Cybersecurity risks increase every year and bludgeon victims who fail to prepare properly. It can feel like crossing a major highway while blindfolded. Many never see the catastrophe about to happen until it occurs. Cybersecurity predictions offer a glimpse at the dangerous oncoming traffic and help leaders develop strategies to navigate their journey safely. If we blindly step off the curb, it will eventually end poorly when the luck runs out. For those interested in a better understanding of the oncoming risks, this is the information you are looking for.
Some dangers are familiar and persistent. We know the pool of threats and attackers will increase, more hacks will occur, credentials will be haphazardly mismanaged, disinformation will run rampant, new buzzwords and acronyms will be born, troves of data will be harvested, the battle to keep technology patched will continue to be problematic, ransomware and cybercrime will continue to thrive, and the headlines will be regularly filled with sad stories of digital victimization. This is the normal cadence the industry expects, and although it is difficult to keep pace, the cybersecurity world is able to tread these waters.
Beyond the expected, we must also keep watch for the unpleasant surprises that can severely disrupt the security, trust, and capabilities of our digital world. Often a combination of disruptive technologies, lagging risk behavior trends, shifts in threat actor capabilities or focus, greater expectations for cybersecurity, and new regulatory structures emerge to wreak havoc. This year is no different but the details continue to be important.
Those in cybersecurity who fail to look ahead will be crushed by what they don’t see coming. Cybersecurity predictions provide leadership insights into what preparations and adaptations should be considered before a crisis occurs. So, let’s explore what 2024 and beyond have in store for all of us in the digital world.
Cybersecurity is a notoriously unpredictable and chaotic industry where attackers set the tempo for innovation and investment, and defenders are left to respond. This leads to sub-optimal situations where cybersecurity professionals largely react to the exploitations of malicious actors. Ironically, investing in preventative measures is the most efficient stratagem, but understanding which measures will be the most effective depends on accurately forecasting how the risks will manifest in the future.
This demand leads to the development of cybersecurity predictions, which must take into account the underlying drivers of the attackers, the defenders, and the technology where the battles will play out. There is a method to the madness of trying to forecast such a complex and muddled industry. I have followed a process over the years to identify significant trends that will unfold and contrast them with industry concerns that I believe will not come to fruition. The goal is simple — to help organizations make better strategic decisions about cybersecurity organization, investment, and resource allocation, maximize the value of those decisions, and manage to the most optimal level of security risk.
For this year’s predictions, a common theme emerged around significant investment and capabilities of a specific threat archetype, the aggressive nation-states, that represents a catalyst that profoundly influences what attackers can accomplish and the resulting impacts on the overall digital ecosystem. Aggressive nations have a ripple effect on the entire cybersecurity industry.
I first explored and predicted the impacts several years ago and called out multiple shifts for the 2023 predictions. This year my predictions extrapolate to the next evolution of these activities and the wake they leave behind. I have concluded the increasing involvement of offensive nation-states directly supports most of the 2024 cybersecurity predictions. We are in the midst of a quiet leap forward for attackers that represents a significant challenge for cybersecurity professionals to manage the elevated levels of digital risk.
Nation-state investment, innovation, and willingness to conduct complex attacks are the catalyst that underpins the advancement of malicious capabilities and empowers all levels of activity across the spectrum of cyber threat archetypes.
This is the natural progression of the 2023 predictions where the massive investments in tools, techniques, acquisition of vulnerabilities, and rapid development of exploits have positioned aggressive nations like Russia, China, North Korea, and Iran at the pinnacle of threats and a catalyst for other attackers.
Multi-year investments have matured to a point where attacks are well-resourced, planned, and exploited in ways that align with the varying objectives of the host nations. The infrastructure and talent behind attacks are stable and organized, allowing for multiple simultaneous campaigns and increased proficiency in the speed of exploitation. Parent organizations continue to provide covert shelter to operate, technical infrastructures to develop and test, extradition safety, and intelligence support. Such advancement of professional capabilities will allow these attackers a greater advantage over their defending counterparts in 2024, with their adaptation proficiency becoming the most troublesome attribute for the cybersecurity industry to deal with.
