As security threats grow more sophisticated, the talent shortage continues, burnout concerns persist, and new regulations proliferate, CISOs’ jobs only become harder. 2023 was an especially challenging year, with a brighter spotlight on the CISO role thanks to the charges against SolarWinds’ CISO and the sentencing of Uber’s ex-CSO. That’s on top of the SEC’s strengthened cybersecurity breach disclosure requirements.
Generative AI also went mainstream, creating even more headaches for CISOs. While the promise of the technology is undeniable, it can add new security risks if it’s not adequately vetted before onboarding. The pressure is on, and it’s getting more intense.
As we move into 2024, CISOs must prepare themselves.
AI and Emerging Technologies Introduce New Threats
With the emergence of any new technology, security leaders should expect to see threat actors taking advantage of it—and AI is no exception. We’ve already observed the emergence of new AI-powered tactics and techniques, and AI opens up a whole new attack vector for opportunistic cybercriminals.
Ransomware gangs, for example, quickly jumped onto the AI train, leading to faster and more sophisticated attacks. And external threat actors aren’t the only thing CISOs need to worry about. As AI adoption continues, data loss prevention and the maintenance of data integrity will become even bigger challenges they’ll need to prepare for and address.
“CISOs will need to create an AI action plan.”
If they haven’t done so already, CISOs will need to create an AI action plan. This should include rules for acceptable AI use and updated data loss prevention (DLP) processes and policies. Updated DLP policies should account for instances where an employee could upload sensitive or proprietary data to an AI tool.
New Regulations Require a New Approach to the Job
If the threat of AI-powered cybercriminals wasn’t stressful enough, the regulatory landscape also continues to keep CISOs on their toes. The SEC’s strengthened cybersecurity breach disclosure regulations weren’t the only new rules introduced in 2023.
The Federal Trade Commission and the New York State Department of Financial Services, among other agencies, are quickly following suit with similar policies. As we saw with the conviction of Uber’s former security head and the charges filed against SolarWinds, security executives’ feet will be held to the fire for these incidents. It’s time to prepare for that.
CISOs must grow beyond solely possessing technical prowess and hone their broader enterprise risk management skills as part of that preparation.
Doing this will be critical to their continued success and will enable them to understand how the laws in the jurisdictions where they operate will impact their roadmaps, risk profile, and ultimately tie back to their company’s goals and objectives.
Getting Back to The Basics Will Be Essential In 2024
With all these changes, getting back to security posture basics will be a major priority. No company has the basics 100% locked in because the landscape continues to change and assets continue to grow. The CIS Security Controls are an excellent place to start. Focus on these five essentials:
- Inventory: Having an as-complete-as-possible inventory of your assets and devices is one of the most essential components of a sound security strategy because, as the saying goes, you can't protect what you can't see. The scope of enterprise assets is always growing, making this harder – but also even more important.
- Continuous vulnerability management: Companies should prioritize which vulnerabilities they remediate based on which would be most impactful to the enterprise or likely to be exploited first due to ease of use.
- Access management: Create a centralized system to manage access privileges and credentials for all who need them. The system should be consistent in its assigning of roles and privileges for each user. It’s also a good idea to create a system for provisioning and de-provisioning access.
- Data recovery: Establish data recovery practices that can restore your digital assets to a pre-incident state. Enterprises need many types of data to make business decisions. When that data is not available or is untrusted, it could negatively impact the enterprise.
- Application security: Establish a process for managing the security of all applications, no matter their origin. This will arm your security team with the procedures and tools necessary to prevent, find and fix chinks in the armor so that they don’t affect your organization.
Remember What’s Important
Between emerging technology and new regulations, it’s clear that CISOs have a lot on their plates. As 2024 rapidly approaches, CISOs need to stay the course and focus on the foundational security strategies and tactics that have always mattered most. When the basics are in place, it makes tackling the new and unknown a lot less daunting.