As 2023 draws to a close, it’s time to revisit the cybersecurity predictions we made last year. Our previous blog outlined sixteen 2023 cybersecurity predictions. The predictions were based on prevailing data security trends at the time, spanning regulatory changes, cloud adoption, and security strategies. Let’s take a retrospective look to see where our forecasts hit the mark. More importantly where the industry took us by surprise. This will not only reflect the precision of our foresight, but also offer insights into the current state.
2023 Cybersecurity Prediction Evaluation Method
We based our predictions on a blend of industry trends and the expert insights from the Symmetry team. To evaluate their accuracy, I have scoured internal data, the latest analyst reports, other well respected vendor reports, and analyzed regulatory developments. With each prediction, I’ve provided an assessment that indicates whether the prediction was accurate, partially met, or missed. For some longer term predictions, we assess whether our confidence level has increased, decreased or remains unchanged.
The #TLDR
In hindsight, we haven’t done too badly at all. Of the 8 predictions ending in 2023, 4 were validated as accurate, and 3 were partially met. Only 1 of 8 was a complete miss. Based on the confidence levels, we expected to get 5 correct.
| Prediction | Timeframe | Confidence Level | Assessment |
| Prediction 1: By December 2023, 20% of CISO’s will include a specific line item for data security in their strategy and budgets that includes headcount and technology. | 2023 | 73% | Partial |
| Prediction 2: Through 2023, internationally recognized security regulatory and compliance requirements will formalize definitions of Zero Trust that extends to data (“Zero Trust for Data” to ensure least privilege is continually assessed). | 2023 | 58% | Partial |
| Prediction 3: Through December 2024, the percentage of organizations that trust their security staff to maintain a strong security posture from less than half (45%) to over 60% as business awareness and engagement increases, and confidence increases in their ability to secure data in the cloud. | 2023 | 65% | Confidence Level Decreased |
| Prediction 4: By December 2023, the concepts of data blast radius and quantifiable data breach exposure will be used in over 20% of public data breach notifications. | 2023 | 55% | Missed |
| Prediction 5: By December 2024, cyber insurers will no longer rely on insured declarations alone to estimate the impact of potential losses, and use tools to aggregate potential losses based on quantifiable data breach exposure or data blast radius per user. | 2024 | 50% | Confidence Level Decreased |
| Prediction 6: Through 2023, organizations will increasingly look and invest in tools that reduce the potential for data leakage; rather than solely detecting leakage of data, resulting in a 10% reduction of spend in traditional enterprise DLP tools. | 2023 | 68% | Partial |
| Prediction 7: Through 2023, regulations like SEC rule 206 (4) – 9 will encourage radical transparency – resulting in a 20% decrease in the lag time between disclosure of a breach and preliminary analysis of the impact to customers. | 2023 | 56% | Accurate |
| Prediction 8: Through 2023, organizations fined by one international privacy regulator will be fined again by at least two other international privacy regulators for the same issue. US states will start to adopt similar approaches as modern data privacy laws expand across US states. | 2023 | 57% | Accurate |
| Prediction 9: By June 2024, at least one large organization will be fined by a corporate regulator for their ongoing poor data governance and inability to demonstrate understanding of where their data is and how it is secured. | 2024 | 66% | Accurate |
| Prediction 10: By December 2023, 70% of organizations with one cloud deployment will deploy on a second cloud environment. | 2023 | 67% | Accurate |
| Prediction 11: Through December 2023, the approaches and standards for permissions management will continue to deviate for each cloud, resulting in a 30% increase in cloud identity and entitlement management usage to manage permissions at the user and data object level. | 2023 | 76% | Accurate |
| Prediction 12: Through December 2024, CISO’s that have adopted vendor consolidation approaches will look to layer in additional best of breed solutions as standalone vendors adopt more open interfaces. | 2024 | 69% | Confidence Level Decreased |
| Prediction 13: By 2025, data security posture management (DSPM) vendors that offer solely a static analysis of permissions on data objects will fail as cloud security posture management (CSPM) vendors and other vendors add these capabilities to their platforms. | 2025 | 72% | Confidence Level Increased |
| Prediction 14: By 2028, adjacent markets for cloud security posture management (CSPM), cloud infrastructure entitlement management, and data security posture management (DSPM) will blur with platform vendors offering capabilities that meet the infrastructure, data and identity needs on a single platform. | 2028 | 76% | Confidence Level Increased |
| Prediction 15: By December 2024, privileged access management and identity governance and administration tools will consider security posture into policy decisions when granting privileged access and assessing ongoing need for permissions. | 2024 | 62% | Confidence Level Decreased |
| Prediction 16: By December 2024, All market leading identity providers will have acquired or invested in both a data security posture management (DSPM) solution, and a cloud infrastructure entitlement management solution. | 2024 | 74% | Confidence Level Increased |
Prediction-by-Prediction Analysis
Prediction 1: By December 2023, 20% of CISO’s will include a specific line item for data security in their strategy and budgets that includes headcount and technology. Confidence Level: 73%
The market for data security has certainly matured in the last 12 months. There has been dramatic increase in budgets ande demand for data security platforms and purchase of DSPM products like ours. However the economic conditions have hampered CISO budgets, particularly around growth in headcount. A recent analysis of LinkedIn Job ads shows just over 150 data security specific roles.
