Industry Experts Share Their Security Predictions for 2023

Insights on the trends all businesses need to look out for

By Multiple Authors

It’s no surprise that security is a major topic of conversation, with cyberattacks of all kinds increasing in frequency year after year. In today’s threat environment, it’s important that businesses are on top of the trends and know what they need to look out for, both now and down the road. So, we’ve collected commentary from experts in the cybersecurity field sharing their predictions for 2023 on a broad range of topics, from ransomware to credential-based attacks, so your organization can stay informed in the year to come.

Amit Shaked, CEO and co-founder, Laminar

1. Data security professionals will be viewed as business accelerators rather than inhibitors. Data security has traditionally been seen as a roadblock for other areas of the organization such as IT and operations. Unfortunately, it’s the nature of the job. Data security involves having to make sure every digital asset is kept out of the hands of adversaries and is adhering to policy. With the increase in data proliferation, that has become increasingly more difficult to do. However, it is critical for data to be available in order for businesses to conduct day-to-day operations. Data security is a key component in making that happen and, when done correctly, is not a hindrance. Luckily, in 2022, more organizations began to understand the significance of data visibility and security, particularly in public cloud environments. As a result, they began to rely more and more on data security professionals and looked at them as business accelerators. I expect this sentiment to continue in 2023 as cloud data security technologies evolve to help make data security professionals’ lives easier and advance the business.
2. The increase in unknown or “shadow” data will lead to more data leaks, risks for organizations. However, it will ultimately serve as a wake up call for CISOs to prioritize investments in data visibility and protection solutions. There is a dark side to digital transformation fueled by the public cloud. Every day developers and data scientists create, move, modify and delete data in service of positive business outcomes. And they leave a trail of unintentional risk in their wake. The activities that create the biggest advantages for cloud-based businesses are the same activities that introduce the most risk. As sensitive data propagates across the public cloud, risk grows. This is the Innovation Attack Surface – a new kind of threat that most organizations unconsciously accept as the cost of doing business. Massive, decentralized, accidental risk creation by the smartest people in your business. This unknown or “shadow” data has become a problem for 82% of security practitioners. Examples of it include database copies in test environments, analytics pipelines, unlisted embedded databases, unmanaged backups, and more. Because of its unknown content, it is at extra risk for exposure. Security teams can expect to see more instances of shadow data breaches in 2023. However, even though breaches caused by shadow data are set to increase, security teams are becoming more and more aware of the situation and committing to solving the problem. The emerging public cloud data security market proves that this is slowly becoming a problem at the forefront of CISOs minds, and knowing you have a problem is the first step to solving it. In 2023, CISOs will prioritize finding agile solutions that provide both visibility and protection into all of their cloud data to discover and remediate data exposure risk.
3. A new data security center of excellence will report to the CISO. All security must protect data, however not all security is focused on data. With data increasingly growing more important as a currency between businesses, as well as as a means of innovation, organizations are storing and sharing more of it than ever (and increasingly, in the cloud). The skills gap created by this will begin to be addressed in 2023 with the rise of a new data security center of excellence, reporting to the CISO. This center of excellence will bridge the gap between the CISO and the Chief Data Officer (CDO) to ensure an entity’s valuable data is secure. The data security center of excellence will have responsibility for the following four areas:
4. Constantly maintaining visibility of all sensitive data
5. Continuously protecting sensitive data
6. Controlling who has access to sensitive data
7. Ensuring that sensitive data adheres to the enterprise data security policy

This center of excellence, along with more data-centric, defense-in-depth security strategies will augment the important data governance and data privacy work that the Chief Data Officer typically oversees.

Raffael Marty, EVP and GM of Cybersecurity, ConnectWise

“It can be hard to get a handle on the constantly evolving cybersecurity threat landscape, but over the last year, certain trends have made themselves clear—and we can expect to see these trends continue into 2023. The year began hopeful with several organizations reporting fewer ransomware incidents in the first half of 2022 compared to 2021. Instead of fewer ransomware incidents occurring though, it may be that we saw fewer reported due to the shift in tactics used by many ransomware operators from targeting enterprises and major multinationals to smaller organizations that may not have a robust threat defense practice and therefore are less likely to report incidents, and/or don’t get the same level of media coverage as larger organizations when attacks do occur.

And—in a trend that’s been rising for years and shows no signs of slowing—these attacks are increasingly identity-based, with business email compromise making up a significant proportion of breaches.

