Public cloud security challenges. Many companies aspire to fully move to the public cloud, but in practice, many are only midway through that process. This means that many CISOs have to navigate the security challenges of hybrid-cloud architecture, and in 2023, maintaining and securing a sprawling footprint will be a top priority.
They’ll need to track and secure data as it moves between on-premise data centres and the cloud, and ensure that the data stored on the cloud meets applicable compliance standards. Even if CISOs aim to become “cloud-native,” legacy security solutions may impede this transition by requiring an on-premise presence, so identifying and removing these solutions will be a gradual but necessary process. Finally, CISOs should recognise that moving to the public cloud means they can’t control 100% of their risk, as it’s up to the cloud provider to disclose zero-day vulnerabilities. Each CISO will need to figure out how to account for this uncertainty, and decide how much risk is acceptable.
The need for asset visibility on the edge and in the cloud. CISOs who enjoyed high asset visibility within traditional corporate networks are facing changes amidst digital transformation initiatives. As companies modernise their tech stacks, their assets will be decentralised, with ephemeral cloud-based instances and infrastructure-as-code that can instantly provision new virtual systems, not to mention the risk of SaaS products that can plug into an environment, extract data, and expand an attack surface. Additionally, the desire for greater resilience and better performance will result in more edge infrastructure being deployed.
CISOs value control, but they can only control — and secure — what they see. They need a single point of visibility into assets at the edge and in the cloud. It will be an uphill battle (but an essential one) to find ways to detect and protect assets in dynamic environments in real-time. Security teams can’t play their part if they don’t know what assets are vulnerable and require protection.
SBOMs catalyse increased software supply chain scrutiny. Software Bills of Materials (SBOMs) — lists of all the third-party components a certain piece of software uses — will become an industry standard for software vendors in 2023. In the US, President Biden’s SBOM executive order in May 2021 and the subsequent memorandum in September 2022 played a major role in this, but so has the sheer utility of having an SBOM in place. SBOMs offer much greater accountability than the questionnaires companies typically send vendors, allowing for more detailed insight into the software supply chain. If a zero-day threat occurs, you can see which vendors ship the affected component, and then contact them to see how they are addressing the situation.
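The “which vendors ship the affected component?” lookup described above, as an added example that is not part of the original article: a small Python routine that loads a set of CycloneDX-style SBOMs (one per vendor) and returns the vendors whose software includes a named component below the version in which a hypothetical advisory says the issue was fixed. The vendor names, the component `com.example:example-parser-lib` and the fix version `3.2.0` are all constructed placeholders, not real products or advisories.

```python
import json
from typing import Dict, List, Tuple

# Constructed, minimal CycloneDX-style SBOMs, one per (fictional) vendor.
# Only the fields this example reads (components, group, name, version) are included.
VENDOR_SBOMS: Dict[str, str] = {
    "vendor-a": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "com.example", "name": "example-parser-lib", "version": "3.1.4"},
            {"type": "library", "group": "com.example", "name": "example-parser-lib", "version": "2.9.0"},
            {"type": "library", "group": "com.example", "name": "example-http-client", "version": "1.0.0"},
        ],
    }),
    "vendor-b": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "group": "com.example", "name": "example-parser-lib", "version": "3.2.0"},
        ],
    }),
    "vendor-c": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-yaml", "version": "0.8.2"},
        ],
    }),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.1.4' into (3, 1, 4) so versions order numerically, not as strings.

    Non-numeric fragments (e.g. '4-beta') are reduced to their digits; a fragment
    with no digits counts as 0. Good enough for dotted release numbers, which is
    what this example assumes the SBOMs contain.
    """
    parts: List[int] = []
    for fragment in version.split("."):
        digits = "".join(ch for ch in fragment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def affected_components(sbom_json: str, group: str, name: str, fixed_in: str) -> List[dict]:
    """Return the components in one SBOM that match group/name and are older than fixed_in."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        # Components without a group (e.g. PyPI packages) carry no "group" key.
        if comp.get("name") != name or comp.get("group", "") != group:
            continue
        if parse_version(comp.get("version", "0")) < parse_version(fixed_in):
            hits.append(comp)
    return hits


def vendors_to_contact(sboms: Dict[str, str], group: str, name: str, fixed_in: str) -> Dict[str, List[str]]:
    """Map vendor -> affected versions, listing only vendors that ship a vulnerable version.

    This is the list a security team would work through when asking vendors how
    they are addressing a newly disclosed issue in a shared component.
    """
    result: Dict[str, List[str]] = {}
    for vendor, sbom_json in sboms.items():
        hits = affected_components(sbom_json, group, name, fixed_in)
        if hits:
            result[vendor] = sorted((c["version"] for c in hits), key=parse_version)
    return result


if __name__ == "__main__":
    # Hypothetical advisory: example-parser-lib is fixed in 3.2.0; anything older is affected.
    for vendor, versions in vendors_to_contact(VENDOR_SBOMS, "com.example", "example-parser-lib", "3.2.0").items():
        print(f"{vendor}: ships affected versions {', '.join(versions)}")
```

Only vendor-a is reported: vendor-b already ships the fixed version and vendor-c does not use the component at all. In practice the SBOMs would come from a vendor portal or a dependency-tracking service rather than an in-memory dict, but the matching logic is the same.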
That said, SBOMs will lead to new challenges. Greater scrutiny of the software supply chain will trigger challenging conversations regarding any software you create or use, as your partners develop more rigorous demands about the software components you source. Vendors will become more rigorous in keeping security measures up to date, but it won’t be feasible to remove every suboptimal software component immediately. CISOs will need to think tactically about the risk of a certain component versus the disruption caused by replacing it.
Sunsetting pre-pandemic investments becomes a priority. For the last few years, many companies held out hope that the distributed workforce would eventually shift back to on-premise work. It’s clear that remote and hybrid work is here to stay, and traditional on-premise security technology that assumes a centralised workforce, like VPN concentrators, is no longer a sound investment. In 2023, conversations about sunsetting traditional technology will reach even the most hesitant companies, as traditional sensors and technologies can no longer provide the fidelity or resilience required for a distributed environment. Instead, expect a shift towards endpoint-focused, rather than network-focused, traffic monitoring and tools like cloud access security brokers (CASBs).
Third-party security and asking the right questions. No matter how companies secure their data, third parties will always be a liability. In 2023, CISOs will need to streamline how they assess third parties at scale. To determine third-party risk, CISOs should consider how third parties access their company’s data, how they protect that data, and what the implications of each third party getting breached might be.
While there are several ways to assess third-party risk, such as vendor security rating tools, security questionnaires, and third-party attestations, the challenge is that most approaches are not highly effective. Until there is a universal approach to proving that every provider is secure, third-party security will occupy quite a bit of CISOs’ schedules and headspace.