The Cybersecurity Dive Outlook on 2023

There are a few certainties in cybersecurity: ransomware will cause headaches for companies; third parties will spark cyber incidents; and every December, cybersecurity analysts will put together lists of their predictions and trends they believe will have an impact in the coming year. 

Most of the predictions are designed to help organizations build out their security programs, but every so often a trend will build slowly over time until its impact is clear.

Sometimes these trends will reach far beyond an individual company and impact society at large. 

Here are some of the biggest trends Cybersecurity Dive is watching this year. Are there any security patterns you are watching closely? Email us at [email protected].

The global impact of state-sponsored activities

State-sponsored threats trend every year, but as we begin 2023, those threats have a different, more menacing, feel to them. The countries responsible for much of the state-sponsored activity — Russia, China and Iran — are embroiled in conflict. 

“In the past year, we’ve seen [Russia's] invasion of Ukraine; a worsening of the relationship between China and the West combined with tightening control by Xi Jinping and further pressure on Taiwan; and a growing concern in Iran about dissident activity and pressures on the regime both internally and abroad,” said Mike McLellan, director of intelligence for the Secureworks Counter Threat Unit. 

All those factors affect state-sponsored threat group tasking and activities and will be reflected in what they do in the coming year.

“While cybercriminal threats such as ransomware are an ‘equal opportunity’ risk for organizations lacking robust cybersecurity defenses in all sectors, state-sponsored threats can be more targeted,” said McLellan. 

As political tensions rise in these countries, it is expected that nation-state actors will use that to their advantage to broaden their attacks. 

China, for example, is often interested in obtaining intellectual property from high-tech targets, and there is concern that other Russian groups will carry out large-scale covert foreign intelligence gathering activities, spurred by concerns about Russia’s general standing in the world.

Certain sectors or countries have always been at greater risk of state-sponsored attacks, but 2023 may be the year that risk against critical infrastructure sectors, government, and high-tech companies escalates — especially if a nation-state sees outside interference.

Consumers will drive security and privacy measures

Consumers have made the digital transformation, with nearly three-quarters of their interactions with a company happening digitally. They are also becoming more concerned with how a company treats their personal data. 

That’s why Criss Bradbury, Deloitte’s US Data and Privacy leader for cyber and strategic risk, believes in 2023 data centric security and privacy will be the foundation for how businesses build their brand.

“Digitization of business means that organizations are increasingly having more direct relationships with consumers — and as a result, are collecting more data across various channels,” said Bradbury.

With new and upcoming laws/regulations and increasing scrutiny by authorities and alarming headlines over recent years, consumers are becoming more aware about what organizations do with their data and how they respect consumers’ privacy and choices. 

Consumers will begin to demand transparency surrounding their data security and privacy programs, eventually making their choices based on which company is doing the most to protect their personal information.

“We see trusted data use as being one of the primary ways that organizations can either build or lose consumer trust,” said Bradbury. 

If organizations don’t have a strong grasp of how consumers’ data is processed, they will struggle to protect or enhance consumer trust and they will eventually risk harming their corporate brand.

“Organizations should define what trust means to them, develop key metrics to track customer sentiment related to trust, and measure how their actions and initiatives impact that sentiment over time,” said Bradbury.

Final notes on the board

These are trends with very human costs, whether it be potential cyberattacks from state-sponsored threat actors who want to take down critical infrastructure or consumers who fear becoming the victim of identity theft due to a company taking shortcuts with their security. 

Michael Mumcuoglu, CEO and co-founder at CardinalOps, thinks 2023 is likely to be the year executives, boards, and auditors demand better cyber reporting around business risk.

“These critical stakeholders will increasingly be asking CISOs to report on their defensive posture with respect to attacks that can have a material impact on the organization,” said Mumcuoglu.

The rising threat of flawed software will get even worse, as common vulnerabilities and exposures (CVEs) will average more than 1,900 per month, according to a report released by insurance provider Coalition.

The monthly total will include 270 high-severity and 155 critical vulnerabilities, which often give attackers the ability to remotely take control of computer systems.

The San Francisco-based company said 94% of organizations scanned in 2022 had at least one unencrypted service that was exposed to the internet.

The report opens a window into the role vulnerabilities play in exposing organizations to sophisticated threats. 

Log4j, which was disclosed in December 2021, demonstrated how unpatched vulnerabilities can expose the most advanced computer systems to attacks from criminal and nation-state adversaries looking for opportunities to exploit flawed applications. 

The increase is likely because researchers are investing more to uncover vulnerabilities and organizations are also conducting more audits to find flaws in software. 

