Every December, the annual flood of cybersecurity predictions washes across social media. With each passing year these predictions remain wholly predictable.
How many times have you heard some variation of:
- Attacks against ____ will increase
- _____ attacks will continue to evolve and become more sophisticated
- The rise of ____ will give attackers new ways to _____
- Boards will finally get serious about security
- The cybersecurity staffing crisis will continue
Since I exited my company, I gained a fresh perspective on the cybersecurity industry. Liberated from the daily torments of running a company, I reflected on what did and did not work.
What I see is an industry caught in a loop. It keeps predicting the same things, repeating the same tired stories, and advocating the same exhausted clichés, expecting things to change. Every year attacks increase, new technologies will save and/or kill us, and executives are on the edge of finally accepting security as a serious issue. These predictions never come true. I am confident that many of these same predictions will repeat next December.
Therefore, as I am unencumbered with accountability, I present my anti-predictions for the 2023 cybersecurity industry:
The Threat Landscape is Changing
No, it is not.
In 2023, everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may shift causing us to perceive security differently. However, the actual threats we face will remain largely the same.
In fact, it is my belief that the threat landscape has remained static for the past 20 years. The threats that computer and infrastructure systems face today are not dramatically different from those of 2003. Viruses and worms are now called ransomware, but they function largely the same. Hackers are still hunting for credentials and cracking passwords. The avenues of attack are mostly the same: email, websites, etc. Attacks cause more damage today, but that is relative. Everything is more complex and operating at a larger scale than in 2003.
In 2023 we have more technologies to detect threats and more words to define them, but the actual threats are the same.
Executives Will Start Taking Security Seriously
One thing you can always count on when there is a big data breach is social media channels filled with “thought leaders” exasperated at how leadership ignored such obvious security problems. These insufferable Captain Obvious crusaders cannot comprehend how people can be so irresponsible.
The reason for executive inaction is simple: there are minimal consequences for irresponsibility. How many CEOs have lost their job due to a data breach? One, two? The number is extremely low. While these incidents may have significant financial impact, that impact can be easily dismissed and blamed on the CISO or other security staff.
Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clearly discernible consequences. They know it is serious, but the answer is always the same: buy more stuff.
As such, they fall back to the next item on this list.
Companies will Commit to Stronger Security Defenses
No, they will stick with “good enough” security.
It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.
This is why executives are obsessed with copying the “big boys.” The reasoning is that if a product or practice is good enough for a big company like Netflix, then it must be good enough for us. I am convinced that if Netflix installed a box of wires that screamed obscenities at IT staff all day, and wrote a blog about how this improved their security, executives all over the world would be lining up to install CurseStrike XL!
Companies keep throwing technologies at security problems and consistently fail to operationalize those technologies. That is because doing the operationalization work is complex, unrewarding, tedious, and does not get you likes on LinkedIn. This is a positive feedback loop: bad security begets more tech, which begets more complexity, which begets weaker security, and return to start.
To quote Dick Jones, Senior Vice President of Security at Omni Consumer Products, “Who cares if it works or not!”
We Will See a Megabreach that Cannot be Ignored
We are already ignoring them.
2023 will undoubtedly see plenty of data breaches. They will get plenty of coverage and then fade from memory. This is partially due to breach fatigue, but also because breaches are not that serious to most companies. They cause a brief period of turmoil, and then are quickly forgotten.
The recent LastPass breach is a good example. While some of us dumped LastPass, thousands shrugged off the news. It is too difficult, time consuming, and complex for most organizations to replace it. Once a technology is entrenched in an organization, removing it is painful.
Megabreaches are also so common these days, that they have lost their impact. There is little we can do to stop them.
Security Staffing will See Improvements
Every year, with the absolute precision of an atomic clock, there is a flood of security blogs that proudly proclaim this will be the year security solves the staffing issues. The solution usually requires subscribing to their product.
And with even greater precision the problem remains unresolved a year later.
Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. Where there are shortages is in security operations.
This is because working blue team defense in cybersecurity is like being the janitor’s assistant’s intern. All the miserable work (such as compliance implementation) is dumped on you. The executives treat you with contempt. If you report any serious issues, you are either ignored or retaliated against. When there is a breach, you are blamed, fired, and humiliated. Meanwhile, you are expected to know how to secure everything, everywhere, with flawless perfection.
The cybersecurity industry is top-heavy with self-important thought leaders who are unable or unwilling to get their hands dirty with the operational realities of security. Everybody has some grand theory of security which invariably boils down to “defense in depth.” Open up the conference sessions for RSA, Black Hat or any big conference. What do you see? Same tired old presentations: anatomy of an attack, trends in ransomware, the changing face of blah blah. Same people, same boring ideas, same grandstanding. You have to dig deep into the technical sessions to find real educational content, such as how to automate security, clean up after an attack, and make your SIEM do what the vendor promised it would do.
Bitter, Party of One
At this point, you are probably thinking: “Andrew, you are a cynical jerk!”
Yeah. There is a bit of truth to that. This is how I am wired. I have this insatiable drive to study broken things. I want to fix them. I want to return them to a non-broken state. The only way I know how to handle this drive inside me is to talk about it. I am keenly aware that this behavior is repulsive to some people.
I point out these problems because I know they are fixable. I have seen organizations with strong, effective information security programs. I have met some brilliant operators who can single-handedly solve vexing problems. I believe…no…I KNOW there is a brighter future for security.
I want to be an agent of change. Unfortunately, being an agent of change often makes you look and sound like a jerk. In fact, the line between being a visionary agent of change and an impulsive, disrespectful jerk is alarmingly thin.
The Brighter Future
Let’s set the cynicism aside and acknowledge that these predictions are broken, and that we need to do something different.
Here are some of my ideas that could make a difference:
- Stop buying new technologies, or settle on new ones and plan to stick with them at least five years.
- Hire people who are slightly unqualified for security roles. Grizzled “experienced” people often come with a ton of baggage.
- Focus security on operationalizing and automating every aspect of security.
- Stop making excuses and move all your workloads to the cloud. Containerize as much as you can.
- Pay your operators more so you can attract the smart ones. Hire more of them so they can learn from each other. Reward the creative ones.
- If you hire a managed security provider, hold them accountable. If they cannot deliver, fire them quickly and replace them.
- Focus on changing faster, making people more comfortable with change, and making your environment able to change at a moment’s notice. Ability to change = effective security.
- You are not going to educate your users. Users are human and all humans do stupid things. If your company cannot handle human stupidity, then you will never be secure. Human stupidity is a constant. Build systems that can withstand constant interactions with stupidity.
- If you do not have a person on staff who can write (decent) documentation, get one. Now. Document everything. Follow it.
These are only a few ideas. I would love to hear your ideas. That is where real answers begin to emerge: when we accept that something is not working and want to make it better.
I predict that in 2023 cybersecurity will make many of the same mistakes. I also predict that a few people will start to see a brighter future. They will become agents of change. They may be disliked and even feared. Yet they will make a difference.
Making a difference is all any of us can hope for in the coming year.