
What is the Strategy for Future-Proofing Cybersecurity Given Current Trends in 2024?

by The Delta News

Generative AI is the technology of the moment and the future, but cybersecurity leaders have yet to truly put it to work. It’s difficult to identify “best practices,” when so many are grasping at “new practices” that haven’t yet been proven to deliver outcomes and ROI.

Vendors are increasingly making overtures and promises around AI’s benefits — fostering innovation, offering gains in speed and productivity — but the revolutionary technology has yet to offer real viability when it comes to cybersecurity.

Gartner predicts, however, that 2024 will be the year gen AI-driven security products finally emerge, and that 2025 will see those tools delivering real risk-management outcomes.

This prediction is one of Gartner's top cybersecurity trends for 2024; the others are explored below.

CISOs are both skeptical and hopeful about Generative AI

CISOs are concerned about how to enable their organization to safely, securely and ethically introduce Gen AI and leverage the technology to help achieve or accelerate the achievement of their strategic objectives.

In the not-so-distant future, gen AI can help security departments increase their defensive capabilities, including in areas such as vulnerability management and threat intelligence and response, Gartner analyst Richard Addiscott pointed out.

Gen AI also has the potential for a security team to increase operational efficiency, something that is a key business driver given the current global cybersecurity talent shortages.

As of now, however, employees are more likely to experience prompt fatigue rather than productivity growth, he noted. However, organizations should still encourage experiments and manage expectations — both inside the security department and out.

Ultimately, while many organizations are initially skeptical, there’s “solid long-term hope for the technology,” said Addiscott.

Security Behavior and Culture Programs taking root

Culture is critical to any cybersecurity program. According to Gartner, CISOs are increasingly embracing this idea and adopting security behavior and culture programs (SBCPs).

The firm predicts that by 2027, 50% of CISOs at large enterprises will have adopted human-centric security practices.

“SBCPs represent a more comprehensive and integrated approach, where the intent is to foster and embed more secure behaviors and work practices across the breadth of the organization,” explained Addiscott.

This tactic takes a more holistic view across all enterprise roles and functions, rather than merely focusing on the actions of the end-user employee.

To support organizations in their move to this model, Gartner has developed PIPE (practices, influences, platforms, enablers), a framework that brings in practices not traditionally used in security awareness programs, such as organizational change management, human-centric design, marketing and PR, and security coaching.

PIPE also encourages organizations to factor employee demographics, enterprise budgets, executive risk cultures and digital and cyber literacy into their cybersecurity programs. Programs should be further personalized using employee usage data from the organization's security tools, an area where gen AI can help.

SBCPs allow organizations to dig into that data to determine which employee behaviors led to particular security incidents, for example entering credentials on a phishing page, clicking unsafe links or misusing email. The organization can then take a more balanced, targeted approach going forward.

Executive support is fundamental, he said, as is having a vision of what ‘good looks like’ that employees can understand. Leaders should realize there is no “one-size-fits-all” approach to learning and should also regularly evaluate program efficacy.

SBCPs are a much larger undertaking than traditional security awareness training programs, and not all organizations have the capabilities, maturity or capacity to scale beyond what they are currently doing. Still, it doesn’t have to be an “all or nothing” approach, either.

Bridging boardroom communications gaps with metrics

As regulators around the globe look to strengthen rules around cybersecurity, boards of directors must become more familiar with organizational risks in 2024. The challenge, however, is that boards often lack "deep-level cybersecurity expertise."

“Technology-centric, operationally focused and backward-looking/lagging” cybersecurity performance indicators are gibberish to them, and don’t help them truly understand company risk and how to address it.

This is giving rise to outcome-driven metrics (ODMs), which essentially draw a straight line between cybersecurity investments and the protections they deliver. Security leaders can demonstrate their program’s performance in a “line-of-sight” and show results being achieved (or not) based on an organization’s risk appetite.

ODMs are central to creating a defensible cybersecurity investment strategy: they reflect agreed protection levels, and they are expressed in simple language that non-IT executives can understand.

Third-party risk management a must

The software supply chain is under constant attack, so it’s pretty much inevitable that third parties will experience a cybersecurity incident sooner or later.

As a result, CISOs are focusing more on “resilience-oriented investment” rather than “front loaded due diligence”.

He advised strengthening contingency plans for third-party engagements that pose high cybersecurity risk. Also, create third-party-specific incident playbooks, conduct tabletop exercises and define a clear offboarding strategy (such as timely access revocation and data destruction). Establishing a robust and resilient supply chain for your digital capabilities is critical to broader organizational resilience.

Cybersecurity reskilling

There’s no question that there’s a cybersecurity talent shortage. Gartner reports that in the U.S. alone, there are only enough qualified cybersecurity professionals to meet 70% of the current demand.

Cloud migration, generative AI adoption, operating model transformation, an expanding threat landscape and vendor consolidation only exacerbate this trend and demand a multitude of new skills.

As a result, cybersecurity leaders need to move away from legacy practices stipulating ‘X’ years of experience or specific types of skills (as these can be learned). They should instead look to hire for “adjacent skills”; “soft skills” such as business acumen, verbal communication and empathy; and new skills that will be part of entirely new cybersecurity roles.

Organizations should develop a cybersecurity workforce plan that documents the skills they need and shows how roles will evolve. They should also foster learning cultures that build hands-on skills in "iterative, short bursts" rather than through "waterfall-based" training.

Notably, hire for the future, not the past. Job descriptions should drop language describing "unicorns," that is, "ideal applicants that do not exist or are nearly impossible to find, hire and retain."

Continuous threat exposure management (CTEM) gaining momentum

With attack surfaces expanding enormously in recent years, driven by accelerated SaaS adoption, widening digital supply chains, remote working and other factors, organizations are left with many blind spots. They have limited visibility and their technologies are often siloed.

To address this, many enterprises are adopting continuous threat exposure management (CTEM). Instead of trying to find and patch every vulnerability, CTEM helps security teams assess and manage exposure on an ongoing basis, so they can remediate based on their organization's specific threat landscape rather than on raw severity scores. Gartner predicts that by 2026, organizations that prioritize their security investments based on a CTEM program will see a two-thirds reduction in breaches.
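The following is an added illustration of the prioritization idea behind CTEM, not Gartner's method and not code from the article. It ranks constructed sample findings by how reachable and how damaging they are (internet exposure, known exploitation, business criticality, compensating controls) instead of by CVSS alone; the weights, field names and sample data are all assumptions made for the example.

```python
"""CTEM-style exposure prioritization (added example, assumed scoring weights)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float                  # base severity 0-10, as reported by the scanner
    internet_exposed: bool       # reachable from the internet (attack-surface scan)
    known_exploited: bool        # on a known-exploited list such as CISA KEV
    business_criticality: int    # 1 (low) .. 5 (crown jewel), from asset inventory
    compensating_control: bool   # e.g. WAF rule or network isolation already in place


def exposure_score(f: Finding) -> float:
    """Score by attacker reachability and business impact, not CVSS alone.

    The multipliers are assumptions chosen for this illustration.
    """
    score = f.cvss
    if f.internet_exposed:
        score *= 1.5
    if f.known_exploited:
        score *= 2.0
    # Criticality 1..5 maps to a 1.0..2.0 multiplier.
    score *= 1 + 0.25 * (f.business_criticality - 1)
    if f.compensating_control:
        score *= 0.5
    return round(score, 2)


def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=exposure_score, reverse=True)


# Constructed sample findings (not real assets or scan results).
SAMPLE_FINDINGS = [
    Finding("db-01", "CVE-A", 9.8, False, False, 5, False),        # critical CVSS, internal only
    Finding("web-01", "CVE-B", 7.5, True, True, 3, False),         # lower CVSS, but exposed and exploited
    Finding("www-marketing", "CVE-C", 9.8, True, False, 1, True),  # critical CVSS, low value, behind a WAF
    Finding("dev-laptop-7", "CVE-D", 5.3, False, False, 3, False),
]


def ranked_assets(findings=SAMPLE_FINDINGS):
    """Asset names in remediation order."""
    return [f.asset for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{exposure_score(f):6.2f}  {f.asset:14} {f.cve}")
```

Note that the exposed, actively exploited CVSS 7.5 finding outranks the internal CVSS 9.8 one, and the CVSS 9.8 on the low-value site behind a WAF drops to the bottom of the list. That reordering, driven by the organization's own exposure data, is the point of CTEM.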

At the same time, identity and access management (IAM) is becoming ever more critical. Organizations need to "redouble efforts to implement proper identity hygiene," expand identity threat detection and response (ITDR), implement identity security posture assessments, and "refactor" their identity infrastructure by "evolving toward an identity fabric."
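As an added example (not Gartner's or the article's code), here is what a minimal identity hygiene check and one ITDR-style signal look like in practice. The account export, sign-in events, 90-day dormancy threshold and fixed "today" are all constructed assumptions; a real check would read from the identity provider's API or audit logs.

```python
"""Identity hygiene audit plus a dormant-account sign-in detection (added example)."""
from datetime import date

DORMANT_DAYS = 90  # assumed policy threshold for an unused account

# Constructed account export (not real users).
ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": True, "last_sign_in": date(2024, 5, 30), "enabled": True},
    {"user": "bob-admin", "privileged": True, "mfa": False, "last_sign_in": date(2024, 5, 29), "enabled": True},
    {"user": "svc-backup", "privileged": True, "mfa": False, "last_sign_in": date(2024, 1, 10), "enabled": True},
    {"user": "carol", "privileged": False, "mfa": True, "last_sign_in": date(2023, 11, 1), "enabled": True},
    {"user": "contractor-dan", "privileged": False, "mfa": True, "last_sign_in": date(2024, 5, 20), "enabled": False},
]

# Constructed sign-in events for the ITDR check.
SIGNIN_EVENTS = [
    {"user": "alice", "when": date(2024, 6, 1), "src_ip": "10.0.4.12"},
    {"user": "carol", "when": date(2024, 6, 1), "src_ip": "203.0.113.77"},
    {"user": "contractor-dan", "when": date(2024, 6, 1), "src_ip": "198.51.100.9"},
]


def audit_hygiene(accounts, today):
    """Return (user, issue) pairs for the two most common hygiene failures."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are handled by offboarding, not hygiene
        idle_days = (today - a["last_sign_in"]).days
        if a["privileged"] and not a["mfa"]:
            findings.append((a["user"], "privileged account without MFA"))
        if idle_days > DORMANT_DAYS:
            findings.append((a["user"], f"dormant for {idle_days} days"))
    return findings


def detect_suspicious_signins(accounts, events, today):
    """ITDR-style signal: a disabled or long-dormant account suddenly authenticates.

    Uses the inventory's last_sign_in as the baseline, so the sign-in being
    evaluated is compared against prior activity, not against itself.
    """
    by_user = {a["user"]: a for a in accounts}
    alerts = []
    for e in events:
        a = by_user.get(e["user"])
        if a is None:
            alerts.append((e["user"], "sign-in by account missing from inventory"))
            continue
        if not a["enabled"]:
            alerts.append((e["user"], "sign-in by disabled account"))
            continue
        idle_days = (e["when"] - a["last_sign_in"]).days
        if idle_days > DORMANT_DAYS:
            alerts.append((e["user"], f"sign-in after {idle_days} idle days from {e['src_ip']}"))
    return alerts


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for user, issue in audit_hygiene(ACCOUNTS, today):
        print(f"HYGIENE  {user:15} {issue}")
    for user, issue in detect_suspicious_signins(ACCOUNTS, SIGNIN_EVENTS, today):
        print(f"ALERT    {user:15} {issue}")
```

The hygiene pass flags the privileged accounts that lack MFA and the accounts nobody has used for months; the detection pass turns the same dormancy baseline into an alert when one of those accounts, or a disabled one, authenticates anyway. Posture assessment and detection share the same identity data, which is why the two belong in one program.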


DELTA Data Protection & Compliance Academy & Consulting – info@delta-compliance.com
