This post is part of our 2023 cybersecurity predictions series.
Aleksandr Yampolskiy, CEO and Founder of SecurityScorecard:
CISOs will be required to connect cyber risk to the broader business to keep their jobs.
It’s no secret the economic downturn has meant significant budget cuts for many companies. As cyber threats escalate, cybersecurity investments are either staying put or increasing in 2023, but only if security teams can rightly prove the value of their cybersecurity programs to senior leadership and the board. However, the majority of CISOs are struggling to effectively express the business impact of cyber risks to their board. In 2023, this ability will go from a nice-to-have to a must-have, and we will see an influx of CISOs losing their jobs if they can’t adapt.
With the economy remaining uncertain next year, CISOs will feel increased stress from their board and senior management to justify the spend on their cyber tech stack. To ensure their security program is well-financed, CISOs will need to set specific management-level cyber metrics that can help them properly articulate whether the cybersecurity products and tools they have purchased provide a sound return on investment.
There will be a stronger government push toward security by default.
According to Gartner, digital immune systems that deliver resilience and mitigate security and operational risks will be a key strategic technology trend in 2023. We’ve already seen considerable mentions of security by default practices in the past several months within CISA’s Strategic Plan for 2023-2025 and the White House’s Guidance on enhancing software supply chain security. In 2023, we’re going to see increased guidance and legislation surrounding secure development practices that include specific metrics and timelines for federal agencies. As technology companies seek government contracts in the coming year, it will be increasingly crucial that they collaborate with the public sector and look at these government regulations as a baseline to build foundationally secure software.
Sam Kassoumeh, COO and Co-Founder of SecurityScorecard:
An enterprise will cut ties with a brand-name business partner due to poor cyber hygiene.
With the uptick in massive third-party data breaches, conversations around business ecosystem risk have escalated to the senior leadership level. Organizations have also begun taking the security posture of vendors into account before doing business with them. Gartner forecasts that the majority of enterprises will use cybersecurity risk as a core determinant in conducting business engagements and third-party transactions by 2025.
Network defenses such as firewalls and identity management solutions are still essential to maintaining a strong cybersecurity posture. However, in 2023 organizations will need to place equal investment in threat intelligence and monitoring tools that can illuminate hidden cyber risks across their extended business ecosystem. With increased visibility into third- and fourth-party risk, more enterprises are likely to withdraw from partnerships that pose a threat to their business.
Sachin Bansal, Chief Business Officer of SecurityScorecard:
Hiring and retaining strong cyber talent will be one of the top challenges for the public sector.
The cybersecurity skills gap that has plagued the security community for the last several years won’t be closing any time soon. Research reveals that 80% of organizations suffered from at least one data breach in the past 12 months due to a lack of cybersecurity talent or awareness. The public sector is especially at risk, with more than 700,000 unfilled cybersecurity positions as of July 2022.
In 2023, the inability to hire and retain appropriate talent to defend against a high volume of attacks will leave the public sector highly vulnerable. To fill the widening cyber skills gap, the public sector must improve compensation packages to prevent losing talent to well-paid roles within the private sector, as well as expand diversity within their workforce.
Ryan Slaney, Threat Researcher at SecurityScorecard:
A successful kinetic cyberattack against Ukraine is highly likely.
Many experts were surprised at the evident ineffectiveness of Russian cyber espionage during the Ukraine war. However, Russia’s unsuccessful attempts thus far do not mean we won’t see one occur in 2023. Russian cyberattacks have succeeded in shutting down Ukraine’s power grid in the past, and Ukraine has already reported numerous instances of Russian hacker attempts to cut off its electricity this year. In 2023, we can expect a higher level of sophistication coming from Russian hackers.
There will be a reckoning among IoT manufacturers as customers demand the strengthening of product security.
Connected devices have been historically known for their poor security posture. From vulnerabilities within baby monitors to critical bugs in home security systems, it’s just a matter of time before a malicious actor takes full control of a user’s smart home device.
To protect the privacy and security of consumers and their homes, the U.S. government has confirmed plans for a cyber labeling program, set to launch in the spring of 2023. The initiative will help consumers make informed cybersecurity decisions about their IoT devices with easily recognized labels. With new regulations placing increased scrutiny on IoT device manufacturers in 2023, they will be compelled to significantly enhance security across their products.