2023 Review: Reflecting on Cybersecurity Trends

Every year, experts weigh in with predictions of what the big cybersecurity trends will be—but how often are they right? That’s the question Trend Micro’s Greg Young and Bill Malik asked recently on their Real Cybersecurity podcast, looking at what forecasters got wrong on a wide range of topics, from AI to human factors.

By: Greg Young, William MalikDecember 07, 2023Read time: 5 min (1305 words)

With the season of ubiquitous year-ahead predictions around the corner, Trend Micro’s Greg Young and William Malik decided to look back at 2023 and see which forecasted cybersecurity trends came to pass and which, um, didn’t. The latest episode of their Real Cybersecurity podcast calls out a handful of particularly notable flops—and gives some thought to the implications for 2024.

Don’t believe (all) the AI hype

All eyes were on AI at the start of 2023 given the explosive uptake of ChatGPT. The feariest of fearmongers warned cybercriminals would use generative AI to conjure up new kinds of ultra-nefarious threats, but that didn’t end up being the case.
That’s largely because generative AI isn’t actually creative. While it often seems to be producing novel material, all it can really do is synthesize pre-existing data. If enough entries in a data set insist that 2 + 2 = 16, an AI model will accept that as true and generate flawed outputs. That constrains both AI’s inventiveness and its usability for cybercrime.

“[AI is] only as smart as the information it’s fed. It takes 10 known things and then triangulates the geographic center of mass of that place. It doesn’t go and say, ‘This is the 11th in the series.’ It tells you what you already know.”
William Malik, Real Cybersecurity podcast

Generative AI did play a role in beefing up existing attack modalities such as phishing in 2023. Those enhancements pose—and will continue to pose—challenges for cybersecurity teams. AI-boosted attacks are bigger, faster, stronger, and smarter than their conventional counterparts while requiring less human intervention. They allow cybercriminals with limited skills to mount effective and lucrative attacks easily.

Given the uncertainty about AI and its potential risks, there was a lot of regulatory talk throughout the year. And talk. And talk. Meaningful efforts to regulate AI, on the other hand, proved to be slow-moving. President Biden issued an Executive Order on October 30 establishing new standards for AI security and privacy protection, but by and large the industry continued to follow its own code of conduct. With AI advances outpacing policy development, it’s not clear what kinds of regulatory progress might be made in 2024.

Blockchain – what is it good for?

Even if AI didn’t bring about cyber-Armageddon (or at least, hasn’t yet), it was definitely on the ascendant this past year. By contrast, as a cybersecurity trend, blockchain headed in the other direction.

Once heralded as the Second Coming of cybersecurity technologies, blockchain has basically carved out a niche as the optimal way to secure high-value transactions between strangers. The problem is very few strangers engage in high-value transactions—legitimate ones, anyway. And since the value has to be at least five-figures high for blockchain to make financial sense (and to justify the computational and energy intensity involved), traditional security frameworks remain more practical for almost everything outside of safeguarding digital currencies.

Why is tool sprawl still a cybersecurity trend?

Enterprises and the cybersecurity industry have been sounding the alarm over tool sprawl for a few years now. And they kept sounding it in 2023.

Depending on which survey you read, the average organization has anywhere from 20 to 50 discrete cybersecurity solutions deployed—too many for already overtaxed teams to manage, and more even than there are actual cybersecurity disciplines, suggesting significant redundancy.

The consequences of tool sprawl are becoming harder for organizations to live with: excessive uncorrelated alerts that compromise cybersecurity efficiency; redundancies that cost both real dollars and productivity; and unbridled complexity, which is the outright enemy of security.

While few organizations fully conquered this longstanding problem in 2023, and while analysts fully expect more specialized cybersecurity tools to hit the market in the years to come (especially those enabled by AI), there is at least growing awareness of the need for cybersecurity consolidation.

Consolidation has potential to radically simplify cybersecurity operations by allowing organizations to adopt open platforms that can integrate a mix of third-party offerings while reducing the number of tools and vendors they have to deal with. This is a cybersecurity trend that could—and should—gain momentum in 2024.

Humans are not the weakest link

It’s always a sign of progress when people abandon received truths for sharper insights. To paraphrase Ben Franklin, “If everyone is thinking the same, nobody’s thinking much.” Sadly, when it comes to cybersecurity awareness and skills, some dogged “same-olds” persisted in 2023, including the worn-out idea that humans are the weakest link.

In fact, it’s become clearer with time that the blame for human weak links lies squarely with organizations, which have done a generally poor job of raising their teams’ cyber-awareness. Fortunately, there does seem to be growing understanding that, as threats increasingly target users, people can—and indeed need to—be the strongest links.

Raising cyber awareness is one half of the solution. The other is making it safe and acceptable for employees to report mistakes that put organizations at risk. Shame and blame are only and always barriers to transparency and continuous improvement.

Closing the skills gap: A cybersecurity trend in desperate need of fixing

If a culture shift is needed to strengthen cybersecurity at the individual level, it’s doubly or triply critical when it comes to the skills shortage that persisted throughout the year. Organizations are desperate to fill an estimated 3.5 million positions worldwide even as hundreds of thousands of qualified cybersecurity professionals are looking for work.

Part of the problem is that too many job postings are imprecise and unrealistic, requiring familiarity with every imaginable aspect of cybersecurity—and in some cases calling for a decade of experience in areas that aren’t even 10 years old—when really what’s needed are specific capabilities for defined functions.

Organizations have to get clearer on what they’re looking for, hire for the role, and then create internal opportunities for people to be exposed to new domains so they can develop and expand their repertoires of skills over time. Cross-training is critical. It doesn’t dilute focus: it broadens individual capacity.

“HR and IT is a pretty rough road, and for some reason cybersecurity is the roughest of them all.”
Greg Young, Real Cybersecurity podcast