Defending against these trends, we can expect to see governments and the private sector at large growing more serious about holistic and standardized defense approaches, such as following NIST guidelines. From a security product perspective, we have already started seeing a trend toward consolidation of solutions. Less point products, more automation with tightly integrated platforms and solutions. Efforts like Zero Trust Architectures and continuous validation and verification will be the name of the game in 2023 as MSPs and others get increasingly serious about the scale and intensity of the threat they’re facing on a minute-by-minute basis.

The statistics bear this out: 78% of business leaders say their organization is set to increase investment in cybersecurity in the next 12 months, according to research findings of the 2022 Vanson Bourne Report. Meanwhile, the SMB market is predicted to spend much more on cyber detection, response, and automation next year, according to the 2022 ConnectWise MSP Threat Report.

Given the increased sophistication and motivation of attackers, the ever need for integrated cyber solutions, and constantly changing external drivers (technology changes, regulatory mandates, talent shortage, etc.), we expect to see the service business grow in popularity. SOC (and also NOC) services will help MSPs scale their businesses by eliminating repetitive and unprofitable tasks, so that the MSP can focus on high-value, high ROI activities.

Steve Moore, Vice President, and Chief Security Strategist, Exabeam

“The greatest observable trend to note as we move into 2023, is the increased use of credentials in cyberattacks, for both initial and persistent access. Currently, more than half of all attacks happen through stolen credentials. This number will increase for initial access, and go higher still for persistent access.

Adversaries are experiencing continued success without using malware to gain access and sign-in. From there, they are able to use internal credentials and tools against the defender.

Additionally, with geopolitical changes in the world, we will see an uptick in individual businesses falling victim to nation-state attacks. We can expect the lines to blur between espionage and criminal activity, as information and attack techniques are shared. Loyalists to certain nations will continue to offer cooperation to these international hacking efforts.

As a result, I think we’ll see more governments attempting to create publicly known offensive capabilities, in efforts to tear down criminal groups physically and technically.  These takedowns of criminal networks take great diplomacy; with both speed and patience and with active coordination of local and federal law enforcement.”

Neil Jones, director of cybersecurity evangelism, Egnyte

“For the first time in a long while, cybersecurity is being viewed as a strategic investment rather than a budgetary line-item. I anticipate this trend to accelerate in 2023. By following effective cybersecurity practices like the implementation of ongoing, company-wide cybersecurity training, maximizing endpoint security, and limiting access to data on a ‘business need to know’ basis, organizations can alleviate downtime and improve employee productivity. Over the long haul, cyberattack prevention is almost always less expensive than passively waiting for an attack to occur. At a time when businesses are managing expanding data volumes, cybersecurity must be an always-on company priority.”

Aaron Sandeen, CEO and co-founder, CSW

As organizations struggle to navigate an unsteady economy with increasing inflation, higher interest rates, and a potential recession, many are undergoing significant layoffs and hiring restrictions. Companies are substantially reducing expenses in an effort to survive the uncertainty, including IT and cybersecurity budgets, which will ultimately have an impact on the cybersecurity industry.

As a result of the weak economy, organizations will lack the people and resources to maintain their cybersecurity defenses, which will provide bad actors an opening. With a wider range of attack vectors available in 2023, cyberthreats will advance in sophistication and harm.

Alongside dwindling resources, there is a mass amount of increasing data, with experts expecting 94 zettabytes of data worldwide by the end of the year. Making sense of the data you have is becoming more and more crucial at a time when enterprises must deal with a flood of sensitive data. Because of this, I believe the driving force behind cybersecurity initiatives in 2023 will be predictive intelligence coupled with actionable insights. Better cybersecurity is achieved by combining raw data with contextual threat intelligence that is updated continuously using automation, AI, and ML, as well as expert validation.

