2024 Cybersecurity Predictions and Key Risks
Matthew Rosenquist
CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers
Matthew Rosenquist – CISO, Cybersecurity Strategist, & Industry Advisor – Cybersecurity Insights
Cybersecurity risks increase every year and bludgeon victims who fail to prepare properly. It can feel like crossing a major highway while blindfolded. Many never see the catastrophe about to happen, until it occurs. Cybersecurity predictions offer a glimpse at the dangerous oncoming traffic and help leaders develop strategies to navigate their journey safely. If we blindly step off the curb it will eventually end poorly when the luck runs out. For those interested in a better understanding of the oncoming risks, this is the information you are looking for.
Some dangers are familiar and persistent. We know the pool of threats and attackers will increase, more hacks will occur, credentials will be haphazardly mismanaged, disinformation will run rampant, new buzzwords and acronyms will be born, troves of data will be harvested, the battle to keep technology patched will continue to be problematic, ransomware and cybercrime will continue to thrive, and the headlines will be regularly filled with sad stories of digital victimization. This is the normal cadence the industry expects and although difficult to keep pace, the cybersecurity world is able to tread these waters.
Beyond the expected, we must also keep watch for the unpleasant surprises that can severely disrupt the security, trust, and capabilities of our digital world. Often a combination of disruptive technologies, lagging risk behavior trends, shifts in threat actor capabilities or focus, greater expectations for cybersecurity, and new regulatory structures emerge to wreak havoc. This year is no different but the details continue to be important.
Those in cybersecurity who fail to look ahead will be crushed by what they don’t see coming. Cybersecurity predictions provide leadership insights into what preparations and adaptations should be considered before a crisis occurs. So, let’s explore what 2024 and beyond has in store for all of us in the digital world.
Prelude:
Cybersecurity is a notoriously unpredictable and chaotic industry where attackers set the tempo for innovation, investment, and anticipate a response by defenders. This leads to sub-optimal situations where cybersecurity professionals largely react to the exploitations of malicious actors. Ironically, investing in preventative measures is the most efficient stratagem, but understanding what will be the most effective is dependent on accurately forecasting how the risks will manifest in the future.
This demand leads to the development of cybersecurity predictions which must take into account underlying drivers of the attackers, defenders, and technology where the battles will play out. There is a method to the madness of trying to forecast such a complex and muddled industry. I have followed a process over the years to identify significant trends that will unfold and contract those with industry concerns that I believe will not come to fruition. The goal is simple — to help organizations make better cybersecurity strategic organization, investment, and resource allocation decisions to maximize the value and help them manage to the most optimal level of security risk.
For this year’s predictions, a common theme emerged around significant investment and capabilities of a specific threat archetype, the aggressive nation-states, that represents a catalyst that profoundly influences what attackers can accomplish and the resulting impacts on the overall digital ecosystem. Aggressive nations have a ripple effect on the entire cybersecurity industry.
I first explored and predicted the impacts several years ago and called out multiple shifts for the 2023 predictions. This year my predictions extrapolate to the next evolution of these activities and the wake they leave behind. I have concluded the increasing involvement of offensive nation-states directly supports most of the 2024 cybersecurity predictions. We are in the midst of a quiet leap forward for attackers that represents a significant challenge for cybersecurity professionals to manage the elevated levels of digital risk.
2024 Cybersecurity Predictions:
1. Nation-State attack dominance now underpins the capabilities, growth, and impacts of the cybersecurity industry
Nation-state investment, innovation, and willingness to conduct complex attacks are the catalyst that underpins the advancement of malicious capabilities and empowers all levels of activity across the spectrum of cyber threat archetypes.
This is the natural progression of the 2023 predictions where the massive investments in tools, techniques, acquisition of vulnerabilities, and rapid development of exploits have positioned aggressive nations like Russia, China, North Korea, and Iran at the pinnacle of threats and a catalyst for other attackers.
