Gartner VP: These Are The Security Trends To Watch In 2023
Paul Furtado, VP analyst at Gartner, says it’s about the attack surface, identity and supply chains.
Paul Furtado, VP analyst at Gartner (Photo by Tom Allen)
“Business thinks IT has a crystal ball, but the truth is the CISO doesn’t always know what’s going on.”
That was the conclusion of Paul Furtado, VP analyst at Gartner, speaking at MES IT Security in Indianapolis this week.
There are some persistent security challenges - the skills gap, shadow IT, hybrid work - but Furtado focused on the newest threats facing security teams in 2023, along with an action plan to address each one.
Expanding Perimeter
While attacks are evolving, one of the biggest threats today is the expanding perimeter/attack surface.
Furtado pointed out that security regulations “don’t differentiate between cloud, on-prem or SaaS - they just care about the data.”
Action plan
* Perform attack surface gap analysis - “A regulator’s not going to give you a free pass because you say, ‘I didn’t know we were using that application.’”
* Evaluate attack surface management technologies to visualize external digital footprint.
* Consider pen testing, breach simulation, etc to provide regular assessments.
* Test your response.
While most people - including Furtado, later in his presentation - recommend bringing business and IT together, he recommended keeping conversations about responses to a security separate.
“As soon as you start talking tech you’ve lost the board, and once you start talking about cyber insurance and marketing you’ve lost your tech team.
“It’s the same scenario but two different people.”
Identity Threat Detection And Response
“Identity is the new perimeter,” said Furtado. “[It] is the crux of your network, the core of your network, and you need to have very strong identity discipline in your environments.”
Weak identity discipline leads directly to things like credential compromise, which is still one of the main reasons companies are breached.
Action plan:
* Prioritize the security of identity infrastructure with tools to monitor, protect, detect and remediate.
* Use the MITRE ATT&CK framework (or similar) to correlate ITDR techniques with common attack scenarios.
* Invest in foundational IAM security best practices like least privilege.
* Modernize IAM infrastructure using current and emerging standards.
“We’re seeing more and more organizations struggling simply from the fact that they don’t do a good job with fundamentals. They don’t do necessarily a good job of adapting their current models to be leveraged across their entire environment.”
Digital Supply Chain Risks
Businesses have become increasingly dependent on their digital supply chain, to the extent that if a critical vendor like Salesforce, Microsoft or Amazon were to crash some firms would have no recourse.
“Does your organization really understand the risks associated with your vendors?” Furtado asked.
More to the point, do your teams understand the risks they are associating with your business by bringing new tools into the organization?
Action plan:
* Develop a joint governance model with business stakeholders, who need to understand the risk of making some decisions.
* Classify major digital supply chain partners by their importance to the business.
* Require regulated or high-risk partners to provide evidence of security best practices. Anyone can say they’re ISO27001 certified or have a SOC2, but sometimes those are exaggerations at best. Look at their security reports.
* Build detection and resilience capabilities for mission-critical supply chain partners, i.e. Salesforce.
“If a vendor tells you they’ll inform you of any security risk in your environment, you say ‘No - tell me of any risk in your environment.’“
Cybersecurity Products Are Consolidating
This should be no surprise to anyone. Vendors are expanding into new areas as they chase new business, and there’s plenty of technology and capability overlap. That often leads to confusion when it comes to capabilities.
“[Vendors] are going to put their own marketing spin on it, they’ll come up with their own terms. You need to make sure [the tool] does what you need.
“Sorry if I offend any vendors, but you’re doing it!”
The example he gave was XDR, which everyone says they’re doing but it may be in a very limited and specific way.
Action plan:
* Inventory and group solutions by the security problem they solve.
* Evaluate products that could be enhanced by shared data management, common policies enforcement and integrated workflows.
* Highly scrutinize isolated security products.
* Budget for, and acquire, professional services assistance for consolidation projects to augment staff.
“This is not something you can afford to get wrong. It’s not something you want your staff to be learning on the fly, because a small little configuration mistake can leave a big gap.”
Cybersecurity Mesh
Leading on from the last point is Gartner’s concept of the cybersecurity mesh, a framework of tools that work together to build a comprehensive security posture.
The company’s exact definition is “a collaborative ecosystem of tools and controls to secure a modern, distributed enterprise.”
Vendor consolidation will help with this a little, but really - especially for SME firms without a dedicated security team - you should look at tool consolidation to drive operational efficiency.
Action plan:
* Focus modernization efforts on composable security tools.
* Evaluate products that are interoperable through established and emerging standards.
* Evolve your IAM infrastructure to operate as an identity fabric.
Open APIs are Furtado’s personal bugbear when it comes to interoperable tools.
“An open API is not a connection. An open API is work for you… If you think you’re using a leading product and you’ve got a vendor that you want to bring for that, it’s great. They have an open API? You’re not in development ops. They’ve got the resources, leverage them to build those interfaces for you.”
Cybersecurity Leadership Is Decentralized
Not all security decisions rest with the CISO anymore, or even with the IT team. But do the other people who are making those decisions understand security?
“Do they understand what this means? Do they know what questions to ask, when they’re going through and evaluating tech or deciding that’s what they want to bring in? Some of them can’t even spell IT.”
It’s down to IT teams to help these people and provide them with the ability to make good decisions, because the reality is, “We’re not going to be able to move away from the decentralization of IT. The reality is it’s going to go up.”
Action plan:
* Empower distributed security leaders to make their own informed risk decisions.
* Foster cyber judgement throughout the business.
* Empower local governing bodies with decision rights, instead of defaulting to top-down decision-making.
Human Factors Require A Reframing Of Security Awareness Programs
Everyone learns differently, so we need to take a multi-modal approach to security training. Some people might learn better by reading a document, others will respond better to video. Still others need something interactive. You need to find out how your employees learn best.
This is especially important when you’re trying to change security culture. The best way of doing so? “Don’t make it all about the business.”
If people have bad cyber habits at home, they’ll bring those to work with them - so give them a reason to change their habits at home.
Furtado gave an example of one security leader who had “given up” on MFA. Instead, ”He came up with a personal payroll protection program that basically said, in order for you to make a change to your HR record you’re going to get a message on your phone. Only after you authorize it can you go in and change that banking information. So, we’re protecting your payroll.“
That program - really MFA by another name - had an adoption rate of 90%.
“When you make it about the individual, that’s going to resonate more… If we want to change the culture, we have to deal with the human animal.”
Action plan:
* Develop culture change that equips users with cyber judgement skills.
* Investigate use of organizational change management best practices and social science principles, such as culture hacks - “It doesn’t always have to be about the IT guy.”
* Collaborate with business leaders on culture-changing activities.
* Adopt new training methods like gamification, in-the-moment nudges, real-world phishing simulation and outcome-driven metrics.
The future of defense might be unclear, but bringing in some business focus will make protection easier - for the organization, the IT team and even the users.
Furtado ended with his advice to security leaders who were still struggling to secure investment from their leadership teams:
“Treat cybersecurity as a business risk that needs business-led investment. We need to be able to defend that investment.”
This article originally appeared on CRN’s sister site, Computing.