CISOs don’t need a crystal ball: they already know that 2024 will be another tough year, especially with AI on everyone’s mind. Instead of playing catch-up on the security of emerging technology such as generative AI, organizations will prioritize investment in proactive cybersecurity measures to get ahead of the coming wave.
CISOs will employ AI and automation to defend against increasingly complex data threats, which are themselves driven by AI-enabled cybercrime-as-a-service and persistent nation-state activity.
Automation within digital operations will become a critical game changer because it supports incident responders in making the right decision quickly while under pressure. The right automation tooling will transform security processes and reduce the amount of human error in reacting to new IT incidents at pace and at scale in the new year.
Here are some of the risks and opportunities CISOs can expect to manage over the course of 2024.
Big incidents will be BIG
High-visibility attacks will continue to be rare, but when they occur, they will be major news, with massive implications for customers and even wider society, depending on the organization affected.
Rather than the indiscriminate “spray-and-pray” attacks we used to be so afraid of, bad actors will shift their attention to building sophisticated campaigns against high-value targets that are more financially rewarding for them. These types of attacks will require a much higher level of maturity on the defender’s side to prevent, detect and recover from.
Once again, it will be AI power and automation at scale that will allow criminals to fine-tune approaches and methodically work through every potential vulnerability across organizational infrastructure and the human staffing element.
Customer support-focused phishing
Because AI-driven phishing is more effective and because customer support teams work under conflicting goals (keep customers happy, maintain security discipline), those teams will increasingly be the first target of compromise in a broader data-theft or ransomware attack.
Social media scams will expand
Social media scams will soon be made that much smarter through AI-driven presentation and language personalization – not to mention easier and cheaper for attackers to launch, manage, and tailor.
Making phishing perfect
The sophistication and quality of AI-driven social media attacks will make its way into the phishing world and will allow bad actors to extend their spear phishing techniques to anyone, not just the senior executives.
This will allow sophisticated attacks against lower-level employees, and we’ll likely see them become the primary target of land-and-expand APT attacks.
A refocus on endpoint security
As we come to terms with the impact of work from anywhere, and the difficulty in addressing AI-enhanced phishing attacks, the endpoint becomes once again front and center as a technical control point.
Organizations will renew their interest and deployment of secure endpoints, including endpoint lockdown, secure configuration, and endpoint-level data-leak protection. Those that don’t will swiftly see the error of their ways as risks increase and the need for control becomes priority number one.
SEC cybersecurity regulations will cause headaches
Companies that must report through the new US mechanisms will have a rough time, as they are still working out what to expect from the SEC itself in terms of oversight and investigation in response to Form 8-K filings.
Vendors will struggle as customers with an SEC reporting responsibility increase their demands on vendors’ own incident reporting and try to fold vendors into the customer’s reporting obligations – all part of the joys of a security-informed supply chain.
Those organizations with the best trust management awareness of their security and regulatory compliance status will be well positioned to move faster with sales, acquisitions, and reporting. Those who have their “stuff” together will be able to react to multiple demands and reap the benefits much more quickly, which will affect where businesses choose to spend their money.
Cyber insurance will continue to be a tax without a pay-off
Cyber insurance continues to be hard to get, harder to retain and bears an unclear ROI. Large organizations will aim to keep it because of their contractual obligations, but it will offer a small return on investment.
Rather than seeing cyber insurers step up to the plate to provide effective guidance on security controls to protect a company, we will continue to rely on guidance from DHS/CISA, GCHQ/NCSC and other trusted government agencies with oversight and mandates for national and global cybersecurity.
Digital identity solutions will be needed
As widespread AI-driven hiring scams – either fake companies masquerading as real ones, or with AI masquerading as potential employees – continue, we will see a resurgence of the identity-proofing concerns and solutions that industry struggled with in the early 2000s. Truly verifying an individual’s identity will become a much more involved and AI-mediated process.
Giant companies such as Amazon, Google and Microsoft will use their deep knowledge of who-is-who to provide identity verification, perhaps finally allowing individuals to see value in handing all their private information over to large, powerful firms.
CISOs will continue to struggle with growing responsibilities
Expect more studies and examples of CISOs leaving their roles because of stress, fatigue and mental and physical health issues.
Even with continued calls for a seat at the table, and the focus of the SEC on a company’s cybersecurity risk, the model of CISO as accountable for everything and responsible for nothing will continue and will put companies at risk unless they change their roles and responsibilities.
2024 – a year like any other – just more so
All in all, 2024 is likely to bring surprises more in how threats materialize in sophistication, pace, and scale than in their type. The well-prepared CISO should be formulating business plans that account for an AI-threatened and AI-defended future.