Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: 2024 Cybersecurity Trends
Quick Take
On this episode of Compliance Unfiltered, the CU guys chat at length regarding the coming trends of the 2024 security and compliance landscape.
Curious what Artificial Intelligence has in store for the compliance community in 2024? Wondering what’s new in the phishing arena? How about news on the authentication front?
Answers to all these topics and more on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
Read Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Luigi to your compliance, Mario. Mr. Adam Goslin, how the heck are you, sir? I am doing good, Todd. How about yourself? I cannot complain at all. Today, sir, as we approach the end of 2023, you and I are going to take some time to talk about the future, more specifically the upcoming trends in cybersecurity for 2024.
Kick us off with the first of the trends that you see coming next year. Well, the biggest of them is going to be the cybersecurity skills gap. The bottom line is, there aren’t enough cybersecurity people to meet the increasing demands in the industry. That skills gap is only going to go up as threats increase, as more and more companies, blessedly, realize that they need to take their cybersecurity more seriously. You know, we’re going to see a tightening of the kind of cybersecurity and compliance market all the way through 2024 and probably for years to come. Similarly, as the demand for cybersecurity goes up, so will the demands for IT. IT personnel, certainly one of the pools that people are going to get pulled from are those that are already in IT that already have a notion of how to operate day by day, getting basically force promoted, if you will, into that position. So that will continue to see a trend in. The reality is that the need for security and cyber security folks, compliance folks, etc. is certainly going to outpace the needs of IT, but we’re going to see a similar tightening in the IT arena as well.
I think you and I just did a part on fractional cybersecurity folks and some of the benefits of going that route, I would tell organizations, get to taking a look at how you’re going to shore up that gap in your skillset and do it sooner than later because certainly if there’s a lot of organizations that will just take the approach of, wow, we’re just going to go hire somebody. That’s great. But in a tightening job market with few resources, etc, that means that’s going to be a very expensive adventure for folks to go down. So one thing I would say to people is don’t just hire somebody that has the right stuff on the resume. Making sure that you’re not getting under qualified people isn’t going to do any good. You’re going to blow a bunch of money and really not move your program forward with effective movement. So going back to that notion of reduced costs while getting the expertise that you need with a fractional cyber resource certainly would be a good way to go about doing it.
Most assuredly. Now, it seems like one of the topics that everyone is buzzing about is artificial intelligence or AI. What do you see coming in that arena? There’s no question. It was the buzzword of 2023. On the one hand, you’re going to see an increasing number of organizations that want to use AI for protection to dynamically identify threats to the organization with a preventative tool. But in the same sense, the flip side of that coin is that that same capability is already being leveraged by bad actors. that can expediently change and adapt attack patterns, etc. So AI will be incredibly valuable to them, especially for identifying attack targets, they’ll be able to increase their automation of identifying potential victims. So that’s kind of the scary flip side of it. There’s a notion out there that, AI is gonna be able to do everything under the sun and anything you can dream of and blah, blah, blah, blah. But I kind of use a word of caution to organizations. When you’re using artificial intelligence, you’re feeding it information and data. Where’s the data going? Who has access to that data? Are they able to store any of that information? You know, what types of sensitive data are you, you know, and ending up, you know, saving or storing or sharing, you know, with those platforms, you know, organizations need to be judicious about it in a similar sense to, you know, their kind of protections that they have around things like vendor management, vendor vetting, making sure they’ve got, you know, appropriate protections and non-disclosures, etc, in place. You know, these are all things that will kind of come into play as folks adopt a greater and greater, you know, use of, use of AI. You know, certainly, you know, there’s, we’re going to see, you know, kind of forward-looking security personnel, you know, pushing to regulate the employee’s use of generative AI. I expect that’ll be a focal point for a lot of organizations where they’ll be incorporating policy changes, you know, into the policies and procedures that they have that govern their own organization so they can attempt to, you know, kind of control what’s going on.
Has AI become scary for folks yet? I don’t know about, has it become scary yet? I don’t know about that. There’s a lot of, what I see more is a lot of folks that are just willy-nilly diving headfirst into the pool. It’s kind of like, it’s kind of like before you knew there were sharks, you know, type of thing. And, you know, and you’re like, whoa, I’m going to go swim in the ocean and blah, blah, blah, and then, you know, the more that you, the more you hear the reports about people with missing limbs and bite marks and, you know, blah, blah, blah, then, you know, then the sense of trepidation seeps in. I don’t think we’re there yet. I think we’re still in the, I still think we’re in the, you know, still skipping toward the ocean, if you will, at this stage of the game with wanton glee. So we’ll see how it works out, but I am sure there are going to be many lessons learned.
