APIs and zero trust named as top priorities for CISOs in 2023

Consolidating their organization’s tech stacks, defending budgets and reducing risk are three of the top challenges facing CISOs going into 2023. Identifying which security technologies deliver the most value and defining spending guardrails is imperative. 

Forrester’s 2023 security and risk planning guide provides CISOs prescriptive guidance on which technologies to increase and defend their investments and which to consider paring back spending and investment.  

Forrester recommends that CISOs fund proof of concepts in four emerging technology areas: software supply chain security, extended detection and response (XDR) and managed detection and response (MDR), attack surface management (ASM) and breach and attack simulation (BAS), and privacy-preserving technologies (PPTs).

Start by benchmarking security budgets 

Forrester grouped enterprises into two categories: those that spent up to 20% of their IT budget on security versus those that spent 20% or more. Compared to data from Forrester’s 2021 security survey, they found that cloud security spending grew the most in organizations that had security spending accounting for 20% or less of overall IT budgets. 

Security portfolios aren’t migrating to the cloud fast enough

Infrastructure leaders at U.S. enterprises have migrated 45% of their total application portfolio to a public cloud and anticipate 58% will have moved in the next two years. In addition, consensus estimates from several market surveys show that most enterprise security workloads are already on public cloud platforms. However, Forrester’s survey shows that security and risk management professionals surveyed are running behind on moving more security workloads to public clouds.  

On-premises security software is still the largest expense in a security budget

Forrester’s analysis combined maintenance, licensing and upgrade expenses with new investments for on-premises software to track spending in this category. In organizations that spend less than 20% of their IT budgets on security, 41% invest in on-premises security software. Organizations spending over 20% of their IT budget on security spend 38% on on-premises systems.  

Services are nearly 25% of all security spending

Given the complexity of integrating and getting value from internal security controls, spending on security services is growing today. Forrester finds that enterprises are turning to managed security services providers (MSSPs) to reduce costs, close the skills gap and supplement short-staffed security teams. As security cloud adoption increases, the need for specialized expertise will follow, continuing to fuel services security spending. 

Security technologies to invest in during 2023 

The global threat landscape is an always-on, real-time source of risk for every organization. Therefore, investing in cybersecurity is also an investment in ongoing business operations and controlling risk. The two factors are compelling CISOs to trim technologies from their tech stacks that can’t keep up with real-time threats. 

For example, CrowdStrike’s research finds that, on average, it takes just one hour and 58 minutes for a cyberattacker to jump from the endpoint or machine that’s been compromised and move laterally through your network. As a result, expect to see inventories of legacy security software being consolidated into the current wave of new technologies Forrester recommends CISOs invest in, which are summarized below. 

API security

CISOs need to pursue a least-privileged access approach to API security that limits sprawl and is consistent with their zero-trust framework.

“When considering API strategy, work with the dev team to understand the overall API strategy first. Get API discovery in place. Understand how existing app sec tools are or are not supporting API use cases. You will likely find overlaps and gaps. But it’s important to assess your environment for what you already have in place before running out to buy a bunch of new tools,” said Sandy Carielli, principal analyst at Forrester, during a recent interview with VentureBeat.

The rapid increase in API breaches is delaying new product introductions. Nearly every devops leader (95%) says their teams have suffered an API security incident in the last 12 months.

“API security, like application security overall, must be addressed at every stage of the SDLC. As organizations develop and deploy APIs, they must define and build APIs securely, put proper authentication and authorization controls in place (a common issue in API-related breaches) and analyze API traffic only to allow calls in line with the API definitions,” said Carielli.

“In addition, a common issue with organizations is inventory. Owing to the sheer number of APIs in place and the tendency to deploy rogue APIs (or deploy and forget) — many security teams are not fully aware of what APIs might be allowing external calls into their environment. API discovery has become table stakes for many API security offerings for this reason.”

Bot management solutions

Bot management solutions rely on advanced analytics and machine learning (ML) algorithms to analyze traffic in real time to determine intent. 

“Bot management solutions actively profile traffic to determine intent and perform protection techniques such as delaying, blocking or misdirecting traffic from bad bots,” Carielli said. “Examples of vendors in the bot management market are Akamai, Imperva and Human.” 

ICS/OT threat intelligence

Industrial control systems (ICS) and operations technology (OT) stacks are among capital-intensive industries’ most vulnerable threats. Security isn’t designed into the core platform, making them a frequent target of cyberattackers. Forrester points out that CISOs at manufacturing, utilities, energy and transportation organizations must consider adding ICS threat intelligence capabilities to protect physical and digital systems and assets. 

Cloud workload security (CWS), container security and serverless security

Securing cloud workloads and providing container and serverless security requires a cross-functional team trained in these technologies and ideally certified in advanced security techniques to protect them. Hybrid cloud configurations that rely on CWS are especially vulnerable and can leave compute, storage and network configurations of cloud workloads at risk. Container and serverless security are a work in progress for many security vendors today, with several saying this is on their product roadmap. 

Multifactor authentication (MFA)

Table stakes for any zero-trust network access (ZTNA) initiative and often one of the first areas CISOs implement to get a quick win in their zero-trust initiatives, MFA is a must-have in any cybersecurity strategy. Forrester notes that enterprises need to aim high when it comes to MFA implementations. They recommend adding a what-you-are (biometric), what-you-do (behavioral biometric), or what-you-have (token) factor to what-you-know (password or PIN code) legacy single-factor authentication implementations.

Zero-trust network access (ZTNA)

Virtual teams, the exponential increase in endpoints they’re creating and the infrastructure to support them are catalysts driving ZTNA adoption. Forrester observes that the convergence of networking and security capabilities continues to drive ZTNA adoption to fulfill the tenets of zero trust and zero-trust edge (ZTE) models. 

