{"id":1252,"date":"2024-12-16T06:00:00","date_gmt":"2024-12-16T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1252"},"modified":"2024-12-16T06:00:00","modified_gmt":"2024-12-16T06:00:00","slug":"security-leaders-top-10-takeaways-for-2024","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1252","title":{"rendered":"Security leaders top 10 takeaways for 2024"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>This year has been challenging for CISOs, with a growing burden of responsibility, the push to make cybersecurity a <a href=\"https:\/\/www.csoonline.com\/article\/3587231\/the-10-biggest-issues-cisos-and-cyber-teams-face-today.html\">business enabler<\/a>, the threat of <a href=\"https:\/\/www.csoonline.com\/article\/2505459\/how-cisos-can-protect-their-personal-liability.html\">legal liability<\/a> for security incidents, and an expanding <a href=\"https:\/\/www.csoonline.com\/article\/2123595\/kroll-cyber-threat-landscape-report-ai-assists-attackers.html\">attack landscape<\/a>.<\/p>\n<p>As the year comes to a close, CISOs reflect on some of the takeaways that have shaped the security landscape in 2024.<\/p>\n<h2 class=\"wp-block-heading\">Rushing to adopt AI coding assistants created new vulnerabilities<\/h2>\n<p>AI has shaken up cybersecurity, driving the development of new tools while also putting this powerful technology in the hands of hackers and cybercriminals, says Jake Williams, faculty at IANS Research and VP of R&amp;D at Hunter Strategy.<\/p>\n<p>However, for organizations that rushed to adopt AI, this largely untested technology brings its own risks and created new vulnerabilities instead of solutions.<\/p>\n<p>Williams has worked with several organizations that jumped into using AI coding assistants and found 
they were shipping code faster in their pilot groups. \u201cIn most cases, they deployed these tools more widely, and usually without additional developer training, and are finding higher defect rates in code since moving to AI coding assistants.\u201d<\/p>\n<p>Most teams will take longer to resolve issues in AI-generated code. However, some organizations are finding that using AI coding assistants only for specific tasks, such as remediating vulnerabilities discovered with SAST, doesn\u2019t increase the defect rate, Williams tells CSO.<\/p>\n<p>Instead of asking whether AI coding assistants are bad, the question should be around the appropriate use cases.<\/p>\n<p>AI-generated code is a narrow, highly structured, easily measured use case \u2014 a task where it excels. Given the issues in this application, Williams suggests it indicates there are likely to be other problems with AI implementations that aren\u2019t so obvious. \u201cThat we aren\u2019t seeing overwhelming success here indicates there are likely hidden failures elsewhere in our AI adoptions that are simply harder to measure,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">SEC rule changes: Best to err on the side of transparency<\/h2>\n<p>The US Securities and Exchange Commission (SEC) 2023 rules around risk management, strategy, governance, and incident disclosure added more regulations and significant <a href=\"https:\/\/www.csoonline.com\/article\/3609804\/what-cisos-need-to-know-about-the-secs-breach-disclosure-rules.html\">reporting requirements<\/a> for security leaders of public companies.<\/p>\n<p>The impact has been felt this year, as corporate disclosure burdens have increased significantly, according to Kayne McGladrey, field CISO with hyperproof, who tracks the impact of regulatory changes.<\/p>\n<p>One of the most significant new rules, which has received the lion\u2019s share of press attention, is the \u2018materiality\u2019 component, or the need to report \u201cmaterial\u201d 
cybersecurity incidents to the SEC within four business days.<\/p>\n<p>At issue is whether the incident led to significant risk to the organization and its shareholders. If so, it\u2019s defined as material and must be reported within four days of this determination being made (not its initial discovery).<\/p>\n<p>\u201cMateriality extends beyond quantitative losses, such as direct financial impacts, to include qualitative aspects, like reputational damage and operational disruptions,\u201d he says.<\/p>\n<p>McGladrey says the SEC\u2019s materiality guidance underscores the importance of investor protection in relation to cybersecurity events and, if in doubt, the safest path is reporting. \u201cIf a disclosure is uncertain, erring on the side of transparency safeguards shareholders,\u201d he tells CSO.