Sensitive data discovery features prominently among new project plans; container security leads new spending

Our Information Security, Technology Roadmap 2023 study examines adoption, or plans for adoption, of various information security technologies and services, as well as spending plans for implemented security technologies.

The Take

Information security managers are moving in multiple directions at once as funding for security continues to improve despite spending constraints elsewhere, and as project schedules get back on track following the disruptive rush to enable and secure remote work during the pandemic. They are rethinking security architecture in the wake of what is increasingly a hybrid work model (both remote and in-office) at scale, and the continued focus on zero-trust network access reflects that architectural shift. They are reckoning with the increased security requirements of operating in the cloud, including expanding funding for container security products. Security operations remains an issue with increasing help from managed security services, and if implementing and fully leveraging machine learning was a challenge, generative AI is around the corner as a potentially disruptive but assistive technology.

Summary of findings

Sensitive data discovery and classification is the top-cited security technology that security managers plan to implement in the next 12 months.

This tooling enables the first steps in most data security programs: identifying potentially sensitive data, including data subject to regulatory requirements, and classifying data based on sensitivity or vulnerability. A related technology, data loss prevention (DLP), while certainly not new, also appears in 41% of security managers’ implementation plans.

Zero-trust network access is part of 43% of surveyed security leaders’ plans this year. From 2020 and beyond we have seen the greatest “at scale” test of remote work to date, and security managers largely found in 2020 that VPN architectures designed for wide access to corporate resources fell short in implementing a least-privilege approach to remote connectivity. Direct connections to applications with finer-grained access is an approach more aligned with IT architecture today, which goes beyond the traditional datacenter hosting models that were in place when VPN became a popular solution for remote access.

Container and Kubernetes security features prominently among implemented security technologies that will see increased funding. Forty-one percent of enterprises with products in place to secure containers and/or container orchestration will significantly increase spending on these solutions in 2023. This can involve the discovery and scanning of containers for misconfigurations, exposed secrets and security vulnerabilities, as well as identifying misconfigurations in orchestration platforms.

Third-party risk management also shows up in more than 40% of security managers’ plans this year. While this category is wide-ranging in terms of the tools that support it, prominent third-party incidents in the past few years have led security managers to consider how they identify and prioritize the remediation of risk among the technology supplier networks they depend on.

Software supply chain security (SSCS) and software composition analysis also feature in more than 40% of surveyed security managers’ plans. Not all enterprises have serious application development disciplines in place, which suggests that the percentage of implementation is much higher among enterprises that do. Both areas touch on open-source security, the importance of which was highlighted by the late 2021 discovery of a vulnerability in the widely used Apache Log4j. The definition of SSCS is evolving to encompass the aforementioned open-source security concerns, the integrity of code as it moves though developer pipelines, and the security of developer and DevOps toolchains themselves.

A Primer on Decentralized Digital Identity

Want insights on Infosec trends delivered to your inbox? Join the 451 Alliance.