Top Cybersecurity Trends: Truths and Tall Tales, 2023 Edition
At the end of each year, research analysts, security pundits, and security product vendors peer into their crystal balls and make predictions about the coming year.
Last year I published my “Top Cybersecurity Trends” article, and due to its popularity, I’ve decided to bring it back, complete with updates on the market and a little silliness to get you through the hectic holiday season.
Settle in with a sugar cookie and some eggnog and read on to see what, in my opinion (for whatever it’s worth), is and will continue to be trendy in 2024.
It’s that time of year again — the time when every security sage publishes about what will be hot in the industry in the upcoming year. These posts come in three primary forms. The first and most common are “predictions and trends” lists that simply assemble common security topics and/or try to elevate things every security pro should know. So far this month I’ve read in these types of articles that “mobile is a new threat,” “cloud is ‘potentially’ vulnerable,” and that we will see “targeted ransomware emerge.”[1] Hey, Doc! It’s Back to the Future!
The second popular variety of these lists are those that aim to scare the bejesus out of people, especially non-security folks: “Everyone will be at risk of personal data exposure!” “State-sponsored warfare will target individuals!” While written with a modicum of truth attached to them, let’s hope FUD tactics finally die in 2024.
The third type focuses on vendor spokespersons sharing their “predictions and trends” that center around their organizations’ product(s). For this, I can’t fault the authors. Everyone’s anxious for airtime, and it’s employees’ responsibility to ensure that their company gets their fair share. Not to mention, if you work for a company and don’t believe in their product, I predict that you’ll want to look for a new job in the New Year.
As for me, I’ve been preaching that it’s all about getting the “security fundamentals” right. I’ve been saying it for years.[2] I predict, therefore, I will continue to do so in 2024.
But, as I’ve positioned this as a “trends” report, and you’ve presumably come here to read what I think is going to be trendy, let’s look at a few areas that will remain pertinent for cybersecurity professionals in 2024.
Artificial Intelligence Everywhere
Believe it or not, 2023 wasn’t the first year artificial intelligence (AI) trended as a topic in cybersecurity. Companies have been conflating AI with machine learning for at least a decade, and vendor marketing teams have been sprinkling both terms into their collateral for a long time.
But with the launch of ChatGPT more than a year ago, businesses have more accessible AI-based or AI-like tools at their disposal, and the hype has gone through the roof. On the vendor side, we see frequent announcements about how AI and large language models (LLMs) are enhancing and enriching existing products. On the end user side, employees are rapidly adopting AI tools that guarantee greater speed and efficiency — so much so that many businesses have had to rapidly publish acceptable use policies for how and where AI can be used in employees’ day-to-day work.
AI will, for certain, change the way in which people work and in which technologies process data, including sensitive and proprietary data. And while AI affords greater speed and efficiency for many tasks, we’re not at the “let the robots do their things” stage yet. We’re not even to the sentience stage yet.
As many technology professionals warn, we should proceed with caution when it comes to AI. But I predict that most companies will not proceed with caution when it comes to AI messaging.
Year-end conclusion: In 2024, we will see more and more companies declaring their use of AI as a core component of their products and services. Under the covers, much of the “AI” will actually continue to be machine learning, but the hype will heighten.
Cyber Crime Sophistication
While I recently joked to a security friend that I was tempted to write, “‘AI’ will be added to every cyber vendor marketing campaign” for every trend in this report, there are other trends that will loom. One of those is increasing cyber crime group sophistication. Now, the fact is, cyber crime groups do and will use AI to become more savvy over time. They are probably miles ahead of the rest of us already.
Even if they are not significantly far ahead with AI, in particular, they are reliably and regularly using automation and corporate practices (such as employing marketing professionals). Doing so ensures that their schemes are successively more realistic and plausible.
Year-end conclusion: With big budgets and trained professionals at the helm, threat actors will continue to improve their tactics and techniques in 2024, creating stealthy messaging and traps that will be hard to spot, even by present-day detection technologies.
Continued Tools Consolidation
While reports show that cybersecurity budgets are growing, recession fears and a slow funding market from the last few years have made businesses cautious about what they’re spending money on. Most enterprises maintain an overabundance of security tools deployed in their tech stack. In fact, a survey of RSA attendees revealed that 43% of security professionals “say their number one challenge in threat detection and response is an overabundance of tools.”
It’s no surprise, then, that 75% of security teams said they were pursuing vendor consolidation in 2023. It doesn’t take rocket science to see the perpetuation of this trend. As the tools market waxes and wanes, with vendors acquiring or building products that take an integration approach, it’s easier to flush out redundancies. With the explosion of asset management vendors, businesses can more easily see where they have overlaps and use that data to sunset iterative technologies or ones no longer serving a defensible business purpose.
Year-end conclusion: Many security teams will pursue consolidation in an effort to optimize the tech they already have at their disposal. Any new tools acquired must support an integration approach, and (in addition to any technical benefits) they must serve the purposes of speed and accuracy.