Tim Prendergast, CEO, strongDM

“Looking into next year, I think we will see the security market continue to build toward practical applications of zero trust philosophies, as the industry gets its feet under itself in terms of figuring out how to talk with customers about what ‘zero trust’ means and how it is supposed to work. For their part, I think customers are reaching a tipping point of being very well-educated in this market, and I think that will cause established companies to reposition product portfolios into a focused ‘zero trust’ messaging platform, to address the customer opportunity. In 2023 the talk will continue around a pending recession, but we remain hopeful that things will turn around by 2024. People will begin investing in startups again that are innovating in this space. We may see a lot of private equity or mergers and acquisition continue to drive the security space. There will be a definite shift in how people are looking at this chessboard. I want to offer simple advice for businesses in the new year, especially in a downturned economy. Be a good steward of the capital you have in front of you. I think many companies got into the habit – due to investors and plentiful cash at low-interest rates – of thinking that you can always get another round of funding. In a bear market, you realize that’s not a possibility, so you must go back to the fundamentals of business. Be profitable, and focus on incrementally growing the business. Support the investments you’ve made and focus on optimizing your processes that can keep the pipeline busy without over-complicating it all. For example, with free-flowing cash, a lot of people were like, ‘Let’s go, attack 25 different markets!’ Instead, focus on the core markets your business does really well. I think people were really getting a bit over their skis and trying to do too much at once. In 2023, the market will see businesses taking more of an iterative approach to building out the business, its markets and products. Every year is a good year to build on solid fundamentals, and 2023 will be a year for organizations to be smart, and not get over their skis. One of the biggest trends that will absolutely continue into 2023 is the decentralization of the traditional corporate headquarters. We have emerged from the pandemic into a new working reality which is that the best people live where they want to live. This has led businesses to the compromise of creating a place where they can work and be contributing to the company’s goals but also, they can be happy and have a fulfilling personal life. I think that the cliche work-life balance that so many people have struggled with for so long has finally gotten to a place where it feels attainable with a decentralized workplace. No one wants a job where they occasionally get to have a life, too. I think that’s a fair expectation. There are also other benefits to being decentralized, especially when you look at the distribution of people in city centers, traffic is horrible and it’s not great for the environment. People being able to work from wherever they happen to be, but still have opportunities for occasional on-site or human interaction is the future. People want their time to be spent in meaningful ways, not just filling seats in the office between eight and 6 p.m. I don’t think that’s a reality. We have the technology to have productive conversations and get a lot of work done. In the end, I think that’s better for the economy and the planet. It’s why we’ve always been a remote-first business – because as a company that sells a SaaS solution, we don’t need to physically be in the same location to build our product.”

Surya Varanasi, CTO, StorCentric (www.storcentric.com):

1.)   The ransomware threat will continue to grow and become increasingly aggressive – not just from a commercial standpoint, but from a nation-state warfare perspective as well. Verizon’s 2022 Data Breach Investigations Report, reminded us how this past year illustrated, “… how one key supply chain incident can lead to wide ranging consequences. Compromising the right partner is a force multiplier for threat actors. Unlike a financially motivated actor, nation-state threat actors may skip the breach altogether, and opt to simply keep the access to leverage at a later time.” For this reason, channel solutions providers and end users will prioritize data storage solutions that can deliver the most reliable, real-world proven protection and security. Features such as lockdown mode, file fingerprinting, asset serialization, metadata authentication, private blockchain and robust data verification algorithms, will transition from nice-to-have, to must-have, while immutability will become a ubiquitous data storage feature. Solutions that do not offer these attributes and more won’t come even close to making it onto any organization’s short-list.

2.)   Consumer attitudes towards online security and privacy will heighten. A key driver here will be that while enterprises getting hacked and hit by ransomware continue to make the headlines, cybercriminals have begun to hit not just enterprise businesses with deep pockets, but SMBs and individuals. SMBs and individuals/consumers are actually far more vulnerable to successful attacks as they do not have the level of protection that larger enterprises have the budgets to employ. As work from home (WFH) and work from anywhere (WFA) remain the paradigm for many across the data/analytics field, they will require data protection and security solutions that can also protect them wherever they are.

In the coming year, The ideal cybercrime defense will be a layered defense that starts with a powerful password, and continues with Unbreakable Backup. As mentioned, backup has become today’s cyber criminals’ first target via ransomware and other malware. An Unbreakable Backup solution however can provide users with two of the most difficult hurdles for cyber criminals to overcome – immutable snapshots and object locking. Immutable snapshots are by default, write-once read-many (WORM) but in the coming year, sophisticated yet easy to manage features like encryption where the encryption keys are located in an entirely different location than the data backup copy(ies) will become standard. And then to further fortify the backup and thwart would be criminals in the coming year we will see users leveraging object locking, so that data cannot be deleted or overwritten for a fixed time period, or even indefinitely.

