In a recent debate hosted by Sounil Yu on cybersecurity predictions for 2023, security leaders Kelly Shortridge, Fernando Montenegro, and Claude Mandy disagreed on plenty. But one prediction, from Sounil himself, drew near-total agreement: in 2023, security leaders will give up on users as a line of defense.
Sounil told the panel, “My prediction is that we basically give up on the user as a line of defense. I think the fact that a lot of us counted on things like MFA to be phishing resistant, only to realize that attackers will find some clever way to still trick the user. And over 2023, I think we, in the security industry, are just going to design our security controls to not rely upon the user at all as a control.”
This is not to say that end-user security awareness isn't important, but that CISOs and other security leaders will no longer be able to rely on end users as a final line of defense, or as scapegoats, in the event of a breach.
MFA and phishing simulations are ‘a crutch’
Sounil pointed out that the undermining of MFA as a security control (in part due to the Twilio and Uber breaches in 2022) is a big reason he believes security teams will rely less and less on users. Beyond MFA, Sounil argued that other user-focused security controls are either fragile or useless, one example being phishing simulations as a training and reporting mechanism:
A lot of us hate phishing simulations, right? And many of us in security don't feel like it's a really effective control either. So why do we keep doing it, especially when we have potentially better options to just take the user completely out of the equation?... Because it's a crutch. We're using it as a crutch, thinking that we could potentially have the user be our line of defense. But, you know, there are days when we fail as security professionals too, right?
The rise of security awareness and CISO accountability
When did users become ‘security controls’ anyway?
Kelly Shortridge, author of Security Chaos Engineering and Senior Principal Product Technologist at Fastly, pointed out the correlation between CISO accountability to the board and the rise of security awareness as a control measure:
When I started to go back and look at the rise of security awareness training, it's very correlated to when CISOs started being held accountable by the board. It's a lot easier if you're being interrogated by the board, to say, ‘Well, it's these employees, they just don't understand the security, it's the employees fault.’
If you say, well, it's on the users to do this, then you are shifting the accountability. Right? I think it's a very clever strategy for CYA. So I think ‘gives up’ is going to be accurate because CISOs are realizing they can't shove things onto the user.
Like my view is the users are the victims and we're now blaming the victims. It's just it's messed up.
In 2023, building robust security programs is the only real solution
Fernando Montenegro, Senior Principal Analyst at Omdia, clarified his opinion on Sounil’s prediction, stating that he’s a bit more optimistic about the role of users in a security program:
I don't know if it is that security gives up on the user as a line of defense, or if it is that security understands the role of the user in security architecture. I'll be positive here. If security understands that the user is fallible, that the user is subject to human things like they're bored, they're tired… so the organization ‘gives up’ on the user only in the sense that it doesn't necessarily depend on the user.
Claude Mandy, Chief Evangelist of Data Security at Symmetry Systems, agreed:
I'm going to propose a little tweak to your prediction, Sounil. What I think the problem is security sees the user sometimes as the only line of defense. Like there's literally only the password and an MFA and the user between that and boom. If that's your security model to protect your data, that's probably not the right place to start.
So what should security leaders do in anticipation of this trend? Build a security program that does not depend on users as a primary security control. Security awareness, user accountability, and basic controls like MFA are still needed, but on their own they will become far less effective: a control that only works when the user makes the right call is a control an attacker can route around by tricking the user.
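To make the point concrete, here is an added simulation (not code from the article or from any of the panelists) of an adversary-in-the-middle phishing relay against two second factors: a TOTP code, and a WebAuthn-style assertion that the browser binds to the origin it is actually talking to. The origins, the credential key and the HMAC stand-in for the authenticator's signature are assumptions of the example; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import json
import struct

# Constructed origins for the simulation (assumed, not from the article).
REAL_ORIGIN = "https://login.example"
PHISH_ORIGIN = "https://login-example.net"   # look-alike the user does not notice


# ---- Second factor 1: TOTP (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1, 30 s step) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    return hotp(secret, now // step)


def totp_server_verify(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Accept the current window and the previous one (a normal clock-skew allowance)."""
    return any(hmac.compare_digest(code, hotp(secret, now // step - d)) for d in (0, 1))


def totp_aitm_phish(secret: bytes, now: int) -> bool:
    """The user types the code from their app into the phishing page; the attacker
    relays it to the real service a few seconds later. Nothing in the code says
    which site it was typed into, so the relay is accepted."""
    code_typed_on_phish_page = totp(secret, now)
    return totp_server_verify(secret, code_typed_on_phish_page, now + 5)


# ---- Second factor 2: origin-bound assertion, WebAuthn style ----
# Simplification (assumed): the authenticator "signs" with an HMAC keyed by a
# per-credential secret the relying party also holds. Real WebAuthn uses an
# asymmetric key pair; the property exercised here, that the signature covers
# the origin the browser saw, is the same.

def browser_get_assertion(cred_key: bytes, challenge: str, page_origin: str) -> dict:
    """The browser, not the user, fills in clientData.origin with the origin of the
    page that called navigator.credentials.get(); the authenticator signs over it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()
    return {"clientData": client_data, "signature": sig}


def rp_verify_assertion(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them: type and
    origin, then challenge, then the signature over the client data."""
    data = json.loads(assertion["clientData"])
    if data.get("type") != "webauthn.get" or data.get("origin") != REAL_ORIGIN:
        return False
    if data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(cred_key, assertion["clientData"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def webauthn_aitm_phish(cred_key: bytes, challenge: str) -> bool:
    """Attacker fetches a real challenge, serves it from the phishing origin and
    relays whatever comes back verbatim. Rejected: clientData.origin is wrong."""
    assertion = browser_get_assertion(cred_key, challenge, PHISH_ORIGIN)
    return rp_verify_assertion(cred_key, challenge, assertion)


def webauthn_aitm_phish_tampered(cred_key: bytes, challenge: str) -> bool:
    """Attacker rewrites the origin to the real one before relaying.
    Rejected: the signature no longer matches the edited client data."""
    assertion = browser_get_assertion(cred_key, challenge, PHISH_ORIGIN)
    data = json.loads(assertion["clientData"])
    data["origin"] = REAL_ORIGIN
    assertion["clientData"] = json.dumps(data, sort_keys=True).encode()
    return rp_verify_assertion(cred_key, challenge, assertion)


def webauthn_legit(cred_key: bytes, challenge: str) -> bool:
    """The same user, on the real site: accepted."""
    return rp_verify_assertion(cred_key, challenge,
                               browser_get_assertion(cred_key, challenge, REAL_ORIGIN))


if __name__ == "__main__":
    secret, cred_key, now = b"12345678901234567890", b"credential-secret", 1_700_000_000
    print("TOTP code survives AitM relay:      ", totp_aitm_phish(secret, now))        # True
    print("WebAuthn assertion survives relay:  ", webauthn_aitm_phish(cred_key, "c1"))  # False
    print("...even with the origin rewritten:  ", webauthn_aitm_phish_tampered(cred_key, "c1"))  # False
```

Run it and the relayed TOTP code is accepted while the relayed assertion is rejected, regardless of which domain the user believed they were on. In a real browser the phishing page could not even call `navigator.credentials.get()` for the legitimate site's RP ID, so the failure happens earlier than shown here; the relying-party origin check is the backstop the spec requires. The difference is not user vigilance: the browser supplies the origin and the authenticator signs over it, which is what designing a control that does not rely on the user looks like in practice.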
More than a dozen additional predictions for 2023
This panel debated more than a dozen 2023 security predictions, which you can explore by watching the panel or reading the transcript.