Multi-year investments have matured to a point where attacks are well-resourced, planned, and exploited in ways that align with the varying objectives of the host nations. The infrastructure and talent behind attacks are stable and organized, allowing for multiple simultaneous campaigns and increased proficiency in the speed of exploitation. Parent organizations continue to provide covert shelter to operate, technical infrastructures to develop and test, extradition safety, and intelligence support. Such advancement of professional capabilities will allow these attackers a greater advantage over their defending counterparts in 2024, with their adaptation proficiency becoming the most troublesome attribute for the cybersecurity industry to deal with.
The trickle-down effects of nation-state research, investment in vulnerability acquisition, and development of complex code continue to be at play, bestowing significant benefits to the broader community of malicious actors. For example, as nations pay millions of dollars for zero-day vulnerability exploits and use them for attacks against targets, the code and methods are revealed for other threat actors who dissect and use these components for their attacks. Organized cybercriminals are quick to take advantage and implement new tools in their attack strategies. Such expensive vulnerabilities, exploits, and methods would normally be well beyond the reach of these lesser threats but are enabled by the vast resources cascading down from nation-state actors.
The primary target and focus for nation-states will continue to be their adversaries Critical Infrastructure sectors, such as healthcare, government, communications, transportation, defense industrial base, media, utilities, finance, and cargo logistics.
In 2024
2. Critical Infrastructure targets are where the next significant battles play out
With aggressive nation-states heavily targeting Critical Infrastructure organizations, there will be significantly increased impacts and near-misses in these sectors.
Governments will attempt to assist the security practices and begin to institute more rigid cybersecurity requirements for these sectors.
Cybercriminals and terrorists will also target the Critical Infrastructure sectors as they align with these attackers’ core motivations of financial gains and political influence respectively.
With increasing pressure from the past few years, many critical infrastructure organizations have upleveled their cybersecurity, making the overall sector moderately more secure. But there are many outliers and attackers will pursue easy targets as the most desirable victims.
Smaller companies have less to invest and will be behind larger organizations that have resources to better defend themselves. They will suffer disproportionately. Additionally, there are larger organizations that choose to do the minimum required and will realize they are highly susceptible to attack.
In 2024:
3. Supply Chain hacking methods evolve and increasing attacks become a problem for everyone
Advanced attackers are developing tools and tactics to intensify supply chain compromises, fueling many new attacks in 2024 that impact disproportionate numbers of downstream consumers.
Supply Chain attacks, where a vendor is compromised so the attacker can gain passthrough access to their customer’s computing assets or impact organization operations downstream, are still relatively rare. Such attacks are often complex and typically take a high degree of skill. However, these represent powerful and far-reaching opportunities for those threat actors that can successfully pull them off.
Software, cloud-based services, and to a lesser extent hardware appliances will be the most sought-after targets. The goal will be to exploit the trust and access of suppliers and to compromise the intended targets, their customers.
These attacks fit perfectly with the skillset and resources of aggressive nation-state threat actors, as they pursue Critical Infrastructure targets, high-value intellectual property, and intelligence. Once inside, they will work to remain undetected for as long as possible and resist being evicted while accomplishing their goals.
In 2024:
4. More vulnerabilities and exploits in heavily used business products upend patching cadences and commitments
The intense demand for vulnerabilities and exploits has reached newfound heights, driving more research and tool development, leading to a spike in discoveries and shortened windows for vendors to patch.
The commercial and black-market prices can be in the millions of dollars for a single vulnerability and accompanying exploit with the most valuable being zero-days for popular operating systems and cloud environments. Research efforts will also scale across applications, operating systems, firmware, and hardware. We may see a small but growing number of highly specific Operational Technology (OT) system vulnerabilities abused by attackers.
In 2024:
5. Generative AI becomes the double-edged tool we have been waiting for and dreading
The Generative Artificial Intelligence arms race has begun, as innovation and adoption swell to record-breaking levels, becoming a threat to digital security, privacy, and safety while also providing tremendously helpful capabilities to cybersecurity defenders.
Unlike its famous yet-to-be-created cousin General AI, Generative AI (GenAI) will not become sentient nor try to take over the planet, but it will be infused into every digital service and technology to make them better, cheaper, and faster to arrive to market. GenAI tools can do remarkable things from creating realistic images, personas, media, and original writings to identifying key elements in data or content. The popular Large Language Models, like ChatGPT, are phenomenal and analyze or synthesize information to answer questions in easily understandable ways or generate content to inform and advise. Such powerful capabilities that make things better and easier to use are one of the reasons they have skyrocketed in popularity with consumers and businesses.
