The cybersecurity arms race is accelerating. That’s the clear lesson of 2022 for those of us committed to protecting organizations from the perils of cyberattacks. We grow smarter and more capable by the day — and so do the threat actors.

Protecting and enabling an enterprise requires a mix of prediction, agility and diligence. While no organization is impervious to attack, and “expect the unexpected” is the only surefire prediction we can make, here are five areas where IT leaders should focus as you prepare for 2023 and beyond.

  1. Post Quantum and Cryptography Will Pose New Challenges
  2. Consumer Identity Protection Will Lead to New Strategies
  3. Increasing Cloud Complexity Will Accelerate Adoption of Automated Tools
  4. Technology Evaluation Strategies Will Create a New C-Level Role
  5. New Roles for Board Members in Cybersecurity

 

  1. Post Quantum Computing and Cryptography Will Pose New Challenges

The good news: quantum computing is almost here to solve problems for humanity. Computations that once took years will be completed in minutes using quantum computers that run at 158,000,000 times the speed of conventional computing. This promises massive ecological, financial, medical and educational benefits to the world.

The bad news: you guessed it, threat actors are also becoming quantum savvy. Hackers will be able to break previously impenetrable encryption. While quantum technology is not expected to become widely available until at least 2025-27, it is still an imminent threat. Hackers of all kinds — state-sponsored, money-motivated and ego-driven — are stealing encrypted data and saving it for a time when they do become quantum-powered. “Harvest now, decrypt later” will become a common buzzword in the boardroom. And the most security-savvy organizations will start their journey to quantum-safe algorithms today.

Multiple industry thought leaders, including Gartner, NIST/DHS and McKinsey, are already urging organizations to adopt quantum-safe algorithms immediately. In the United States, the White House and National Security Agency (NSA) have already issued directives with required actions in the next 6-12 months. In the payments industry, MasterCard is working towards becoming more quantum resistant.

Our Take: We’re advising our customers to inventory their cryptographic assets and to assess their public key infrastructure, digital identity framework and data protection risks. Map out a migration plan and timeframe, and review your governance against best practices and compliance requirements. Finally, assign security team owners to track the evolution of quantum computing. For executives in the payments industry, post-quantum readiness assessments and payment enablement solutions can guide your planning. Entrust has resources that can help.

  2. Consumer Identity Protection Will Lead to New Strategies

In mid-2022, Meta began the process of settling a lawsuit that claimed it illegally sold consumer data to the political analytics firm Cambridge Analytica. In the fall, Google paid more than $392M to settle a lawsuit with 40 U.S. states. And in early November, a consumer group sued Apple alleging that its applications still track consumers after they explicitly turn off tracking. Amazon is currently being sued by a consumer group that claims Alexa-enabled devices illegally recorded private conversations, then monetized the collected data.

How consumer marketers, government agencies, financial institutions and other organizations navigate data privacy issues will be a central topic throughout 2023. Security leaders worldwide – and increasingly the C-suite – will be tasked with unraveling a consumer conundrum: while evidence mounts that consumers are concerned about the privacy of personal data, multiple surveys indicate that about 4-in-5 consumers are willing to share personal information in exchange for enhanced value or experiences. Global rules and regulations make the terrain even more difficult to navigate, as organizations collecting and monetizing data must carefully navigate GDPR, CPRA and a sea of like-minded regulations emerging at national and state levels.

Our Take: There are ways for organizations to both leverage and protect consumer data in a way that’s beneficial to all. In addition to assuming a zero trust stance to protect data and privacy, senior leaders should ensure that they build strategies around three key principles: transparency, value and choice.

  • Transparency requires organizations to be unquestionably clear about the types of data they’re collecting, how they plan to use it and with whom they plan to share it.
  • Value refers to making the decision to share data a profitable one for consumers.
  • Choice allows consumers to determine precisely what data they share and when they share it.

