In the ever-evolving landscape of cybersecurity, the focus has shifted from technology to people. Recognizing that human factors are both the Achilles heel and the key to solving cybersecurity challenges, the industry is exploring unconventional models to leverage human talent while maintaining the human element. The digital era, where even manual processes are intertwined with digital aspects, calls for a delicate balance between security and mission effectiveness.
As we peer into the future, eight major predictions for 2023-2024 stand out. From privacy regulations to the democratization of technology, these predictions paint a comprehensive picture of the cybersecurity landscape. Let’s delve into these predictions and explore the potential implications.
Privacy as a Competitive Advantage
Prediction: By 2024, most consumer data will be covered by privacy regulations, yet fewer than 10% of organizations will have effectively utilized privacy as a competitive advantage.
Privacy, often viewed as a mere compliance obligation, is poised to become a strategic advantage for enterprises. The idea is to treat privacy as something to be leveraged beyond regulatory requirements in order to enhance competitiveness. Companies like Apple, which prioritize privacy as a value proposition, show how trust in handling sensitive data can lead to customer loyalty and market dominance. The critical action is to focus on privacy, understand the user experience, and develop a strategy that differentiates the organization on the basis of privacy and cybersecurity.
Cybersecurity Leadership and Talent Risk
Prediction: By 2025, nearly half of cybersecurity leaders will change jobs, with 25% transitioning to entirely different roles due to work-related stressors.
The stressors in cybersecurity leadership, exacerbated by the constant threat of cyberattacks and regulatory pressures, have prompted a shift from continuous defense to strategic business offense. The metaphor of becoming the “pit crew” emphasizes agility and resilience to operate in contested environments. The call to build cybersecurity talent within the business, prioritize cultural shifts, and engage with enterprise architects underscores the need for a proactive and strategic approach.
Cyber Risk Quantification Reconsidered
Prediction: About half of cybersecurity leaders will attempt and fail to utilize cyber risk quantification for guiding enterprise decision-making.
Challenging the conventional approach to cyber risk quantification, we advocate a focus on harm quantification. Identifying denial, exfiltration of data, and tampering with data as the three main forms of cyber harm, the emphasis is on preventing and mitigating harm. The guidance is to use cyber risk quantification sparingly, pivot to an outside-in view, and leverage business impact assessments to build strategies around protecting assets and mitigating harm.
The Journey to Zero Trust
Prediction: By 2026, only 10% of large enterprises will have a well-established, mature, yet potentially challenging zero-trust program in place, compared to less than 1% today.
Expressing disdain for the term “zero trust,” we recommend embracing a concept called “zone defense.” Inspired by pace layering, this approach aligns cybersecurity strategies with the pace of change in the business, creating defensive zones around critical elements. Prioritizing zero trust for critical business cases, missions, or value chains, and combining it with other architectural hygiene factors, is proposed as the path to successful implementation and board approval.
Exposure Management and Weak Signal Detection
Prediction: By 2026, over 60% of threat detection, investigation, and response capabilities will utilize exposure management data to validate and prioritize identified threats, a significant increase from the current less than 5%.
Exposure management data, representing weak signal detection in an environment where organizations no longer own all their architecture, calls for an ecosystem-based approach. Expanding visibility both inside and outside the enterprise and implementing a continuous threat and exposure management program are key actions. The upcoming zone defense model aims to guide the integration of tools and capabilities for effective weak signal detection.
Cybersecurity Expertise in Board Governance
Prediction: By 2026, 70% of boards will include one member with cybersecurity expertise.
With regulatory bodies emphasizing the need for a responsible officer for cybersecurity, boards are expected to include cybersecurity experts. The call is to promote greater cybersecurity wisdom and insight to boards, preparing for challenging questions from board members who deeply understand cybersecurity. The goal is to stay ahead of regulatory requirements by elevating cybersecurity discussions at the board level.
Decentralization of Technology Creation
Prediction: By 2027, 75% of employees will acquire, modify, or create technology outside IT’s visibility — up from 41% in 2022.
The democratization of IT, where business users create and modify technology outside IT’s purview, poses both challenges and opportunities. Acknowledging the expansion of the attack surface, we propose working with early adopters and users of low-code and no-code systems. By instilling cyber judgment in these users, they become an extension of the cybersecurity force, contributing to both the problem and the solution.
Human-Centric Security Practices
Prediction: By 2027, half of large enterprises will adopt human-centric security practices to minimize security-induced friction and maximize control adoption.
Recognizing that 90% of users admit to violating controls, the emphasis is on creating seamless user experiences where controls are integrated. The metaphor of an “Xbox-like experience” is introduced, where users do not experience control boundaries. While removing all controls poses a moral hazard, the suggestion is to focus on low-effort, high-experience controls to minimize friction and maximize control adoption.
In conclusion, these predictions offer a roadmap for navigating the evolving landscape of cybersecurity. By addressing privacy strategically, redefining leadership approaches, reconsidering risk quantification, embracing zero trust, leveraging exposure management data, enhancing board governance, adapting to technology decentralization, and adopting human-centric security practices, organizations can stay resilient and proactive in the face of emerging cyber challenges. As we embark on this journey, the key lies in continuous adaptation, collaboration, and a forward-thinking approach to cybersecurity.