The trickle-down effects of nation-state research, investment in vulnerability acquisition, and development of complex code continue to be at play, bestowing significant benefits to the broader community of malicious actors. For example, as nations pay millions of dollars for zero-day vulnerability exploits and use them for attacks against targets, the code and methods are revealed for other threat actors who dissect and use these components for their attacks. Organized cybercriminals are quick to take advantage and implement new tools in their attack strategies. Such expensive vulnerabilities, exploits, and methods would normally be well beyond the reach of these lesser threats but are enabled by the vast resources cascading down from nation-state actors.
The primary target and focus for nation-states will continue to be their adversaries’ Critical Infrastructure sectors, such as healthcare, government, communications, transportation, defense industrial base, media, utilities, finance, and cargo logistics.
In 2024:
1. We shall see 20%-30% more severe vulnerabilities discovered, leading to emergency patches by major software, service, and Operating System (OS) vendors. There will be a corresponding increase in exploitations of severe vulnerabilities, leading to greater impacts. Direct targets of the nation-state attackers will experience the most pain, but downstream victims will also be caught up in the process.
2. Time to exploit, from the point of vulnerability discovery to seeing attacks occur, will shorten to levels dangerously close to how fast vendors can respond, creating a window of opportunity for widespread exploitation.
3. The complexity of code, including chained exploits, will again increase in sophistication. This will be problematic for all but the most capable digital forensics teams. The inability to determine root causes and track down the breadth of affected systems leads to longer victim recovery times and exacerbates the overall impacts.
With aggressive nation-states heavily targeting Critical Infrastructure organizations, there will be significantly increased impacts and near-misses in these sectors.
Governments will attempt to assist the security practices and begin to institute more rigid cybersecurity requirements for these sectors.
Cybercriminals and terrorists will also target the Critical Infrastructure sectors as they align with these attackers’ core motivations of financial gains and political influence respectively.
With increasing pressure from the past few years, many critical infrastructure organizations have upleveled their cybersecurity, making the overall sector moderately more secure. But there are many outliers and attackers will pursue easy targets as the most desirable victims.
Smaller companies have less to invest and will be behind larger organizations that have resources to better defend themselves. They will suffer disproportionately. Additionally, there are larger organizations that choose to do the minimum required and will realize they are highly susceptible to attack.
In 2024:
1. Cybercriminals, terrorists, and nation-states will be the primary attackers for Critical Infrastructure sectors, with several major attacks perpetrated by nation-states.
2. Expect to see many small Critical Infrastructure organizations compromised and a few large companies that have severely underinvested in security leadership and capabilities.
3. Critical Infrastructure attacks will become more apparent and impactful to the public.
Advanced attackers are developing tools and tactics to intensify supply chain compromises, fueling many new attacks in 2024 that impact disproportionate numbers of downstream consumers.
Supply Chain attacks, where a vendor is compromised so the attacker can gain passthrough access to its customers’ computing assets or impact organizational operations downstream, are still relatively rare. Such attacks are often complex and typically take a high degree of skill. However, they represent powerful and far-reaching opportunities for those threat actors that can successfully pull them off.
Software, cloud-based services, and to a lesser extent hardware appliances will be the most sought-after targets. The goal will be to exploit the trust and access of suppliers and to compromise the intended targets, their customers.
These attacks fit perfectly with the skillset and resources of aggressive nation-state threat actors, as they pursue Critical Infrastructure targets, high-value intellectual property, and intelligence. Once inside, they will work to remain undetected for as long as possible and resist being evicted while accomplishing their goals.
In 2024:
1. Nation-state attacks on supply chains will double in 2024.
2. Supply Chain attacks will be leveraged to target Critical Infrastructure targets.
3. Recovery from supply chain attacks will cost 3x-5x more compared with data breaches.
The intense demand for vulnerabilities and exploits has reached newfound heights, driving more research and tool development, leading to a spike in discoveries and shortened windows for vendors to patch.
The commercial and black-market prices can be in the millions of dollars for a single vulnerability and accompanying exploit with the most valuable being zero-days for popular operating systems and cloud environments. Research efforts will also scale across applications, operating systems, firmware, and hardware. We may see a small but growing number of highly specific Operational Technology (OT) system vulnerabilities abused by attackers.
In 2024:
1. Serious zero-day vulnerabilities will emerge at a faster rate, which adds multiplicative levels of complexity and challenges for victims, with follow-on exploitations appearing much sooner.