Security analytics platforms

Legacy rules-based security information and event management (SIEM) platforms aren’t keeping up with the scale and speed of real-time threats today. As a result, SIEM platform providers are integrating security analytics (SA) into their platforms that combine big data infrastructure, security user behavior analytics (SUBA), and security orchestration, automation and response (SOAR). Combining these technologies makes it possible to identify insider threats using behavioral analytics, while SOAR provides improved visibility and control over orchestrated processes and automation.

Crisis response simulations and purple team exercises

Forrester recommends that IT and security leaders regularly participate in cybersecurity crisis simulations, including the executive leadership team members and the board of directors. These exercises run executives through breach, ransomware and cyberattack scenarios and help identify communication and information gaps before an event. 

Avoid spending on standalone controls and legacy tech 

Forrester recommends that CISOs reduce their investments in standalone and legacy, on-premises security controls. For example, the more isolated a data loss prevention or security user behavioral analytics system is, the more likely it will slow down response times and allow cyberattackers to move laterally across a network.

Standalone data-loss prevention (DLP)

Forrester notes that DLP is now integrated as a feature capability in email security and cloud security gateways, cybersecurity suites and platforms like O365. Having DLP integration at the platform level makes it easier for organizations to acquire and enable DLP as a feature of a broader solution to address compliance needs.

Standalone security user behavior analytics (SUBA)

Since being introduced, SUBA has become more integrated into SA platforms, as noted above. In addition, Forrester notes that standalone SUBA systems are being sold alongside DLP to provide additional user contextual intelligence. As a result of these factors, SUBA’s viability as a standalone technology is limited.

Managed security services providers (MSSPs)

Managed detection and response (MDR) providers are better equipped to protect organizations against the onslaught of real-time attacks today than MSSPs are. According to Forrester, MSSPs have devolved into “alert factories sending templated emails about alerts to clients that failed to provide context or accelerate decision-making.” Redirecting spending on MSSPs to MDRs and security-operations-center-as-a-service (SOCaaS) providers is a better decision based on Forrester’s planning guide recommendations. 

Indicators of compromise (IOC) feeds

IOC feeds are another feature that’s being integrated as a component of enterprise firewalls, endpoint detection and response and SA platforms. Forrester recommends that CISOs reduce or eliminate spending on IOC feeds. Instead, look to security platform vendors to provide IOC feeds as a value-added service in existing contracts. 

Legacy, on-premises network security technologies

According to Forrester, CISOs should avoid investment in on-premises network access control (NAC) except for specific IoT/ICS/OT use cases. Instead, CISOs need to consider how ZTNA, combined with software-defined perimeters, can provide more effective enterprise-wide security and risk reduction.

New security technologies worth evaluating  

Four emerging security technologies are worth pursuing through the proof of concept phase. The four technologies include:

1. Software supply chain security

“A software supply chain attack occurs when a customer installs or downloads compromised software from a vendor, and an attacker leverages the compromised software to breach the customer’s organization. Adopting zero-trust principles with all software, including third-party software, can help to mitigate the risk of a supply chain attack,” Janet Worthington, senior analyst at Forrester, told VentureBeat. 

“For example, an organization might purchase antivirus software which requires elevated privileges to be installed or operate. If an attacker gains access to the compromised software, the elevated privileges can be utilized to access the organization’s sensitive data and critical systems,” she said.

It’s advisable during the procurement process to work with vendors to ensure that their software adheres to the zero-trust least-privilege principle and uses a secure software development framework (SSDF). 

“Having a zero-trust architecture to build software supply chain security is essential. In order to prevent lateral movement, in the event of a compromise, implement a zero-trust architecture where all users, applications, services and devices are continuously monitored and their identity validated. Also, consider microsegmentation to create distinct security zones and isolate applications and workloads in data centers and cloud environments,” Worthington said. 

2. Extended detection and response (XDR) and managed detection and response (MDR)

XDR tools provide behavioral detections across security tooling to deliver high-efficacy alerts and additional context within alerts. XDR enables security teams to detect, investigate and respond from a single platform. MDR service providers are known for providing more mature detection and response support than XDR suites, and can help augment security teams facing ongoing labor shortages. MDR service providers are also evaluating adopting XDR technologies to complement their threat-hunting and threat-intelligence services. 

3. Attack surface management (ASM) and breach and attack simulation (BAS) 

ASM solutions are a new technology that enables organizations to identify, attribute and assess the exposures of endpoint assets for risks ranging from external vulnerabilities to misconfigurations. BAS has emerged to provide an attacker’s view of the enterprise with deeper insights into vulnerabilities, attack paths and weak/failed controls. Both solutions assist security and IT ops teams in prioritizing remediation efforts based on the asset’s value and severity of the exposure. 

4. Privacy-preserving technologies (PPTs)

PPTs include homomorphic encryption, multiparty computation and federated privacy. They enable organizations to protect customers’ and employees’ data while creating and iterating machine learning models or using them for anonymized predictive analytics projects. PPTs show potential for enabling high-performance artificial intelligence (AI) models while satisfying privacy, ethics and other regulatory requirements. 

Real-time threats require constant investment 

Staying at competitive parity with cyberattackers and becoming more adept at real-time attacks is the challenge every CISO will face in 2023 and beyond. Knowing which technologies to prioritize is invaluable for protecting an enterprise’s IT infrastructure. 

Scaling back spending on standalone and legacy on-premises network security technologies frees up the budget for newer technologies that can meet the challenge of real-time threats. Forrester’s recommendation of four emerging technologies for proof-of-concept investing reflects how quickly attack strategies are progressing to capitalize on enterprise security stacks’ weaknesses.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.