Threat exposure management. Identity fabric immunity. Cybersecurity validation. Cybersecurity platform consolidation. Security operating model transformation. Composable security. Human-centric security design. Enhancing people management. Increasing board oversight.
These are Gartner’s top cybersecurity trends for 2023. Notable in the list is the frequent reference to the human aspect of cybersecurity. It continues to validate the often-used maxim that humans are the weakest link in information security, directly or indirectly.
“The renewed focus on the human element continues to grow among this year’s top cybersecurity trends,” says Gartner senior director analyst Richard Addiscott. “Security and risk management leaders must rethink their balance of investments across technology, structural and human-centric elements as they design and implement their cybersecurity programs.”
With networks at the centre of connectivity, FutureCISO touched base with Craig Lawson, VP analyst at Gartner, for his take on the state of network insecurity in 2023.
What are the types of attacks that organisations must look out for, that may hinder their ability to deliver quality content and seamless experience to their users?
Craig Lawson: Organisations today face a higher volume of attacks, but these can often be classified into a smaller set of categories.
Malware – Ransomware is a prime example of malware that remains successful for threat actors to this day. It also tends to garner a high profile because of its ability to destabilise a whole company when successful in very noticeable ways to all the employees.
Credential abuse – Phishing is probably the best example of credential abuse as it’s very effective for attackers; has relatively low levels of resources for attackers to have when leveraging it; and can concurrently lead to significant losses for organisations.
Vulnerabilities – Vulnerabilities and the exploitation of them are still a primary driver of the threat landscape, which hasn’t changed over at least the last 20 years. What many find counterintuitive, however, is that it’s consistently only a small number of vulnerabilities that do the most damage, and these are vulnerabilities that are already known. Yes, genuine zero days exist and do indeed work, but they don’t, though, represent the risk/hype that they have received over the years.
"Applying threat quantification techniques, like Gartner’s Risk-Based Vulnerability Management, has proven to be very effective at helping not just understand an organisation’s threat landscape, but also improving the efficiency and effectiveness of their security operations program to deliver a better level of overall resilience."
Craig Lawson
Nation-State Activity – Regardless of many views, nation-states have become more active against a broader set of end-user organisations over the last five years than ever before. Geopolitics is here and unfortunately, it looks like it’s here to stay in cybersecurity. End users in most vertical industries must consider the daily operational implications of this.
In line with the rise of hybrid work and increased reliance on cloud-based services, how has the enterprise cyber-attack surface developed? Why are the traditional measures of securing access no longer sufficient?
Craig Lawson: While things have changed in some regards, many principles remain the same. Attackers are still looking to gain (or deny) access to your data, steal identities, exploit vulnerabilities and so on. However, the unrelenting shift to cloud services and the move to sustained remote working have caught a lot of organisations and security vendors off guard to a degree.
Newer and disruptive categories like cloud access security brokers (CASB), security service edge (SSE) and cloud-native application protection platforms (CNAPP), are a few examples of technologies to help with these big shifts.
We’re also seeing many end-user organisations investing and skilling up their staff to be more conversant on cloud initiatives and importantly the security aspects required to keep their organisations secure.
How can organisations strike a balance between having a mindset of zero trust and maintaining the productivity of employees?
Craig Lawson: We have seen a prodigious amount of “zero trust washing” in recent years, creating a lot of confusion for users. At a high level, the following three initiatives are excellent for pragmatically bringing zero trust to life for most end-users without overbalancing and falling victim to the law of diminishing returns:
- Identifying capabilities for stronger authentication is critical to zero trust. Getting this right is important for any zero trust initiative as it underpins everything else organisations will be doing later on when pursuing this type of architecture.
- Pushing zero trust to users and devices is another big win as threats continue to focus on end-users. Technologies that enable adaptive access control and end-user/device segmentation work well here. In almost all cases end-users can redirect the time/budget spent on older legacy web security and remote access to more modern zero trust-enabled solutions.
- Pushing zero trust into workloads is important as many end-user environments bend towards being “flat”, where once inside you are able to connect to all internal resources carte blanche. Look at projects like “micro-segmentation,” implementing controls starting with the most critical workloads for greater overall protection.
This is a bit like adding more bulkheads in a ship per se, where you are looking to improve resiliency pragmatically without over-extending effort/budget versus the risks being addressed.
What are the solutions and capabilities that organisations can consider in securing their network access?
Craig Lawson: The caveat is that each organisation is different, and needs vary, as does budget and levels of maturity.
As a general rule today, Gartner recommends pursuing a zero trust architecture that includes remote access. An excellent example of this is security service edge (SSE), which is a modern converged technology that can govern all usage of the internet, cloud services and remote access, including from unmanaged devices.
They also have threat prevention, enterprise-grade data security and advanced analytics features as additional layers to make sure that once access is granted, it is constantly assessed and trust/access dynamically adjusted.
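The three zero trust levers described in the interview (stronger authentication, adaptive user/device access, and workload micro-segmentation) and the point that granted access should be continuously re-assessed can be made concrete with a small policy evaluator. The following is an added example written for this page, not code from Gartner, FutureCISO or any SSE vendor: the workload table, segment names and posture signals are constructed, and the `evaluate`, `Session` and `exposure` helpers are hypothetical names chosen for illustration. It denies by default, requires MFA and a managed device for workloads marked critical, only lets a workload be reached from the segments listed for it, and re-evaluates a live session whenever a device signal changes.

```python
"""Minimal continuous, adaptive access-control evaluator (added example).

Combines three zero trust controls: authentication strength, device posture,
and workload micro-segmentation. Policy values below are constructed for the
illustration and are not from any real environment.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Context:
    """Signals available at access time and on every later re-evaluation."""
    user: str
    auth_strength: str      # "password" or "mfa"
    device_compliant: bool  # posture signal, e.g. disk encrypted and EDR healthy
    device_managed: bool    # enrolled in the organisation's device management
    source_segment: str     # network segment the connection originates from
    target_workload: str


# Constructed micro-segmentation policy: each workload lists the segments that
# may reach it and whether it is critical (critical => MFA and a managed device).
WORKLOADS = {
    "intranet-wiki": {"allowed_from": {"user-lan", "vpn", "internet"}, "critical": False},
    "hr-app":        {"allowed_from": {"user-lan", "vpn"}, "critical": True},
    "hr-db":         {"allowed_from": {"hr-app"}, "critical": True},  # app tier only
}
SEGMENTS = {"user-lan", "vpn", "internet", "hr-app"}


def evaluate(ctx: Context) -> tuple[str, list[str]]:
    """Return ("allow" | "deny", reasons). Unknown workloads are denied by default."""
    reasons: list[str] = []
    workload = WORKLOADS.get(ctx.target_workload)
    if workload is None:
        return "deny", ["unknown workload"]
    if ctx.source_segment not in workload["allowed_from"]:
        reasons.append(f"segment {ctx.source_segment} may not reach {ctx.target_workload}")
    if not ctx.device_compliant:
        reasons.append("device posture non-compliant")
    if workload["critical"]:
        if ctx.auth_strength != "mfa":
            reasons.append("critical workload requires MFA")
        if not ctx.device_managed:
            reasons.append("critical workload requires a managed device")
    return ("deny", reasons) if reasons else ("allow", ["policy satisfied"])


class Session:
    """A granted session that is re-evaluated every time a signal changes,
    so trust is adjusted (or withdrawn) after the initial decision."""

    def __init__(self, ctx: Context) -> None:
        self.ctx = ctx
        self.state, self.reasons = evaluate(ctx)
        self.history = [(self.state, tuple(self.reasons))]

    def update(self, **changed) -> str:
        """Apply changed signals (e.g. device_compliant=False) and re-decide."""
        self.ctx = replace(self.ctx, **changed)
        self.state, self.reasons = evaluate(self.ctx)
        self.history.append((self.state, tuple(self.reasons)))
        return self.state


def exposure(segmented: bool) -> int:
    """Count reachable (segment -> workload) paths. A flat network lets every
    segment reach every workload; micro-segmentation keeps only the listed ones."""
    if not segmented:
        return len(SEGMENTS) * len(WORKLOADS)
    return sum(len(w["allowed_from"] & SEGMENTS) for w in WORKLOADS.values())


if __name__ == "__main__":
    s = Session(Context("bob", "mfa", True, True, "vpn", "hr-app"))
    print("initial:", s.state)
    print("after posture failure:", s.update(device_compliant=False), s.reasons)
    print("after remediation:", s.update(device_compliant=True))
    print("paths flat vs segmented:", exposure(False), exposure(True))
```

Running the module shows the session being granted, revoked when the device falls out of compliance mid-session, and restored after remediation, alongside the reduction in reachable paths that segmenting the constructed network gives over leaving it flat.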