2. Open Source will be a favorite target for moderate to highly sophisticated vulnerability exploitation efforts.
3. Nation-states will be the biggest buyers, willing to pay tens of millions of dollars for exploits of technology that is widely adopted. Supply chain types of attacks will be coveted the most.
4. Use of new technologies, like AI, will be employed to discover vulnerabilities, chain exploits, and refine attacks to be faster, more impactful, and increasingly difficult to evict.
The Generative Artificial Intelligence arms race has begun, as innovation and adoption swell to record-breaking levels, becoming a threat to digital security, privacy, and safety while also providing tremendously helpful capabilities to cybersecurity defenders.
Unlike its famous yet-to-be-created cousin General AI, Generative AI (GenAI) will not become sentient nor try to take over the planet, but it will be infused into every digital service and technology to make them better, cheaper, and faster to bring to market. GenAI tools can do remarkable things, from creating realistic images, personas, media, and original writings to identifying key elements in data or content. The popular Large Language Models, like ChatGPT, are phenomenal: they analyze or synthesize information to answer questions in easily understandable ways or generate content to inform and advise. Such powerful capabilities that make things better and easier to use are one of the reasons they have skyrocketed in popularity with consumers and businesses.
The swell of consumer interest has fueled massive investments, which in turn have produced insane levels of innovation and adoption. Tools and code are often open-source and freely available to anyone. The race of rapid integration for such code, tools, and services has left little time to focus on security evaluation, remediation, or assurance. The result is that these systems are riddled with undiscovered vulnerabilities that represent a new and serious risk vector for all who embrace GenAI.
Like all powerful technology tools, AI represents a double-edged sword, enhancing the scalability and capabilities of attackers while simultaneously empowering the same for defenders. The timing and details vary, but it becomes an arms race to see which side can better utilize the untapped power of GenAI.
In 2024:
1. Attackers will leverage AI for more scalable and effective social engineering attacks, disinformation campaigns, vulnerability discovery, and exploit amplification. AI increases the attacker’s agility and depth, therefore significantly reducing the time for defenders to respond. AI becomes a force multiplier for victimization and losses.
2. For defenders, we will see the adoption of AI technologies, specifically Defensive Generative Adversarial Networks and Generative AI to identify vulnerabilities, defend systems, and miraculously translate vast quantities of security telemetry data into understandable information. The inability to interdict misinformation with GenAI will be an obvious missed opportunity for defenders.
3. Overall, expect more accidental privacy exposures, higher quality and creative social engineering campaigns, better threat indication logic, no significant response by defenders to mute misinformation capabilities, and increased speed of vulnerability detection for both exploitation and remediation.
Recent introductions, updates, and enforcement to cyber regulations are forcing uncomfortable changes for security and compliance teams.
Many new security and privacy regulations are taking effect across various sectors and technologies that may require significant adaptation for organizations to be compliant. New regulations for the development and adoption of Artificial Intelligence will limit some exposures by slowing down the overall adoption process and allowing more understanding of the potential security risks. While this reduces the risk of inadvertently introducing vulnerable AI systems, it also delays the potential security benefits of innovative AI security tools.
New supply chain rules for government customers will increase the costs of compliance, but they bring the benefit of greater confidence that suppliers are trustworthy in their operations and in the development of their products.
Perhaps the most controversial regulations are from the US Securities and Exchange Commission (SEC), which requires public companies to report any material cybersecurity incidents to their shareholders within 4 days. This regulation protects longstanding investor rights to be informed in a timely manner of risks to their investments by mandating a level of transparency to the public. The highly controversial regulation took effect at the end of 2023, and publicly owned businesses in 2024 are now held accountable for compliance. This is of significant concern to many public companies that prefer to conceal, delay public announcements, or spin a creative narrative to minimize shareholder perceptions and negative sentiment about cybersecurity attacks.
Enforcement of regulations is also causing serious tension. GDPR and other privacy cases continue to sting major internet properties, with the penalties for not safeguarding the confidentiality of sensitive personal information trending ever higher.
SEC enforcement is making a substantial impression on the cybersecurity community. The case against the Uber Chief Information Security Officer (CISO) concluded with a conviction last year, and the case against the CISO of SolarWinds, announced in 2023, is ongoing. Specifically holding CISOs accountable for fraudulent reporting is new and one of the most heated topics going into 2024.