“This overwhelming number of CVEs can be challenging for IT and security professionals to analyze meaningfully,” Tiago Henriques, VP of research at Coalition, said via email. “The incredible volume makes tracking increasingly tricky and the database is growing at an alarming rate.”

Most CVEs are exploited within 30 days of public disclosure.

Remote desktop protocol remains the most commonly scanned protocol, according to the report. In addition Elasticsearch and MongoDB database have high rates of compromise, with each showing up in a large percentage of ransomware attacks. 

Coalition based the report on a combination of information gathered through underwriting and claims data, scans of 5.2 billion IP addresses and a global network of honeypots, which are sensors that provide critical information on attacks. 

Pressure is rising on budgets amid concerns about an economic downturn and CISOs will need to convince board members and the C-suite that cyber resilience will help improve the bottom line, according to Forrester. 

Corporate boards and the C-suite still largely view cybersecurity as a cost center, raising the possibility that critical investments will be rolled back or eliminated as companies make cuts. 

But CISOs need to make the case that cyber resilience will help generate customer trust and loyalty. It falls on them to illustrate cuts to the security budget will put the company at risk of regulatory scrutiny, higher insurance premiums and the risk of losing customers to rival firms.

“Linking security to revenue — or the loss thereof — is critical to defending the security budget and establishing security as a core competency, and the cost of doing business,” Jess Burn, senior analyst at Forrester, said via email.

The concerns raised in the report, a planning guide for security and risk this year, echo a number of other indicators that cybersecurity budgets are coming under scrutiny. 

The Neustar International Security Council showed less than half of companies surveyed across the globe said they were getting adequate budget allocations to support their cybersecurity needs, according to a report released last week. 

Earlier this month, PwC released a report showing about half of global CEOs planned to increase their investments in cybersecurity or data privacy, adapting supply chains or expanding their geographic footprint. 

“That being said, CISOs are trying to be good stewards of the level of investment by optimizing their technology footprint and leveraging automation to do more with less,” Joe Nocera, PwC partner leader, cyber, risk and regulatory marketing, said via email. 

Hype around investing in cybersecurity is giving way to talk of economic headwinds and cybersecurity, seen as a cost center, is closely watching the budget chopping block. 

This turmoil in 2023 is expected to adversely affect the cybersecurity vendor landscape, spurring a spree of consolidation. One CISO even equated some of the potential market movement to a fire sale.  

Even when resources are tight, cybersecurity executives are expected to fall in line with regulation. From the CISO’s desk, there is also a lot of attention on what due diligence means following the guilty verdict of Uber’s CISO last year.

Cybersecurity Dive asked researchers and analysts what they expected to see hit the business of cybersecurity this year. Below is how four experts responded: 

(Responses have been edited for length and clarity)

Mauricio Sanchez, research director at Dell’Oro Group:

Vendor and solution consolidation will continue. Large vendors with positive market momentum will get bigger as they subsume the smaller fish in the market

Security budgets will remain largely unaffected in 2023 because security is a board-level conversation and has budget priority. Besides not wanting to make headlines due to a breach, the conviction of Uber CISO sent shockwaves on what due diligence means.

Even as security budgets remain unaffected, how budgets are spent will continue to change. Organizations will focus less on traditional security infrastructure — say firewalls — and more on cloud-delivered, SaaS-based security for securing hybrid work and cloud applications.

Mary Galligan, Deloitte’s U.S. cyber crisis management leader

As the cyber threat landscape continues to evolve and grow more sophisticated, the role board of directors play in cyber risk oversight is becoming increasingly important.

As organizations prioritize customer trust alongside continued growth, the board can help position cyber as a strategic enabler to foster stronger relationships across customers, vendors, employees, and shareholders.

Recognizing the value a robust cybersecurity posture can directly have on financial impact allows boards to more effectively oversee cybersecurity risk management activities. 

Recent SEC proposals emphasizing governance, risk management, strategy and timely notification to investors should encourage leaders to consider evolving and shaping their current and future business models with cyber risk and the board at the center of these initiatives.

Rick Holland, CISO and VP of strategy at Digital Shadows:

The economic headwinds will drive turbulence in the cybersecurity vendor landscape. Some vendors will raise down rounds, while others will go out of business now that the era of free money is over.

Security buyers must conduct due diligence when considering cybersecurity startups. Yesterday's cool new vendor could be tomorrow's fire sale.

The economy will also drive consolidation, there are over 4,000 cybersecurity vendors out there, and many of those that do survive will become features in other vendor's platforms. 

