The cybersecurity industry will undergo some significant changes in 2023. As more systems get connected, we can expect to see more outages. We probably won’t see a “digital Pearl Harbor,” but we will see more breaches, impact, and fear. How will this reshape the cybersecurity industry in the year ahead?
Consolidation across the infosec industry
Since the infosec sector is “hot,” investment has poured into it as everyone tries to get in on the action. In every area, there are multiple tools; they can’t all succeed. Furthermore, big players will likely shore up their offerings by buying small players. This happens across tech, and as (if) the recession starts to bite, it’s a good time to pick up some bargains. Further, some of the tools aren’t particularly good, and others fill far too tiny a niche to gain any real traction. Finally, as budgets crunch, there are likely to be some casualties.
The cybersecurity hiring market will have a reality check
As with number one, infosec jobs are also “hot” and have been for a while. A shortage has led to various certifications appearing – all claiming to help you land that dream job – many of which aren’t very useful in the real world. Tied to this, as budgets shrink, the crazy salaries will no longer be paid, which will probably lead people to think certs are the way back to the crazy salary, and we end up in a vicious cycle. We have many people in infosec, some of whom need more training/experience for their job. They don’t have it, so they introduce more risk (by making incorrect decisions), which further increases this problem.
Attack surface management tools will vanish
Attack surface management was nice and “buzzwordy”, but it will be consumed by other tools, which do 90% of what those platforms do now. Not to sound cynical, but I suspect most of these are bandwagon plays by VCs to make a quick buck. The tools add one or two features the standard tooling doesn’t have. Hopefully, that’s enough reason for someone to buy those companies. I’m not saying all the products in this space are bad, but I’m wondering how much value they add or why we need to carve this out as a distinct product.
More people will return to the office
Return to the office is inevitable – offices cost money, companies need to get a return from them, and the serendipity of ideas doesn’t occur over Zoom. For the past two years, remote access has been critical for companies, and we saw it rise among the areas clients were concerned with. People will return to the office, and priorities will likely shift. This, in turn, is likely to mean remote access systems need to be patched more vigorously.
The government will introduce more regulations
The government has many good ideas, but unfortunately, they are mainly influenced by all the big players, which means we get practical stuff for 5% of companies. Right now, SBOM (software bill of materials) is very popular, and as per the first point, we already see tools in this space. It’s a good idea for open-source software with libraries we can find, CVEs published for them, etc. But for giant pieces of commercial off-the-shelf software, I’m not sure that’s so easy. Also, that’s going to be a serious overhead for smaller software manufacturers.
At the same time, we will probably see more legislation introduced, some of which might help, but it needs to be grounded in reality. The private sector will get wind of these and try to “head them off at the pass” (we know of this happening in the past). In the long run, this doesn’t help either, since those initiatives end up being for-profit exercises and therefore pay-to-play.
For example, we had some valuable intelligence for an entire sector, went to the organization responsible for sharing info, and offered to provide it for free (literally write it in an email, and they can share it). But we were told we could only share the info if we paid $20k to speak at a conference. So, I want to tell you how someone will set your house on fire, but I can only do that if I pay your homeowners’ association.