Brian Dunagan, Vice President of Engineering, Retrospect (www.retrospect.com):

1.)   Freedom and flexibility will become the mantra of virtually every data management professional in the coming year. In particular, data management professionals will seek data mobility solutions that are cloud-enabled and support data migration, data replication and data synchronization across mixed environments including disk, tape and cloud to maximize ROI by eliminating data silos. We will likewise see an uptick in solutions that support vendor-agnostic file replication and synchronization, are easily deployed and managed on non-proprietary servers and can transfer millions of files simultaneously – protecting data in transit to/from the cloud with SSL encryption.

2.)   Ransomware will remain a huge and relentlessly growing global threat, to high profile targets and to smaller SMBs and individuals as well. There are likely a few reasons for this continuing trend. Certainly, one is that today’s ransomware is attacking widely, rapidly, aggressively, and randomly – especially with ransomware as a service (RaaS) becoming increasingly prevalent, looking for any possible weakness in defense. The second is that SMBs do not typically have the technology or manpower budget as their enterprise counterparts.

While a strong security defense is indispensable, we will see that next year security leaders will ensure additional measures are taken. Their next step will be enabling the ability to detect anomalies as early as possible in order to remediate affected resources. Large enterprises, SMBs and individuals alike will need a backup target that allows them to lock backups for a designated time period. Many of the major cloud providers now support object locking, also referred to as Write-Once-Read-Many (WORM) storage or immutable storage. Users will leverage the ability to mark objects as locked for a designated period of time, and in doing so prevent them from being deleted or altered by any user – internal or external.

Justin McCarthy, co-founder and CTO, StrongDM

“In 2023 I believe we’ll see rebellion against systems that aren’t respectful with our time. Systems that generate ample noise and minimal signal. When it comes to the demands on our attention in 2023 and beyond, less is more.

Security technology is one area that has been requiring too much of our attention and energy for too long. It’s frustrating because there’s so much friction where it isn’t necessary. There’s a better way but consumers of security technology will have to demand it and developers and engineers have to work on it.

One small example: authentication. As we move into 2023 we’ll look to WebAuthN, Passkeys, and other passwordless systems to improve the user experience and reduce the burden on IT teams. That’s where we’ll really start to feel the difference. And with this feeling will come elevated expectations that then get transferred to every other aspect of our IT systems and security environments. Hopefully, it will push us to ask why it can’t be simplified?”

Richard Bird, Chief Security Officer, Traceable

1.) “In terms of trends we need to shine a light on, 2023 will be the year that the leaders in the majority of companies, organizations and agencies around the world wake up on any given morning and think, ‘Whoa, I have a security problem!’ As we close out 2022, most enterprises either don’t realize the size of the risk they currently face with their unsecured and largely unmanaged API ecosystem or they are willfully ignoring the risks by believing that API gateways and web application firewalls are protecting them. We should be very happy that the current state and maturity of API security affords us the opportunity to get it right in 2023. API security is a greenfield within most companies and organizations today, which means we are in a moment where we can choose tools, processes and frameworks that will deliver huge improvements in security and risk mitigation. The alternative, if we don’t capitalize on this moment, is that in 2024 and beyond API security tactics and performance will be dictated and demanded of us by regulators and we will no longer have the flexibility and agility to meet these challenges without the overhead of compliance pressures.”

2.) “2023 will be the break-out year for API security as a focus area for many of the Fortune 1000 companies. The lack of control, security and governance around APIs isn’t just exposing companies to serious risks, but also to massive amounts of operational inefficiencies caused by APIs being developed and deployed independently across multiple devops teams. This means that there are huge numbers of “zombie” APIs, abandoned, but never removed from a company’s systems. There are costly redundancies due to the inability for companies to enforce and inform DevSecOps on internal standards for API creation and deployment. Without visibility into the API ecosystem at a company, you can bet that money is being wasted on the creation of redundant APIs happening nearly every day. That redundancy comes at a cost, inefficiency isn’t free.”

3.) “In 2023, API security will drive realizations and revelations by enterprises that go beyond the threat and risks of APIs. API security is dependent on the discovery and collection of the APIs that a company is exposed to. Once organizations take that step, they quickly realize that the entire operational framework of their API management is problematic. There is very little in the form of standardization and governance for APIs in most companies, which means that there are huge amounts of inefficiency and costly redundancy across those same APIs. API security in 2023 will create a broader understanding of not only the risks a company is facing, but also the costly consequences of a broadly unmanaged function within their organizations.”

