Security 2023: Supply Chain Resilience, Talent and More

Every year Splunk’s leaders and technology experts assemble a set of predictions reports looking at the year ahead and beyond. Our chief strategy officer, Ammar Maraqa, introduced the reports yesterday and touched on each of the four editions. But I think the Data Security Predictions report is worth a deeper dive, because there’s a lot in there — and a lot at stake for security leaders.

The main theme of this year’s report is a word that comes up in a lot of my conversations: resilience. CISOs and business leaders describe a greater emphasis on overall business resilience, and they say that security leaders are playing a broader role than the classic function of “keep adversaries out.”

This trend has accelerated in the last few tumultuous years, but in my own career I’ve long seen it building. That’s not to say that a lot of “chief resilience officer” titles will be created in the coming years. But we’re already seeing that companies that intentionally merge cybersecurity and business resilience are designating a chief trust officer, because trust is an essential outcome of a truly resilient system.

Mostly smaller companies take that path, and I don’t think the new job title will catch on broadly. But the linking of resilience and security is here to stay, as are a number of the key challenges.

Supply Chains Get SBOM’d

One of the most important predictions in this year’s report is about how we’ll handle supply chain attacks. Generally, we’re going to see more investment around protecting the software supply chain and mitigating the effects a vulnerability can have across the entire tech industry.

For any organization, the process of figuring out whether a given supply chain vulnerability is hiding in your infrastructure or software offerings is a laborious task. A lot of teams are just emailing their vendors and waiting for a reply to the question, “Are you compromised? Are we?” If the flaw is likely to exist in many of the software products your organization consumes, it might take a month to get all those replies back.

As prominent supply chain attacks continue, it’s going to drive the industry to adopt the software bill of materials, or SBOM. This bill of materials details which components, such as a piece of open-source software, are embedded in a software product. When a certain version of a certain component is reported to be compromised, there’s no email; you just look at the SBOM and know where you stand. And you can turn to the task of remediation in minutes or hours, rather than in days or weeks.

I can’t overstate it: Wide adoption of SBOMs will revolutionize the software industry in terms of security and remediation.
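The lookup described above, as an added example that is not part of the original post and not Splunk code: given a constructed CycloneDX-style SBOM and a constructed advisory naming a component and its affected version range, it walks the bill of materials (including nested, transitive components) and reports which embedded components fall in the affected range. The component names, versions and the `find_affected`/`triage` helpers are all hypothetical; a production check would also match on the package URL (purl) ecosystem, not the bare name, so that two different packages sharing a name are not confused.

```python
import json

# Constructed CycloneDX-style SBOM; the components and versions are made up
# for this example and do not describe any real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-helper", "version": "2.14.1",
     "purl": "pkg:maven/example/log-helper@2.14.1"},
    {"type": "library", "name": "json-util", "version": "1.8.0",
     "purl": "pkg:pypi/json-util@1.8.0",
     "components": [
       {"type": "library", "name": "log-helper", "version": "2.12.0",
        "purl": "pkg:maven/example/log-helper@2.12.0"}
     ]},
    {"type": "library", "name": "log-helper", "version": "2.17.0",
     "purl": "pkg:maven/example/log-helper@2.17.0"}
  ]
}
"""

# Constructed advisory: component name plus [lower-inclusive, upper-exclusive)
# version ranges that are reported as affected. Hypothetical values.
ADVISORY = {"name": "log-helper", "affected": [("2.0.0", "2.15.0")]}


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) for tuple comparison.

    Only the leading digits of each dotted piece are used, so '1.2.3-beta'
    becomes (1, 2, 3); a piece with no digits counts as 0.
    """
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, lo, hi_exclusive):
    """True when lo <= version < hi_exclusive under parse_version ordering."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi_exclusive)


def walk_components(components, depth=0):
    """Yield (component, depth) for every component, recursing into nested
    CycloneDX 'components' lists so transitive dependencies are not missed."""
    for comp in components:
        yield comp, depth
        yield from walk_components(comp.get("components", []), depth + 1)


def find_affected(sbom, advisory):
    """Return [(component, depth)] for components whose name matches the
    advisory and whose version falls inside any affected range."""
    hits = []
    for comp, depth in walk_components(sbom.get("components", [])):
        if comp.get("name") != advisory["name"]:
            continue
        ver = comp.get("version", "")
        if any(version_in_range(ver, lo, hi) for lo, hi in advisory["affected"]):
            hits.append((comp, depth))
    return hits


def triage(sbom_json, advisory):
    """Answer 'are we affected?' from the SBOM alone: status plus the
    (name, version, depth) of each affected component."""
    sbom = json.loads(sbom_json)
    hits = find_affected(sbom, advisory)
    return {
        "status": "affected" if hits else "not affected",
        "components": [(c["name"], c["version"], d) for c, d in hits],
    }


if __name__ == "__main__":
    result = triage(SBOM_JSON, ADVISORY)
    print(result["status"])
    for name, version, depth in result["components"]:
        print(f"  {'  ' * depth}{name} {version} (depth {depth})")
```

Running the block reports the direct `log-helper 2.14.1` dependency and the transitive `log-helper 2.12.0` nested under `json-util` as affected, while `2.17.0` is outside the range; that is the "look at the SBOM and know where you stand" step, answered from the document rather than from a vendor email.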

Talent is Not a Resume Bullet

Automation holds a lot of promise, but you can’t automate away the entire talent shortage. Instead, smart organizations will continue to expand the search for talent to include a greater diversity of backgrounds. They’ll put an emphasis on talents (innate curiosity, problem-solving, a taste for adrenalin) versus learned skills (required experience or certifications).

I’ve had success with this approach. Some of my best red teamers had been English and philosophy majors, people without a computer science degree. Going forward, more organizations are going to adopt this approach toward entry-level talent. But the impetus doesn’t come from the hiring manager or the HR partner. This approach comes from the top, from CISOs who are tired of hearing “we can’t find any talent” and “we need people with 10 years of NSA experience to be tier-one analysts” in the same conversation.

And a Few Bonus Predictions

By the time I joined Splunk this fall, the Predictions reports were well under way, and I was focused on settling into my role as CISO. As I highlight key features in this year’s report (which also touches on ransomware and the expanding cybercrime economy, privacy, the impact of machine learning and more), I also have a few late thoughts of my own about the road ahead.

A primary driver of the focus on resilience is the permanent move, for so many organizations, to a hybrid-remote workforce model. Though many organizations may think they’ve already completed the shift to hybrid-remote, this new model will continue to drive a lot of decisions, innovation and budget.

Secondly, the issue of accountability is likely to evolve. The U.S. Securities and Exchange Commission is taking a more forceful approach with public companies. The October conviction of Uber’s former chief security officer definitely caught the attention of security leaders across the industry. I think we’ll see more SEC action, and legislation that will change how incidents and risks must be disclosed in SEC 10-K filings.

Ultimately, moves toward greater transparency are good for the market, the software industry and security teams. Although it can seem that security teams always have to react to one crisis after another, I think we’re at a very good time in this industry. No one got into this field looking for a slow, sleepy pace, and I see the challenges as opportunities to learn and improve. Security is not about achieving a specific level of maturity and declaring that you’ve scaled the mountain. It’s about evolving in a constantly changing environment, and getting a little smarter, a little better, every day.

And that’s a future I look forward to.
