

Locks and Security News: your weekly locks and security industry newsletter
15th March 2023 Issue no. 647

Your industry news - first



7 security predictions that businesses need to know in 2023

By Ulfar Erlingsson, Chief Architect at Lacework

Securing the cloud is a never-ending task that becomes more challenging each year as cloud functionality continues to expand. New technologies and tools bring businesses many opportunities; however, if we don’t use them appropriately and securely, they can do more damage than good.

While we can’t pinpoint exactly what will happen in our industry next year, we’ve had many discussions with security leaders and experts that indicate what 2023 might look like for businesses. Here are a few of my security predictions along with recommendations to help you prepare for the obstacles and opportunities ahead.

  1. The cloud will get more complex. We continually hear about the complexities of the cloud, and that’s not going to change any time soon because the cloud is only getting more complicated. Cloud capabilities will continue to expand, which is why you need security tools and processes in place as soon as possible. Some companies are just starting their move to the cloud and others are already well on their way, but they’re all learning about the many challenges that come with that transition. No business wants to completely halt operations as they migrate their tools and data from legacy systems, which means they need to learn how to develop software securely as they move. It’s an organizational change that’s difficult for businesses to undergo, but it’s well worth their efforts once they do. 

  2. You will need to have the right tools and partners in place. It takes years for organizations to set up security teams and processes, and it’s not possible to build all of that from scratch in a short time frame. To move quickly but steadily, you need to choose the right tools with the right automation capabilities and create a clear plan with a specific scope. Many times, businesses are really strong in one area, and weaker in others, but they still try to get everything done themselves. To be successful, you need to understand your weak spots, and then find the right technology and partners to help you in those areas. When you do that, your teams can move faster and your business will be strong on all fronts.

  3. The role of CISOs will expand. The job of CISOs has massively expanded over the past few years—it’s not all about budget and the scale of operations anymore. You’re in charge of ensuring that your business is compliant, hiring the right people, implementing strong threat management, and getting vulnerabilities under control. To balance all of these responsibilities, CISOs will need to deeply understand the capabilities and strengths of their teams. Acknowledging a weakness is actually a strength that gives you an opportunity to find the right partner to advance your company proactively instead of using additional time and resources to build all of those solutions yourself.

  4. Proactive risk mitigation will be required. I’ve been seeing more and more business leaders express their desire to be secure from the beginning and prevent security issues from arising as opposed to only having air cover for when things go wrong. It’s exciting to see people motivated to take on a challenging task; this is likely a result of new, stricter security requirements, more security-focused insights and recommendations from advisory boards, and an overall better understanding of how preventing security issues is more cost-effective than remediating them. Instead of companies striving only to meet the minimum security requirements, I think we’ll continue to see them aiming for a higher level of risk mitigation.

  5. Shifting left will be essential and supply chain risk will be a major concern. I like to use the phrase “span left” instead of “shift left,” because we need to incorporate security from the beginning of the software development lifecycle, and there isn’t an endpoint. We watch how the software executes and make continuous improvements. Shifting left will be important because supply chain risk will continue to be a concern for all parties in the cloud—even if you think your own developers won’t make any mistakes, you can’t be sure that other parties won’t do something totally out of your control. You need to accept that there will be issues, and the sooner you can find and fix the ones that matter most, the better. In 2023, we’re going to see an increased need for companies to understand how software is used throughout their organization, where vulnerabilities exist, and how to prioritize them.

  6. Your security teams and developers will need to help each other understand the implications of their actions. Developers are constantly worried about breaking things when they push code into operations. When you help them understand the implications of the code they’re deploying, it will be easier for them to see the security aspects. For example, if you tell a developer that a specific piece of code will be used by arbitrary users at scale on front-end services, but other pieces of code are used only in a back-end service, they’ll understand why they need to pay close attention to that code on the front end. You need to let them know how things are operating to make them cognizant of the different risk levels. Security teams and developers are helping each other, and visibility is key to doing that successfully.

  7. Securing your cloud will be impossible without comprehensive visibility. If you want to secure your cloud, comprehensive visibility of your cloud environment is most important. In this case, “visibility” means aggregating and presenting information about your cloud environment in a way that people can understand. You need to know what your assets are, how they’re configured, where they are located, and who can access them. Without that, you won’t see all of the changes that occur and you’ll be missing relevant context. Visibility gives you a better understanding of what you can do and how you can improve things, without missing the blind spots.

Whether you’re a CISO, developer, security analyst, or business owner, you have an important role to play to keep up with the rapidly changing security landscape. Understanding your cloud environment, along with the risks that come with it, is essential to prepare yourself and your organization for the inevitable security threats we will face next year. To learn more about security threats that businesses are facing today and how you can protect yourself, check out the Lacework blog.

4th January 2023

© Locks and Security News 2023.