Most assuredly. Now, what’s coming in the landscape of security and compliance? Well, in the security compliance arena, for the last number of years, we’ve seen kind of an increasing awareness of the need to take security seriously. And that trend will certainly continue. As the security needs go up, you can expect to see some changes in the cybersecurity landscape. Certainly, we’ve talked about it before, but I’ll say it again, cyber liability insurance. Even five years ago, the applications to go get that insurance were 10 questions long. You know, now they’re 10s of pages long. You know, the insurance requirements are gonna tighten, premiums are gonna go up, the agencies are going to enhance their ability to detect when somebody’s not, you know, their security profile doesn’t match their attestations on their applications. Yeah, I’d also expect, you know, there’s a pretty large boon of organizations providing cyber liability insurance. And I think a lot of them have gotten their butts kicked. And so it’s probably gonna be an interesting, you know, kind of constriction of, you know, of the people that are out there in the marketplace is what we’ll be seeing over, you know, kind of over the course of 2024 while your premiums continue to go north. You know, in addition, from a cyber security regulations perspective, you know, just to expect the requirements, number of requirements to grow, the rigor of those requirements to increase, you know, PCI has released, you know, PCI, PCI DSS version four, which has more requirements than 321 CMMC is tightening up their, you know, kind of their regulations. A lot of the standards out there are, will continue to, you know, morph and change as the, you know, kind of landscape continues to change. And certainly, you know, not the least of which for TCT proper, you know, you can expect that TCT will continue doing what we’ve been doing. And that is, you know, serving the needs of anybody that’s got security and compliance, you know, needs in the marketplace across any industry standard regulation. I mean, the whole purpose of our platform is to take the user input feedback seriously and to be that one-stop shop for all of your, you know, security and compliance needs. You can expect that will… that will continue as things change in the marketplace as well.
Now, are the light bulbs starting to twinkle at the upper levels within organizations when it comes to security and compliance? Because for far too long, this has just been a topic that the IT department takes care of, right? Yeah, exactly. Well, I mean, honestly, I started into this space about two decades ago, and for well over one of those decades, it almost felt like you were screaming stop at a tornado type of thing. You’re just yelling into the wind, if you will. I’ll use that one instead of the alternative that I could use. But the bottom line is that it is nice to see that light bulbs are finally. twinkling, you know, at the upper levels of management of organizations. Whether it’s, you know, whether it’s at the executives that head up IT, you know, arena, whether it’s all of the C-suite, whether it’s the board level, you know, we’re starting to see awareness going north. We’re starting to see organizations with interest in having greater visibility into where the hell are we, you know, type of thing in terms of where we, you know, where we need to be, where are we against where we need to be. So certainly, you know, the upper levels within organizations, I see them kind of clamoring for more information, more transparency, you know, from their C-suites and directors that oversee, you know, information security and those, you know, those folks that are in charge of, you know, of the security landscape for an organization, you know, they’re going to need tools and techniques that, you know, allow them to quickly, efficiently, effectively identify, you know, where are we, where are we at, are we doing the things we’re supposed to do, ability to provide, you know, reporting up the food chain, you know, to the, you know, to those folks that are starting to ask more and more questions.
