Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
Predictions Impacting CISOs the Most in 2024
By Gaurav Banga, Founder and CEO of Balbix
2023 was a pivotal year for cybersecurity with the introduction of new requirements by the SEC, continued economic uncertainty forcing lower budgets, and the advent of AI-powered cyber attacks. With cybersecurity becoming an increasingly important concern, 61% of CISOs feel they faced unreasonable job expectations and 60% report feeling burnout in 2023, according to data from Proofpoint.
The role of the CISO has never been more complex and high-risk than right now. It is my prediction that 2024 will present two major cybersecurity challenges for CISOs that will continue to drive stress points to all-time highs.
1. Confusion around SEC compliance will create a rigid landscape for CISOs
As the SEC's cybersecurity rules are set to go into effect starting in December 2023, there is great uncertainty as to how the rules will be enforced and who is responsible for determining the materiality of cyber risk for assets, applications, and incidents.
To better manage this new regulatory landscape, CISOs will increasingly look towards specialized third-party vendors and service providers for assistance. This will include implementing automated and comprehensive vulnerability assessments, constant predictive prioritization of flaws and vulnerabilities, and real-time cyber risk quantification.
The SEC's recent charge against SolarWinds and its CISO for "fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities" is a glimpse into how the SEC may react to non-compliance. This early precedent has sent shockwaves through the CISO community, and their reactions provide a glimpse into how the industry will respond to potential future charges.
Lastly, close collaboration between CISOs, the CEO, legal counsel, and third-party vendors will be critical for organizations to make sure reports are filed correctly in order to avoid penalties, or worse, from the SEC.
2. AI will haunt the day-to-day life of the CISO
In addition to overseeing complicated, high-risk regulatory compliance, CISOs in 2024 will have to contend with escalating AI-powered cyber threats. These threats may include the proliferation of deepfakes created to spread misinformation, advanced malware duplication, and indecipherable phishing techniques. Phishing was the most common type of initial attack vector in 2023, and in 2024 this technique will likely be AI-powered.
Even more, generative AI's ability to quickly duplicate existing information online stands to upend the way we approach intellectual property (IP). There are two sides to the risks of AI for IP. On the one hand, AI creates a huge exposure risk through its constant scraping of data that exists already online. For example, if your developer team uses AI to review a unique line of code, that code could end up in a different organization's product. On the other hand, your developer team could use code generated from AI to unknowingly embed a different organization's IP. This is particularly a concern for those who hold trade secrets and are concerned about their IP-protected data showing up in AI training models, which is one of the most widely reported IP risks, according to Deloitte.
Left to their own devices, CISOs are forced to navigate the complex IP landscape as it continues to be impacted by AI. Without strict regulations, CISOs are left to wait for regulators to catch up with the impact of rapidly evolving technologies. This leaves the door open for bad actors to infiltrate critical systems with adversarial AI-based techniques.
Adversarial AI used by bad actors can often circumvent static defenses and human analysts - even more so when 59% of teams are short-staffed or on the brink of burnout. The only way to beat AI used by bad actors is to empower your teams to use AI; AI itself is the best tool to defend against AI threats. By using AI proactively, CISOs can significantly limit cybersecurity breaches, lower overall incident response times, and prevent high-cost damages from AI-based cyber attacks. To achieve this, CISOs must have an AI strategy. CISOs must empower their teams to incorporate AI-based techniques into their tech stack. Right now, only 6% of organizations have dedicated teams to evaluate AI risk mitigation, according to KPMG.
CISOs in 2024 will face the twin challenge of ensuring SEC compliance and defending against escalating AI-powered threats. This challenge requires proactive planning, defense upgrades, and cross-collaboration with teams on all fronts to successfully navigate these issues.
While the challenge is demanding, addressing these emerging threats also presents a unique opportunity for CISOs to step into a critical leadership role that puts cybersecurity at the forefront of organizational decision-making. Investing now in capabilities and partnerships will help reduce your organization's cyber risk and ensure every potential attack vector is secure into 2024 and beyond.
## ABOUT THE AUTHOR
Gaurav Banga is the Founder and CEO of Balbix (https://www.balbix.com/), and serves on the boards of several companies. Before Balbix, Gaurav was the Co-founder & CEO of Bromium and led the company from inception for over 5 years. Earlier in his career, he served in various executive roles at Phoenix Technologies and Intellisync Corporation, and was Co-founder and CEO of PDAapps, acquired by Intellisync in 2005. Dr. Banga started his industry career at NetApp. Gaurav has a PhD in CS from Rice University, and a B.Tech. in CS from IIT Delhi. He is a prolific inventor with over 50 patents.