<\/p>\n<h2 class=\"wp-block-heading\">Smaller businesses are upping their security game<\/h2>\n<p>Leaders at smaller organizations are no longer paying lip service to cybersecurity and compliance; they\u2019re making smaller investments in security and compliance strategy earlier to ensure their companies are resilient as they grow, according to Carlota Sage, founder and community CISO at Pocket CISO.<\/p>\n<p>Through her virtual (fractional) CISO service, Sage has observed startups engaging vCISO services earlier, at the pre-seed and Series A stage and, in some cases, before they\u2019ve finalized their minimum viable product.<\/p>\n<p>\u201cSmall technology consulting and boutique software development groups are looking for ISO 27001 certifications to ensure they can continue serving their larger customers,\u201d she tells CSO.<\/p>\n<p>In addition, leaders of mid-sized (300-500 employees) companies are looking for confirmation outside of an audit that their security and compliance programs are following best practices and in good shape.<\/p>\n<h2 class=\"wp-block-heading\">Organizations are focusing on transparency and open communication with 
customers<\/h2>\n<p>This year has seen the emergence of trust programs at major cloud service providers and Fortune 100 companies, according to George Gerchow, faculty at IANS Research and interim CISO\/head of trust at MongoDB.<\/p>\n<p>Major outages from companies like Snowflake and CrowdStrike, and multiple incidents involving Okta have eroded trust in cloud service providers, Gerchow says. \u201cTraditional security questionnaires and shared responsibility models aren\u2019t cutting it anymore, and we\u2019ve known that for a while,\u201d he says.<\/p>\n<p>The lack of transparency surrounding major outages and incidents has created a lot of anxiety and, as a result, cloud adoption has slowed down. \u201cYet, the reality is that the tools people need are increasingly cloud-based,\u201d he tells CSO.<\/p>\n<p>In response, some organizations are focusing on building the Office of Trust, dedicated to transparency and open communication with customers. \u201cThese efforts are about getting ahead of the trust crisis, with VPs of security actively discussing emerging threats and how to build confidence. Everyone is seeking that transparency,\u201d he says.<\/p>\n<p>Gerchow believes these offices will function as a direct line for companies to better protect themselves and their customers in the event of an incident. \u201cAs investment in AI continues to grow, trust and collaboration between teams will be more crucial than ever. 
The only way forward is to establish a foundation of trust,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Third-party security scrutiny improved, but needs more work<\/h2>\n<p>\u201cFinally, and thankfully, progress has been made in recognizing that our existing process of requiring vendors to complete pages and pages of questionnaires to get \u2018verified for business\u2019 by customers is broken,\u201d says Olivia Rose, CISO and founder at Rose CISO Group.<\/p>\n<p>On the vendor side, these questionnaires are time-consuming and place a heavy burden on team resources, according to Rose. \u201cOn the customer-side, we expect CISOs, one of the most paranoid groups on the planet, to hand over access to their sensitive data and environments based on a few hundred answers provided by the vendor, along with a SOC2 report,\u201d she says.<\/p>\n<p>Despite these processes, third- and fourth-party breaches have not declined in frequency, further supporting the notion that the whole process is broken, Rose says.<\/p>\n<p>AI has improved how teams provide responses to these questionnaires, allowing them to do so more quickly, accurately and painlessly. Even so, there\u2019s still scope for improvement and the potential to save a considerable amount of the time and resources spent on this function.<\/p>\n<p>\u201cI\u2019m crossing my fingers and remain hopeful that in 2025, a startup will emerge with a more powerful and concrete way for customers to evaluate and verify that their connecting vendors have the expected level of security,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\">More incident response staff to handle the increase in phishing attacks<\/h2>\n<p>Phishing methods have continued improving throughout 2024, creating a growing burden on detection teams. 