Cyber Insurance and Regulation Increases
Cyber insurance is the fastest-growing subsector of the insurance market, and for good reason. Businesses’ attack surfaces are expanding all the time, and organizations fear financial losses due to the disruption a compromise can cause. In some cases, banks and other funding sources are requiring the businesses they’ve invested in to obtain cyber insurance, even if the laws and regulations do not yet say so. But that could be changing.
For instance, the new SEC regulation just hit on December 15, 2023. Though the rule focuses on disclosure and does not specifically mention cyber insurance, there is a requirement to disclose “material damages,” read: financial damages. One of the best ways to mitigate financial damage? Insurance coverage.
With a steady increase in the number of cyber-specific rules and regulations hitting the industry, companies are preparing to proactively protect themselves financially and comply with pending policies.
Year-end conclusion: Regulation and cyber insurance will become intertwined in 2024; many cyber insurance companies are already requiring the implementation and use of monitoring and detection tools as a prerequisite for coverage. And many companies are having a hard time meeting these requirements. But as the market matures, and the cost of cyber crime increases, expect to see a co-mingling of these fields.
Exposure Management Overshadows Vulnerabilities
“Exposure management” and “proactive security” are starting to emanate from the primary industry analyst firms and, of course, that means they’re making their way into vendor marketing. But, even though it’s buzzy or hype-y, I think this one has some legs. Not the buzzword, just the concept.
Why? Because companies have been focused for a very long time on vulnerability management. And while vulnerability management is an absolutely necessary element of a security program, fixing vulnerabilities is an action a company must take to decrease its exposure to risk — risk of compromise, risk of data leak or loss, risk of system disruption, etc. And the main goal of a security program is — or should be — risk reduction. Whatever we do in cybersecurity, it should be in service of risk reduction. Not just cyber risk reduction, mind you, but business risk reduction.
Before you can get to risk, though, you have to know your exposures, and those extend beyond vulnerabilities.
Exposure management and proactive security aren’t new concepts. All that’s happening now is the creation of a term/category/buzzword.[3] And while I am generally not a fan of creating buzzwords for invention’s sake, I think it’s a good idea to codify what the concept is so that security teams can wrap their heads around what needs to be done to reduce risk.
Year-end conclusion: “Exposure management” will be incorporated into nearly every cyber vendor’s marketing message. The analyst firms will publish documents about the importance of exposure management, and include top companies in those reports. Comparisons between disparate companies will confuse buyers into thinking “exposure management” is a tool that can be deployed rather than a foundational concept.
Now what?
Like last year, I’ve gone through a few serious topics in the above text. And, while I trend toward verbose, I want to wrap up this post with the insights of a few of my security friends who are much smarter and more interesting than I am. Enjoy their not-so-serious and/or serious-but-concerning predictions and trends for 2024.
This is an end-of-year post. Have some fun with it! And maybe we’ll do this again twelve months from now.
Ben Rothke, Senior Information Security Manager, Experian
I predict all of the core information security problems and issues Cliff Stoll encountered in the late 1980s will occur in 2024.
Josh Marpet, CEO, MJM Growth
I predict that ransomware will mutate through natural selection and become “AnnoyingWare.” It will sing Christmas carols incessantly, and do it to a mariachi beat.
Chris Nickerson, Founder, LARES Consulting
I predict that the AI/Anti-AI movement will neutralize the hipster buzzword marketing movements of the 2024 mass adoption security technology index.
Tim Krabec, Principal Information Architect
Companies will complain about the 30 billion shortage of cybersecurity professionals but refuse to change job descriptions that increasingly insist applicants be “security unicorns” with 15+ years of experience and total mastery of every security vendor product deployed in the employer’s infrastructure.
HR departments and recruiters will also continue to use AI to review job applicants, thereby forcing candidates that are better at buzzwords than technology onto security hiring managers.
Ira Winkler, Field CISO and Vice President, CYE
I predict that the crimes committed by security influencers will double.
I predict that the organizations that predict cybercrime and skills shortage numbers will triple their predictions without any supporting data.
I predict that nobody will go back and see how well the predictions did, allowing people with bad takes on cybersecurity to continue to influence the market next year.
To that end, I predict cybersecurity industry predictions will grow by 2000% next year.
And last but not least, a prediction that is more scary than silly…
Jennifer Minella, Founder and Principal Advisor, Network Security, Viszen Security
I predict the use of human user vulnerability “scanning,” analysis, and enumeration using AI/ML. This analysis will be based on users’ profiles and behavioral analytics, and will include inputs far beyond on-screen actions, such as inputs from all publicly accessible data points that don't violate privacy.
[1] These are real quotes from December 2023. Names and identifiers have been removed in order to protect the identity of these individuals and organizations.
[3] This is similar to what happened with zero trust: the concept was introduced years before anyone started to apply it to their security programs. And since organizations are still not fully in with zero trust, I don’t expect exposure management to be a quick and easy fix.