Our Assessment: Partial
Prediction 2: Through 2023, internationally recognized security regulatory and compliance requirements will formalize definitions of Zero Trust that extends to data (“Zero Trust for Data” to ensure least privilege is continually assessed). Confidence Level: 58%
CISA, DISA and the DOD all have robust definitions and considerations for data within their Zero Trust models. These definitions have now been mandated for federal agencies to comply with. Unfortunately regulatory and compliance requirements outside of the US federal market have not followed suit. At least not in the timeframe we expected in our original cybersecurity prediction.
Our Assessment: Partial
Prediction 3: Through December 2024, the percentage of organizations that trust their security staff to maintain a strong security posture from less than half (45%) to over 60% as business awareness and engagement increases, and confidence increases in their ability to secure data in the cloud. Confidence Level: 65%
Sadly we couldn’t find any data to support our 2023 cybersecurity prediction. The intense and sometimes misleading media coverage of high profile incidents has certainly not helped. It has more likely resulted in an industry wide decrease of confidence and trust in security staff. Despite this industry wide decline in confidence, feedback from our customers indicates that their stakeholders are more confident in the cloud controls. This is only possible by providing fine grained visibility into the location and security posture of the organization’s data,
Our Assessment: Confidence Level Decreased
Prediction 4: By December 2023, the concepts of data blast radius and quantifiable data breach exposure will be used in over 20% of public data breach notifications. Confidence Level: 55%
We have yet to see wide spread adoption in breach notifications. This may change in the future, as requirements to disclose incidents that jeopardize the confidentiality, integrity and availability of information come into play. Particularly with SEC rules requiring disclosure of material incidents from December 2023. In the mean time, we have seen term data blast radius grow in usage amongst our competitors.
Our Assessment: Missed
Prediction 5: By December 2024, cyber insurers will no longer rely on insured declarations alone to estimate the impact of potential losses, and use tools to aggregate potential losses based on quantifiable data breach exposure or data blast radius per user. Confidence Level: 50%
We are still optimistic that we will still see insurers start to look at this problem from the data out. It is clear that right now insurers are under pressure and are looking for ways to reduce their payouts cost effectively. As a result, we expect they may instead build incentives and penalties to drive use of data security posture tools.
Confidence Level Decreased
Prediction 6: Through 2023, organizations will increasingly look and invest in tools that reduce the potential for data leakage; rather than solely detecting leakage of data, resulting in a 10% reduction of spend in traditional enterprise DLP tools. Confidence Level: 68%
The dramatic increase in budgets for data security platforms has been noted above. Unfortunately we struggled to find any hard data to support the 2023 cybersecurity prediction of a decrease in DLP budgets as a result. There is however a lot of anecdotal evidence indicating that enterprise DLP vendors are offering substantial price decreases to ward off competition, including DLP features built into products.
Our Assessment: Partial
Prediction 7: Through 2023, regulations like SEC rule 106 (4) – 9 will encourage radical transparency – resulting in 20% decrease in the lag time between disclosure of a breach and preliminary analysis of the impact to customers. Confidence Level: 56%
The final SEC rules requires disclosure of material incidents within 4 days. Organizations in scope must comply with this requirement enforced from December 2023. This represents a long delay from when we originally anticipated this. Organizations are ramping up for these requirements. Regardless of timing we’ve already seen a substantial decrease in time before disclosure. Unfortunately a lot of this has not been under the control of the organizations themselves. The Mandiant M-Trends 2023 Report highlights that “Organizations were notified of breaches by external entities in 63% of incidents compared to 47% in M-Trends 2022”. This increase is unfortunately partly as a result of an increase in Adversary Notification – notably related to Ransomware. Not the radical transparency we were hoping for.
Our Assessment: Accurate
Prediction 8: Through 2023, organizations fined by one international privacy regulator will be fined again by at least two other international privacy regulators for the same issue. US states will start to adopt similar approaches as modern data privacy laws expand across US states. Confidence Level: 57%
This prediction continues to play out in Europe. More importantly, we are also seeing signs of it within US states, as evidenced by the news that Meta is being sued by multiple states for harming young people’s mental health.