You know, certainly organizations are going to need tool sets that, you know, integrate with one another, provide monitoring and recording capabilities across the organization, you know, certainly for organizations that are subject to a multitude of, you know, a multitude of certifications, you know, being able to, you know, kind of tell at a glance where are they against, you know, all of their various certifications and standards that they need to, need to be compliant with. Well, what about in the fishing arena, though? Well, we talked about it, we talked about it earlier and it kind of plays into this. In that That is the, in 2024, what I said, we talked about it earlier, is the notion of AI. One of the interesting kind of symptoms, right, that we’ve been telling people for years, is, oh, well, just look at the language and look at the grammar and look at the spelling within the, what you’re getting, et cetera. You know, the reality is, is that with the admins and AI, the capability to use increased automation, et cetera, the phishing attacks are going to get harder to spot. They’ll be, they’ll become more common. You know, the bad actors will increase their sophistication. They’ll be employing, you know, complex phishing attacks that are harder to recognize. You know, we’ll see a continuously evolving ransomware landscape that produces, you know, more successful ransomware attacks on organizations. you know, we’ve had various state-sponsored fishing attacks that have been prevalent for years. Those will continue through 2024. You know, the private and commercial organizations need to realize that, you know, they are on the list, you know, for being targeted by, you know, even by government-sponsored attacks because it’s a lot easier to get information out of, you know, out of organizations by, you know, kind of taking the long way around. There’s usually, you know, lower barrier to success. There’s a, you know, higher chance of success. You know, certainly when you’re going through vendors of a client versus the client proper. So I’d expect that we’re gonna see a lot more kind of indirect approaches to getting into organizations. We’ve seen, you know, we’ve seen some instances of that happening already. I think we’ll see an escalation, you know, of those as we go into 2024, for sure.
Nice. What do you see for the attack surfaces, though? The attack surfaces, we’ve got, you know, a couple of different arenas. So, you know, for bad actors are constantly looking for new ways to go get in. So that means they’ll, you know, they’ll take these indirect paths to get there. You know, so certainly with the, you know, dramatic expansion of cloud services that continue to explode through 23, I don’t see that slowing down in 24, you know, we’ll see a lot of those cloud platforms, you know, being targets. And the one thing for the, you know, for the listener to realize is that, you know, while the cloud platforms, you know, have security and security protections and whatnot in place for themselves, you know, there’s a line of distinction between what the cloud platform is covering of their infrastructure versus where your role and responsibility starts, you know, in that cloud arena. You know, it’s a, it’s a been a big misnomer from organizations is that, oh, well, we’ve got our stuff up in the cloud, so we must be safe. And it’s just not the case. In many cases, it’s just delusional of the organizations that are up and in the cloud thinking that, because they’re there, they’re covered.
There’s a lot of things that the cloud providers can, yes, provide, but you’ve got to understand where their protections end type of thing. So cloud platforms do make for really juicy opportunities for bad actors. I would expect a lot more targeted attacks on those cloud platforms in the coming year. Certainly, we’ve got zero-day exploits that come into play. In 2024, we’ll start seeing more of this happening, where the zero days are going to be discovered, but not announced. And that’s by the bad guys, if you will. Could even be by some of the good guys. The reality is that zero days hold an interesting advantage. So for the bad guys, they can go out and they can use zero days to be able to attack organizations until that zero day is now discovered, and it’s no longer a zero day. But in the same sense, the nation states that have complex programs for monitoring of other nation states, et cetera, they certainly use zero days to their advantage to be able to keep their eyeball over there.
We’ve talked about this in a couple of different ways, but certainly attack surface-wise, supply chain is going to continue to be a target. Every organization has vendors and suppliers that provide a various list of services to them. Those suppliers certainly are going to… pose risk to the organization, whether it’s a printing provider, whether it’s a backup provider, you’re sharing sensitive data with these suppliers and at the end of the day, their vulnerabilities become yours. Certainly, we expect to see more and more suppliers getting targeted as well through this year. And lastly, from a tax surface perspective, is the internet of things, the ever increasing complexity of connected devices that leave individuals and organizations more vulnerable to attack. So there are a lot of entry points to an organization’s data from the internet. And I’m, I’m positive we’re going to see some new and inventive attacks on those connected devices in 2024.
Now, how do us lowly humans play into things here? Well, the human element of cybersecurity has always been a thing. Probably the most important priority for organizations in 2024 is going to be to get their personnel actively involved in it as being part of the solution.
Certainly, if your personnel or your people aren’t adequately trained, you’re not going to be able to adequately protect the organization during that period of time. Certainly, organizations need to pay more attention to what their employees are doing, where they’re storing information. Data loss prevention or DLP has been an issue for years, and it’s become more important, especially as the capability for remote work has increased. Certainly, our years of going through COVID pushed a lot of organizations to a remote working model, and for a lot of organizations, they’ve continued that model. The next evolution of DLP, there’s some new tool sets out there called Data Security Posture Management, or short form, DSPM. The tools will monitor and identify where sets of data are being sent, who has access to them, how they’re being used. Certainly, for the people in the organization, gaining control, gaining an understanding of where they’re putting things, where they’re storing things. Are they using their own assets, like a personal… You know one drive or something or they using the only the, the company provided You know provided assets, you know, those, those are all elements that are going to kind of play into it when we get to when we get to You know evaluating, you know what we’re doing with the information and data of the organization How about authentication?