Lucia Milică, Proofpoint’s global resident CISO:

In speaking with my peers, I see the role of the CISO gaining even more prominence next year. The number of successful cyberattacks and widespread damage they have wrought is reaching a boiling point with new regulatory scrutiny.

Proposed reporting requirements from the U.S. Securities and Exchange Commission will force public companies to be much more transparent and strengthen their cyber defenses. All this will fall on the CISO.

There will be new responsibilities along with blame should a breach occur, as evidenced by the recent guilty verdict for the former Uber CISO. Our industry was already struggling to recruit qualified professionals so decisions like that present even greater challenges.

With the CISO now in the spotlight, the relationship with their boards must change. ... 

The mounting pressures of potential personal liability will only increase the strain in the board-CISO relationship, with huge implications for an organization’s security. The main disconnect is that both parties don’t speak the same business language.

CISOs must learn to tell the story of cybersecurity vulnerabilities and risks in a way that resonates with leadership. These conversations must take place regularly and in the language of business, rather than the tech jargon of security.

Consider cyberthreats variations on a theme — the new and novel are rare. 

Instead, at their core, many of the top cyberthreats organizations encounter stem from human error and mistakes. That's why experts are quick to call out the perils of phishing and spear phishing attacks. 

Those initial mistakes can serve as a bridge to a larger incident. 

Cybersecurity Dive asked researchers and analysts what cyberthreats they expect to emerge this year and if they have any predictions on what attacks we'll see. Is there a trend or prediction you think we should highlight? Email us at [email protected]

(Responses have been edited for length and clarity)

Rick Holland, CISO and VP of strategy at Digital Shadows:

Don't expect massive change regarding next year's cyber threats. The threat landscape doesn't dramatically change year over year — it doesn't have to. Why reinvent the wheel when targeting the same unpatched applications and misconfigured remote services work so well? 

Extortion will continue, actors will target vulnerable supply chain partners, malicious crypto apps will steal millions, and hacktivists will continue to support their causes. All of this has happened before. All of this will happen again.

Geopolitics has driven the threat landscape since the dawn of time and will continue to do so in 2023. The implications from the Russia/Ukraine war and the China/Taiwan tensions aren't outliers, new flashpoints will emerge, and there will be implications for cyberspace.

Nicole Darden Ford, CISO for Rockwell Automation:

With rising geopolitical tensions, we expect cyberattacks to continue as a weapon of choice and critical infrastructure as a growing target. 

This is all the reason, public and private entities should follow cybersecurity guidance by government entities, such as CISA, to mitigate risks.

Mauricio Sanchez, research director at Dell’Oro Group:

Ransomware/data exfiltration will remain prevalent threat vectors via end-user compromise (classic phishing attacks) and IT misconfigurations.

Nation-state supported attacks will increase. The perennial attacks from North Korea and Iran will be joined by an increased number from Russia and China.

Attacks against OT/IoT will increase leading to another Colonial Pipeline class event.

Michael Diamond, technology analyst at Futurum Research:

From a cyberthreat perspective, of course, not all attacks and motivations are created equal. I think for mainstream attacks, I would still put phishing or spear phishing attacks at the top of my list since they are easy to deploy, effective and the path of least resistance. 

Fundamentally, we are still answering myriad emails and texts a day and attackers have become more sophisticated. 

Also, as more organizations are trying to permeate more analytics across the organization in reporting and platforms, the risks are higher since the sheer amount of data that is out there at their fingertips is greater than ever before. 

Chester Wisniewski, principal research scientist at Sophos:

Looking forward into 2023 has me very concerned with what developments we see with the malicious use of machine learning technologies. The criminals have largely been too lazy to embrace and abuse many of the existing solutions offered by modern artificial intelligence, but I think we may be turning a corner. 

In fact, the publicly available models like Dall-E and ChatGPT3 require no effort to abuse, which I suspect means that they will be quickly adopted by criminals if they can help advance their aims. 

I’m not sure they can all be armed — Dall-E isn’t particularly useful outside of creating memes and clipart for PowerPoint decks — but ChatGPT3 could easily be weaponized to help criminals write more convincing phishing and business email compromise scams. 

The majority of user training has focused on users looking for clues that the perpetrators are not likely native English speakers, but ChatGPT3 gives criminals a freely available tool to help eliminate that suspicion for many users.

Other than that, ransomware, blah blah blah, crypto scam, yada yada yada.

Jon Geater, chief product and technology officer at RKVST:

Software vendors can no longer hide their shortcomings, and software users can no longer hide from their responsibilities if they choose to deploy something inappropriate. 

