For cybersecurity professionals, the end of the year gives us an opportunity to measure the year’s programs against our expectations. By analyzing and understanding a program’s outcomes, surprises, disruptions and challenges, practitioners are better positioned to implement changes that help achieve security outcomes while meeting operational targets.
Cybersecurity as a whole is fluid. Use cases change frequently and so do our methods of addressing them. IT and security predictions used to be (and still can be) driven by sensationalism. But they can also serve a greater practical purpose by providing insights and observations that support better decision making when it comes to our cybersecurity programs.
Looking back at 2023, these are the recurring themes from my conversations with IT and security leaders throughout the year:
- IT spending was under the microscope: Budgets were squeezed this year, with a focus on efficiency of spend. At the end of the day, all leaders know they need to do certain things to achieve core security competencies. Today’s budget reality draws a parallel between the old and the new — the old being the Wild West, where companies were afforded infinite budgets and no accountability, versus our current state, where leaders are accountable and must demonstrate value. We’ve finally hit a point where ROI on cybersecurity spend is actively pushed at the board level, down through the company. Budgets aren’t necessarily being slashed, but leaders must be able to explain technology use cases and demonstrate what they’ll achieve with the technology purchase, and why.
- Tools were consolidated: There’s been a lot of talk about tools consolidation, but little insight into how that would be achieved, until now. Companies are recognizing that the enterprise tech stack might not be for them. Enterprises have large budgets and headcount to manage multiple technologies. However, everyone who’s not enterprise-size is learning that without the appropriate resourcing budget, enterprise tools go to waste. Many of these tools aren’t ‘set it and forget it’. Leaders need skilled resources to operationalize these products and tie them in through the API layer. Many companies bought enterprise-focused tech because they wanted to achieve enterprise-grade security, but they’re learning that’s easier said than done.
- Compliance is tough: Compliance is an ongoing challenge and compliance stakeholders are looking for tools to help them manage it. Today’s market offers lots of compliance visualization platforms. While many of the platforms available are helping stakeholders set up policies and align to various frameworks, they don’t provide real-time prompts (or any prompts) to direct team efforts and help companies execute required compliance activities — compliance still involves more of a manual lift than stakeholders would like.
6 practical predictions that will impact IT and security planning into next year:
- IT spending and tools consolidation will be driven by CISO accountability and decision by committee — In the past, most technology purchasing decisions were made by the CISO or CIO. Nowadays we’re seeing more decisions made by committee and a team of sponsors. We’ve seen committees composed of internal and external stakeholders; this committee mindset is an attempt to balance accountability and fiduciary duty. It’s becoming popular, and we certainly expect to see it mature over the next 3-5 years.
- Expect to see a consolidation in commodity products – Among other impacts, AI is radically changing the M&A marketplace in the cybersecurity industry. Major industry players will leverage AI to reduce the amount of human effort, and the human error that comes with it, across certain capabilities (like penetration testing, awareness training, etc.). This will lower the cost of commodity products; price erosion will happen organically through consolidation. While the large players will be able to offer broad-stroke technology, specific capabilities that align to unique use cases will be delivered through nimbler, niche providers.
- MSPs will continue to consolidate — Shifting liability trends and the continued skills shortage are driving more companies to MSPs. There is a fine line between MSP and MDR providers. Ultimately, MSPs are leveling up in terms of their sophistication and the capabilities they provide to meet growing customer demand.
- Compliance will drive technology purchases — Regulatory compliance is not going away, nor will it become leaner. Compliance is non-negotiable for all companies. All companies need to move beyond just checking a box, to demonstrating how they’re checking the box. It’s the difference between doing nothing and doing something. Compliance capabilities will drive technology purchases, but it’s a buyer beware situation: compliance shops are popping up everywhere, but many only offer policy management and don't do remediation. We expect that compliance platforms will become a hub to serve accountability, with spokes and prompts that trigger time-sensitive requirements like security audits and awareness training.
- Accountability will become a key buying driver — Compliance has created an accountability cause and effect. If there's a breach and it's proven that there's non-compliance, regulators will pursue individual accountability, as we’ve seen in recent and well-publicized cases. I predict that fiduciary duty will evolve to where a CISO’s fiduciary duty and criminal liability will set a precedent for what happens later, altering breach liability. Downstream we’ll see this shift reflected in things like cyber insurance and third-party audits. CISOs will double down on these initiatives purely to support accountability and the idea of available evidence in a potential court scenario. This will radically change the risk landscape and what a company’s perception of risk management looks like.
- Cyber insurance requirements will force companies to get creative — Increasing payouts have pushed providers to revise issuance and renewal policies, making it harder for companies to secure a policy in the first place. Expect to see many providers develop different tiers of insurance based on company size. We may also see the introduction of captive groups in specialized verticals like financial services, formed around a very-low-claims or no-claims approach. Cyber insurance is like a parachute, a last defense in a remediation or recovery scenario — there’s no guarantee a provider will pay out a claim in the event of a breach. Like compliance, policy issuance can come down to a company’s ability to check the box versus demonstrating preventative controls that mitigate breach risk.
The Cavelo platform continuously scans cloud applications, cloud hosted servers, and on-premises servers and desktops to identify, classify, track, protect, and report on sensitive data, including PII. It automates data discovery and classification, producing an up-to-date and accurate data inventory that supports compliance, insurance, and regulatory preparedness.
Take a self-guided platform tour today and see how the Cavelo platform can support your 2024 initiatives.