4.) “The pathway to self-awareness and self-learning about API security starts with taking a simple step; exercising intellectual honesty. API security and operations isn’t something new. It is an extension of the best practices that have always been demanded in the digital world. If you believe you don’t have an API security problem because you don’t use a lot of APIs or because you leverage an API gateway or web application firewall, you’re not being intellectually honest. Every day, in highly publicized events, the attack surface and vulnerabilities of APIs is being clearly communicated to the market. Believing that APIs won’t be opportunistically exploited by bad actors just isn’t supported by data, evidence and the history of technological evolution. The time to learn and move on API security is now, not two years from now when the seriousness of the risk is fully understood.”

Tyler Farrar, CISO, Exabeam

Nation-state attacks/geo-political matters:

“Nation-state actors will continue cyber operations in 2023; whether these attacks increase, decrease, or stay the same ultimately depends upon the strategic objectives of each campaign. Based on the current geopolitical climate, I think we can expect these cyberattacks to increase across the major players. For example, Russia’s failure in Ukraine exposed its weaknesses to the world, but its attacks are likely to continue against Ukraine, including operational disruption, cyber espionage, and disinformation campaigns. It would be unsurprising for the attacks to expand beyond Ukraine too, as Russia’s leader attempts to prove Russia is not weak. Likewise, cyber espionage is a key tactic in China’s strategy for global influence and territorial supremacy, and I think we can expect these operations to increase, particularly across private sector companies.

In 2023, state policies will directly influence cybercriminal and hacktivist communities to obfuscate sources and methods, increasingly blurring the lines between nation-states, cybercriminals, and hacktivists. Cybersecurity teams would be wise to remain flexible with respect to threat actor attribution.”

Impact of economics on security:

“The economic downturn, and in particular inflation, has – and will continue to have – a significant impact on security spend, likely forcing reductions and leveling impacts to  organizations and to threat actor behavior. The key to defense for these organizations is doubling down on cyber talent and security tools. Meanwhile, security organizations should aim to consolidate legacy technology platforms, decreasing redundant tooling, in addition to controlling cloud spend, to manage high operational costs and complex integrations.

I think this is a good time to remind organizations that zero trust is simply a security framework, not a tool. It is not a ‘single solution,’ but rather a framework used to secure data in a modern digital enterprise. Zero trust is also not overhyped, despite some opinions to the contrary. It has become a critical step towards mitigating cyber risk, detecting malicious behavior, and responding to security incidents. By requiring users and devices to be authenticated, authorized, and continuously monitored for a ‘trusted’ security posture before access is granted, zero trust can contain threats and limit business impacts when a breach does occur.”

Credential-based attacks and evolving threats:

“We’ve seen the classic Cat and Mouse Game before: as credential-based attacks evolve, so too do cyber defenses. Threat actors will continue to leverage tried and true methods like social engineering, initial access brokers, and information stealer tools to carry out their objectives. Where multi-factor authentication stands in the way of compromising an account with stolen credentials, we can expect cyberthreat actors to implement new techniques to bypass this particular layer of defense. I think this will lead to an expansion of passwordless authentication solutions, to combat the attackers.

We can also expect to see more malicious attacks, as anyone can play this game. A broader set of threat actors will join in to conduct cyber operations in 2023. They have financial motivation, government mandates to justify their cause, not to mention bragging rights that increasingly attract a younger group of threat actors.”

Protecting brand as much as infrastructure:

“During the past year, we witnessed several high-profile breaches, where organizations suffered severe brand damage. This resulted in a shift from data recovery to reputation management when faced with a ransom. I expect to see threat actors shift their strategies to exploit this fear through extortion vs. ransomware in the year ahead.

Further, threat actors will continue to take advantage of weaknesses in the software supply chain, which will become the number one threat vector in 2023. Organizations should create a vendor risk management plan, thoroughly vet third-parties and require accountability, to remain vigilant and align to cybersecurity best practices. This is critical too, as cyber insurance claims have exploded. We can expect to see insurance companies lowering their risk appetite and reducing client coverage in 2023. If your organization is in the market for a policy, expect to pay a hefty premium, or face a rigorous review of the organization’s security posture, as insurance companies increase their due diligence to avoid liability.”

Arti Raman, CEO and founder, Titaniam

“In 2022, we saw a continuous flood of ransomware attacks, which spawned the increasing adoption of Ransomware as a Service (RaaS). The threat actors behind these attacks have honed their skills in ransom negotiations and extortion processes, creating a playbook they can use to go after nearly any organization. Because of this, the number of ransomware attacks we’ll see in 2023 will only continue to rise and move downstream.

