Tensions mount

The continued geopolitical tensions, stronger regulation and AI-shaped revolution forecast by Infosecurity Europe's security community are all intensifying as 2023 enters its final phase

The global political unrest from last year is continuing to seep deep into the latter part of 2023, bringing with it serious ramifications for the security industry, just as Infosecurity Europe's community of cybersecurity leaders said it would four months ago in the build-up to the June exhibition in London.

However, with stricter regulations and developments in Artificial Intelligence (AI) and Machine Learning (ML), CISOs may be in a stronger position to minimise threats into next year, they were quick to point out.

At the time, the organisers of the information security event asked their network of CISOs and analysts to comment on the major trends they foresee shaping the next 12 months in cybersecurity, categorised by themes: Human Element, Threat Vectors, Legislation and Regulation, and the current news agenda.

Commenting on how one of the most topical issues from 2022 will affect cybersecurity next year, Maxine Holt, senior research director, Omdia, says: "The political landscape is fragile. New cyber weapons are being developed and used by governments. The likelihood of being accidentally impacted in the crossfire is increasing, particularly as most organisations now host their infrastructure with third parties, increasing the risk of a cyberattack. Nation-state cyber weapons have the ability to cause mass disruption to national infrastructure and critical third-party suppliers, but CISOs can only watch and take sensible precautions."

Looking closer at the technology within the industry, conversation around AI and ML in countering cybersecurity threats has been rife, causing conflicting views among those in the industry, but Munawar Valiji, CISO, Trainline, believes that "enhancements in AI and ML will help address human weakness in the cyber kill chain".

Steve Wright, partner, Privacy Culture, former Interim DPO Bank of England, is more mindful: "Whilst AI is revolutionising the data [cybersecurity] and data analytical landscape, AI may make it harder to understand when, and how, individual privacy and security rights apply to this data. It is more challenging to implement effective access and other control mechanisms for individuals to exercise those rights, so where the data is being utilised by AI - then appropriate safeguards and governance to address individuals' rights is essential. AI also triggers ethical and moral considerations. For example, AI/Machine learning systems must be used in a responsible and ethical way that deserves the trust of users and society."

LEGISLATION AND REGULATION
Examining the legislation aspect of AI, Wright believes CISOs should be worried: "More recently, the new EU AI Act divides AI systems into four categories based on the risk they pose and provides requirements for them accordingly. A risk-based approach must be adopted (which is business as usual for every CISO). Although some AI uses are prohibited, others are subject to hard requirements, and others are not caught by the regulation at all. So, the focus must be on data safety and the fundamental rights of EU citizens. The AI regulation imposes fines even higher than the GDPR's. So, it will naturally shape how AI systems are developed and deployed. Therefore, every CISO should be reading the text, conducting a risk assessment, and getting ready to justify why, and how, AI is used in 2023 and beyond."

Quentyn Taylor, senior director product, Infosecurity and Global Response, Canon EMEA, predicts that we will see significant changes in legislation, "both in the UK with a new Internet of Things legislation that's expected to be passed, as well as more globally, with huge amounts of legislation pending around the Internet of Things".

Holt believes that security will be embedded at a more fundamental level. "Security will be everywhere and pervasive. We hear talk of the security fabric, security mesh - call it what you will - essentially it means that security is part of everything that an organisation does and must think about. The geopolitical situation continues to be volatile and evermore consideration must be given to this at an individual organisational level. However, the bigger issue with pervasive security is about resilience and maintaining continuous organisational operations. Without consideration being given to security, when it comes to everything from innovation, compliance, expanding threat landscape, risk, and more, then organisations will not be as resilient as they need to be."

Maria Bada, behavioural science expert, AwareGo, believes the industry is seeing regulation efforts on a global scale. "We see the UK taking very positive steps with the Online Harms Regulation and Policy coming out. Also at the international level, there have been significant steps forward, not just around cybersecurity, but in relation to cyber-crime specifically. We now see countries actually focusing on specific ransomware related policies, which is a big step forward."

THREAT VECTORS
David Edwards, CEO, ZeroDay360, predicts that "the adoption of Zero Trust systems will be one of the biggest advancements of 2023". However, he accepts that, as is widely agreed among the network, the threat of ransomware will continue.

Holt foresees that the threat of ransomware will be ever more aggressive and organised. "Long gone are the days of a moral code being applied to cyberattacks and pretty much every organisation is considered fair game, evidenced by the huge impact on the healthcare industry this year."

According to Edwards, 2023 will continue to see an ever greater move to targeting employees individually to leverage insider fraud. He elaborates: "Employees are easier targets at home and have access to critical business processes. Forcing employees to click on phishing emails, install programs or enable business email compromise will become an increasing trend."

BOUNDARIES BLURRED
This sentiment is shared by Wright, as he states: "Coming out of the global pandemic, hybrid working has created a greater risk of work information becoming mingled with personal information, as the boundaries between 'work-space' and 'private-space', and 'work-time' and 'personal-time', become increasingly blurred."

Valiji is less concerned, as he believes that "organisations will be investing heavily in improving user awareness - delivering thematic and tailored awareness programs".

WHAT LIES AHEAD?
With the short-term future in mind, Troy Hunt, founder CEO, Have I Been Pwned, predicts the evolution of passwords. "Very often, we hear of talk about passwords getting better, more feasible and usable by everyday people. I think we will still have more passwords in five years than we do now, because old passwords don't die, but I do think we're getting better at augmenting it. Take, for example, face ID and fingerprints to get into your phone. It's, of course, a very gradual process, but the undeniable trend of more devices, more online services, more people, more exchange of data, will inevitably result in more data breaches and so it'll be interesting to see how passwords, too, evolve."

From a personnel point of view, the future of cybersecurity is bright, believes Holt, who is pleased with the growing number of women in the industry: "From the in-person events I've attended, it was great to see so many women. We've still got a long way to go before we have gender parity in the workplace from a security perspective, but it is getting better. It's a real win and a big step forward, of course, but also demonstrates more recognition of security as a profession - something we desperately need at the moment."

Nicole Mills, exhibition director at Infosecurity Group, comments: "With the rebuilding of business and society after the pandemic, and the political situation between Ukraine and Russia, 2022 was certainly another year of historic events. While these events have definitely had an impact on the cybersecurity industry, it remains to be seen whether they will have quite as big an impact in [the remaining months of] 2023. Many believe they will, but, with the advent of Pervasive Security, more stringent regulations and increased familiarity in, and in some cases, adoption of AI and ML, CISOs are holding their own.

"These discussions we are having helped shape our content for Infosecurity Europe 2023 and we [continue to] look forward to generating some thought-provoking conversations on the growing trends in the industry and how organisations can, once again, look to overcome the many challenges that will inevitably come their way."