2023 #CISOPredicts: Jonathan Jaffe, CISO at Lemonade Insurance
Members of Silicon Valley CISO Investments (SVCI) offer their take on the challenges and trends that will shape 2023.
As Chief Information Security Officers (CISOs) across industries including tech, insurance, and retail, we have the benefit of sharing (and comparing) our perspectives on a variety of hot-button issues. As members of Silicon Valley CISO Investments (SVCI), we also get a front seat to the most recent cybersecurity innovations by advising and investing in the next generation of startups—and using our decades of expertise to help them thrive.
From where we sit in the C-suite, here’s our take on the trends and challenges that will shape 2023:
CISO, Lemonade Insurance
API exploits will be the new black
2021 was about business communication exploits (phishing, smishing, etc.). 2022 was the year of supply-chain attacks. In the spirit of keeping headlines exciting, 2023 will be about API exploits.
All new applications consist of microservices, and monolithic applications are being refactored into them as well. Microservices talk to one another through APIs. A typical company now has hundreds of APIs. Soon, it will be thousands. Additionally, business partnerships increasingly depend upon exposing APIs to one another over the internet. APIs are already ubiquitous, and the sprawl is increasing.
Managing APIs becomes harder as they proliferate. Securing them is harder still. Because of their relative newness, they are not battle-hardened. Where network and OS security are commodities, we don't have decades of experience protecting APIs. The most inventive exploits have yet to happen. That time is coming, and soon.
Because API exploits have little history, and because of the pressure to develop more APIs more quickly, developers aren't pressed to secure them and don’t have the knowledge to do so. Similarly, security leaders struggle to make the case for introducing API security products and processes because doing so might interfere with development speed and application performance.
APIs give attackers the reach to grab the brass rings of data exfiltration, data corruption, and denial of service, the dominant methods they use to enrich themselves. We’re already seeing how easy it is to get an internal API to cough up data to an external hacker. In our immature world of API security, it takes almost nothing to dump a database of millions of consumer records, and then extort bags of money from the victim.
All of this will culminate in the year of API exploitation. My guess is: 2023 will show us that API-related security breaches compete with, or even surpass, supply-chain attacks. API exploits will be the new black.