Our Assessment: Accurate
Prediction 9: By June 2024, at least one large organization will be fined by a corporate regulator for their ongoing poor data governance and inability to demonstrate understanding of where their data is and how it is secured. Confidence Level: 66%
The investigation kicked off as a result of a data breach, but it is pretty clear from the consent order against Drizly, that the issues stemmed from a failure to keep track of their data. Notably a substantial amount of the enforcement actions focus on data governance and in particular, data minimization of data. Given this we feel that this cybersecurity prediction feelsspot on!
Our Assessment: Accurate
Prediction 10: By December 2023, 70% of organizations with one cloud deployment will deploy on a second cloud environment. Confidence Level: 67%
According to PluralSight, State of Cloud 2023, “More than 65% of organizations currently operate within multi-cloud environments, with 20% saying they’re actively pursuing an additional cloud platform for their cloud environment”. The report published in June, so we can safely claim this as an accurate 2023 cybersecurity prediction.
Our Assessment: Accurate
Prediction 11: Through December 2023, the approaches and standards for permissions management will continue to deviate for each cloud, resulting in a 30% increase in cloud identity and entitlement management usage to manage permissions at the user and data object level. Confidence Level: 76%
Oracle wants to wrap some standarization around how permissions policies are enforced, regardless of the location of the data in a cloud environment. They are yet to see any adoption amongst other players. Unsurprising then that the CIEM market continues to grow. KuppingerCole analysts estimate the Compound Annual Growth Rate for this market at 36.9% to 2025.
Our Assessment: Accurate
Prediction 12: Through December 2024, CISO’s that have adopted vendor consolidation approaches will look to layer in additional best of breed solutions as standalone vendors adopt more open interfaces. Confidence Level: 69%
The age old dilemma on whether to pursue vendor consolidation or best-of-breed solutions continues. It appears to have shifted in favor of vendor consolidation in the current economic environment, but the enduring nature of this dilemma will undoubtedly play out in coming years. A key factor to consider is the concept of data gravity, where data’s mass and complexity will influence decisions. Organizations with centralized data may pursue interoperable best-of-breed solutions to avoid data migration cost complexities, while those with a distributed data and technology footprint may lean towards vendor consolidation for simplicity. Evidence shows that it is perhaps too ambitious to bank on this happening by December 2024 for all CISO’s who have consolidated vendors.
Our Assessment: Confidence Level Decreased
Prediction 13: By 2025, data security posture management (DSPM) vendors that offer solely a static analysis of permissions on data objects will fail as cloud security posture management (CSPM) vendors and other vendors add these capabilities to their platforms. Confidence Level: 72%
Cloud security posture management (CSPM) and other vendors have quickly incorporated data classification capabilities and launched “DSPM products” to take advantage of the emergence of DSPM on the Gartner hype cycle. As a result, it it clear that DSPM vendors that lack features beyond data classification are struggling. Unable to compete, they will inevitably fail. The larger vendors are also realizing that DSPM is more than just data classification. As a result, they have kickstarted a wave of acquistions by larger players seeking these differentiating capabilities. The data security landscape is clearly in flux. Organizations increasingly value comprehensive solutions that encompass more than data classification, setting the stage for further evolution in this field.
Our Assessment: Confidence Level Increased
Prediction 14: By 2028, adjacent markets for cloud security posture management (CSPM), cloud infrastructure entitlement management, and data security posture management (DSPM) will blur with platform vendors offering capabilities that meet the infrastructure, data and identity needs on a single platform. Confidence Level: 76%
As we’ve seen with the line between CSPM and DSPM being eroded through both marketing and the products, the attractiveness of adjacent markets is too powerful to resist. It is clear that these markets will blur. The end result may well be XSPM – because everyone loves an acronym.
Our Assessment: Confidence Level Increased
Prediction 15: By December 2024, privileged access management and identity governance and administration tools will consider security posture into policy decisions when granting privileged access and assessing ongoing need for permissions. Confidence Level: 62%
While this remains a great goal, the impetus to build these integrations has not been driven by customers, or influenced by industry analysts, as a result, we’ve identified no GA integrations from data security posture tools into PAM or IGA tools
Our Assessment: Confidence Level Decreased
Prediction 16: By December 2024, All market leading identity providers will have acquired or invested in both a data security posture management (DSPM) solution, and a cloud infrastructure entitlement management solution. Confidence Level: 74%
This was an easier prediction to assess the accuracy of. Taking the five leaders in the 2022 Gartner® Magic Quadrant™ for Access Management, three (60%) have made investments in a DSPM vendor, while one (20%) has made an investment in an CIEM vendor, and another (20%) has made an acquisition of CIEM. It is fair to say that this production looks on track to come true by December 2024.
Our Assessment: Confidence Level Increased
Reflection and Next Steps
Reflecting on these predictions allows us to appreciate the dynamic nature of cybersecurity. Regardless of the outcome, each 2023 cybersecurity prediction has contributed to our understanding of the industry’s trajectory. As we look towards the future, we will continue to share our insights, helping organizations navigate the ever-evolving landscape of data security.