There’s been a lot of talk recently you know about You know zero trust and buttoning up authentication and you know Certainly oversight of authentication will continue to increase over the course of the coming year You know, I’ve been glad to see a marked increase in the demand for multi-factor authentication It’s like it seems like over the last we’ll call it two to three years You know just seeing a lot of the online platforms, online services, web-based delivery, adapting more and more and more, adapting two-factor authentication for that connectivity, which is good. That’s not going to slow down. We’re going to probably see an increased move toward streamlined authentication, use of biometrics instead of devices, things along those lines. Because you can lose your phone, but you can’t lose your face. So there may be some interesting elements that come into play in the authentication space. I think we’ll start seeing that kind of morphing over the course of 24. But we’re probably several years down the line before we’re seeing some pretty massive changes in that arena. But it will just continue to. The drum will not stop banging, shall we say. No, certainly not.
Now, tell me more about the long-term exposure you see coming for companies. This is an interesting one, and probably one that I’d warrant a lot of companies haven’t really thought about. So there were days where they really weren’t taking their cybersecurity seriously. Honestly, they probably didn’t even have logs that would even tell them if they’d had an issue, things along those lines. So you’ve got to figure there have probably been thousands, if not tens of thousands, of organizations that had breaches two years ago, three years ago, etc. For some of the bad actors, part of their driving force is to have a breach and immediately attempt to monetize it, which often will flag the organization to they’ve had an issue. But you figure it this way. Every single time that an organization is getting breached, there’s a whole slew of encrypted data that gets exfiltrated from the organization. And it may be that that encryption, we can’t break it today, but a year from now, two years from now, 10 years from now, whatever. At some point in the game, that information is going to be breakable. And we’re going to start to see, I believe we’re going to start to see more and more organizations where the data that has been breached is from years prior. It’s almost like there’s all these landmines out there that are just waiting to get stepped on type of thing. And basically the attackers are sitting there waiting for the capabilities and prowess of the decryption capability to be able to crack, be able to crack whatever encryption happened beyond it. So certainly for those organizations that are taking their security and compliance seriously, that are staying up to speed on changes to their encryption algorithms to keep them as up to date as they can, all of those certainly are going to be good words of advice. The biggest problem for organizations is if they haven’t been taking their security and compliance seriously, they may already have a time bomb that’s just sitting on a shelf waiting to get decrypted. And I have a sense we’re going to see more and more of that as things unfold.
Parting shots and thoughts for the folks this week. Well, certainly as we’re looking into 2024, security and compliance landscape is going to rapid and pretty substantial evolution over that period of time. There’s the increasing sophistication of cyber threats, rise of AI, both defensively and offensively, the awareness of the need for cybersecurity at the executive levels. These are just some of the critical factors that will shape the field of security and compliance as we navigate 2024. For organizations out there, the one thing that I would say to organizations, and this is just a reminder for the listeners, I didn’t just all of a sudden start into this space and poof became knowledgeable about security and compliance. I literally was one of the people that didn’t have any effing clue what I was doing in the space when I first started. But the best way to get to a point where you have active protections for your organization is to get started. So organizations need to get informed, they need to be agile, proactive, they need to identify they’re at in terms of today against security and compliance standards and then put together a game plan for closing up gaps and bolstering the posture of the organization. Very important is for the organization as a whole to see that leadership cares about security and compliance. You’re the leaders of the organization. Everyone is going to step in line with where your heads are at. If you don’t care about security and compliance as a leader, then what do you think chances are that your people are actually going to? You’ve got to lead by example in shaping the direction of the organization toward a more secure, more compliant stance. Certainly it’s going to help to mitigate risk and quite frankly to seize new opportunities within this space. The last thing that I’ll say, this is going to be our last pod before we get into the holiday season if you will, is wishing our listeners happy holidays, merry Christmas, and happy new year, and hopefully you get more than your fill. Enjoy some time with friends and family and we will look forward to chatting with you in 2024.
Absolutely and that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered.
I’m Todd Coshow. And I’m Adam Goslin. I hope we help to get you fired up to make your compliance suck less.