  3. Increasing Cloud Complexity Will Accelerate Adoption of Automated Tools

Recent enterprise efforts to drive digital transformation pushed more than two-thirds of all workloads into the cloud. Along the way, many enterprises also needed to accelerate innovation, connect with customers, transition to hybrid work and account for the disruption of a global pandemic. The results are mixed and often complex.

Managing and tracking our new digital realities across multiple cloud environments makes proper management, security, and cost control a highly complex task. Most of us can’t accurately account for all the workloads, VMs, containers, keys and crypto that exist in our digital sprawl. Most of us aren’t great at controlling who has access to all of those immensely valuable and proprietary digital assets. Skills and resource gaps that exist in most organizations make this cloud reality difficult — and costly — to manage. In fact, a recent study found that the average organization now has 76 security tools to manage, up 19% from just two years ago.

Our Take: Enterprises will increase adoption of management tools and automated processes to bring order, security and cost control to their hybrid (multi-) cloud infrastructures. The right automated tools can bring new levels of efficiency to the secure management of users, machines, applications and data across cloud environments of all sizes. Enterprises will also look to vendor consolidation as a key strategy. Business leaders will look at using as few vendors as possible to simplify vendor management and mitigate costs and risk. Almost 75% of organizations are pursuing security vendor consolidation to improve their risk posture, according to recent Gartner research.

  4. Technology Evaluation Strategies Will Create a New C-Level Role

Not long ago, IT made technology buying decisions. Larger decisions were often reviewed by a member of senior leadership. But the process was conducted almost entirely by technologists.

Now, digital infrastructures are the core revenue and innovation engines for almost every enterprise. Part of this transition is the emergence of new buying groups and new technology evaluation processes within organizations. In fact, technology evaluation and acquisition teams are now comprised of 7 to 10 decision makers, each from a different discipline within the enterprise. Each of these members — from engineering, legal, HR, finance, manufacturing, sales, IT and other groups — comes to the table with his or her own set of buying criteria, preferred products and favorite partners. With this many divergent sets of needs and opinions, there is always healthy, or sometimes not-so-healthy, conflict that needs to be resolved by aligning decisions with overall business goals. These decisions are becoming more and more core to the success of the business. Of course, every new technology acquisition expands an organization’s attack surface and potentially adds new vulnerabilities.

Our Take: We expect to see more enterprises add the role of Chief Risk Officer to their senior leadership teams. In addition to optimizing ROI and mitigating cybersecurity risks, people in this role will be tasked with ensuring that Environmental, Social & Governance (ESG) goals are embedded in technology buying decisions.

  5. An organization’s security posture is becoming a board-level priority.

The potential for operational interruption, financial loss and brand damage has moved the enterprise security posture to the top of most board agendas. Most corporate board members understand the ubiquity of cyberattacks. It’s no longer a matter of if, it’s clearly a matter of when an enterprise will suffer a data breach, ransomware event or another type of attack.

Our Take: We believe we will see boards take three key actions in 2023:

(1) Embedding cyber risk in strategic plans. As enterprises become more connected to consumers, citizens and business partners, there is increased benefit for the enterprise — and increased risk. Most major strategic decisions will include a comprehensive assessment of those risks, along with mitigation and response plans.

(2) Strategic Funding of Cybersecurity Initiatives. These funds were historically expected to come from the general IT budget, which meant security initiatives were almost always underfunded. In 2023, we expect boards will identify a specific — and healthy — budget for cybersecurity in order to mitigate risk and drive growth.

(3) Maintain Awareness of Cyber Resilience. If a data breach or ransomware event occurs, board members and senior leaders will be the ones answering difficult questions from customers, investors, media and business partners. This will lead board members to become more conversant in cybersecurity topics and we believe they will insist on regular updates that include both historical reports and detailed plans for staying ahead of evolving threats.

 

There’s a lot to chew on here and it’s going to take strategy and action from across the IT and business community to meet these challenges. So, let’s keep the discussion going. Email your 2023 predictions to [email protected]. We’ll be talking about predictions and challenges on the Cybersecurity Institute podcast soon.