5 Top Security Predictions for 2024


Thanks to Tim Keary, Technology Specialist | Fact Checked by Eddie Wrenn

Last updated: 2 January 2024


KEY TAKEAWAYS

Techopedia contacted some of the top CISOs in tech to find out what they saw as the top security trends to watch in 2024.


Top Security Trends

· 2023 demonstrated significant changes to the cybersecurity threat landscape, particularly in AI.

· For instance, following the release of ChatGPT in November 2022, SlashNext’s 2023 State of Phishing report found that phishing emails increased by 1,265%.


Just as artificial intelligence has helped many employees streamline their workflows, threat actors use it to enhance their ability to launch offensive attacks. This can be as simple as using a chatbot to write more convincing phishing emails or developing AI-generated malware.


Here are the top 5 CISO security trends for 2024

5. Understanding cybersecurity responsibility

“In 2024, CISOs and security professionals have three top priorities. One is to ensure that everyone within the organization understands their responsibility in cybersecurity, not just the security team. This can be accomplished by implementing robust training programs.

Additionally, they must continuously educate employees about phishing scams and the importance of not clicking on suspicious links by incorporating tools to minimize spam and phishing attempts.

Finally, security experts need to employ queryable encryption to protect sensitive data even if it is compromised by ransomware.”


How can ISO 27001 Help?

In 2024, CISOs and security professionals have a primary goal: ensuring that every member of the organization comprehends their role in cybersecurity, extending beyond the confines of the security team. This objective is achieved through the implementation of robust training programs. Aligning with the ISO 27001:2022 clause 5.3 and control 5.2, organizations must define and allocate information security roles and responsibilities according to their specific needs. This strategic approach fosters a comprehensive understanding of cybersecurity duties and ensures adherence to established standards, promoting a robust and well-structured information security framework.


4. The rise of polymorphic malware

“There isn’t any more significant impact on our society than the advent of AI, which is no different in cybersecurity. In 2024 and beyond, we anticipate a rise in polymorphic malware, a sophisticated malware developed using AI.

This type of malware is particularly concerning because it can learn and adapt to the security systems it encounters. After analyzing and understanding these security defenses, the malware can discreetly infiltrate and spread within these systems, often evading detection by standing security measures.

The second most extensive cybersecurity challenge IT leaders will continue to face is increased data breaches caused by employees’ negligent behavior. This often involves improperly handling or sharing sensitive and confidential business information.

Without realizing it, employees might inadvertently expose these confidential data by mishandling emails, utilizing unsecured networks, or falling prey to phishing scams.

This kind of data breach can be especially damaging as it involves internal access and may lead to the unauthorized disclosure of critical business secrets or personal data of customers and employees.”

Tyler Young, CISO of BigID


How can ISO 27001 Help?

This sophisticated form of malware is crafted using AI, endowing it with the ability to learn and adapt to the security systems it encounters. By discreetly infiltrating and spreading within these systems, polymorphic malware poses a significant threat, often eluding detection by existing security measures.

The second major cybersecurity challenge anticipated is increased data breaches attributed to employees' negligent behavior. This involves the mishandling or sharing of sensitive and confidential business information. Without realizing the consequences, employees may unintentionally expose confidential data through various means, including mishandling emails, utilizing unsecured networks, or falling victim to phishing scams.

The potential damage from such data breaches is substantial, particularly as they involve internal access, potentially leading to the unauthorized disclosure of critical business secrets or personal data of both customers and employees.

In addressing these challenges, reference to ISO 27001:2022 becomes pivotal. Control 8.7 of ISO 27001:2022 focuses on "Protection Against Malware." This control emphasizes the need for organizations to implement and support protective measures against malware threats. Importantly, it underscores the importance of appropriate user awareness and training, aligning with Clauses 7.2 and 7.3 of ISO 27001:2022.

Clause 7.2 stresses ensuring that personnel know the information security policy, their roles, responsibilities, and the implications of non-conformance to security requirements.

Clause 7.3 emphasizes providing relevant training to personnel to ensure their competence in information security matters, covering various aspects, including handling information security incidents. As the cybersecurity landscape evolves, the proactive implementation of ISO 27001:2022 controls, notably Controls 8.7, 5.15 and 5.18, supported by user awareness and training (Clauses 7.2 and 7.3), is essential to fortify defenses against the rising threat of polymorphic malware and the challenges associated with employee negligence.


3. Attacks on the supply chain, data supply chain, and rise of security automation

“Expect attacks focused on ungoverned open-source ecosystems to accelerate in 2024. We’ve already seen how attackers have learned to seed open-source repositories with malicious Python packages that have names that closely resemble popular legitimate packages.

Given software developers' reliance on these packages, this kind of attack is likely to persist—and result in serious vulnerabilities—for the foreseeable future.

Over 90% of the world’s software is built on top of open-source code and languages, which will have broad implications. As a partial solution, I expect to see more companies and teams using AI to assess the risk of open-source packages.”

Data governance and the data supply chain will become critical issues.

“CISOs will need to take a stand on data governance in 2024: Either in favor of strict discipline and control of private/protected data or in favor of its open use with an acceptance of the associated risk that comes with it. Data, like software, has supply chains.

For example, if someone deletes data or a customer requests its removal in a supply chain, and that data has already been used to inform a large language model (LLM), it may be difficult or impossible to unwind it.

For companies building machine learning models, data supply chains require operational discipline, which falls under the domain of the CISO to manage.”

AI will replace “shift left” security with security automation.

“Shifting security left aimed to fix security flaws earlier in the software development lifecycle by bringing it closer to the developer. However, the consequence of this increase in responsibility has burdened developers beyond reason.

In 2024, shift left security will be replaced by automating security out of the developer’s workflow, something I call shifting down, as it pushes security into automated and lower-level functions. AI will help automate the identification and remediation of security issues by reducing developers’ security burden with less and more actionable feedback.”

Josh Lemos, CISO of GitLab
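The look-alike package names described in the quote above are something a team can screen for before installation. The following is an added illustration, not code from the original article or from GitLab: it parses a requirements.txt-style list, normalizes each name the way Python package indexes do, and flags names that sit within a couple of edits of a known package or that glue extra characters onto a known name. The allow-list of popular packages and the sample requirements are constructed here for the example, not a real registry snapshot.

```python
"""Flag dependency names that closely resemble well-known packages.

Added example (not from the article or GitLab): a pre-install check that
compares requested package names against an allow-list and flags near
misses for human review. KNOWN_PACKAGES and SAMPLE_REQUIREMENTS are
constructed sample data.
"""
import re

# Constructed allow-list of names the organization knows and expects.
KNOWN_PACKAGES = {"requests", "numpy", "pandas", "urllib3", "cryptography", "boto3"}


def normalize(name: str) -> str:
    """PEP 503 style normalization: case-fold and collapse -, _ and . to a dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_package(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return (verdict, closest_known_name).

    verdict is 'known' for an exact normalized match, 'suspicious' for a name
    within max_distance edits of a known package or a known name with extra
    characters attached (e.g. 'pandas-ext'), and 'unknown' otherwise.
    """
    norm = normalize(name)
    if norm in known:
        return "known", norm
    best_name, best_dist = None, None
    for k in known:
        d = edit_distance(norm, k)
        if best_dist is None or d < best_dist:
            best_name, best_dist = k, d
    # Near miss by edit distance, or a known name used as a prefix/suffix.
    if best_dist <= max_distance or any(norm.startswith(k) or norm.endswith(k) for k in known):
        return "suspicious", best_name
    return "unknown", None


def parse_requirements(text: str):
    """Extract bare package names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def audit_requirements(text: str):
    """Map each requested package to its verdict; 'suspicious' entries warrant review."""
    return {n: assess_package(n) for n in parse_requirements(text)}


# Constructed requirements file: two legitimate names, two look-alikes, one unrelated.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
numpy>=1.26
reqeusts   # transposed letters
python-dateutil
Pandas_ext  # known name plus a suffix
"""

if __name__ == "__main__":
    for pkg, (verdict, closest) in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg:16s} {verdict:10s} {closest or ''}")
```

The prefix/suffix rule is deliberately noisy: a legitimate companion package such as a typing stub that ends with a known name will also be flagged, which is the intended trade-off for a review gate rather than an automatic block. Tune `max_distance` and the allow-list to the dependency set the team actually uses.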


How can ISO 27001 Help?

The supply chain is increasingly becoming a target for cyberattacks as attackers seek to exploit vulnerabilities in interconnected systems. These attacks can disrupt the flow of goods and services, compromise sensitive data, and have far-reaching consequences on organizations and their customers.

With the digital transformation, organizations are relying on complex data supply chains, where data flows between various entities, both internal and external. Securing this data supply chain is crucial to protecting sensitive information and ensuring the integrity and confidentiality of data throughout its lifecycle.

In response to the evolving threat landscape, organizations are adopting security automation to enhance their ability to detect, respond to, and mitigate cyber threats.

Automation can improve the efficiency of security processes and help organizations stay ahead of rapidly evolving cyber threats.

Control 5.19 - Information Security Supplier Relationship:

This control focuses on establishing and maintaining an information security management system (ISMS) to manage security aspects of supplier relationships. It includes assessing and managing the risks associated with suppliers and ensuring that contractual agreements address information security requirements.

Control 5.20 - Addressing Information Security within the Supply Chain:

This control emphasizes the need to identify and manage information security risks within the supply chain. It involves implementing measures to secure the supply chain, including assessing suppliers' security practices and ensuring they align with the organization's information security policies.

Control 5.21 - Managing Information Security in the ICT Supply Chain:

This control is specific to managing information security risks within the Information and Communication Technology (ICT) supply chain. It involves identifying and assessing the security risks associated with ICT products and services, ensuring they meet security requirements.

Control 5.22 - Managing Review and Change Management of Supplier Service:

This control focuses on the ongoing management of supplier services, including periodic reviews and change management. It aims to ensure that the security controls remain effective over time and that any changes to supplier services are assessed for their potential impact on information security.

Attacks on the open-source software supply chain will accelerate.


2. Data breach disclosure requirements will tighten

“In 2024, the stakes for CISOs will skyrocket, particularly in light of developing incident disclosure rulings. In 2023, the SEC introduced a primary incident disclosure ruling for public cybersecurity companies that shook cybersecurity leadership across multiple industries.

In late July, it was announced that public companies were required to disclose any material breach within four business days of discovering that the incident had material impact.

Given the ruling's relatively vague language—even after the SEC’s clarification last week—CISOs are on edge about how these regulations will impact their work and potentially expose them to prosecution.

It’s common knowledge that the full impact of a breach can take months, if not years, to become known after a rigorous investigation. Because of this, in 2024, we will see an increase in CISOs seeking D&O insurance, and many more will seek their lawyers to protect themselves.

The security community has always been characterized as an open ecosystem of information sharing, CVE disclosure, and best practices. It has made us a rich and close community over the years.

However, I anticipate a more secretive culture among CISOs and the security community since the developing SEC rulings may discourage information sharing. CISOs will be likelier to keep potentially incriminating details close to the chest, holding off until it seems safe to share.”

Devin Ertel, Chief Information Security Officer at Menlo Security


How can ISO 27001 Help?

In ISO 27001:2022, the controls delineate a comprehensive framework for information security management. Specifically, Control 5.24 through Control 5.28 focus on information security incident management. These controls collectively address various facets of planning, preparation, assessment, decision-making, response, learning, and evidence collection in the context of information security incidents.

Control 5.24, "Information Security Incident Management Planning and Preparation," is fundamental in establishing a structured approach to anticipate and manage information security incidents effectively. It outlines meticulous planning and preparation measures to ensure an organization's readiness for potential security breaches.

Control 5.25, titled "Assessment and Decision on Information Security Event," contributes to the incident management process by providing a systematic methodology for evaluating the significance of information security events. This control aids in making informed decisions regarding the appropriate course of action in response to identified events.

Control 5.26, "Response to Information Security Incidents," is pivotal in guiding organizations through the response phase. It delineates well-defined steps and protocols for an information security incident, ensuring a swift, coordinated, and effective response.

Following the response phase, Control 5.27, designated "Learning from Information Security Incidents," underscores the importance of a continuous improvement cycle. This control emphasizes the need to extract valuable insights and lessons from past incidents, fostering a proactive approach to enhance overall information security measures.

Control 5.28, labeled "Collection of Evidence," establishes a structured process for gathering and preserving evidence related to information security incidents. This control is crucial for resolving ongoing incidents, substantiating the organization's adherence to regulatory requirements, and facilitating post-incident analysis.


1. The regulatory landscape will become more complex

“In 2024, the landscape of cybersecurity compliance is expected to evolve significantly, driven by emerging technologies, evolving threat landscapes, and changing regulatory frameworks.

Privacy regulations like the GDPR and CCPA have set the stage for stricter data protection requirements. More regions and countries are expected to adopt similar rules, expanding the scope of compliance requirements for organizations that handle personal data.

Artificial intelligence and machine learning will be more prominent in cybersecurity compliance. These technologies will automate threat detection, analyze vast datasets for compliance violations, and provide real-time insights, making it easier for organizations to stay compliant.”

Joseph Carson, chief security scientist and advisory CISO at Delinea


How can ISO 27001 Help?

As businesses expand globally, the regulatory landscape becomes more intricate. Multiple jurisdictions, varying standards, and the constant evolution of technology contribute to the perplexity organizations face in meeting compliance obligations. Real-world examples underscore the challenges and emphasize the importance of proactive regulatory navigation.

Understanding the Needs and Expectations of Interested Parties (Clause 4.2)

To navigate the regulatory maze effectively, organizations must first understand the needs and expectations of their stakeholders. ISO 27001:2022, in clause 4.2, emphasizes this crucial aspect, serving as a foundational step in building a robust information security management system. The requirements of interested parties can include legal and regulatory requirements and contractual obligations.

Control 5.31 addresses the intricate legal, statutory, regulatory, and contractual requirements. Complying with these obligations is imperative for organizations to uphold their integrity and protect sensitive information from legal repercussions.

Control 5.36 in ISO 27001:2022 outlines how organizations should ensure seamless compliance with information security policies, thereby fortifying their defense against potential threats.

Regular audits and assessments are pivotal in identifying gaps and ensuring continuous adherence to regulatory standards. Organizations are encouraged to establish proactive measures to mitigate risks and maintain a proactive stance in the face of evolving regulations.

Incorporating ISO 27001 into an organization's fabric is not just about compliance; it's also a potent risk management strategy. ISO 27001 empowers organizations to fortify their defenses against potential regulatory pitfalls by systematically identifying, assessing, and addressing risks.


The Bottom Line


If our top security trends are correct, enterprises, employees, and security leaders must remain vigilant in 2024 to confront the growing complexity in the regulatory and cyber threat landscapes.

While there are no simple answers to protecting against next-generation threats, building a security-conscious company culture and implementing basic best practices, from zero-trust access controls to multi-factor authentication, can help reduce exposure in the future.




References

AI tools such as ChatGPT are generating a mammoth increase in malicious phishing emails (CNBC)

Cybersecurity Disclosure (SEC)

More articles by Tracy Hawkey