2023 Review: Reflecting on Cybersecurity Trends
Every year, experts weigh in with predictions of what the big cybersecurity trends will be—but how often are they right? That’s the question Trend Micro’s Greg Young and Bill Malik asked recently on their Real Cybersecurity podcast, looking at what forecasters got wrong on a wide range of topics, from AI to human factors.
With the season of ubiquitous year-ahead predictions around the corner, Trend Micro’s Greg Young and William Malik decided to look back at 2023 and see which forecasted cybersecurity trends came to pass and which, um, didn’t. The latest episode of their Real Cybersecurity podcast calls out a handful of particularly notable flops—and gives some thought to the implications for 2024.
Don’t believe (all) the AI hype
All eyes were on AI at the start of 2023 given the explosive uptake of ChatGPT. The feariest of fearmongers warned cybercriminals would use generative AI to conjure up new kinds of ultra-nefarious threats, but that didn’t end up being the case.
That’s largely because generative AI isn’t actually creative. While it often seems to be producing novel material, all it can really do is synthesise pre-existing data. If enough entries in a data set insist that 2 + 2 = 16, an AI model will accept that as true and generate flawed outputs. That constrains both AI’s inventiveness and its usability for cybercrime.
“[AI is] only as smart as the information it’s fed. It takes 10 known things and then triangulates the geographic centre of mass of that place. It doesn't go and say, ‘This is the 11th in the series.’ It tells you what you already know.”
William Malik, Real Cybersecurity podcast
Generative AI did play a role in beefing up existing attack modalities such as phishing in 2023. Those enhancements pose—and will continue to pose—challenges for cybersecurity teams. AI-boosted attacks are bigger, faster, stronger, and smarter than their conventional counterparts while requiring less human intervention. They allow cybercriminals with limited skills to mount effective and lucrative attacks easily.
Given the uncertainty about AI and its potential risks, there was a lot of regulatory talk throughout the year. And talk. And talk. Meaningful efforts to regulate AI, on the other hand, proved to be slow-moving. President Biden issued an Executive Order on October 30 establishing new standards for AI security and privacy protection, but by and large the industry continued to follow its own code of conduct. With AI advances outpacing policy development, it’s not clear what kinds of regulatory progress might be made in 2024.
Blockchain – what is it good for?
Even if AI didn’t bring about cyber-Armageddon (or at least, hasn’t yet), it was definitely on the ascendant this past year. By contrast, as a cybersecurity trend, blockchain headed in the other direction.
Once heralded as the Second Coming of cybersecurity technologies, blockchain has basically carved out a niche as the optimal way to secure high-value transactions between strangers. The problem is that very few strangers engage in high-value transactions—legitimate ones, anyway. And since the value has to be at least five figures high for blockchain to make financial sense (and to justify the computational and energy intensity involved), traditional security frameworks remain more practical for almost everything outside of safeguarding digital currencies.
Why is tool sprawl still a cybersecurity trend?
Enterprises and the cybersecurity industry have been sounding the alarm over tool sprawl for a few years now. And they kept sounding it in 2023.
Depending on which survey you read, the average organisation has anywhere from 20 to 50 discrete cybersecurity solutions deployed—too many for already overtaxed teams to manage, and more even than there are actual cybersecurity disciplines, suggesting significant redundancy.
The consequences of tool sprawl are becoming harder for organisations to live with: excessive uncorrelated alerts that compromise cybersecurity efficiency; redundancies that cost both real dollars and productivity; and unbridled complexity, which is the outright enemy of security.
While few organisations fully conquered this longstanding problem in 2023, and while analysts fully expect more specialised cybersecurity tools to hit the market in the years to come (especially those enabled by AI), there is at least growing awareness of the need for cybersecurity consolidation.
Consolidation has potential to radically simplify cybersecurity operations by allowing organisations to adopt open platforms that can integrate a mix of third-party offerings while reducing the number of tools and vendors they have to deal with. This is a cybersecurity trend that could—and should—gain momentum in 2024.
Humans are not the weakest link
It’s always a sign of progress when people abandon received truths for sharper insights. To paraphrase Ben Franklin, “If everyone is thinking the same, nobody’s thinking much.” Sadly, when it comes to cybersecurity awareness and skills, some dogged “same-olds” persisted in 2023, including the worn-out idea that humans are the weakest link.
In fact, it’s become clearer with time that the blame for human weak links lies squarely with organisations, which have done a generally poor job of raising their teams’ cyber-awareness. Fortunately, there does seem to be growing understanding that, as threats increasingly target users, people can—and indeed need to—be the strongest links.
Raising cyber awareness is one half of the solution. The other is making it safe and acceptable for employees to report mistakes that put organisations at risk. Shame and blame only ever act as barriers to transparency and continuous improvement.
Closing the skills gap: A cybersecurity trend in desperate need of fixing
If a culture shift is needed to strengthen cybersecurity at the individual level, it’s doubly or triply critical when it comes to the skills shortage that persisted throughout the year. Organisations are desperate to fill an estimated 3.5 million positions worldwide even as hundreds of thousands of qualified cybersecurity professionals are looking for work.
Part of the problem is that too many job postings are imprecise and unrealistic, requiring familiarity with every imaginable aspect of cybersecurity—and in some cases calling for a decade of experience in areas that aren’t even 10 years old—when really what’s needed are specific capabilities for defined functions.
Organisations have to get clearer on what they’re looking for, hire for the role, and then create internal opportunities for people to be exposed to new domains so they can develop and expand their repertoires of skills over time. Cross-training is critical. It doesn’t dilute focus: it broadens individual capacity.
“HR and IT is a pretty rough road, and for some reason cybersecurity is the roughest of them all.”
Greg Young, Real Cybersecurity podcast
Enterprises aren’t the only ones who need to adjust. Workforce development requires a three-legged stool of industry, government, and academia, yet the current reality is a bunch of “one-legged stools”—pogo sticks—bouncing off in their own directions.
Academia in particular needs better connectivity with industry to understand its context and requirements so that schools prepare graduates for the kinds of workplaces they’ll be going into. In many cases today, that understanding is absent.
Where do this year’s cybersecurity trends leave us?
Organisations may (and should) continue to amp up cybersecurity awareness training, but closing the skills gap—a global and longstanding problem—is going to require fresh, collaborative approaches.
As companies enter 2024 with a backlog of positions to fill, cybersecurity consolidation has the potential to help overcome at least some of the gaps. At the same time, it will simplify cybersecurity operations in ways that strengthen organisations’ overall defences.
Automation and well-defined uses of generative AI can be expected to support the consolidation effort, and will be important countermeasures as bad actors’ uses of AI continue to evolve. Blockchain will likely settle into its niche cryptocurrency role, though there may be other, similar applications where it proves valuable, such as issuing and managing secure documentation.
Looking back at 2023, one thing is clear: when it comes to determining cybersecurity trends, ultimately only time will tell.
Next steps
For more Trend Micro thought leadership on cybersecurity trends, check out these other resources:
- Real Cybersecurity Podcast Episode 71 with Greg Young and William Malik
- Critical Scalability: Trend Micro Security Predictions 2024