Doing more with less: it's the new reality for cybersecurity, driven by a looming recession and increased management scrutiny around expenses.
But what does this look like in practice? How do cybersecurity teams keep pace with threats and attackers even as spending flatlines? Here is a look at 2022 trends, some 2023 predictions, and recommendations on how organizations can still protect themselves while maintaining flat security budgets.
2022 Cybersecurity Trends Recap
In 2022, several key cybersecurity trends were top-of-mind for organizations. Ransomware attacks, exploitation of supply chain weaknesses, and misconfigurations in cloud environments all remained prevalent and effective for attackers. As in previous years, the challenge for defenders remained raising the attackers' cost of exploitation while limiting the blast radius of a successful compromise. If your defenses push the effort or cost of compromising your assets above the value the attacker expects to gain, they are likely to move on to other, more lucrative targets.
Again in 2022, challenges in hiring top security talent remained top of mind for security leadership, and the concerns over data privacy continued to increase, as did the record data privacy fines. Over a billion dollars in GDPR fines were levied in 2022, with some individual companies facing fines of hundreds of millions of dollars each.
2023 Cybersecurity Predictions
What is on the horizon for 2023? Here are eight up-and-coming trends to watch:
1. Malicious Use of Artificial Intelligence in Cybersecurity
With AI-fueled tools maturing rapidly, it is increasingly a question of when, not if, AI capabilities will be weaponized by cybercriminals looking to lower the cost and increase the effectiveness of their attacks. Expect an arms race in the coming years as AI-powered offensive and defensive tools are increasingly leveraged by both sides.
2. Ongoing Focus on CISO Accountability and Insightful Reporting
A recent study noted that 70% of C-Suite executives interviewed agreed that cybersecurity should be a part of every board meeting. Thus, Chief Information Security Officers (CISOs) should expect an increased emphasis on visibility and accountability. In practice, CISOs should expect growing cybersecurity awareness and the requirement to demonstrate the impact of security tools and technologies in defending critical assets or avoiding potential threats. Boards expect accountability and clear metrics with near real-time information on cyber threats, risks to the business, the likelihood of successful attacks, and vulnerability remediation progress.
3. Focus on Clearly Defined Risk Categorization and Risk Tolerances
CISOs will also be expected to clearly define acceptable cyber risk levels and the metrics associated with these levels. Moreover, they will be the “go-to” C-suite members leading the move from current processes to new operations.
4. Establishing Justified Cybersecurity Budgets
As budgets come under greater scrutiny, security leaders will need to provide demonstrable proof that current spending is clearly linked to reduced security risk. In practice, this could include data around the number of detected incidents versus the number of successful breaches and, in turn, the time, effort, and money saved.
5. Positioning of Cybersecurity as a Business Enabler
Collaboration across the organization will be critical as companies look to move toward environments where security is a business enabler rather than simply corporate compliance or IT risk management. Clear intentions should be set to achieve positive business outcomes through modernized cybersecurity solutions.
6. Growing Cybersecurity Focus in Automotive and Energy Sectors
With electric vehicles (EVs) increasingly going mainstream, automakers and energy companies will be under greater threat from nation-state actors to obtain intellectual property, new vehicle features and layouts, and other data that gives an automotive or energy company a competitive edge. As a result, there's a growing focus on adaptable and intelligent cybersecurity in these sectors.
7. Weaponization of Social Media Platforms
Social media security issues are on the rise in 2023. According to a study conducted by VMware in 2022, 60% of security professionals said they spotted the use of "deepfakes" — legitimate-looking images often lifted from social media profiles that help malicious actors carry out fraud via social engineering.
8. Unaffordable and Low Payout Cyber Insurance
Cyber insurance is getting more expensive even as the probability of a payout in the event of an incident is decreasing. As noted by Dark Reading, for example, cyber insurance providers such as Lloyd's of London recently announced that their policies would exclude coverage for state-sponsored cyberattacks.
Recommendations for Cybersecurity Success in 2023
With budgets flatlining as the visibility of cyber issues and expectations increase, where does this leave security teams? While there's no silver bullet to solve cybersecurity issues at the lowest cost possible, there are opportunities for organizations to minimize the risk to their systems and data while also optimizing their security spend.
Begin the new year with a fresh look at your security risk tolerance. Does the current model still accurately reflect the top security risks to the business, and is your security program still focused on mitigating and measuring any remaining risks? If gaps are found, are your security program priorities and spending for 2023 targeted toward those gaps, and if not, why not?
Security leaders should also revisit their security program organizational structure to reassess each team’s function and the responsibilities of all the roles across their organization. Reevaluate whether the current structure is sustainable and can address risk tolerance needs, tackle upcoming projects, address security ad-hoc requests, and perform daily operations on a reduced budget or the current budget. Further, consider the usage of Managed Security Service Providers (MSSP) or third-party contracts to offset costs or provide expert insights on areas lacking security maturity (e.g., data security, endpoint security, network security, cloud security, etc.).
Today, it is more critical than ever to keep breaking down silos. While this has been a priority for many companies over the past few years, companies can't afford to take their foot off the gas now. By implementing businesswide, cloud-based policies and procedures, it's possible to create a security-by-design framework that embeds protections into key functions.
Finally, it's worth evaluating where you could save money on cybersecurity without compromising overall protection. Potential areas for improved cost management include:
1. Streamlining security tools
The fewer security tools you use, the lower the overall cost and the smaller the risk of something slipping through the cracks. More tools sometimes result in too much data or even conflicting data that needs to be rationalized. Ensure any new tools fill a specific need that maps to gaps in your coverage model from whatever frameworks you’ve chosen to support your risk tolerance.
2. Examining current MSSP (Managed Security Service Provider) capabilities
With more than 10,000 MSSPs in operation, it is worth comparing current provider capabilities and costs to other market options. Partnering with an MSSP isn't an all-or-nothing decision. It could be as simple as staff augmentation to provide 24x7 coverage of critical events, or as broad as fully outsourcing the choice, deployment, and operation of a specific security product, as many organizations are considering in the endpoint detection and response (EDR) space.
3. Working backward to move forward
As attack vectors evolve, new security tools will be required. To keep spending under control, start from what you have and work backward to pinpoint areas where current tools do not cover critical gaps. Invest the savings in further modernizing, standardizing, and securing your cloud-based workloads. Greater degrees of solution standardization and automation can drastically reduce configuration errors and vulnerabilities and, over time, reduce operational costs and risk.
4. Re-evaluating Cybersecurity Insurance Policies
Organizations need to constantly evaluate their cyber insurance's efficacy and cost to ensure it is filling a critical need and offers substantial value. If you are paying tens of thousands per month for coverage with a low likelihood of a payout in the event of a covered attack, it may be time to rethink your current policy or provider. Some organizations are even considering reducing the amount of cyber insurance coverage they purchase or self-insuring, given the changes in the insurance market.
What is the bottom line? Budgets aren't getting bigger, but business leaders expect cybersecurity to increasingly become a business enabler in 2023. To do more with less, teams need to focus on the basics, evaluate their insurance, break down silos and look for ways to reduce spending without sacrificing security.