To combat these attacks, organizations in 2021 and 2022 heavily invested in prevention, detection and backup technology. However, in 2023 that may not be enough. As threat actors get more creative and innovative with their malicious attacks, data security professionals also need to embrace newer, more innovative and effective technologies to defend their systems.

In fact, a recent report found that more than 99% of security professionals are searching for better data protection tools to protect themselves from ransomware and extortion. Similarly, 70% of participants in a different report indicated they experienced data theft at some point during the previous 12 months. Of those respondents, 98.6% believe a more modern data security solution could have prevented their data theft.

While no prevention technology can guarantee 100% protection, new technology must focus on assumed breach concepts and providing more guardrails. By analyzing what made successful breaches successful, we as a cybersecurity community can take the first step toward a technological shift that will revolutionize how we fight back against ransomware.”

Gal Helemski, CTO and co-founder, PlainID

“In 2023, identity-first security will gain more focus and adoption. Already we see increasing growth in the identity space as the importance of identity as the new security perimeter is sinking in. Identity solutions would expand their support, especially in the cloud, and provide deeper levels of control. An essential part of that would be understanding Authorizations and the link between the identity world and the security of data and digital assets.

Authorization manages and controls the identities’ connection to digital assets (such as data). That is a fundamental part of identity-first security. It starts with the authenticated identity and continues with the controlled process of what that identity can access. Full implementation of identity-first security can’t be achieved without an advanced authorization solution that can address all required technology patterns of applications, APIs, microservices and data.

I believe most security leaders are still focused on the perimeter of their digital enterprise, which needs to change. Identity-first security can’t end at the gate. Identities and their access should be verified and controlled on all levels, access points, network, applications, services, APIs, data and infrastructure.

Already we are seeing that an increasing number of technologies and cloud vendors are offering the policy option in addition to the traditional entitlement and role-based method. This is a very positive step towards simplification of this challenging space.“

Jeff Sizemore, Chief Governance Officer, Egnyte

“Secure data enclaves will drive infrastructure spending in 2023 as companies understand how to better manage their content amid increasing cyber threats. Much like a safe or vault, secure enclaves allow organizations to protect their highly sensitive data – such as intellectual property, Controlled Unclassified Information (CUI) and Personally Identifiable Information (PII) – in a controlled environment where authorized users can collaborate. In a world where not all data is created equal, I anticipate that we will see increased adoption of secure enclaves across business disciplines in the new year, enabling organizations to handle their sensitive content more effectively.”

Prashanth Nanjundappa, VP, product development, Progress

“As organizations look ahead to 2023, automation will be a priority in maximizing shifting left principles and maintaining high security standards. Building strong, secure products throughout the software development life cycle requires continuous security integration in the delivery pipeline. Silos between developer, business development and testing teams have historically created gaps in the feedback loops leading to a slower product rollout. However, with the increased adoption of DevSecOps principles for continuous testing and deployment, teams across all business units will begin to codify their shift left practices with automation and increase communication in an effort to reduce failure. We can expect to see how such automation will further accelerate the adoption of DevSecOps. Compliance automation tools will play a key role in strengthening security and compliance policies across applications and infrastructure.”

Kathryn Kun, director of information security, Forter

“Every year we talk about how we see the sky is going to fall. This year, I want to talk about how we are going to help hold it up. Instead of predictions, I want to focus on what we hope to learn from and grow towards as an industry.

I hope we can support a focus in engineering for the safety of people  beyond our end users. I hope we can work towards a broader definition of security beyond controlling data and access, to ensuring that our choices keep the people represented by that data safe. All of our interconnections are not vulnerability to be avoided, but technical systems reflecting social and political reality, and that complexity is also strength and opportunity.

I hope we can build processes for ourselves and our colleagues that will be a source of calm support in times of crisis and change. The security profession is well placed to handle complexity and help support our colleagues and our businesses through surprises. Turbulent waters are what all of our skills and predictions and warnings are for, and our place is to ensure reliable performance within an ever-changing environment.

I hope we can be a source of trusted advice to our colleagues across the business, and live up to the responsibility of bringing specialized technical knowledge into useful and usable reach for our wider teams.

I hope we can make more tools more useful and visible to non-security audiences. We have learned and understand a lot about reliability and trust, and I want to scale those understandings and share them with decision makers from junior engineers to executives.”