Although there’s still a way to go, we are definitely now on a road on which the digital supply chain is recognized as being as critical as the physical one: Suppliers must supply quality, and consumers must take control of their own risk.

Regarding supply chain attacks, most of the problems come from mistakes or oversights originating in the supply chain which then open the target to traditional cyberattacks. 

It’s a subtle difference, but an important one. I believe that the bulk of discoveries arising from improvements in supply chain visibility next year will highlight that most threats arise from mistake, not malice.

The global cybersecurity workforce grew to encompass 4.7 million people, reaching its highest-ever levels, according to (ISC)2 2022 workforce study. That’s the encouraging news. 

However, the same study found that there is still a need for more than 3.4 million security professionals, an increase of over 26% from 2021’s numbers. This reverses a trend seen in (ISC)2's 2021 study, where the number of open cybersecurity jobs actually dropped over a two-year period.

Will the 2022 trend continue in 2023 or was this year just a blip in what had otherwise been promising employment news from the start of this decade? 

“I believe the cybersecurity talent gap will remain an ongoing challenge in 2023,” said Caroline Vignollet, SVP of research and development at OneSpan.

The core problem, adding to the security gap, remains unchanged. The demand for cybersecurity is greater than ever, due to an evolving threat landscape with attacks that are more difficult to detect and defend. But the available potential workforce isn’t keeping pace with that demand, largely because of a lack of interest from young people entering the job market. 

“Over the years, working in the cybersecurity industry has unfortunately been positioned as an unfavorable experience, which has resulted in the younger generation showing less interest in it,” said Vignollet.

The youth gap

Industry can blame the lack of interest among today’s college students and recent graduates on insufficient curriculum in STEM studies, said Taylor Ellis, customer threat analyst at Horizon3ai. 

Too many current and former students lack the adequate skills in math and science, Ellis said, which prevents them from qualifying for advanced programs in technology that could steer them towards cybersecurity careers.

“As a result, many managers report that the main problem with closing the talent gap has more to do with skills rather than with the recruiting of cyber professionals,” said Ellis. 

Too many organizations hiring cybersecurity talent are looking for unicorns — those candidates who are able to check off every single box on the application form. Instead, it is more important to remember that technical skills can often be taught. 

What those looking for cybersecurity staff should look at in individual applicants are the soft skills, which tend to come naturally rather than through classroom education.

“The technical/soft skills combination is often what companies need to foster continuous strengthening of their cybersecurity posture,” said Ellis.

Having high adaptability that comes with this mix of technical and soft skills is crucial in the cyber industry. While an individual may be talented in one niche, they will eventually be asked to take on new duties as technologies emerge. 

For example, a new hire may have experience in cloud security, but working in the cloud is rapidly expanding to include areas such as artificial intelligence, blockchain and IoT.

“When recruiting for cybersecurity positions, it is important for businesses to think about an individual’s level of adaptability and flexibility when handling technical issues,” said Ellis. 

Companies should be looking for personnel who also have the determination and drive to learn from both their managers and other sources. This includes recruiting personnel who have experience performing technical skills on their own (self-taught is often the most valuable) and those with a strong aptitude for problem solving and trial and error.

As long as candidates are pigeon-holed into narrow educational paths, both at a corporate level and at the educational level, it will be more difficult to attract young people into the field.

What universities are doing

While many organizations have begun to look from within to train and promote current employees to take on cybersecurity roles, colleges will have to address the larger talent gap. The problem is that cybersecurity is a relatively new field and higher education is slow to evolve when it comes to new curricula. 

“Universities and their structure are built on research and rigor,” Will Carlson, senior director of content with Cybrary. This can often mean that they struggle to apply that model to emergent fields such as cybersecurity.

But another problem in higher education looms: There is a shortage of university professors willing and able to teach cybersecurity to students. 

“With the competitive increase in salary pay for the past ten years, many qualified cyber professionals prefer to work full-time in the private sector rather than teaching nights at college,” said Ellis.

But there is hope on the horizon. More universities are implementing courses specific to cybersecurity, and a growing number of cybersecurity professionals recognize that teaching, even on a part-time basis, improves their personal reputation within the industry and can lead to better opportunities. 

Universities are partnering with the corporate sector, which allows students to practice their technical skills in a realistic cybersecurity setting. These hands-on experiences will help students and provide companies with more talent to fill open jobs. In addition, the federal government is taking steps like the National Cyber Workforce and Education Summit that was held at the White House earlier in 2022. 

But it will take time for these initiatives to take root. 

“I would relish this prediction being wrong, but I believe we'll be lucky to see the skill gap remain flat in 2023,” said Carlson.