As another year comes to a close, cybersecurity leaders are looking back and reviewing the top trends of 2023. Topics top of mind for many in the industry are the remote workforce, cyber insurance, generative AI, security awareness training and more. Here, cybersecurity leaders share some of their thoughts.
Remote workforce
Piyush Pandey, CEO at Pathlock:
Given the realities of today’s continued hybrid workforce, organizations need to evaluate how well their access governance and threat detection and response technologies work together. Remote access anomalies, especially in the browser-based context, which were easier to detect in the past, become much harder to consistently identify, putting more pressure both on IT — to identify potential and actual risks — and on the employees themselves — waiting for access to be granted to continue their work processes.
There are a couple of key strategy additions organizations need to consider when tackling the hybrid workforce challenge. First, when operating from a foundation of “least-privilege” or “zero privilege”, the efficient handling of access requests becomes critical — both in terms of keeping the business moving and in terms of employee (and partner, potentially) satisfaction. The lag in approvals for proper requests will slow down the business and frustrate the end users. So, automated workflow is key in this regard. AI can also have a big role to play in accelerated request routing and even approvals-by-proxy.
Another strategy addition organizations should be looking at is the implementation of dynamic access policies. When detecting a potentially risky account accessing information from a non-standard location, organizations should have the ability to dynamically adjust data security measures, such as by data masking, to manage the risk more effectively within a given application or business process. Having this done in an automated fashion gives IT and security teams more time to evaluate the risk and come up with a proper response, as opposed to a not-fully-informed reaction.
Dave Gerry, CEO at Bugcrowd:
Today’s workforce is unlike any we’ve previously seen. The rapid switch to remote-first has unlocked the acceptance that teams can collaborate from anywhere. This requires enabling the speed of business at a global scale and has introduced new risks that CISOs must grapple with.
Employee communications in a hybrid or remote-first environment become increasingly susceptible to social engineering attacks, and personal or unsecured corporate devices are targets for ransomware attacks. While these are not new tactics, the level at which attacks have risen indicates a continued threat.
Enabling employees to think about security differently and be security champions will go a long way towards securing this new perimeter. Traditional security approaches will not go away — securing devices, applications, networks, infrastructure and broader business systems remain important pieces of any security program.
Unlike days in the office, it’s more difficult for employees to get real-time help or information around security tools and processes. Enabling employees to continue to do their jobs, while remaining secure, is a balancing act and one that the modern CISO must overcome.
Security awareness training continues to be the best approach to securing disparate workforces. Ensuring robust security training programs, specifically focused on social engineering and ransomware, is critical.
Cyber insurance
Mark Millender, Senior Advisor, Global Executive Engagement at Tanium:
As the cyber insurance industry matures and greater historical claims data is available, the requirements for coverage continue to evolve. This is generally leading to increased demands for cybersecurity protections and more “must haves” to procure a policy, for example multi-factor authentication (MFA) and endpoint protection (EPP). Given that the industry is driven by mass data analysis and correlation detection, a single claim may not have a huge impact. But if it is indicative of a trend, it will drive change.
My best advice is to treat a cyber insurance carrier as a partner. Developing a strong relationship and engaging in regular dialogue will improve both the renewal and claims processes. Security leaders need to be proactive and forthcoming in the relationship and tell the full story of their approach to cybersecurity beyond filling out the application and questionnaires. Remember: nobody has more data on cybersecurity risks and losses than a cyber insurance carrier — it makes sense to pay attention to their advice.
Joseph Carson, chief security scientist and Advisory CISO at Delinea:
Cyber insurance companies are greatly exposed by the increase in successful cyber incidents such as ransomware and are losing money. In order to ensure they can cover the risks, they need to increase the price. In our research on cyber insurance, we found that insurance prices have increased significantly and that most companies that get cyber insurance ultimately use it, with many using it multiple times.
The dependency on third-party vendors can significantly impact cyber risks and, as a result, insurance premiums. Therefore, to get a good premium, security leaders must manage their third-party cyber risks. If they manage those risks, they can significantly reduce the costs and lower premiums. Taking a pragmatic, risk-based approach and reducing the risks by implementing strong solutions can show an underwriter that they are less likely to become a victim, which will earn a lower premium.
As a result of more cyber insurance policies being introduced, and ultimately many businesses needing to use them, the cost of cyber insurance is continuing to rise at alarming rates. I expect to see this continue as we move into 2024.
Bud Broomhead, CEO at Viakoo:
Three key trends are driving the growth of the cyber insurance market: the expanding liabilities from cyber breaches, boards and senior management holding more responsibility for breaches, and the “forcing function” that cyber insurance provides for maintaining cybersecurity posture.
These factors have changed and will continue to change over time for a few more years, because, unlike any other form of insurance, the ability to predict the extent of damages from a cyber incident is very limited; compared to automotive or homeowner insurance, where there is a lot of data to suggest the possible payout amounts, cyber insurance is still grappling with what potential payouts might be. For example, insurers are just starting to do risk assessment on IoT/OT systems, which have potential for loss of life, physical damage and much more reputational damage than losses from data exfiltration.
Risk assessment and cyber insurance will always be evolving in the same way that threat vectors themselves evolve. Recent changes such as the shift of threat actors exploiting vulnerable IoT/OT devices and more open source vulnerabilities are driving insurers to adapt their risk models and to also impose conditions on the insured, such as requiring automated cyber hygiene for non-IT devices and systems.
The most important thing is for an organization to do its own risk assessment and ensure that its internal policies address its entire attack surface. Too often an organization develops well-crafted internal policies but then only applies them to traditional IT resources; all digitally connected assets (like IoT/OT) should fall under these policies unless a specific exemption has been granted.
Generative AI
John Allen, Vice President of Cyber Risk & Compliance at Darktrace:
Because of the current and future risks posed by generative AI, I expect we will see data privacy regulations strengthened in the near future. People care about privacy and will expect their representatives to enact laws and regulations to protect it. As an industry, in order to realize the anticipated value from AI, we need to work alongside governing bodies to help ensure a level of consistency and sensibility are present in potential laws and regulations.
The use of generative AI tools is ultimately still in its infancy and there are still many questions that need to be addressed to help ensure data privacy is respected and organizations can remain compliant. We all have a role to play in better understanding the potential risks and ensuring that the right guardrails and policies are put in place to protect privacy and keep data secure.
Shawn Surber, Senior Director of Technical Account Management at Tanium:
Unlike most risk factors, generative AI is becoming universal. AI is being rapidly built into all sorts of tools, and whenever development is rapid, it creates a potential for unexpected vulnerabilities. Additionally, with free and paid access to generative AI available to everyone, the risk of unintentional insider threat style data leaks grows exponentially.
Generative AI could potentially take the concept of malware as a service and script-kiddie activities to a whole new level as newcomers to the field utilize code generators to build their code. It won’t generally be the most effective, most efficient, or most stealthy code; however, it means that more people can churn out malicious code even faster, which elevates the general threat level across the board. This could potentially increase the number of smaller organizations and consumers targeted by this type of malware. Compromise of help bots remains one of my largest concerns for generative AI attacks.
Patrick Harr, CEO at SlashNext:
Generative AI has been a game changer for cybercriminals, who can use it to develop, disseminate and modify attacks very quickly. It has also improved security efficacy in organizations. With the increase in sophistication and volume of threats attacking organizations on all devices, generative AI-based security provides organizations with a fighting chance at stopping these breaches.
Security awareness training
Mika Aalto, Co-Founder and CEO at Hoxhunt:
In 2023, we once again saw how important it is for security teams to focus on employee behavior, not just awareness, in our age of sophisticated online attacks. The legacy security awareness training model was designed for compliance with yesterday's threats. What is needed for the attacks of today and tomorrow is a dynamic security behavior change platform that stays current with the constantly evolving threat landscape. And remember that human threat intelligence is a terrible thing to waste. It's likely that you have security champions within your organization who are reporting new attacks like this one. Make sure you have a good SOC process that emphasizes speed in reporting threats and responding to them so the danger can be mitigated as effectively as possible.
Tom Corn, Chief Product Officer at Ontinue:
2023 once again demonstrated that strong information security awareness within an organization is critical to preventing cyberattacks. An organization must develop a culture of “reporting without consequence” to ensure employees feel safe and comfortable reporting suspicious activity. In addition to building this culture among employees, organizations must also perform continuous monitoring of all potential attack surfaces.
Mobile device security
JT Keating, SVP of Strategic Initiatives at Zimperium:
Today, mobile security and education in the enterprise are more crucial than ever. In most cases, mobile devices represent a significant, unaddressed attack surface for enterprises. No matter if they are corporate-owned or part of a BYOD strategy, the need to implement appropriate security controls, and educate end-users about potential threats, is critical.
As technology evolves to address today’s new business challenges and needs, the modern mobile era has ushered in a new category of security to help combat current threats.
API security
Scott Gerlach, Co-Founder and CSO at StackHawk:
API security took center stage in 2023. It continues to be challenging due to the rapid pace of development outpacing available security resources, leading to overlooked vulnerabilities. The security teams’ limited visibility during development and playing catch-up with new and existing APIs further emphasizes risks. Organizations can make API security more attainable by fostering collaboration between security and engineering teams, utilizing code-generated API documentation for accurate testing, integrating security tests early in development pipelines, providing developers with contextual vulnerability information, and automating routine security tasks. This approach enables a proactive security strategy, minimizes vulnerabilities, and allows security teams to focus on complex testing, enhancing the organization’s overall API security posture.
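One way to act on Gerlach's point about using code-generated API documentation for accurate testing, as an added example that is not StackHawk's tooling or code from this article: read the OpenAPI document the build produces, and for every operation check that a security requirement is declared and that the running service actually rejects an unauthenticated call. The OpenAPI document, the in-memory `app` handler (deliberately drifted from its spec on one endpoint) and the bearer token are constructed for illustration; a real pipeline would load the generated spec and target a staging deployment.

```python
"""Spec-driven API security test (added example, not StackHawk's tooling).

The OpenAPI document, the in-memory application and the Authorization
scheme below are constructed for illustration.
"""
import json

# Constructed, code-generated-style OpenAPI document for a small service.
OPENAPI = json.loads("""
{
  "openapi": "3.0.3",
  "components": {"securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/health":        {"get":  {"security": []}},
    "/users/{id}":    {"get":  {"security": [{"bearer": []}]},
                       "delete": {"security": [{"bearer": []}]}},
    "/admin/export":  {"post": {}}
  }
}
""")

# Constructed in-memory implementation of the same service. It is intentionally
# drifted from the spec: DELETE /users/{id} forgets to check the token.
VALID_TOKEN = "Bearer test-token"   # assumed credential for the test run

def app(method: str, path: str, headers: dict) -> int:
    """Returns an HTTP status code. Auth checks are per-handler, which is
    exactly how an endpoint ends up unprotected by accident."""
    authed = headers.get("Authorization") == VALID_TOKEN
    if path == "/health" and method == "GET":
        return 200
    if path.startswith("/users/"):
        if method == "GET":
            return 200 if authed else 401
        if method == "DELETE":
            return 204                      # drift: no auth check
    if path == "/admin/export" and method == "POST":
        return 200 if authed else 401
    return 404

def operations(spec: dict):
    """Yield (method, path, security) for every operation in the spec.
    An operation without its own 'security' key inherits the document
    default; when that is absent too, the requirement is undeclared (None)."""
    for path, item in spec["paths"].items():
        for method, op in item.items():
            yield method.upper(), path, op.get("security", spec.get("security"))

def audit(spec: dict, handler) -> list:
    """Two checks per operation:
    1. the spec must state a security requirement (empty list = public on purpose);
    2. an operation that requires auth must reject an unauthenticated call."""
    findings = []
    for method, path, sec in operations(spec):
        concrete = path.replace("{id}", "42")   # sample path parameter
        if sec is None:
            findings.append((method, path, "no security requirement declared"))
            continue
        if sec == []:
            continue                             # explicitly public
        status = handler(method, concrete, {})
        if status not in (401, 403):
            findings.append((method, path, f"unauthenticated call returned {status}"))
    return findings

if __name__ == "__main__":
    for finding in audit(OPENAPI, app):
        print("FAIL", *finding)
```

Run in a pipeline, `audit` fails the build on two kinds of drift: an operation the generated spec says is protected but the service serves without a token, and an operation whose spec is silent about authentication, which is the case the security team otherwise only notices after the fact.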
Zero Trust
Darren Guccione, CEO and Co-Founder at Keeper Security:
Cyberattacks, like the ones earlier this year on MGM and Caesars, underscore the importance of prioritizing cybersecurity by organizations of all sizes before a cybercriminal strikes. In the event of an attack, no matter how a threat actor accesses the network, the next step is to make sure they are unable to go any further. Organizations large and small should implement a zero trust security architecture with least-privilege access to ensure employees only have access to what they need to do their jobs.
Zero trust is a modern security framework that eliminates implicit trust. It requires all human users and devices to be continuously and explicitly validated, and strictly limits access to network systems and data. Instead of focusing on where users are logging in from, zero trust concentrates on who they are. By adopting a zero trust framework within their infrastructure, leaders will be in a stronger position to not only identify and react to attacks on their organization but also mitigate any potential damage.
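The dynamic access policy Pandey describes in the remote workforce section (mask sensitive data when an account connects from a non-standard location rather than blocking the workflow) and the explicit, continuous validation with least-privilege access Guccione describes above can be expressed as one policy decision. The following is an added example that is not code from Pathlock, Keeper Security or this article; the roles, field names, trusted-country list, device-posture signals and risk thresholds are all assumptions made for illustration.

```python
"""Context-aware access decision with dynamic data masking.

Added example, not code from Pathlock, Keeper Security or this article.
Roles, field names, the trusted-country list and the device-posture
signals are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Least-privilege role -> fields the role is allowed to read (assumed schema)
ROLE_FIELDS = {
    "support": {"customer_id", "email", "ssn", "balance"},
    "marketing": {"customer_id", "email"},
}
TRUSTED_COUNTRIES = {"US", "CA"}       # assumed "standard" locations
SENSITIVE_FIELDS = {"ssn", "balance"}  # fields masked under elevated risk

@dataclass
class Request:
    user: str
    role: str
    country: str              # geo-resolved source of the request
    mfa_verified: bool        # explicit validation of the human
    device_managed: bool      # endpoint enrolled/compliant per device posture
    session_age_min: int      # minutes since the last explicit validation
    fields: set = field(default_factory=set)

@dataclass
class Decision:
    allow: bool
    masked: set
    reason: str

def risk_score(req: Request) -> int:
    """Additive risk: every signal that is not 'as expected' raises it."""
    score = 0
    if req.country not in TRUSTED_COUNTRIES:
        score += 2
    if not req.device_managed:
        score += 2
    if req.session_age_min > 60:      # stale session, needs re-validation
        score += 1
    return score

def evaluate(req: Request) -> Decision:
    # 1. Explicit validation: no MFA means no access, whatever the role.
    if not req.mfa_verified:
        return Decision(False, set(), "mfa required")
    # 2. Least privilege: a role may only ask for fields it is entitled to.
    allowed = ROLE_FIELDS.get(req.role, set())
    if not req.fields <= allowed:
        extra = sorted(req.fields - allowed)
        return Decision(False, set(), f"fields outside role entitlement: {extra}")
    # 3. Dynamic policy: elevated risk does not stop the workflow, it masks
    #    sensitive fields so the business keeps moving while the security
    #    team reviews the anomaly; only very high risk is denied outright.
    score = risk_score(req)
    if score >= 5:
        return Decision(False, set(), f"risk {score} too high")
    masked = SENSITIVE_FIELDS & req.fields if score >= 2 else set()
    return Decision(True, masked, f"risk {score}")

def mask_value(value: str) -> str:
    """Keep the last four characters so the record stays recognisable."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def fetch(req: Request, record: dict) -> Optional[dict]:
    """Apply the decision to one record: None if denied, masked copy otherwise."""
    decision = evaluate(req)
    if not decision.allow:
        return None
    return {k: (mask_value(v) if k in decision.masked else v)
            for k, v in record.items() if k in req.fields}

if __name__ == "__main__":
    # Constructed sample record and two requests from the same support agent.
    record = {"customer_id": "C-1001", "email": "a@example.com",
              "ssn": "123-45-6789", "balance": "10500.00"}
    office = Request("alice", "support", "US", True, True, 10, {"customer_id", "ssn", "balance"})
    travel = Request("alice", "support", "RO", True, True, 10, {"customer_id", "ssn", "balance"})
    print(fetch(office, record))   # full values
    print(fetch(travel, record))   # ssn and balance masked
```

The order of the checks matters: identity validation and role entitlement are hard gates, and only after both pass does the contextual risk score decide between full data, masked data and denial. Changing the masking threshold or the weights is a policy decision, not a code change, which is what makes the response automatable.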
Nick Rago, Field CTO at Salt Security:
API usage exploded in 2023. The resulting API sprawl has led to increased data exposure risks, and most organizations lack governance strategies for their APIs. Yet APIs now power the vast majority of applications and services businesses and consumers rely on daily. This rapid escalation of APIs has also created a much larger attack surface for attackers — and attackers are fully aware of the immense value of the data being transported by APIs. Because they typically transport personally identifiable information (PII) and other critical financial data, APIs represent a highly lucrative target. Cyber criminals can use the information for nefarious purposes, such as ransom or resale on the black market.
Organizations must have the ability to continuously discover the APIs that exist in their environment. They must understand the purpose of each API to assess if it has the correct security posture and ensure it is exposing the correct level of data based on its purpose. In addition, organizations need proper API runtime protection. Runtime protection is essential to uncover potential threats and defend against data leaks. By seeing and understanding API behaviors as they are being used, organizations can spot anomalies to quickly identify and stop any API misuse or abuse when an adversary tries to take advantage of a badly-designed or misconfigured API.
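Two of the runtime checks Rago describes, continuous discovery of APIs that are not in the inventory and spotting abuse of a badly-designed API from its observed behavior, run over a handful of access-log lines below. This is an added example, not Salt Security's product logic or code from the article: the log format, the API inventory, the object-ID pattern and the enumeration thresholds are assumptions, and the log lines are constructed.

```python
"""API runtime anomaly checks over constructed access-log lines.

Added example, not Salt Security's product logic or code from the article.
The log format, the API inventory and the thresholds are assumptions.
"""
import re
from collections import defaultdict

# Known, documented APIs (what discovery has inventoried so far). Assumed.
INVENTORY = [
    ("GET", re.compile(r"^/api/v1/accounts/\d+$")),
    ("GET", re.compile(r"^/api/v1/accounts/\d+/statements$")),
    ("POST", re.compile(r"^/api/v1/transfers$")),
]
# Constructed log lines: epoch_seconds subject method path status
LOG = """\
1700000000 tok-alice GET /api/v1/accounts/1001 200
1700000005 tok-alice GET /api/v1/accounts/1001/statements 200
1700000010 tok-bob GET /api/v1/accounts/2002 200
1700000011 tok-scraper GET /api/v1/accounts/1001 200
1700000012 tok-scraper GET /api/v1/accounts/1002 200
1700000013 tok-scraper GET /api/v1/accounts/1003 200
1700000014 tok-scraper GET /api/v1/accounts/1004 404
1700000015 tok-scraper GET /api/v1/accounts/1005 200
1700000016 tok-scraper GET /api/v1/accounts/1006 200
1700000020 tok-bob GET /api/v2/accounts/2002/export 200
"""

LINE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")
OBJECT_ID = re.compile(r"/accounts/(\d+)")   # assumed resource-ID position

def parse(log: str):
    """Yield (ts, subject, method, path, status); skip lines that do not parse."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, subject, method, path, status = m.groups()
            yield int(ts), subject, method, path, int(status)

def in_inventory(method: str, path: str) -> bool:
    return any(m == method and rx.match(path) for m, rx in INVENTORY)

def shadow_api_calls(log: str) -> list:
    """Traffic to endpoints that discovery has not inventoried (shadow APIs)."""
    return [(s, m, p) for _, s, m, p, _ in parse(log) if not in_inventory(m, p)]

def enumeration(log: str, window: int = 60, max_objects: int = 3) -> dict:
    """Subjects that touch more than max_objects distinct object IDs within
    `window` seconds: the signature of ID enumeration against an endpoint
    with weak object-level authorization. Returns subject -> distinct IDs."""
    seen = defaultdict(list)          # subject -> [(ts, object_id)]
    for ts, subject, _, path, _ in parse(log):
        m = OBJECT_ID.search(path)
        if m:
            seen[subject].append((ts, m.group(1)))
    flagged = {}
    for subject, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):     # sliding window
            ids = {oid for ts, oid in events[i:] if ts - start <= window}
            if len(ids) > max_objects:
                flagged[subject] = len(ids)
                break
    return flagged

if __name__ == "__main__":
    print("shadow API calls:", shadow_api_calls(LOG))
    print("enumeration:", enumeration(LOG))
```

Note that the 404 in the scraper's run is counted like any other response: an enumerating client probes IDs that do not exist, so filtering on successful responses only would hide part of the pattern. The `/api/v2/...` call is flagged for inventory follow-up even though the caller is a legitimate user, which is the discovery gap rather than an attack.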
Posture management
Claude Mandy, Chief Evangelist, Data Security at Symmetry Systems:
Posture management is the equivalent of a health check for the security of a digital asset or a collection of digital assets, even an entire organization. Like a health check, the intent is to proactively look for and address symptoms before they become bigger problems. By continually assessing, gathering evidence and remediating the expected configurations and controls protecting the assets, an organization can ensure the security of their assets is in perfect health. Unfortunately, most organizations struggle to even identify their assets, so posture management must start with the discovery and inventorying of the assets themselves.
Device posture checks were probably the first mainstream posture management — being used to check the security of user devices before being granted network access. Since then, Cloud Security Posture Management (CSPM) made its mainstream appearance in 2014 when Netflix open sourced Security Monkey. Like many Netflix open source projects, this swiftly turned into a significant number of commercial CSPM products. The use of CSPM has become an essential part of every cloud security team’s toolkit, but has limitations due to the lack of business context about the data and identities within the cloud infrastructure.
The key thing about security posture management in any form is that it should be actionable. Like health checks, you can’t keep pointing out something that can’t be fixed or doesn’t need to be fixed. Unfortunately a lot of these tools create a lot of noise that requires a lot of investigation to determine whether the findings need to be fixed or can be fixed without business impact. Enterprises should look for tools that have driven demonstrable and maintained security posture improvements beyond the first 12 months. This usually requires the tool to gather additional context about the business data and the business logic about who should have access, and a way to assess the impact on current operations.
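To make Mandy's point about noise concrete, the following added example (not Symmetry Systems' product logic or code from the article) runs a context-free posture pass over a constructed inventory of storage-bucket-like assets and then re-ranks the same findings with business context about what data each asset holds and whether it is meant to be public. The inventory, the three control checks, the classifications and the severity rules are all assumptions for illustration.

```python
"""Posture findings with and without business context.

Added example, not Symmetry Systems' product logic or code from the article.
The asset inventory, the control checks and the classifications are constructed.
"""

# Constructed inventory: storage-bucket-like assets with their effective config.
ASSETS = [
    {"id": "logs-archive",   "public": True,  "encrypted": True,  "versioning": False},
    {"id": "customer-pii",   "public": True,  "encrypted": False, "versioning": False},
    {"id": "build-cache",    "public": False, "encrypted": False, "versioning": False},
    {"id": "finance-ledger", "public": False, "encrypted": True,  "versioning": False},
]
# Business context gathered after inventory: what each asset holds and whether
# it is intended to be public. A missing entry is the common real-world case.
CONTEXT = {
    "customer-pii":   {"classification": "restricted",   "intended_public": False},
    "finance-ledger": {"classification": "confidential", "intended_public": False},
    "logs-archive":   {"classification": "public",       "intended_public": True},
}

# (check name, predicate that is True when the control is missing, base severity)
CHECKS = [
    ("public-access", lambda a: a["public"],         "high"),
    ("no-encryption", lambda a: not a["encrypted"],  "medium"),
    ("no-versioning", lambda a: not a["versioning"], "low"),
]
SEVERITIES = ["info", "low", "medium", "high", "critical"]

def raw_findings(assets: list) -> list:
    """Context-free CSPM pass: every deviation from the expected configuration."""
    return [(a["id"], name, sev)
            for a in assets for name, missing, sev in CHECKS if missing(a)]

def prioritized(assets: list, context: dict) -> list:
    """Re-rank with business context:
    - an intentionally public asset drops its public-access finding;
    - restricted data raises each remaining finding one severity level;
    - an asset with no classification yields one inventory follow-up
      instead of configuration noise nobody can judge."""
    out = []
    for asset_id, name, sev in raw_findings(assets):
        ctx = context.get(asset_id)
        if ctx is None:
            out.append((asset_id, "unclassified-asset", "info"))
            continue
        if name == "public-access" and ctx["intended_public"]:
            continue
        if ctx["classification"] == "restricted":
            sev = SEVERITIES[min(SEVERITIES.index(sev) + 1, len(SEVERITIES) - 1)]
        out.append((asset_id, name, sev))
    out = list(dict.fromkeys(out))          # one follow-up per unclassified asset
    return sorted(out, key=lambda f: -SEVERITIES.index(f[2]))

if __name__ == "__main__":
    print("raw findings:", len(raw_findings(ASSETS)))
    for f in prioritized(ASSETS, CONTEXT):
        print(*f)
```

The raw pass produces eight findings of roughly equal weight; with context, the intentionally public log archive stops generating a high-severity alert, the PII bucket's public exposure moves to the top as critical, and the unclassified build cache becomes a single inventory task. That is the difference between a tool that reports configuration and one that tells the team what to fix first.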