Industry executives and experts share their predictions for 2024. Read them in this 16th annual VMblog.com series exclusive.
How New Technology and Legislation Will Impact The Threat Landscape
By John Kindervag, Creator of Zero Trust and Chief Evangelist at Illumio
In 2023, cyberattacks remained rampant and aggressive, as we saw bad actors grow
increasingly sophisticated and indiscriminate in their attacks. As we enter
into 2024, whether we attribute an increase in attacks to AI, a renewed drive
from attackers, or simply the fast-changing nature of the industry, it is more
critical than ever for security teams to ensure they're preparing accordingly
for the inevitable attacks and threats to come. If we take a look at cloud
breaches in the past year alone, Illumio's 2023 Cloud
Security Index revealed that cloud-based attacks cost organizations nearly
$4.1 million. And bad actors aren't slowing down anytime soon. In the new year,
security professionals have to stay vigilant as the threat landscape evolves
and widens, becoming more costly and impactful in the process.
Looking ahead at the year to come, here are a few of the top trends that business and
security leaders should expect to see and be prepared for in 2024.
Government agencies will provide guidance on bills of materials
A major concern that we will continue to see into next year is the strength of
the supply chain. We can expect to see increased documentation and guidance
from government agencies on software and hardware bill of materials (SBOM and
HBOM), which will outline how organizations can determine if they have clean
software and hardware in place. This will be prevalent for industries such as
the chip manufacturing industry, as the U.S. remains concerned about
adversaries injecting malicious capabilities into the technology stack.
This new generation's understanding of today's technology will benefit future laws and regulations
As a new generation of legislators enters the government, we will see more
legislation that is reflective of the current technology landscape. Right now,
a significant challenge in technology and cyber legislation is that current
regulators don't understand how the internet works, which makes it difficult to
govern and enforce what happens in the digital world. This new generation will
not only have a better understanding of how the internet and its adjacent
technology work, but they'll also be able to translate that knowledge into
discerning which laws and regulations are meaningful. For example, we can look
for this to first play out in the AI regulatory environment, where digital
natives are more excited about the possible threats of this technology, while
the older generation is more worried about the threats posed by this
technology.
The SEC and other regulatory agencies will enforce stricter reporting requirements
Right now, most breaches and incidents go unreported. In 2024, we will need
legislation to enforce better reporting of cybersecurity incidents and data
breaches to record the necessary data points to help determine where the real
problems lie. We have a lot of statistics about physical crime because when
people are in trouble, they know to call the police. In the same way, we need
to develop a way to incentivize people to report cybercrime so that we can
collect data points to better inform our collective approach. Right now, we're
just guessing, which is not effective. Coming into 2024, we will see the SEC,
and other regulatory agencies, mandating more reporting requirements in the
future.
Zero Trust will be implemented into organizations' security plans
The phase of simply talking about Zero Trust has ended. In 2024, we will see
greater implementation, not just conceptual buy-in, of Zero Trust for several
reasons - chief among them being how badly the attack landscape has progressed
and how that is increasingly affecting the executive suite. Illumio's Cloud
Security Index reveals that while over half of organizations believe that
their cloud security is inadequate, 98% of organizations store their
significant data in the cloud - making Zero Trust Segmentation imperative to
defend against threats. Zero Trust as a strategy doesn't change, of course, but the
solutions will always get better and better.
Security professionals will need to be vocal about risks and threats to CEOs
In 2024, people need to stop being complacent when it comes to cyber. Most still
think that no one's going to attack them (only 25% of orgs think they'll be
breached), but the reality is that everyone is a target. Despite some progress
on the legislative front, the reality is that more people must be more willing
to push back and set realistic expectations with business leadership, rather
than blindly following orders. We need security leaders who have a direct line
to the CEO and insight to communicate what they need to hear when it comes to risk and threats and not just what
they want to hear.
In 2024, cyber teams will be up against new and even more daunting challenges as
the threat landscape continues to develop. It will be up to organizations'
leadership to ensure their security teams are equipped with the knowledge and
tools to come out on top.
##
ABOUT THE AUTHOR
John Kindervag, Creator of Zero Trust and Chief Evangelist at Illumio
John has over 25 years of experience working as both an
industry analyst and practitioner. He is most known for creating the Zero Trust
model of cybersecurity. John was most recently the senior vice president at
MSSP ON2IT, focusing on cybersecurity strategy, and before that was the field
CTO at Palo Alto Networks. Prior to his time at Palo Alto Networks, John was
the Vice President and Principal Analyst for the security and risk team at
Forrester Research, where he developed the Zero Trust model of cybersecurity.