The swell of consumer interest has fueled massive investments which in turn has produced insane levels of innovation and adoption. Tools and code are often open-source and freely available to anyone. The race of rapid integration for such code, tools, and services has left little time to focus on security evaluation, remediation, or assurance. The result is these systems are wrought with undiscovered vulnerabilities that represent a new and serious risk vector for all who embrace GenAI.
Like all powerful technology tools, AI represents a double-edged sword, enhancing the scalability and capabilities of attackers while simultaneously empowering the same for defenders. The timing and details vary, but it becomes an arms race to see which side can better utilize the untapped power of Gen AI.
In 2024:
6. New cyber regulations force operational changes for cybersecurity, risk management, and compliance.
Recent introductions, updates, and enforcement to cyber regulations are forcing uncomfortable changes for security and compliance teams.
Many new security and privacy regulations are taking effect across various sectors and technologies, that may require significant adaptation for organizations to be compliant. New regulations for the development and adoption of Artificial Intelligence will limit some exposures by slowing down the overall adoption process and allowing more understanding of the potential security risks. While reducing the risks of inadvertently introducing vulnerable AI systems, it also delays the potential security benefits of innovative AI security tools.
New supply chain rules for government customers will increase the costs of compliance, but benefit from a greater confidence that suppliers are trustworthy in their operation and development of products.
领英推荐
Perhaps the most controversial regulations are from the US Securities and Exchange Commission (SEC), which requires public companies to report any material cybersecurity incidents to their shareholders within 4 days. This regulation protects longstanding investor rights to be informed in a timely manner of risks to their investments by mandating a level of transparency to the public. The highly controversial regulation took effect at the end of 2023 and publicly owned businesses in 2024 are now held accountable for compliance. This is of significant concern to many public companies who prefer to conceal, delay public announcements, or spin a creative narrative to minimize shareholder perceptions and negative sentiment for cybersecurity attacks.
Enforcement of regulations is also causing serious tension. GDPR and other privacy cases continue to sting major internet properties, with the penalties for not safeguarding the confidentiality of sensitive personal information trending ever higher.
SEC enforcement is making a substantial impression on the cybersecurity community. The case against the UBER Chief Information Security Officer (CISO) concluded with a conviction last year and the case against the CISO of SolarWinds, announced in 2023, is ongoing. Specifically holding CISOs accountable for fraudulent reporting is new and one of the most heated topics going into 2024.
In 2024:
7. Greater visibility of cybersecurity will create fear but drive better ownership of digital risk.
Greater transparency of cybersecurity failures will highlight weak leadership, insufficient investments, and poor organizational stewardship but drive better practices.
Competition fosters a focus on results. Organizations that are not serious about security will no longer be able to conceal their lack of commitment. As incidents become more public, the need to establish more robust cybersecurity capabilities becomes a priority to compete with businesses that successfully avoid such embarrassing breaches of trust.
Transparency for material attacks, mandated by the SEC for public companies, will begin to trickle down to private companies as well, as trust is a competitive advantage in the marketplace. It will start slowly, but funding and venture capital groups will drive better security oversight to protect their financial investments.
Overall better visibility contributes to more insightful metrics used to understand the scale of attacks, failures in security, overall impacts, and emerging best practices. Eventually, risk management, resource allocation optimization, and insurance modeling will benefit as a result.
In 2024:
8. Rising expectations for trust will crush weak cybersecurity strategies
Everyone’s expectations for cybersecurity have significantly elevated to new levels, raising the bar of success and lowering the tolerance for failure, wreaking havoc on minimalist cybersecurity strategies.
