Security in 2023: 6 trends for IT leaders

Here’s a New Year’s prediction you’ll probably never hear: “IT security solved!”

Sure, maybe an overzealous vendor or three could fuel their pitch with that kind of energy, but sensible IT pros know that’s an unrealistic state of affairs. Cybersecurity threats and risks will always exist. This is true this year, next year, and unless humanity pulls the plug and returns to hunting and gathering, forever.

That’s because IT systems and the professionals who run them are always fallible. And there will likely always be malicious systems and professionals trying to exploit this reality.

So it’s a new year – hello 2023 – but IT security is certainly not a new or passing concern. It is a dynamic concern: the risks and attackers are constantly changing, even if some of the basics (like sharing or reusing credentials across accounts) remain the same.

In this busy landscape, here are six trends IT leaders will be watching for in 2023.

1. Supply chain security remains a focus – but the work is just beginning

The term “trend” sometimes suggests “new”, but it can also describe a long-term – if not permanent – change in IT security. Exhibit A: software supply chain security. It was a hot security topic in 2022 and even before that, and it will remain a focus in 2023.

Today’s software supply chains are more diverse than ever – software is typically built from other software, much of it open source and pulled in as dependencies – and as such, securing these supply chains must be a long-term commitment rather than a one-off project.

What could be new in 2023? While people have certainly been talking a lot about software supply chain security, many organizations have yet to back up the talk at budget time.

“Red Hat’s latest Global Tech Outlook report shows that software supply chain security remains a low priority for IT decision makers when it comes to security funding,” said Gordon Haff, technology evangelist at Red Hat. “This suggests that a good New Year’s resolution for many companies is to develop a good plan for dealing with supply chain security, if they haven’t already done so.”

A silver lining: For many organizations, this may not require a budget-busting financial commitment — it’s also a matter of leadership commitment, planning, and process improvement.

“This may not even require a large investment, but it does require a plan and processes to reduce risk going forward,” says Haff.

Also, expect growing attention to Kubernetes security as a foundation for the broader software supply chain: the cluster is where the built artifacts finally run, so it is a natural place to verify that they are what the pipeline produced.

“There’s a lot more emphasis on the security of the Kubernetes supply chain,” Alex Meijer, Corsha’s head of infrastructure, told us recently. Meijer hopes for more acceptance of things like signing and verifying container images.

[ Also read Kubernetes in 2023: 7 predictions for IT leaders. ]

Meijer’s colleague, infrastructure engineer Robert Batson, also sees promise in new tools – Batson points to Sigstore’s Admission Controller as an example – that “extend supply chain security to the clusters hosting the applications [and] will join the list of tools we boot clusters with to handle things like observability and security in the traditional sense.”
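As an added illustration of the image signing and verification that Meijer and Batson describe, this is an example written for this page, not code from the original article, from Corsha, or from Sigstore’s own documentation. It is a minimal ClusterImagePolicy for Sigstore’s policy-controller (the current name of the admission controller referred to above) that only admits images from a registry path when they carry a keyless cosign signature issued to a specific GitHub Actions workflow. The registry glob, the GitHub organization/repository and the workflow path are all assumptions; the Fulcio and Rekor URLs are the public Sigstore instances.

```yaml
# Added example: Sigstore policy-controller ClusterImagePolicy.
# The registry path, GitHub org/repo and workflow file below are hypothetical.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: require-signed-images
spec:
  # Only images whose reference matches one of these globs are subject to
  # this policy; anything else is left to other policies (or admitted).
  images:
    - glob: "ghcr.io/example-org/**"   # hypothetical registry path
  authorities:
    - keyless:
        # Public Sigstore certificate authority. The signature's certificate
        # must chain to it AND carry the identity listed below.
        url: https://fulcio.sigstore.dev
        identities:
          - issuer: https://token.actions.githubusercontent.com
            # Hypothetical workflow that is the only identity allowed to sign
            # these images; a signature from any other workflow is rejected.
            subject: https://github.com/example-org/app/.github/workflows/release.yaml@refs/heads/main
      ctlog:
        # Require the signature to have been recorded in the public Rekor
        # transparency log, so it can be audited after the fact.
        url: https://rekor.sigstore.dev
```

The policy only takes effect in namespaces the controller is told to watch, for example `kubectl label namespace prod policy.sigstore.dev/include=true`. A Pod in such a namespace that references an unsigned `ghcr.io/example-org/...` image, or one signed by a different workflow identity, is rejected at admission rather than scheduled, which is the property Batson describes: supply chain verification extended into the cluster itself.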

2. A big year for NIST Cybersecurity Framework

Security professionals are undoubtedly already familiar with the US government’s NIST Cybersecurity Framework, a set of publicly available standards and practices for managing cybersecurity risk and improving an organization’s posture. But that doesn’t mean their employers necessarily follow it, especially if their industry or business doesn’t require it.

Cam Roberson, vice president at Beachhead Solutions, expects 2023 to be a big year for interest in and use of the NIST framework — even if it’s not mandatory.

“More and more organizations are realizing that while not necessarily bound by NIST, the framework nonetheless provides particularly comprehensive security guidance and best practices that apply to many other government-mandated mandates (such as CMMC or DFARS) as well as other industry-specific mandates (HIPAA and the like) where organizations need to ensure ongoing compliance,” says Roberson.

Organizations and teams that haven’t known where to begin – security is a massive, ongoing challenge – or how to take measurable action will find a roadmap of sorts in a framework like NIST’s.

“The five ‘core capabilities’ and the more than 100 subcategories that NIST provides go deep into how CIOs, CISOs, and security professionals can identify and detect threats, and then respond to and recover from them as needed,” says Roberson.

“In 2023, NIST will continue to rise as the cross-industry standard – perhaps even the de facto standard – against which organizations can compete with their security strategy.”

The same may also apply to other widely used standards and tools, such as the CIS Kubernetes Benchmark or the MITRE ATT&CK framework.

Roberson believes the depth and breadth of the NIST framework could make it a focal point in 2023.

“The risk of breaches and compliance gaps is just too high, and NIST will continue to rise in 2023 as the cross-industry standard — maybe even the de facto standard — against which organizations can compete with their security strategy,” says Roberson. “We will see that many more organizations will strive to achieve NIST compliance.”

3. As edge computing grows, so does the need for edge security

As new (or newer) IT paradigms simply become the norm – the cloud being one of the most prominent examples of the last decade or so – the security of that paradigm inevitably becomes critical too. (See also: the cloud, again.)

With edge computing strategies on the radar — or already in the works — of many IT leaders in the coming year, edge security will almost certainly garner more attention.

Like the cloud before it, edge computing is not inherently “less secure” than centralized models—it just introduces new or different risks and challenges.

As Jeremy Linden, senior director of product management at Asimily, said last year, “Edge computing can create more complexity, and this can make it harder to secure the entire system. Still, edge computing is no less inherently secure.”

Rather, edge security requires what any IT security domain requires: proper planning and prioritization, with the added wrinkle that edge devices are often physically exposed and harder to patch and monitor than a data center fleet. 2023 will be an important year to lay that foundation.

Also check out our latest collection – 11 Resources to Advance Your Edge Computing Journey in 2023 – to give your edge planning a boost.

4. The same applies to AI/ML workloads

Put simply, you could replace “edge” with “AI/ML” above to illustrate the same principle: as more companies deploy more (and more) ML models and other forms of AI in production, those workloads become increasingly juicy targets for attackers. AI/ML has been one of the hottest trends of all; AI/ML security hasn’t, but that should change in the coming year.

Christopher “Tito” Sestito, co-founder and CEO of HiddenLayer, expects CISOs and other IT leaders in particular to extend a Zero Trust approach and implement its principles and practices for AI/ML.

“2022 was a year of increasing government oversight of AI/ML security as well as accelerating ML attacks via automated attack tools,” says Sestito. “The result will be more demands on CISOs to protect their AI/ML.”

Sestito adds that resources like the MITRE Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS) framework “will allow CISOs and their teams to quickly assess and implement required security controls that can be immediately integrated into their existing Zero Trust frameworks.”

5. The year is 2023: Do you (still) know where your security providers stand?

We’re all about IT and IT leadership, not stock market forecasts or macroeconomic analysis. But if you visit any financial news site or feed even infrequently, you’ll have noticed the headlines haven’t been all sunshine and roses lately.

Within this bigger picture, there is a general feeling that 2023 could bring consolidation and changes to the tech industry.

“Many market observers believe that in 2023 there will be a market shakeout of technology providers that do not have a strong value proposition or revenue stream,” says Haff. “IT decision makers should evaluate whether their vendors have a strong market position.”

This is generally true of any vendor, but it is particularly relevant in the IT security arena, where the vendor market has expanded tremendously in recent years, especially in the cloud/cloud-native space.

“This certainly includes the security space, which has seen an explosion of startups doing cloud-native security in ways that are often overlapping and relatively undifferentiated,” says Haff.

Vendor management is part of every IT executive’s role; in 2023 it could be worth keeping an even closer eye on the portfolio, especially when it comes to security tools, and asking what happens to your coverage if a vendor is acquired or disappears.

6. High-performing security organizations build their own talent pipelines

The shortage of IT security professionals – typically near the top of any broader discussion of the challenges of recruiting and retaining tech talent – is old news.

A more recent trend is that strategic IT leaders and organizations aren’t just sitting by and waiting for someone else to solve that particular problem. They are investing in their own security talent pipelines and making sure those pipelines reach the widest possible pool of candidates.

“We anticipate that high-performing companies will continue to focus on diversifying the cyber workforce through programs that target underrepresented groups,” Sestito says. “These companies recognize that their ability to grow beyond the marketplace, solve complex challenges, and win and retain customers depends on an engaged and diverse workforce worldwide, and will invest accordingly.”

Sestito notes that this is not a time-bound trend either. Expanding the cybersecurity talent pool is a long-term strategy that won’t be achieved with lip service.

“This is not a one-year HR strategy,” says Sestito. “Rather, it’s a company-wide cultural shift that will require many years of attention and commitment.”