\u201cI\u2019ve seen a trend in phishing attacks where cybercriminals no longer send a single phishing email to thousands of our users,\u201d says Tammy Loper, VP, information technology and security at the University of Tampa.<\/p>\n<p>Instead, cybercriminals are customizing each of the thousands of phishing emails sent at once, making it difficult or next to impossible for incident responders to shut down the attack nearly as quickly, says Loper.<\/p>\n<p>When a phishing email evades the email security controls, is detected only after delivery, and a user has interacted with it, this subtle change means incident handlers can no longer quickly purge it from every inbox that received the identical message. \u201cThey now have to look for similarly constructed phishing emails with tiny differences that render each one a different and unique threat to our end users and purge each one separately,\u201d she says. \u201cCybercriminals always improve at evading detection and creating new challenges for information security teams.\u201d<\/p>\n<p>This has led to the need to increase incident response staff to handle an exponentially larger number of unique security alerts or threats.<\/p>\n<h2 class=\"wp-block-heading\">AI revealed unforeseen security threats<\/h2>\n<p>This year showed that potential security issues related to AI can be hard to predict, and it\u2019s always easier to connect the dots after the fact.<\/p>\n<p>Vandy Hamidi, CISO at BPM, says AI has already had a significant impact in many forms, but IT and infosec teams need to stay on top of security threats and manage them as soon as they emerge.<\/p>\n<p>\u201cThere are predictions galore for the future of humanity post-AI, but the real outcomes won\u2019t be evident until they\u2019re at our front door,\u201d he tells CSO.<\/p>\n<p>Security professionals should guide and educate colleagues, while also educating themselves about this new class 
of risks as soon as possible. It will also demand agility to optimize the impact of the technology while being ready to adapt as security risk changes.<\/p>\n<h2 class=\"wp-block-heading\">CISOs are aware deepfakes are a new class of risk<\/h2>\n<p>Easy access to deepfakes, even authorized deepfakes, which companies may utilize to rapidly produce video content or create an interactive bot, is a new class of threat, says Hamidi.<\/p>\n<p>\u201cWhat happens if a realistic bot can be used to emulate a real person in real-time?\u201d<\/p>\n<p>Deepfakes create compliance and data privacy issues around who owns the likeness, and security concerns if a trusted individual\u2019s likeness or voice is used to perpetrate a fraud, he says.<\/p>\n<p>Mandy Andress, CISO at Elastic, says deepfakes will become more commonplace, spurred on by improvements in generative AI.<\/p>\n<p>This year has shown that security teams must play an instrumental role in countering deepfake attacks by helping organizations better understand the risks and educating employees. 
\u201cUsing AI and machine learning can help supercharge efforts, helping teams make decisions and counter attacks by leveraging massive amounts of data,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\">Third-party threats have become more complex and diffuse<\/h2>\n<p>Growing third-party dependency continues to incentivize breaches that compromise user communities, and at the same time those breaches have become more complex across different environments, according to Bethany De Lude, CISO at The Carlyle Group.<\/p>\n<p>\u201cAs companies have adopted multi-cloud and SaaS-based business models, new challenges have emerged in managing risk across an information landscape defined by identity \u2014 and not a traditionally controlled edge,\u201d she says.<\/p>\n<p>In response, De Lude believes that new, pragmatic approaches to data and vendor management will emerge that take into account the changing boundaries and the way security increasingly centers on who has access to data and systems, rather than where those systems are located.<\/p>\n<p>\u201cThey\u2019ll need to address the way modern businesses operate across a complex, interconnected and distributed environment,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\">AI and automation reshaped vulnerability management<\/h2>\n<p>This year showed how new tools that leverage AI for automated QA and regression testing at scale are reducing the burden on teams and accelerating safe, effective remediation processes, according to Rick Doten, VP, information security and CISO at Carolina Complete Health.<\/p>\n<p>\u201cThese remediation workflow tools support prioritization, normalization, and de-duplicating of findings to route them to the appropriate team, and even create tickets to assign to specific people,\u201d he says.<\/p>\n<p>Although this can already be done with security orchestration, automation, and response (SOAR) tools, it requires people to create automation scripts and the process and workflow to 
support the automation.<\/p>\n<p>AI-backed tools address resource limitations and the challenge of responsibility to fix the findings across many teams that might have different remediation workflows and ticketing systems. \u201cWith the dynamic nature of cloud environments, it\u2019s [AI tools are] important because we have tens of thousands of findings to be remediated in workloads,\u201d Doten says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>This year has been challenging for CISOs, with a growing burden of responsibility, the push to make cybersecurity a business enabler, the threat of legal liability for security incidents, and an expanding attack landscape. As the year comes to a close, CISOs reflect on some of the takeaways that have shaped the security landscape in [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1235,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1252","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1252"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1252"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1252\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1235"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1252"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1252"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1252"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}