Security, privacy, and safety, the hallmarks of cybersecurity, matter more to everyone. Customers are savvier about breaches, theft, unavailability, and downstream impacts on their systems. Cybersecurity is now a growing purchase and loyalty criterion. Suppliers, vendors, and other 3rd parties are held to higher standards as their customers realize they assume some of the risks of vulnerable partners. Executives are more aware than ever that a cybersecurity incident can undercut profitability and place long-term barriers to organizational success. Boards are quickly maneuvering to enhance their cybersecurity insights as it becomes material to their shareholder duties. Auditors and regulators are also responding, being more particular and vigilant in their assessments. Across the spectrum, concern for cybersecurity is manifesting in greater expectations that organizations are acting in responsible, ethical, and trustworthy ways.
CISOs will be expected to explain better and deliver more, with essentially the same level of resources. The biggest challenge for security leaders will be to understand and manage to the expectations within the constraints of budget, authority, and the allowance of security to add friction to the company.
In 2024:
9. Resource constraints mutate from fears to nightmares
The combination of greater expectations, more regulations, increased capabilities of threats, and more vulnerabilities to address, culminates in a situation where the required additional cybersecurity resources are far beyond what will be available.
Cybersecurity is generally seen as an overhead cost, which should be optimized to reduce expenditures. In contrast, recent reports indicate that CISOs will on average ask for an additional 20% increase in their annual budgets. Few will get anywhere close to that amount and some may see a decrease, requiring cuts to be made to their programs.
The disparity between what cybersecurity departments believe is needed and what will be provided will seriously widen, creating stressful dilemmas for CISOs to decide what will be funded. The CISOs understand the results will be unfavorable, but unclear to what extent until the bad things occur.
In addition, the demand from traditionally resource-constrained Small and Medium Businesses (SMBs) will be on the rise. SMBs are realizing that it is more important than ever to benefit from cybersecurity leadership and insights to avoid catastrophic blunders. It is no longer optional as cyber represents a material risk to competitiveness and survivability. Without significant budgets to hire, they will look for alternate ways to obtain and benefit from professional cybersecurity insights.
In 2024:
10. Cybersecurity responsibilities increase in scope and push organizations to adapt or break
A perfect storm of constrained resources, more accountability, and greater responsibilities will push cybersecurity organizations to the brink, forcing CISOs to either adapt or fail.
Regulators, boards, and c-suite executives will look to their CISO to play a greater role in protecting the company from lawsuits and prosecutions. This will force CISOs into unfamiliar territory while still trying to manage the growing problems of managing the risk of loss due to cyber events.
CISOs will be drawn into more discussions and accountability regarding contracts, audits, legal issues, and regulatory filings. CISOs will be expected to communicate directly with the board, and actively engage with the C-suite, partners, suppliers, vendors, investors, regulators, auditors, and customers.
This will take a different skill set than traditionally seen in CISOs. Some organizations, who can afford to hire a Chief Trust Officer will split these new duties, but for most, it will fall on the shoulders of the CISO.
Training and certifications will expand for both security and board leadership to assist all parties in understanding the new regulatory and liability requirements.
This situation will increase the already high levels of stress experienced by CISOs, forcing many of them to rethink their approach to justifying budget and for some, their career path.
Maintaining an optimal level of security risk, given the aggregation of issues above, will push many security organizations to a breaking point. The risk of degradation and inability to satisfy the new expectations will become apparent as incidents occur and transparency requirements draw in public scrutiny.
The best CISOs have been preparing for this eventuality and already have plans in motion that showcase clear operating goals, robust strategy, and plans with supporting metrics that are relevant. These elite CISOs will shift their value story, expanding from protection and compliance to also include elements of competitive advantage to support the overall corporate goals. They will be well-positioned to adapt.
Many of their counterparts will not.
In 2024:
2024 will be a tough year for CISOs. A rise in expectations, regulations, attacker capabilities, and growing difficulty in obtaining the necessary resources to keep pace will push many leaders to the brink. Sadly, the challenges will only get tougher in subsequent years.
Prologue: Final Insights — Not all cybersecurity fears will come to fruition
Although my concerns for digital risk run deep by nature, there are many things that I am not worried about in 2024. Contrary to many of my industry counterparts, there are aspects of cybersecurity that I believe we should not fear.
So, what disasters won’t happen in cybersecurity 2024?
