Security in 2023: 6 trends for IT leaders

From continued supply chain concerns to challenges related to edge and AI/ML adoption, here are the top security trends to watch in the coming year

Here’s a New Year prediction you’re probably never going to hear: “IT security solved!”

Sure, maybe an overeager vendor or three might imbue their pitch with that kind of energy, but sensible IT pros know that’s an unrealistic state. There will always be cybersecurity threats and risks. That’s true this year, next year, and – unless humanity universally unplugs and returns to the agrarian, hunter-gatherer life – forever.

That’s because IT systems and the professionals that run them are fallible, always. And there will likely always be malicious systems and professionals that look to exploit that reality.

So it’s a new year – hello, 2023 – but IT security is certainly not a new or passing concern. It is a dynamic concern; the risks and attackers change continuously, even if some of the basics (like sharing or reusing credentials across multiple accounts) remain constant.

In that busy landscape, here are six trends IT leaders will be paying attention to in 2023.

1. Supply chain security remains a focal point – but the work is just beginning

The term “trend” sometimes suggests “new,” but in the IT security realm it’s just as likely to indicate a long-term – if not permanent – shift. Exhibit A: Software supply chain security. It was a hot security topic in 2022 and even before that. It’s going to be a continued area of focus in 2023.

Today’s software supply chains are as diverse as ever – software commonly gets built from other software – and so ensuring the security of those supply chains will need to be a long-term commitment.

What might be new in 2023? While people have certainly been talking a lot about software supply chain security, they have yet to necessarily back up the talk at budget time.

“Red Hat’s latest Global Tech Outlook report shows that software supply chain security remains a low security funding priority among IT decision-makers,” says Gordon Haff, technology evangelist at Red Hat. “This suggests that a good New Year’s resolution for many organizations is to come up with a good plan for dealing with supply chain security if they haven’t already done so.”

A silver lining: For many organizations, this might not require a budget-busting financial commitment – it’s as much a matter of leadership commitment, planning, and process improvement.

“This may not even require a large investment, but it does require a plan and processes to reduce risk going forward,” Haff says.

Also anticipate growing attention to the importance of Kubernetes security as a foundation for the broader software supply chain’s strength.

“There will be a lot more emphasis on Kubernetes supply chain security,” Alex Meijer, infrastructure lead at Corsha, told us recently. Meijer hopes to see increasing uptake of things like container image signing and verification.

[ Also read Kubernetes in 2023: 7 predictions for IT leaders. ]

Meijer’s colleague, infrastructure engineer Robert Batson, also sees promise in emerging tools – Batson points to the Admission Controller from Sigstore as an example – that “extend supply chain security to the clusters hosting the applications [and] will join the list of tools we bootstrap clusters with in order to handle things like observability and security in the traditional sense.”
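As an added illustration of the kind of cluster-side control Meijer and Batson describe (this is example configuration written for this article, not something from Corsha or the Sigstore project): a policy for Sigstore's policy-controller admission webhook that refuses to schedule any image from a registry unless it carries a cosign signature bound to a named CI identity. The registry name, namespace, and GitHub Actions workflow path are constructed placeholders; the API group, field names, and public Fulcio/Rekor endpoints are those of the project.

```yaml
# Added example: a policy-controller ClusterImagePolicy. Pods whose images
# match the glob but lack a valid signature are rejected at admission time.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: require-signed-images
spec:
  # "enforce" rejects non-compliant pods; "warn" only logs the violation,
  # which is useful while rolling the policy out across existing workloads.
  mode: enforce
  images:
    # Only images matching a glob are evaluated by this policy.
    # registry.example.com is a constructed placeholder.
    - glob: "registry.example.com/**"
  authorities:
    # Keyless verification: the short-lived signing certificate must have been
    # issued by the public Fulcio CA to exactly this OIDC identity, and the
    # signature must be present in the public Rekor transparency log.
    - keyless:
        url: https://fulcio.sigstore.dev
        identities:
          - issuer: https://token.actions.githubusercontent.com
            # Hypothetical build workflow; pin to your own repository and branch.
            subject: https://github.com/example-org/example-app/.github/workflows/build.yaml@refs/heads/main
      ctlog:
        url: https://rekor.sigstore.dev
---
# Enforcement is opt-in per namespace: the webhook only evaluates pods in
# namespaces carrying this label. "production" is a constructed name.
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    policy.sigstore.dev/include: "true"
```

Because the check runs in the admission path, an unsigned or wrongly signed image is blocked before a container ever starts, and the rejection is visible in the API server's audit log as a denied create request.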

2. A big year for NIST Cybersecurity Framework

Security pros are no doubt already aware of the U.S. government’s NIST Cybersecurity Framework, a set of publicly available standards and practices for managing cybersecurity risks and boosting an organization’s posture. But that doesn’t mean their employers necessarily follow it, especially if their industry or business doesn’t require it.

Cam Roberson, vice president at Beachhead Solutions, expects 2023 to be a big year for interest in and use of the NIST framework – even if it’s not mandated.

“More organizations are realizing that even if they aren’t necessarily bound by NIST, the framework still provides particularly comprehensive security guidance and best practices that apply to many other government-required mandates (like CMMC or DFARS) as well as to other industry-specific mandates (HIPAA and the like) where businesses must ensure continuous compliance,” Roberson says.

Organizations and teams that have previously been stuck on where to get started – security is a massive, continuous challenge – and on how to take measurable action will find a roadmap of sorts in a framework like NIST.

“The five ‘core functions’ and the more than 100 subcategories that NIST provides go deep into how CIOs, CISOs, and security professionals can identify and detect threats, and then respond and recover from them as necessary,” Roberson says.


The same potentially holds true for other widely available standards and tools, such as the CIS Kubernetes Benchmark or the MITRE ATT&CK Framework.

Roberson thinks the NIST Framework could become a go-to in 2023 because of its depth and breadth.

“The risk of breaches and compliance holes are just too high, and NIST will continue to rise in 2023 as a cross-industry standard – perhaps becoming the de facto standard – that businesses can stand their security strategy up against,” Roberson says. “We’ll see many more organizations put in the effort to get NIST compliance.”

3. As edge computing grows, so does the need for edge security

As new (or newish) IT paradigms become simply normal – cloud being one of the most prominent examples of the last decade or so – the security of the paradigm inevitably becomes critical, too. (See also: cloud, again.)

With edge computing strategies on the radars – or already in the works – of many IT leaders in the year ahead, edge security is almost certain to command more attention.

Like the cloud before it, edge computing isn’t fundamentally “less secure” than centralized models – it just introduces new or different risks and challenges.

As Jeremy Linden, the senior director of product management at Asimily, told us last year: “Edge computing can create more complexity, and this can make securing the entire system more difficult. Still, there is nothing inherently less secure about edge computing.”

Rather, edge security will fundamentally require the same thing that any IT security domain requires: proper planning and prioritization. 2023 will be an important year for laying that foundation.

Also, check out our recent collection – 11 resources for advancing your edge computing journey in 2023 – to give your edge planning a boost.

4. The same applies to AI/ML workloads

In a simplistic sense, you could replace “edge” above with “AI/ML” to illustrate the same principle: As more companies run more (and more) ML models and other forms of AI in production, those workloads will become a juicier (and juicier) target for cyber attackers. AI/ML has been the trendiest of trends; AI/ML security has not, but that should change in the year ahead.

Christopher “Tito” Sestito, co-founder and CEO of HiddenLayer, specifically expects CISOs and other IT leaders to extend a Zero Trust approach and implement its principles and practices for AI/ML.

“2022 was a year of increasing government oversight into AI/ML security as well as accelerating ease of ML attacks via automated attack tools,” Sestito says. “The result will be more demands on CISOs to protect their AI/ML.”

Sestito adds that resources like the MITRE Adversarial Threat Landscape for Artificial Intelligence (ATLAS) framework “will enable CISOs and their teams to quickly assess and implement required security controls that integrate immediately with their existing zero-trust frameworks.”

5. It’s 2023: Do you (still) know where your security vendors are?

We’re all about IT and IT leadership, not stock market prediction or macroeconomic analysis. But if you check any financial news sites or feeds even irregularly, the headlines haven’t been all sunshine and roses lately.

Within that big picture, there’s a general sense that 2023 may bring consolidation and change in the technology industry.

“Many market watchers believe that 2023 will see a shakeout of tech vendors who don’t have a strong value proposition and revenue stream,” Haff says. “IT decision-makers should evaluate whether their vendors have a strong market position.”

That’s a general truth but especially relevant in the IT security domain, where the vendor marketplace has expanded enormously in recent years, especially in the cloud/cloud-native space.

“This certainly includes the security space which has seen an explosion of startups doing cloud-native security in often overlapping and relatively undifferentiated ways,” Haff says.

Vendor management is a part of any IT leader’s role; in 2023 it may be worth keeping an even closer eye on the portfolio, especially when it comes to security tools.

6. Top-performing security orgs build their own talent pipelines

The IT security skills shortage – typically a gold-medal winner in any broader discussion around the challenges of recruiting and retaining tech talent – is old news.

A more recent trend is that strategic IT leaders and organizations haven’t just been sitting idly by waiting for someone else to solve that particular problem. They’re investing in their own security talent pipelines and making sure they are reaching the widest audience.

“We predict continued focus by top-performing organizations on diversifying the cyber workforce via programs targeted at underrepresented groups,” Sestito says. “These organizations realize that their ability to outgrow the market, solve complex challenges, and attract and retain customers is dependent on having an engaged and diverse workforce globally and will invest accordingly.”

Sestito notes this isn’t a time-boxed trend, either. Actually expanding the cybersecurity talent pool is a long-term strategy, not something solved with lip service.

“This is not a one-year HR strategy,” Sestito says. “Rather, this is an organization-wide cultural shift that requires many years of attention and commitment.”


Kevin Casey writes about technology and business for a variety of publications. He won an Azbee Award, given by the American Society of Business Publication Editors, for his InformationWeek.com story, "Are You Too Old For IT?" He's a former community choice honoree in the Small Business Influencer Awards.