Peter H. Gregory, Senior Director, Cyber GRC at GCI Communications. Author of more than 50 books, including The Art of Writing Technical Books.
As we head into 2024, I’ve gathered my thoughts on topics important to cybersecurity leaders.
Artificial Intelligence (AI)
Today, every cybersecurity professional should be using a large language model (LLM) generative AI tool, appropriately and responsibly, to build skills and supplement their own capabilities, both for generating ideas and for quality assurance. For example, if I need to update my organization's Acceptable Use Policy (AUP), I can ask an AI tool for examples of typical AUPs to check that ours is complete.
Organizations must develop AI governance processes so that senior management knows about proposed uses of AI intended to improve the organization's quality and effectiveness. Whether an organization is risk-averse or risk-tolerant, management needs visibility into, and control over, its uses of AI.
Cyberdisclosures
Proposed cyber disclosure rules from the SEC have had companies buzzing all year. The rules are still evolving, and while many organizations have developed effective reporting templates (and a good deal of disclosure has already been filed), we may see further changes to the reporting requirements.
Private organizations should take note of this and build the capacity to keep their boards informed about cyber capabilities and cyber incidents. Sarbanes-Oxley accounting controls were imposed on public companies to ensure the integrity of accounting processes and reporting, and many private organizations have adopted them voluntarily. The same should happen with cyber: private organizations should develop a cyber reporting framework for their boards of directors.
Supply chains
Third-party risk management is increasingly in demand. Organizations are using more suppliers and service providers, and the standards for evaluating them are growing in scope, depth and rigor, leading to a perfect storm in which there are not enough resources to properly evaluate suppliers.
Third-party risk management must rapidly evolve toward a credit scoring and credit reporting model, where neutral marketplaces collect and distribute cyber risk information about suppliers and service providers to organizations who are considering their products and services. Many companies have had this vision, but none have clearly succeeded in becoming a reliable and detailed source of third-party cyber risk information.
Software bills of materials
As researcher Chinmayi Sharma points out in her seminal paper "Tragedy of the Digital Commons," "more than 97% of all software uses open source," yet the promise that open source is secure because so many eyes are watching it has proven false. Open source software is essential to all computing, but too much of it remains unsecured, and many people mistakenly believe it is someone else's problem to solve.
Tools for inventorying and cataloging open source components are emerging, but many software companies will be reluctant to disclose the components of their products in a Software Bill of Materials (SBOM), claiming that their SBOMs are trade secrets. The balance between protecting trade secrets and the need to responsibly disclose the use of open source code has yet to be settled.
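As an added illustration (not code from this article, from any vendor, or from the SBOM tooling it alludes to), the script below reads a CycloneDX SBOM in JSON form and builds the kind of open source inventory the paragraph refers to: for each component it records the package ecosystem taken from the purl and the declared licenses, then flags components that are unpinned, have no declared license, or carry a license on a deny list. The SBOM document, its package names and versions, and the deny list are all constructed for this example; treating "has a purl" as "is open source" is a stated heuristic, not a rule from the CycloneDX specification.

```python
"""Walk a CycloneDX SBOM (JSON) and build an open source component inventory.

The SBOM below is constructed for this example; the package names and
versions are illustrative, not a real product's bill of materials.
"""
import json
from collections import Counter

# Constructed sample SBOM in CycloneDX 1.5 JSON layout (not a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},            # no license declared
        {"type": "library", "name": "vendor-sdk",      # proprietary, no purl
         "version": "4.2",
         "licenses": [{"license": {"name": "Proprietary"}}]},
        {"type": "library", "name": "lodash",          # no version pinned
         "purl": "pkg:npm/lodash",
         "licenses": [{"license": {"id": "MIT"}}]},
    ],
})

# Hypothetical organizational policy (an assumption for the example, not
# something the article prescribes): licenses the product must not ship with.
DENIED_LICENSES = {"AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"}


def component_licenses(component):
    """Return the SPDX ids, names or expressions declared for a component."""
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            found.append(lic["id"])
        elif "name" in lic:
            found.append(lic["name"])
        elif "expression" in entry:   # CycloneDX also allows an SPDX expression
            found.append(entry["expression"])
    return found


def ecosystem(component):
    """Package ecosystem from the purl ('pypi', 'npm', ...), or None if absent."""
    purl = component.get("purl")
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].split("/", 1)[0]


def inventory(sbom_json):
    """Catalog every component and list the ones a reviewer must chase down."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    rows, findings = [], []
    for comp in sbom.get("components", []):
        lics = component_licenses(comp)
        eco = ecosystem(comp)
        row = {"name": comp.get("name"), "version": comp.get("version"),
               "ecosystem": eco, "licenses": lics,
               # Heuristic assumption: a purl means the package came from a
               # public registry, which we treat as open source.
               "open_source": eco is not None}
        rows.append(row)
        if not comp.get("version"):
            findings.append(f"{row['name']}: no version pinned, cannot match advisories")
        if not lics:
            findings.append(f"{row['name']}: no license declared")
        elif set(lics) & DENIED_LICENSES:
            findings.append(f"{row['name']}: denied license {lics}")
    return rows, findings


def summary(sbom_json):
    """Counts and findings suitable for a third-party risk review."""
    rows, findings = inventory(sbom_json)
    return {"components": len(rows),
            "open_source": sum(r["open_source"] for r in rows),
            "ecosystems": dict(Counter(r["ecosystem"] for r in rows if r["ecosystem"])),
            "findings": findings}


if __name__ == "__main__":
    print(json.dumps(summary(SAMPLE_SBOM), indent=2))
```

On the constructed SBOM the summary reports five components, four of them open source across the pypi and npm ecosystems, and two findings: left-pad declares no license and lodash has no pinned version, so it cannot be matched against vulnerability advisories. A real review would point this at the SBOM a supplier actually delivers and replace the deny list with the organization's own license policy.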
Equip the workforce
Nearly half of American companies are dropping their college degree requirements. In cybersecurity, this gives greater weight to targeted training and certifications. Many organizations today already have no degree requirement for IT and cybersecurity positions, in part because colleges and universities have been slow to develop valuable cybersecurity degree programs. The industry is ahead of this trend, but organizations need to keep an eye on it to stay competitive in the job market.
Cyber insurance
Will 2024 be the year that cyber insurance companies and the policies they issue reflect real cyberattack risk factors? Years ago, insurers asked only a few questions about an organization's prevention, detection and response capabilities. Today, they use lengthy questionnaires (like those used in third-party risk assessments) to identify risk factors. Many boards are unwilling to give up cyber insurance, and the requirements imposed by cyber insurers are forcing many organizations to improve their cyber capabilities.
Return from the cloud
Cloud computing has been a boon to organizations of all sizes, providing agility and elasticity and reducing the time needed to implement new business information systems. However, many businesses have found that their cloud computing costs are much higher than expected, often higher than the costs of insourcing IT.
Part of the cost of cloud computing goes toward funding elasticity, which is the ability of organizations to quickly expand their computing to meet peak demands. But the needs of many organizations are stable and predictable. Cloud computing is a high-margin business, and some organizations looking to reduce costs are considering abandoning the cloud and returning to on-premises computing. I saw articles highlighting use cases for returning from the cloud and I think this trend will continue. The cloud is here to stay in all its forms, but not every organization needs to use it for all of their business IT needs.
We are already seeing strong potential for disruption and innovation in cybersecurity. But this is what we see every year, even if the issues vary somewhat from one year to the next.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.