· Cyber Pearl Harbor and the End of the World — Full commitment by sophisticated attackers to destroy massive parts of the global digital domain, like that of the United States, has severe unintended consequences that even aggressive nations states don’t welcome. Our digital world is heavily intertwined across borders with entrenched dependencies. For one nation to cause overwhelming destruction will likely result in severe backlash damage to their own critical online infrastructures. At this point, adversaries have no way to insulate themselves or gracefully limit the collateral damage from massive attacks. The nation-ending cyberattack, popularized in Hollywood movies, is not a realistic immediate threat.
· Severe meddling in US Elections — The world will be watching the US elections in 2024. Many fear attempts by foreign enemies to tamper with results and influence the outcome. Although this is a likely desire by many nations, the fact is that the US is ready and fully expecting such attacks. The element of surprise is gone and so is the realistic opportunity of attacker success. There will be a tsunami of disinformation, but that already comes from every angle, even the participants. Tampering with the voting infrastructure is a different story. Preparations to prevent tampering are already in high gear. Even on the disinformation front, there will be extra caution by reputable news and social sites, with citizen monitors ready to throw a red flag when they see potentially foreign foul play. Monitoring and detection capabilities will be greater than any previous election and the consequences to any nation attempting such actions will likely be severe. Rest assured that a small army of cybersecurity professionals is working to make the election fair and transparent, so do your civic duty and vote!
· AI destroying our digital ecosystem and mankind as we know it — Although AI will be a powerful tool to help hackers, it will be in ways they already generally exploit. As for AI taking over the world, an old Hollywood trope, the reality is that such great advances in Generative AI that we see today, are a far cry from the General AI portrayed in self-aware systems of a dystopian future. For 2024, we are safe from AI overlords taking over humanity.
· AI will put cybersecurity workers out of work — Like all transformational innovations, there will be more jobs created by AI than lost. AI is best served as a tool and the only people who will be out of work will be those who don’t know how to use AI.
· Cyber warfare doing more damage than traditional kinetic warfare — As fearsome as critical infrastructure attacks are, they still pale in comparison to what traditional warfare brings. As we have seen in Ukraine, cyberwar does not replace tanks and troops, but rather it augments them. Until the day that a cyberattack campaign can kill a hundred thousand people, we should keep our fears in perspective. Someday that will be an issue, but not in 2024.
· Privacy will unravel — Contrary to what some will say, privacy is not on the brink of collapse. In fact, the privacy industry is healthy, full of tremendously smart people, and benefits from empowering legislation that is starting to be enforced! I believe there is great momentum in the privacy field and it will be much stronger still by the end of 2024.
Matthew Rosenquist — CISO, Cybersecurity Strategist, & Industry Advisor — Cybersecurity Insights.
Follow on LinkedIn and subscribe to the Cybersecurity Insights channel for more news, analysis, and discussions.
"Tech aficionado specializing in SAAS platforms ,applications & Cyber Security Solutions , guiding companies towards digital transformation for future business success."
2 个月For any services in the domain of Cyber Security, Please feel to connect with me.
Senior Digital Marketing Specialist- Data Dynamics
7 个月You're right, the forecast is complex this year! It highlights the interconnectedness of cybersecurity.?Do you think any one factor will be the biggest challenge?
Driving Marketing Innovation | Leading Two99 - A Consortium of Agencies Transforming Brands
8 个月Fantastic insights! Your article really sheds light on the upcoming trends in Cyber Security.
Deep Tech Diplomacy I AI Ethics Advocacy I Digital Strategist I Futurist I Quantum-Digital Twins-Blockchain I Innovation Ecosystems I UN G20 EU WEF I Precision Health Expert I Forbes I Board Advisor I Investor ISpeaker
8 个月We should consider publishing 2024 cyber-ethics predictions too ????
Deep Tech Diplomacy I AI Ethics Advocacy I Digital Strategist I Futurist I Quantum-Digital Twins-Blockchain I Innovation Ecosystems I UN G20 EU WEF I Precision Health Expert I Forbes I Board Advisor I Investor ISpeaker
8 个月Thanks for sharing Matthew Rosenquist.