at Gartner, speaking at MES IT Security in Indianapolis this week.
There are some persistent security challenges - the skills gap, shadow IT, hybrid work - but Furtado focused on the newest threats facing security teams in 2023, along with an action plan to address each one.
#1: Expanding perimeter
While attacks are evolving, one of the biggest threats today is the expanding perimeter/attack surface.
Furtado pointed out that security regulations "don't differentiate between cloud, on-prem or SaaS - they just care about the data."
Action plan
- Perform attack surface gap analysis - "A regulator's not going to give you a free pass because you say, 'I didn't know we were using that application.'"
- Evaluate attack surface management technologies to visualise external digital footprint.
- Consider pen testing, breach simulation, etc to provide regular assessments.
- Test your response.
While most people - including Furtado, later in his presentation - recommend bringing business and IT together, he recommended keeping conversations about responses to a security separate.
"As soon as you start talking tech you've lost the board, and once you start talking about cyber insurance and marketing you've lost your tech team.
"It's the same scenario but two different people."
These are the security trends to watch in 2023
It's about the attack surface, identity and supply chains, says Gartner's Paul Furtado
“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
#2 Identity threat detection and response
"Identity is the new perimeter," said Furtado. "[It] is the crux of your network, the core of your network, and you need to have very strong identity discipline in your environments."
Weak identity discipline leads directly to things like credential compromise, which is still one of the main reasons companies are breached.
Action plan:
- Prioritise the security of identity infrastructure with tools to monitor, protect, detect and remediate.
- Use the MITRE ATT&CK framework (or similar) to correlate ITDR techniques with common attack scenarios.
- Invest in foundational IAM security best practices like least privilege.
- Modernise IAM infrastructure using current and emerging standards.
"We're seeing more and more organisations struggling simply from the fact that they don't do a good job with fundamentals. They don't do necessarily a good job of adapting their current models to be leveraged across their entire environment."
These are the security trends to watch in 2023
It's about the attack surface, identity and supply chains, says Gartner's Paul Furtado
“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
#3 Digital supply chain risks
Businesses have become increasingly dependent on their digital supply chain, to the extent that if a critical vendor like Salesforce, Microsoft or Amazon were to crash some firms would have no recourse.
"Does your organisation really understand the risks associated with your vendors?" Furtado asked.
More to the point, do your teams understand the risks they are associating with your business by bringing new tools into the organisation?
Action plan:
- Develop a joint governance model with business stakeholders, who need to understand the risk of making some decisions.
- Classify major digital supply chain partners by their importance to the business.
- Require regulated or high-risk partners to provide evidence of security best practices. Anyone can say they're ISO27001 certified or have a SOC2, but sometimes those are exaggerations at best. Look at their security reports.
- Build detection and resilience capabilities for mission-critical supply chain partners, i.e. Salesforce.
"If a vendor tells you they'll inform you of any security risk in your environment, you say 'No - tell me of any risk in your environment.'"
These are the security trends to watch in 2023
It's about the attack surface, identity and supply chains, says Gartner's Paul Furtado
“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
#4 Cybersecurity products are consolidating
This should be no surprise to anyone. Vendors are expanding into new areas as they chase new business, and there's plenty of technology and capability overlap. That often leads to confusion when it comes to capabilities.
"[Vendors] are going to put their own marketing spin on it, they'll come up with their own terms. You need to make sure [the tool] does what you need.
"Sorry if I offend any vendors, but you're doing it!"
The example he gave was XDR, which everyone says they're doing but it may be in a very limited and specific way.
Action plan:
- Inventory and group solutions by the security problem they solve.
- Evaluate products that could be enhanced by shared data management, common policies enforcement and integrated workflows.
- Highly scrutinise isolated security products.
- Budget for, and acquire, professional services assistance for consolidation projects to augment staff.
"This is not something you can afford to get wrong. It's not something you want your staff to be learning on the fly, because a small little configuration mistake can leave a big gap."
These are the security trends to watch in 2023
It's about the attack surface, identity and supply chains, says Gartner's Paul Furtado
“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
#5 Cybersecurity mesh
Leading on from the last point is Gartner's concept of the cybersecurity mesh, a framework of tools that work together to build a comprehensive security posture.
The company's exact definition is "a collaborative ecosystem of tools and controls to secure a modern, distributed enterprise."
Vendor consolidation will help with this a little, but really - especially for SME firms without a dedicated security team - you should look at tool consolidation to drive operational efficiency.
Action plan:
- Focus modernisation efforts on composable security tools.
- Evaluate products that are interoperable through established and emerging standards.
- Evolve your IAM infrastructure to operate as an identity fabric.
Open APIs are Furtado's personal bugbear when it comes to interoperable tools.
"An open API is not a connection. An open API is work for you… If you think you're using a leading product and you've got a vendor that you want to bring for that, it's great. They have an open API? You're not in development ops. They've got the resources, leverage them to build those interfaces for you."
These are the security trends to watch in 2023
It's about the attack surface, identity and supply chains, says Gartner's Paul Furtado
“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
#6 Cybersecurity leadership is decentralised
Not all security decisions rest with the CISO anymore, or even with the IT team. But do the other people who are making those decisions understand security?
"Do they understand what this means? Do they know what questions to ask, when they're going through and evaluating tech or deciding that's what they want to bring in? Some of them can't even spell IT."
It's down to IT teams to help these people and provide them with the ability to make good decisions, because the reality is, "We're not going to be able to move away from the decentralisation of IT. The reality is it's going to go up."
Action plan:
- Empower distributed security leaders to make their own informed risk decisions.
- Foster cyber judgement throughout the business.
- Empower local governing bodies with decision rights, instead of defaulting to top-down decision-making.
These are the security trends to watch in 2023
It's about the attack surface, identity and supply chains, says Gartner's Paul Furtado
“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
#7 Human factors require a reframing of security awareness programmes
Everyone learns differently, so we need to take a multi-modal approach to security training. Some people might learn better by reading a document, others will respond better to video. Still others need something interactive. You need to find out how your employees learn best.
This is especially important when you're trying to change security culture. The best way of doing so? "Don't make it all about the business."
If people have bad cyber habits at home, they'll bring those to work with them - so give them a reason to change their habits at home.
Furtado gave an example of one security leader who had "given up" on MFA. Instead, "He came up with a personal payroll protection programme that basically said, in order for you to make a change to your HR record you're going to get a message on your phone. Only after you authorise it can you go in and change that banking information. So ,we're protecting your payroll."
That programme - really MFA by another name - had an adoption rate of 90%.
"When you make it about the individual, that's going to resonate more… If we want to change the culture, we have to deal with the human animal."
Action plan:
- Develop culture change that equips users with cyber judgement skills.
- Investigate use of organisational change management best practices and social science principles, such as culture hacks - "It doesn't always have to be about the IT guy."
- Collaborate with business leaders on culture-changing activities.
- Adopt new training methods like gamification, in-the-moment nudges, real-world phishing simulation and outcome-driven metrics.
The future of defence might be unclear, but bringing in some business focus will make protection easier - for the organisation, the IT team and even the users.
Furtado ended with his advice to security leaders who were still struggling to secure investment from their leadership teams:
"Treat cybersecurity as a business risk that needs business-led investment. We need to be able to defend that investment."