Every December, social media is flooded with cybersecurity predictions for the next year. With each passing year these predictions become — wholly predictable.
How many times have we heard some variation of:
- Attacks against ____ will increase.
- _____ attacks will continue to evolve and become more sophisticated.
- The rise of ____ will give attackers new ways to _____ (AI is the latest in this category.)
- Boards will finally get serious about security.
- The cybersecurity staffing crisis will continue.
The cybersecurity industry is stuck in a loop. It keeps predicting the same things, repeating the same stories, and advocating the same exhausted cliches expecting things to change. Every year attacks increase, new technologies will save and/or kill us, and executives are on the edge of finally accepting security as a serious issue. These predictions never come true.
Therefore, I present my anti-predictions for 2023 cybersecurity industry:
The Threat Landscape is Changing
In 2023, everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change causing us to perceive security differently. However, the actual threats we face will remain mostly the same.
In fact, I believe that the threat landscape has remained static for the past 20 years. The threats of today are not dramatically different than 2003. Viruses and worms are now called ransomware, but they function largely the same. Hackers are still hunting for credentials and cracking passwords. The avenues of attack are mostly the same, email, websites, etc. Attacks cause more damage today, but that is relative. Everything is more complex and operating at a larger scale than 2003.
In 2023 we have more technologies to detect threats and more words to define them, but the actual threats are the same.
Executives Will Start Taking Security Seriously
One thing you can always count on when there is a big data breach is social media channels filled with “thought leaders” exasperated at how leadership ignored such obvious security problems. These insufferable Captain Obvious crusaders cannot comprehend how people can be so irresponsible.
The reason for executive inaction is simple, it is easy to blame somebody else. When a breach happens, the board or CEO can line up the IT department and blame them. They can then make a promise to fix everything. (See: Solarwinds case for proof of this.)
Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to dimmish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.
As such, they fall back to the next item on this list.
Companies will Commit to Stronger Security Defenses
No, they will stick with “good enough” security.
It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.
This is why executives are obsessed with copying what other company’s are doing. They reason that if a product is good enough for a big company, like Netflix or Apple, then it must be good for everybody. This ignores the fact that technology is useless unless it is implemented and managed properly.
Companies keep throwing technologies at security problems and consistently fail to operationalize those technologies. That is because doing the operationalization work is complex, unrewarding, tedious, and does not get you likes on LinkedIn. This is a positive feedback loop: bad security, begets more tech, begets more complexity, begets weaker security, and return to start.
Or as RoboCop’s Dick Jones says, “who cares if it works.”
We Will See a Megabreach that Cannot be Ignored
We are already ignoring them.
2023 will undoubtedly see plenty of data breaches. They will get plenty of coverage and then fade from memory. This is partially due to breach fatigue, but also because breaches are not that serious to most companies. They cause a brief period of turmoil, and then are quickly forgotten.
The recent Lastpass breach is a good example. While some of us dumped Lastpass, thousands shrugged off the news. It is too difficult, time consuming, and complex for most organizations to replace them. Once a technology is entrenched in organizations, removing it is painful.
Megabreaches are also so common these days, that they have lost their impact. There is little we can do to stop them.
Security Staffing will See Improvements
Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.
This is because working blue team defense in cybersecurity is like being the janitor’s assistant’s intern. All the miserable work (such as compliance implementation) is dumped on you. The executives treat you with contempt. If you report any serious issues, you are either ignored or retaliated against. When there is a breach, you are blamed, fired, and humiliated. Meanwhile, you are expected to know how to secure everything, everywhere, with flawless perfection.
The cybersecurity industry is top-heavy with self-important thought leaders who are unable or unwilling to get their hands dirty with the operational realities of security. The industry keeps venerating these people, while ignoring the regular folks who grind away everyday keeping things safe.
This also causes skilled security people to seek out careers that are safer, such as penetration testing. Oddly enough, breaking into environments is a more rewarding job than protecting them.
Bitter, Party of One
Okay, maybe all of this sounds a little bitter.
I point out these problems because I know they are fixable. I have seen organizations with strong, effective information security programs. I have met some brilliant operators who can single-handedly solve vexing problems. I believe…no…I KNOW there is a brighter future for security.
That brighter future is frustratingly difficult to achieve when there are so many impediments to success. Annual cybersecurity predictions are only perpetuating these problems.
The Brighter Future
Let’s set the cynicism aside and think about what we could do differently this year. Here are some of my ideas:
- Stop buying new technologies, or settle on new ones and plan to stick with them at least a few years.
- AI will not solve everything. It is merely a new tool. It must be mastered like any other tool.
- Hire people that are slightly unqualified for security roles. Grizzled “experienced” people often come with a ton of baggage.
- Focus security on operationalizing and automating every aspect of security.
- Stop making excuses and move all your workloads to the cloud. Containerize as much as you can.
- Pay your operators more so you can attract the smart ones. Hire more of them so they can learn from each other. Reward the creative ones.
- If you hire a managed security provider, hold them accountable. If they cannot deliver, fire them quickly and replace them
- Focus on changing faster, making people more comfortable with change, and making your environment able to change at a moment’s notice. Ability to change = effective security.
- You are not going to educate your users. Users are human and all humans do stupid things. If your company cannot handle human stupidity, then you will never be secure. Human stupidity is a constant. Build systems that can withstand constant interactions with stupidity.
- If you do not have a person on staff who can write (decent) documentation, get one. Now. Document everything. Follow it.
These are only a few ideas. I would love to hear your ideas. That is where real answers begin to emerge. When we accept that something is not working and want to make it better.
I predict in 2023 cybersecurity will make many of the same mistakes. I also predict, a few people will start to see a brighter future. They will become agents of change. They may be disliked and even feared. Yet, they will make a difference.
Making a difference is all any of us can hope for in the coming year.
This article was revised on 11/24/2023 to be a little less cynical.