2022 was the most challenging year for everyone involved in the cybersecurity industry. Throughout the year, ransomware attacks continued to be one of the biggest threats worldwide. From nation-states engaging in cyberattacks to substantial data breaches at technology (Twitter), health (Medibank), and telecom (Optus) companies, among others, 2022 saw a full spectrum of hacking in which bad actors were able to penetrate the networks, compromise the servers, and then move laterally through the network to find high-value data to steal.
As cyberthreats continue to grow in number, attacks are becoming increasingly more sophisticated due to threat actors using the advanced learning capabilities of artificial intelligence (AI) and machine learning (ML). AI-powered threats continue to raise the bar for IT, security, risk, and compliance leaders in their efforts to strengthen cyber defenses. This expanding threat landscape will require companies and government agencies to move away from point security solutions and adopt transformational security paradigms like zero trust architecture that fully integrate their business processes, applications, and services to deliver comprehensive security against cyberattacks.
Here are the 10 zero trust predictions that organizations will likely experience in 2023.
1. Complex supply chain security risks will continue to impact organizations
Today’s hyperconnected global economy has driven organizations to heavily depend on their supply chains for components within the physical and digital products they require to run their day-to-day operations. Further, emerging supply chain challenges linked to geopolitical risk have caused hardware shortages, cost increases, licensing changes, and capacity limits.
To mitigate such disruptions, organizations would need to adopt a holistic approach to their security, which includes shifting away from point-in-time third-party assessments toward real-time monitoring of third-party risks and vulnerabilities in inbound packaged software and firmware components. They would also need to deploy stronger identity and access management (IAM) capabilities and accelerate the adoption of a zero trust architecture to better enforce authorized access to systems and data by partners and employees and reduce the consequences of a transaction with a compromised third party.
2. Zero trust will become a board topic
With risk exposure (company reputation, revenue, and growth) being a top issue for cybersecurity, expect boardrooms to make cybersecurity a top priority in 2023. Board members will become much more persistent and intentional about cyber risk preparedness and move from quarterly or annual updates to routinely contemplating cyber risk across all areas of the business and management’s efforts. Board directors will demand deeper insights into a company’s level of preparedness and constantly evaluate an organization's cyber insurance liability coverage against a cyberattack.
3. Organizations will create a zero trust ‘Czar’ role
As organizations move to the cloud, they are embracing zero trust to drive their secured digital transformation, with Secure Access Service Edge (SASE) emerging as the preferred approach. The challenge, however, is that in many organizations, responsibility for networking and security live in different parts of the organization and these groups often rely on different vendors in their respective areas. Breaking down the silos between security and networking teams and choosing the right tools, products, and vendors to align with desired business outcomes will be critical to implement zero trust. As pressure to implement zero trust intensifies, a zero trust ‘Czar’ role is likely going to emerge in the organizations. This individual will have the responsibility to lead the organization on its zero trust journey. This person will be responsible for bringing networking and security teams together with the common goal of implementing zero trust within the organization.
4. Organizations will increasingly adopt Universal ZTNA for hybrid work
A recent survey found that nearly a third of employees plan to work remotely full-time, with another 27% anticipating that they’ll work remotely for at least part of the time. As hybrid work becomes more pervasive, interest in zero trust network access (ZTNA) solutions will also increase. The shift to perimeter-less technology will accelerate to a model where users need just commodity internet to securely connect to everything from the office, at home, at airports, and at hotels. To achieve this, organizations will increasingly look to adopt ZTNA universally to secure both remote workers and on-premises and branch locations. This will not only ensure consistent policies across all users, but also will reduce cost for organizations and fulfill the work-from-anywhere model that is powered by zero trust.
5. The cyber talent shortage will continue to pose a challenge to the wider adoption of modern security practices in organizations
One of the main challenges of the economic downturn will be the worsening of the cyber skills gap. As economic uncertainty increases in 2023, many organizations will pause hiring new talent, or even cut existing employees. Even though organizations will invest in more security monitoring and analytics tools—many of which are open-sourced—they would still need to invest in staff who have the expertise to configure and use these tools to their full potential. As such, the cyber talent shortage will continue to pose a major challenge for organizations to adopt more modern security practices for the foreseeable future.
6. Adoption of security services orchestration framework (or something similar) will increase
Organizations are increasingly finding it difficult to overlay security controls onto enterprise IT, whether on-premises or in the cloud. It is becoming more difficult for them to know what security features products have and what their applicability is to particular environments and services. From niche widgets that offer singular capabilities or coverage to broader security platforms, organizations are inundated with disparate security tools that are not compatible, operate in silos, and require too many specialized resources to manage. This often results in security gaps, inconsistent security policies, and increased vulnerabilities to cyberattacks.
As a result, organizations will consider adopting a new security services framework/architecture that will aggregate and synthesize signals from across the broader tools landscape within the organization to develop smart context in order for organizations to make the best-informed policy decisions in case of an attack. This would include integrating device posture from the endpoint protection solutions, SIEM tools, threat intelligence feeds, and others to continually enhance the security engine to analyze risk and enforce policy.
7. DevSecOps will become business critical
The continuous growth and diversity of API and application deployments has created an extensive attack surface for malicious actors. To protect themselves effectively without impacting velocity, organizations will accelerate the adoption of “shift left” security, and automate it into application delivery processes using DevSecOps techniques. Shift left moves security into the CI/CD pipeline and integrates it into the application development minimizing the likelihood of vulnerabilities and other security weaknesses from being introduced to production environments. Tools like API threat detection, CNAPP, and others that support modern deployment environments will significantly increase security by enabling standardization and deeper layered defenses.
8. Data-centric security and privacy will become imperative to building brand and customer trust
Nearly 72% of an organization’s customer engagements are digital. This has heightened expectations from customers to have greater control over their data and increased transparency about organizations’ policies. However, keeping track of this data has not been a top priority for many organizations, so there is very little visibility into it. As a result, there will be a growing sense of urgency for organizations to enable dimensions of trust and to embrace data privacy, security, and compliance as mechanisms to bolster traditional methods for strengthening customer experience and brand perception.
9. Automated responses will become core for the cyber-resilient business
The evolving cyberthreat landscape will continue at the pace of cyberattacks on organizations and holding them captive for massive ransoms. With this increase, organizations will continue to make significant investments in their situational awareness, threat-based security monitoring, incident response, and crisis management practices. However, most organizations are still over-reliant on people, which slows down detection and response. With an increasing shortage of cybersecurity professionals, organizations will prioritize fully automated response technology, as the impacts of a successful breach far outweigh the risks of adopting these newer technologies. This, in turn, will free their people up to focus on more critical security projects and make their business more cyber resilient.
10. Threats to operational technology (OT) in manufacturing and other environments will increase
Cybersecurity threats to operational technology (OT) in manufacturing and other environments will significantly increase in 2023. Cyberattackers will weaponize operational technology (OT) environments to attack hardware and software that control industrial processes and secure OT networks. Skilled workforce shortages and overlapping IT and OT environments will make cyber incident containment difficult. Organizations will need to implement cyberthreat identification, detection, and prevention controls to address OT security risks by taking steps inclusive of increasing visibility to devices, implementing OT network segmentation, correlating security information from OT and IT networks tightly, and establishing security response processes that address both these environments.
Interested to learn more about how to optimize and adopt Zero Trust for your organization in 2023? Click here for Zscaler’s perspectives.
This blog is part of a series of blogs that look ahead to what 2023 will bring for key areas that organizations like yours will face. The next blog in this series covers cloud security predictions for 2023.