In 2024:
1. The regulatory landscape becomes more confusing as various regulations appear to overlap, seem unclear, and generate fear from misinformation. In the short term, unfounded fears of regulatory enforcement will grow among cybersecurity leaders and executives, as non-compliance will not only expose the organization to regulatory prosecution but also serve as a foundation for customer litigation.
2. Regulations will drive more cohesion between cybersecurity, privacy, legal, AI, executives, and the board, resulting in enhanced overall digital trust by consumers, partners, and investors.
3. Budgets may get a small reprieve to improve processes for compliance, but cybersecurity teams will not see major investments due to new regulations.
Greater transparency of cybersecurity failures will highlight weak leadership, insufficient investments, and poor organizational stewardship but drive better practices.
Competition fosters a focus on results. Organizations that are not serious about security will no longer be able to conceal their lack of commitment. As incidents become more public, the need to establish more robust cybersecurity capabilities becomes a priority to compete with businesses that successfully avoid such embarrassing breaches of trust.
Transparency for material attacks, mandated by the SEC for public companies, will begin to trickle down to private companies as well, as trust is a competitive advantage in the marketplace. It will start slowly, but funding and venture capital groups will drive better security oversight to protect their financial investments.
Overall better visibility contributes to more insightful metrics used to understand the scale of attacks, failures in security, overall impacts, and emerging best practices. Eventually, risk management, resource allocation optimization, and insurance modeling will benefit as a result.
In 2024:
1. A spike in reported breaches and compromises will be seen in 2024, not due to more attacks, but rather because of the greater transparency mandated by new SEC regulations.
2. The SEC 4-day rule of notification for material cybersecurity events will force transparency for investment and leadership, driving more executive and board-level focus on cybersecurity deliverables to avoid or minimize losses.
3. News coverage of cybersecurity incidents will be timelier and provide a detailed analysis of winners and losers.
4. This greater visibility of true impacts will help improve the efficacy of cybersecurity metrics and insurance risk calculations over the next few years.
5. More enforcement of privacy and SEC notification requirements, with CISOs at risk of being prosecuted, will create newfound pressure that will shift how CISOs conduct and interject themselves in risk reporting and marketing messages.
Everyone’s expectations for cybersecurity have significantly elevated to new levels, raising the bar of success and lowering the tolerance for failure, wreaking havoc on minimalist cybersecurity strategies.
Security, privacy, and safety, the hallmarks of cybersecurity, matter more to everyone. Customers are savvier about breaches, theft, unavailability, and downstream impacts on their systems. Cybersecurity is now a growing purchase and loyalty criterion. Suppliers, vendors, and other third parties are held to higher standards as their customers realize they assume some of the risks of vulnerable partners. Executives are more aware than ever that a cybersecurity incident can undercut profitability and place long-term barriers to organizational success. Boards are quickly maneuvering to enhance their cybersecurity insights as it becomes material to their shareholder duties. Auditors and regulators are also responding, being more particular and vigilant in their assessments. Across the spectrum, concern for cybersecurity is manifesting in greater expectations that organizations are acting in responsible, ethical, and trustworthy ways.
CISOs will be expected to explain better and deliver more, with essentially the same level of resources. The biggest challenge for security leaders will be to understand and manage to these expectations within the constraints of budget, authority, and the company’s tolerance for the friction that security adds.
In 2024:
1. We can expect more harsh criticism when cybersecurity attacks occur. With everyone perceiving a stake in the game, there will be lots of vocalizations and backlash. Companies will want to avoid serious brand impacts and may be quick to blame CISOs.
2. An interesting self-feeding cycle will emerge where unsatisfied expectations of consumers and investors will drive legislators and oversight bodies to institute more regulations. More regulations are perceived to address the risks, thereby driving even higher expectations in consumers.
3. Understanding the market pressures, boards will fully embrace the integration of cybersecurity expertise to help them navigate the business.
4. The cyber insurance industry also acts on its elevated expectations and will demand more security oversight, controls, and capabilities as part of its policies, with severe increases in premiums or abandonment for non-compliance.
5. Standard clauses for cybersecurity will be added to vendor agreement contracts.
6. Marketing teams will fully commit to leveraging security, privacy, and safety as purchase criteria for a competitive advantage in their campaigns.
The combination of greater expectations, more regulations, increased capabilities of threats, and more vulnerabilities to address, culminates in a situation where the required additional cybersecurity resources are far beyond what will be available.
