Security Think Tank: 2024 is the year we bridge the cyber divide

REGULATORS: Extending the reach of regulatory muscle and enforcement

1. Defending forward will see greater traction. Regulatory bodies will flex greater muscle in enforcing take-down operations of ransomware gangs, botnets, scam call centres and disinformation sites. Regulators will also consider enforcement with internet service providers to protect national internet fabrics, and to shield machines from being infected or controlled. Both AI harms and quantum risks will be in the cross-hairs as they are being watched closely to protect the public while gaining buy-in from big tech. AI regulations may change in reaction to the impact disinformation and deepfakes could potentially have on election outcomes.

2. Increased oversight over CIIs and reclassifying sectors. Mandated reporting of cyber incidents will be more prevalent across regulatory frameworks. Critical infrastructure information (CIIs) and supporting ecosystems, digital trust, cyber resilience and cybersecurity maturity will go under greater scrutiny. As more non-CIIs that CIIs depend upon are breached, a review of industry sectors not previously categorised as the CII sector will be considered. SBOM and HBOM oversight will be a key area of focus to manage supply chain risk.

3. Supporting SMEs with greater handholding and guidance plus financial aid. Cyber security authorities will elevate the amount of guidance and support to SMEs, providing free or subsidised resources including self-assessment toolkits. SMEs that perform well will be recognised in public ratings.

4. Greater regulatory clout on widely used infrastructure and services. Elevated focus on security-by-default and by-deployment (i.e. professional services) by vendors and service providers will be demanded beyond security-by-design. This will cover CSPs, OEMs and OSS. More regulations will require software vendors to declare their SBOM/HBOM, and licensing schemes for MSSPs will widen. Software/hardware may see greater categorisation to distinguish more secure products from the less secure ones.

ENTERPRISES: Board and CISO accountabilities and responsibilities will be reviewed

1. Board and CISO accountability/responsibility clarified. Increasingly, a focus on board accountability and on cyber security has been highlighted and elaborated through revised SEC rules. Boards, in turn will demand independent assurance and visibility of risk/security metrics as scrutiny on resilience and third-party risks rises with more publicized breaches. Increasingly, the CISO that is given cybersecurity accountability, beyond just responsibility, will demand greater empowerment to make cyber decisions.

2. CISO liability, insurance and unionization generates focus. The cases of Uber and SolarWinds have triggered the question of CISO liability. When the s*** hits the fan, the CISO’s due diligence is brought into question. CISOs will demand better remuneration and/or job security insurance. Furthermore, CISOs caught in structural conflict and security theatrics will have second thoughts about downplaying bad reporting. CISOs will also increasingly seek out peers to rely on their CISO networks as sources of strength, support, insights and intelligence.

3. Securing the enterprise better. CISOs will extend oversight not only into vendor environments but also development/test environments as hackers leverage weaker entry points of the enterprise. Strengthening resilience will increasingly be a core part of the entire enterprise security strategy.

3.1 Increased scrutiny and oversight into TVRA of environments supporting crown jewels will take place. This coverage extends to CSPs, OEMs, OSS as well as social media platforms. Cloud security enhancements previously planned will be implemented.

3.2 Management of third-party risk, tighter remediation timeline on KEVs, especially those flagged with ransomware indicators, adversarial simulation with red/purple teaming engagements and extension of TTXes to suppliers will see greater traction and oversight.

3.3 Greater enforcement of third-party requirements at tendering as well as ongoing monitoring stages will take place. As risk of supply chain breaches increases, there may be consideration to in-source back what’s already outsourced.

3.4 IAM will be strengthened, such as against MFA fatigue attacks. A zero-trust mindset will be more prevalent with more enterprises increasingly incorporating assumed breach as part of their approach. Passwordless authentication will see greater adoption.

3.5 The levelling up of cyber security maturity for OT beyond IT will also be more prevalent. As more cyber insurers use proprietary maturity assessments, there will be discussions on harmonisation and standardisation to allow reports to be ported among insurers and organisations.

3.6 CISOs will have to incorporate controls to counter adversarial AI tactics and foster synergies with data and AI governance teams. Controls to ensure quantum-resistant cryptography in the symmetric space to future-proof encrypted data and transmissions will also be put in place if they are not already.

3.7 Response to the ever-evolving threat landscape will entail greater adaptability and agility. Policies, standards, procedures, risk registers, OKRs, KRAs and KRIs will be updated more frequently. Staffing will also take a more agile approach.

TECHNOLOGY PROVIDERS: Securing emerging technology and emerging security technology

1. Leveraging AI for cyber security increases. Technology providers will increase their pace of integrating generative AI into their cyber security products and services, riding on already keen interest. AI will be leveraged in adversarial simulations as well as countermeasures against deepfakes, quishing/phishing attacks, etc.

2. Quantum resilient cryptography discussions get serious. Vendors will continue watching NIST candidates for PQC closely and as interest in QKD to secure communications grows, claiming first moves in setting infrastructure/application cryptography standards will be a key driver for vendors desiring a competitive advantage.

3. Exploration into possible synergies between AI and quantum. The integration of AI and quantum in the form of QML in MLOps will also be of interest as big security data requires advanced analytics to detect highly sophisticated attacks.

4. Watching the regulatory space closely. As regulators tighten their oversight over technology providers, vendors will increase efforts into undertaking more rigorous technology development process, through security-by-design pipeline, equipped with security-by-default settings and documented with security-by-deployment guidance for consumers. Technologies that defend against deepfakes and disinformation will be sought-after, especially prior to election campaign periods.

In summary, 2024 will be an interesting year to keep a close watch on all these initiatives and drivers, and hopefully our community of regulators, enterprises, technology providers and individuals can level the battlefield as the fight rages on between defenders and attackers in an ever-volatile and complex environment.

Steven Sim Kok Leong is a member of the Information Security Advisory Group at ISACA and chair of the OT-ISAC Executive Committee