As we say farewell to 2022 and look ahead to 2023, which hot trends will prevail? According to Gartner, Bain and Company, PwC, and CISO friends of Dazz, we’ll see these three: fast growth in cloud security, more rigor at the C-level for cyber risk management plans, and best practice adoption beyond checklists like NIST and ISO 27002. (One best practice I’ve been chatting about with former Chief Trust & Security Officer Emily Heath is modernizing remediation for the cloud era and eliminating “Swiss cheese” in the software development lifecycle. More on this later…)
1) Fast Growth in Cloud Security
In October, Gartner predicted cloud security will see the fastest growth over the next two years, attaining a 26.8% growth rate in 2023, as a result of three influential factors: the increase in remote and hybrid work, the transition from virtual private networks (VPNs) to zero trust network access (ZTNA), and the shift to cloud-based delivery models.
According to Ruggero Contu, senior director analyst at Gartner, “The pandemic accelerated hybrid work and the shift to the cloud, challenging the CISO to secure an increasingly distributed enterprise.” Furthermore, “Demand for technologies and services such as cloud security, application security, ZTNA, and threat intelligence has been rising to tackle new vulnerabilities and risks arising from this exposure.”
Cloud-forward CISOs like Mike Towers, Chief Digital Trust Officer at Takeda, and Joe Silva, Global CISO at JLL, are blazing the way in building comprehensive strategies for cloud security, including the adoption of Dazz for pipeline visibility from “code to cloud,” better collaboration between security and development teams, and faster, more efficient remediation of vulnerabilities.
According to Mike, “Dazz is able to get issues to our developers more quickly, identify misconfigurations for direct remediation, and aggregate aspects of development security that were previously fractured and inconsistent.” Clearly, automated visibility and cloud remediation is a powerful addition to any cloud center of excellence.
2) CEOs Give CISOs More Authority to Drive Security Collaboration
PwC’s 2023 Global Digital Trust Insights Survey revealed that C-level executives and boards of directors say a catastrophic cyberattack is the top scenario in their 2023 resilience plans, and 38% expect more serious attacks in the cloud in 2023. CEOs who participated in the survey also said they wanted to give CISOs more authority to drive collaboration on security next year (46% of CEOs overall, and 49% of CEOs in previously breached companies).
To put better collaboration in action, PwC suggests the following ways for the C-suite to work better together:
- CIO: Enable DevSecOps in application development, as well as thorough pre-launch testing. Remediate misconfigurations from both users and automated deployments.
- CISO: Establish and enforce policies and procedures for securing applications and data, vulnerability and penetration testing, regular patching, continuous compliance monitoring, and security information and event management (SIEM).
- CTO: Require that cloud service providers and third parties provide dashboards and tools to detect misconfigurations across their environments.
- CDO: Confirm that apps comply with privacy requirements and that customer data is partitioned and encrypted for better protection. Put into place solutions that encrypt data at rest, in transit and while in use.
This list is helpful; however, one of the best ways to foster collaboration is to put yourself in your peer’s shoes—and be thoughtful, concise, and actionable. For example, our CISO customers are working with us to reduce alert and tool fatigue, get teams working off the same trusted data, and empower constituents to fix issues themselves as part of their everyday practice. Since Dazz helps security teams “shift left” and reduce noise to code fixes, security teams can essentially bring in the platform and get out of the way. The full team—CIO, CTO, CISO, and CDO—is able to understand their exposure to risk and translate it to their own language, since Dazz provides context across code, containers, clouds, and more. (Cheers to the CISO!)
3) Best Practices Beyond Frameworks: No More Swiss Cheese
Bain and Company’s recent analysis of its cybersecurity best practices survey shows that security leaders underestimate the risk of falling short of cybersecurity best practices. The analysis revealed that on a cybersecurity maturity scale of 1 to 5, a typical company is likely to rate only 1.5 to 2.5, significantly below a best-practices level of risk management.
Bain and Company also notes in the report that “industry frameworks such as NIST and ISO 27002 are an essential building block of cybersecurity. But to protect themselves fully amid such global instability, companies need to go beyond checklist-focused implementation of the best practices enshrined in these frameworks.”
While these older frameworks are helpful, they are not as modern as the way businesses are operating today in the cloud. There is a new and better way to manage risk in cloud-native environments. One that is automated versus manual, centralized versus distributed, fast versus slow, prioritized versus overwhelming. That way—you guessed it—is with Dazz.
Today, when alerts are fired off from a detection tool like Wiz or Snyk, the security team has very little visibility into which ones matter most for risk exposure, never mind finding the code owners to address them. Dazz connects to the existing components in the software development lifecycle, maps its elements, and overlays security issues on top. It uniquely analyzes data to backtrack each security issue to its source. The Dazz Remediation Cloud identifies which specific cloud resource caused the security issue reported by the cloud security tool and traces that resource back to the specific pipeline that deployed it. By fully examining the pipeline, we are able to understand which vulnerable artifact was deployed and what triggered its build. By connecting to the source code, we are able to identify the specific commit and developer that introduced the change and ultimately provide context on the root cause for fast, efficient remediation. In short, we shift security left and create a new best practice for teams to continuously remediate and build secure cloud applications.
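To make the tracing described above concrete, here is an added example (not Dazz code, and not how the Dazz Remediation Cloud is implemented) of walking a cloud finding back through a code-to-cloud map: resource → pipeline run → artifact → commit → author. The inventory tables, the `Finding` schema and every record in them are constructed for the example; the point it shows beyond the paragraph is that once findings resolve to a root cause, alerts on many resources collapse into one fix, and findings that cannot be traced are surfaced as gaps rather than guessed at.

```python
"""Trace a cloud security finding back to the commit that introduced it.

Added example, not Dazz's code. All records below are constructed, and the
shape of the code-to-cloud map is an assumption made for illustration.
"""
from dataclasses import dataclass, field

# Constructed inventory: cloud resource -> pipeline run that deployed it and the artifact it runs.
DEPLOYMENTS = {
    "ecs-task/payments-7f3a": {"pipeline_run": "ci-4211", "artifact": "sha256:aa11"},
    "ecs-task/payments-9c02": {"pipeline_run": "ci-4211", "artifact": "sha256:aa11"},
    "lambda/report-gen":      {"pipeline_run": "ci-4187", "artifact": "sha256:bb22"},
}
# Constructed inventory: pipeline run -> repository, commit and what triggered the build.
PIPELINE_RUNS = {
    "ci-4211": {"repo": "acme/payments",  "commit": "d3adb33f", "trigger": "merge to main"},
    "ci-4187": {"repo": "acme/reporting", "commit": "c0ffee42", "trigger": "nightly build"},
}
# Constructed inventory: (repo, commit) -> author and files changed.
COMMITS = {
    ("acme/payments",  "d3adb33f"): {"author": "dev-a@example.com", "files": ["Dockerfile", "requirements.txt"]},
    ("acme/reporting", "c0ffee42"): {"author": "dev-b@example.com", "files": ["handler.py"]},
}


@dataclass
class Finding:
    """One alert as a cloud scanner might emit it (constructed schema)."""
    tool: str
    finding_id: str
    resource: str
    title: str
    severity: str


@dataclass
class RootCause:
    """The commit-level cause that a group of findings traces back to."""
    repo: str
    commit: str
    author: str
    pipeline_run: str
    trigger: str
    artifact: str
    findings: list = field(default_factory=list)


def trace(finding):
    """Walk finding -> resource -> pipeline run -> artifact -> commit.

    Returns None as soon as a link is missing, so an untraceable finding is
    reported as a gap in the map instead of being assigned a guessed owner.
    """
    dep = DEPLOYMENTS.get(finding.resource)
    if dep is None:
        return None
    run = PIPELINE_RUNS.get(dep["pipeline_run"])
    if run is None:
        return None
    commit = COMMITS.get((run["repo"], run["commit"]))
    if commit is None:
        return None
    return RootCause(repo=run["repo"], commit=run["commit"], author=commit["author"],
                     pipeline_run=dep["pipeline_run"], trigger=run["trigger"],
                     artifact=dep["artifact"], findings=[finding.finding_id])


def group_by_root_cause(findings):
    """Collapse alerts that share one (repo, commit) into a single actionable item.

    Returns (root_causes, untraced_finding_ids). Order follows first appearance.
    """
    causes = {}
    untraced = []
    for f in findings:
        rc = trace(f)
        if rc is None:
            untraced.append(f.finding_id)
            continue
        key = (rc.repo, rc.commit)
        if key in causes:
            causes[key].findings.append(f.finding_id)
        else:
            causes[key] = rc
    return list(causes.values()), untraced


# Constructed sample alerts: two instances of one vulnerable image, one unrelated
# low-severity issue, and one resource that the map does not know about.
SAMPLE_FINDINGS = [
    Finding("scanner", "F-1", "ecs-task/payments-7f3a", "outdated TLS library in image", "high"),
    Finding("scanner", "F-2", "ecs-task/payments-9c02", "outdated TLS library in image", "high"),
    Finding("scanner", "F-3", "lambda/report-gen",      "verbose error output",          "low"),
    Finding("scanner", "F-4", "s3/legacy-bucket",       "public read ACL",               "high"),
]

if __name__ == "__main__":
    causes, untraced = group_by_root_cause(SAMPLE_FINDINGS)
    for rc in causes:
        print(f"{rc.repo}@{rc.commit} by {rc.author} via {rc.pipeline_run} ({rc.trigger}): {rc.findings}")
    print("untraced (no pipeline record, needs manual ownership):", untraced)
```

Running it turns four scanner alerts into two developer-addressable items plus one explicit gap: F-1 and F-2 both resolve to the same `acme/payments` commit, so one fix closes both, while F-4 is flagged as untraced because the map has no deployment record for that bucket. In a real deployment the three inventory tables would be fed from the CI system, the container registry and the source control host rather than hard-coded.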
And that means…no more Swiss cheese in cloud remediation and the software development lifecycle!