Amongst the key trends, Roger Spence, Director of Client Services, and Michael McKinnon, CIO at Tesserent, warn that “digilantism” may be on the rise in 2023, that securing digital assets and cryptocurrency will be a key focus, and that the cost of compliance may reach breaking point for many organisations.
Additionally, Australia may consider a “Cyber Militia”, as a way to bolster our cyber defences at the national level during times of crisis, similar to how we maintain a regular Army Reserve in a part-time military capacity.
Innovative ways to address the cyber skills shortage
The Australian Minister for Cyber Security, Hon Clare O’Neil, has been explicit in her public goals for Australia to be the safest cyber nation on Earth. In 2023, industry and government will need to focus on innovative ways to address the shortfall in highly skilled cyber professionals.
This may involve a genuine national discussion about focused skilled migration programs for cyber practitioners, greater emphasis on formalised personnel transfers within Five Eyes, QUAD and AUKUS nation states, and funding initiatives such as an extension to the current ADF Cyber Gap Program, which is set to end in 2023.
Additionally, we may see fee relief for cyber-related tertiary training, like what we’ve seen with nursing and other disciplines.
Digilantism vs. Cyber Militia
Against the backdrop of the Australian Government’s ramping up of “hacking back”, largely in response to the Medibank data breach, the private sector is reminded that unless you’re working for the Department of Defence, such activity is illegal, not to mention unethical (as defined by virtually all cybersecurity industry codes of conduct).
With growing frustration in the community, including personal vendettas arising from the swathe of compromised data being leveraged by scammers, security researchers in 2023 may be tempted into digilantism, a form of hacking back, despite better advice not to. At the same time, given the severe skills shortage in cybersecurity generally, it’s entirely plausible that the Australian Government in coming years may call for volunteers in times of need, under the banner of a state-backed cyber militia.
Securing digital assets and cryptocurrency
While the cryptocurrency industry, despite broad media coverage, actually remains tiny (a market capitalisation of only USD $900 billion) compared with global economic markets (around USD $120 trillion, or over 130x larger), recent developments with the collapse of the international exchange FTX highlight again the challenges of securing digital assets that rely on custodial management of private encryption keys.
Few people understand the intricacies of cryptography, and they put too much trust in other parties in these notionally decentralised systems, mostly due to the complexity of, and lack of good solutions for, self-managing private keys. New players are likely to emerge in 2023 and beyond around the increased use of secure hardware wallets and generally making this problem more accessible to the masses; but in reaction, more attackers are likely to target custodial exchanges and any third parties holding keys for others.
Compliance cost breaking point
Many Australian organisations are experiencing unprecedented pressure on spending related to ensuring compliance with all legal, contractual and regulatory mandates, whether it’s APRA, ASIC, PCI-DSS, ISO27001 or the “third party security questionnaires” that now justify the existence of many compliance teams. With the Australian Government threatening more fines for organisations that might suffer a data breach, the challenge is where preemptive spending will be directed in 2023: should it go towards legal protections and larger compliance teams, towards tangible initiatives that can genuinely lower the risk, or somewhere in the middle?
Some experts, especially in the financial sector, have suggested that banking might not be profitable at all in the future if compliance burdens continue to expand at the rate they have in the last decade, and many other organisations are experiencing the same effect. Tesserent predicts that we’ll see some kind of reset or pushback emerging in 2023 as businesses realise that compliance must be easier, not harder, perhaps through choosing smarter partners in cyber and leveraging technology to automate compliance systems.
Acceleration of identity management coupled with data loss prevention
With a growing focus on Zero Trust technology solutions and architectures, identity management will become the weakest link to address in 2023. Users will become the credential. Proof of identity won’t rely on traditional authentication methods but will, instead, look for ways to prove that the user is who they really claim to be. Solutions that boost current approaches to multi-factor authentication, especially leveraging verified biometric/facial recognition technologies, will start to become the minimum standard in mature organisations and a benchmark for aspiring ones.
To combat inevitable cyber breaches, data loss prevention solutions will become more widespread and will leverage artificial intelligence and machine learning to accelerate data categorisation and classification, minimising potential damage and reducing data leakage. Data classification systems will become more sophisticated in order to determine what data is valuable and vulnerable. Systems will also become more adept at detecting data leakage through more channels, such as social media and encrypted paths, possibly leveraging polymorphic encryption in 2023.
Take no prisoners
CISOs are the subject of many industry jokes, with alternative expansions of the role’s acronym such as “Career Is Soon Over” rising in popularity. It highlights the extreme accountability this role carries, often to breaking point. In the new year, in light of recent breaches in Australia and New Zealand, we’re no doubt likely to see a much more feisty and determined vigour from cybersecurity leaders. There is no more time left for not taking immediate action, or for letting teams get away with a lacklustre response to serious cyber risk. Maybe the acronym will mean “Complacency Is Sent Overboard” in the future.
Quantum computing still in infancy
Quantum computing is emerging but will still be in a nascent state in 2023; it is one to watch for future developments. We are several years away from something of direct concern, but smart CISOs should keep a watchful eye on this space.