Cybersecurity is generally seen as an overhead cost, which should be optimized to reduce expenditures. In contrast, recent reports indicate that CISOs will on average ask for an additional 20% increase in their annual budgets. Few will get anywhere close to that amount and some may see a decrease, requiring cuts to be made to their programs.
The disparity between what cybersecurity departments believe is needed and what will be provided will seriously widen, creating stressful dilemmas for CISOs to decide what will be funded. The CISOs understand the results will be unfavorable, but unclear to what extent until the bad things occur.
In addition, the demand from traditionally resource-constrained Small and Medium Businesses (SMBs) will be on the rise. SMBs are realizing that it is more important than ever to benefit from cybersecurity leadership and insights to avoid catastrophic blunders. It is no longer optional as cyber represents a material risk to competitiveness and survivability. Without significant budgets to hire, they will look for alternate ways to obtain and benefit from professional cybersecurity insights.
In 2024:
1. CISOs are asked to clearly justify, in measurable dollars/sense or business value, the cost and friction introduced by cybersecurity. Selling Fear, Uncertainty, and Doubt (FUD) won’t be enough.
2. Some thought-leading CISOs will begin looking at different ways to deliver and showcase value to justify the security budget, investment, and executive support.
3. Acquiring and retaining cybersecurity talent will be even more difficult, especially at the leadership levels, giving rise to the virtual (vCISO), fractional (fCISO), and CISO-as-a-Service practices. These part-time and advisory CISO models will gain more traction as a resource utilization optimization opportunity, especially for Small and Medium Businesses (SMBs).
A perfect storm of constrained resources, more accountability, and greater responsibilities will push cybersecurity organizations to the brink, forcing CISOs to either adapt or fail.
Regulators, boards, and C-suite executives will look to their CISO to play a greater role in protecting the company from lawsuits and prosecutions. This will force CISOs into unfamiliar territory while they are still trying to manage the growing risk of loss due to cyber events.
CISOs will be drawn into more discussions and accountability regarding contracts, audits, legal issues, and regulatory filings. CISOs will be expected to communicate directly with the board, and actively engage with the C-suite, partners, suppliers, vendors, investors, regulators, auditors, and customers.
This will take a different skill set than traditionally seen in CISOs. Some organizations that can afford to hire a Chief Trust Officer will split off these new duties, but for most, they will fall on the shoulders of the CISO.
Training and certifications will expand for both security and board leadership to assist all parties in understanding the new regulatory and liability requirements.
This situation will increase the already high levels of stress experienced by CISOs, forcing many of them to rethink their approach to justifying budget and for some, their career path.
Maintaining an optimal level of security risk, given the aggregation of issues above, will push many security organizations to a breaking point. The risk of degradation and inability to satisfy the new expectations will become apparent as incidents occur and transparency requirements draw in public scrutiny.
The best CISOs have been preparing for this eventuality and already have plans in motion that showcase clear operating goals, robust strategy, and plans with supporting metrics that are relevant. These elite CISOs will shift their value story, expanding from protection and compliance to also include elements of competitive advantage to support the overall corporate goals. They will be well-positioned to adapt.
Many of their counterparts will not.
In 2024:
1. We will witness a spike in the number of CISOs that are fired, retire, or vacate their positions in search of less stressful environments. This will add to the talent gap problems in the industry.
2. The gap between available CISOs and the market demand grows even larger, with compensation also increasing.
3. New training and certifications will emerge for CISOs and boards to inform and formalize new standards of risk management oversight.
4. In the first half of 2024, CISOs will be more vocal regarding the concerns of new regulations and their impact on resources. It will be a particular pain point we will see discussed across the community. By the back half of the year, most of the fear will have dissipated as it will be seen as an accepted operating structure.
2024 will be a tough year for CISOs. A rise in expectations, regulations, attacker capabilities, and growing difficulty in obtaining the necessary resources to keep pace will push many leaders to the brink. Sadly, the challenges will only get tougher in subsequent years.
Although my concerns for digital risk run deep by nature, there are many things that I am not worried about in 2024. Contrary to many of my industry counterparts, there are aspects of cybersecurity that I believe we should not fear.
So, what disasters won’t happen in cybersecurity in 2024?
Matthew Rosenquist — CISO, Cybersecurity Strategist, & Industry Advisor — Cybersecurity Insights.