As the new year draws closer, we’ve asked our experts here at Netskope to share what they have on their radar for 2023. Similar to years past, we’ve broken these predictions out into “Long Shots,” more out-there predictions we think could potentially happen in the next year, and “Trending Topics,” predictions on topics you may have seen discussed a bit this year, with a look at how we expect them to evolve. Here’s what our experts see for 2023:
Long Shots
Preparing for a “quantum” world
Organisations will start to prepare for a quantum world in 2023. During 2022, guidelines and standards were made available for quantum-resistant algorithms, and this means organisations need to start thinking about things like post-quantum cryptography challenges. While it’s a way off, regulatory groups like NIST and ENISA are urging organisations to start their programs now to make sure they are prepared. -Neil Thacker, CISO, EMEA
Omnidirectional risk analysis for supply chain visibility
Inventories of publicly exposed assets or services used to define attack surface can be measured and evaluated to collect a variety of data points that can help paint a picture of risk, highlight patterns of hygiene, or even provide corollary information that a new market, product, or business geography may be introducing new risks that aren’t in plain sight. Marrying deeply contextual business data (workforce/financial/geographic/etc.) to other data that is reflective of cyber & digital risks in existing operating environments and that of their business supply chain (3rd/4th/5th party risks) will provide an opportunity for innovation in risk management, with new risks emerging as a result of this analysis. -Nate Smolenski, CISO, Head of Cyber Intelligence Strategy
The rise of “confidential computing”
Confidential computing is a rising industry initiative around securing sensitive data and applications, running them in secure environments to prevent unauthorized access. While the technology is still in its nascency, I think we will see confidential computing gain significant impetus as organizations re-evaluate their technology and security stack, and it will become a key investment focus in most security/technology budgets in either 2023 or 2024. -David Fairman, CSO APAC
Credential attacks abusing OAuth will go beyond just phishing attacks.
Attackers continue to see the benefits that come from abusing OAuth in attacks, whether that’s bypassing MFA, permanent access, or taking advantage of lagging security controls. But in 2023 they will move beyond just phishing and begin to include brute-force attacks, token theft, and SSO attacks. As a result, organizations should start to become more proactive and aware of the risk posed by the surprising number of third-party cloud apps in their environments that have implicit access paths to sensitive data, as a result of dynamic access granted to end-users via OAuth. We will likely see vendors start to respond with basic detection and preventative controls but continue to lag behind attacker techniques. -Jenko Hwong, Principal Engineer, Netskope Threat Labs
Attitudes toward the “industrial metaverse” will begin to shift
Our collective attitudes towards the “industrial metaverse” will begin to shift in 2023. Instead of being seen as something esoteric, we will see wider recognition that its key components—the digital shop floor (used interchangeably as a “digital twin” by some) in combination with supply chain automation and optimisation through AI/ML models—are real and relevant, bringing new cybersecurity challenges with it. And with this new attitude toward the industrial metaverse comes the opportunity to drive a deep technological shift as a business change initiative. -Ilona Simpson, Chief Information Officer, EMEA
Coming out of the pandemic offers the opportunity for community over tribalism on the internet
The original internet abhorred tribalism; today’s internet enforces it. Institutions of flesh and steel seek to impose their strictures of physicality on humanity’s capacities to speak anywhere and to listen everywhere. Does this mean we are forever doomed to inhabit a splinternet? No, not nearly. As the pandemic recedes (in our attitudes, at least), our dual citizenship online and in real life re-emerges. It is altogether fitting and proper in that grounding where fresh speakers and earnest listeners exchange new notions that nobly advance the return of a place welcome and open to all, a place where speaking and listening enjoy equal regard. My sincere hope is that the coming year or two will evoke community over tribalism. -Steve Riley, Field CTO
Trending Topics
Economic uncertainty will lead a shift to an “as-a-service” model
In 2023, I think we will see more companies performing internal rationalization of applications and processes with the idea of creating new operating models. A lot of that focus will be around evaluating buying the outcome as opposed to the traditional build model, leading more companies who have been slow to evolve to begin embracing the cloud operating model. Instead of another tech refresh, they will look for ways to move infrastructure and services into “as-a-service”, moving them further away from Capex on to an Opex consumption model. This will allow companies to conserve as much cash as possible which they will need through any potential business downturns. -Gerry Plaza, Field CTO
Social media shake-ups will lead to an increase in phishing and scams
With rumors of TikTok being banned and the privatization and layoffs at Twitter, attackers are likely to seize on the uncertainty with phishing and scams. These will occur both on those social media platforms (especially if those platforms reduce the attention given to moderation) and on other fledgling platforms seeking to rise in popularity that are lacking the moderation and response maturity of established social media platforms. -Ray Canzanese, Director, Netskope Threat Labs
New rules around disclosing cybersecurity incidents will drive increased security presence in the boardroom
New SEC rules around reporting and disclosing cybersecurity incidents will drive more organizations to hire security expertise to serve on their boards. These new rules will result in more questions around security from the board with a much greater level of precision. To meet this need, security teams will need to improve their metrics and communication techniques to effectively work with the board. -James Christiansen, VP and CSO, Cloud Strategy
The rising need for quantified risk reduction plans
Companies, specifically boards, will want more data-driven, quantified plans for risk reduction. The challenge will be for CISOs to demonstrate that they are getting the biggest risk buy down for every dollar they spend. Arbitrary metrics and qualitative assessments will not be enough. As a result, there will be more of a focus on empirical evidence driven by data. -David Fairman, CSO APAC
Burnout and mental health will become a higher priority
Historically, we have “lived” through big changes in business with disruptions from technology, economy and geopolitics; now we “blink” through change with those same disruptions and more. As a result, the mental health of our already stretched workforce now is being challenged to handle the “change curve” at an accelerated rate in both the workplace and at home. Imagine a surfer in the ocean with a wave breaking on him/her every five seconds…that would keep them from ever riding a wave. The mental health of the workforce will have to become a top priority for all businesses going forward or there is considerable risk of cascading business failures. There will be a continued focus on this in 2023. -Nate Smolenski, CISO, Head of Cyber Intelligence Strategy
For more on what we’re anticipating in 2023, keep an eye out for a follow-up blog with more thoughts from the Netskope Threat Labs team coming on Tuesday 11/22.