Last updated at Sat, 03 Feb 2024 22:19:56 GMT
It’s fair to say that 2023 was a turning point for the cybersecurity industry, and no one felt it more than the CISO. From the onslaught of ransomware and zero-day attacks to the SEC’s new reporting rules, all on top of technological innovation and sprawl, CISOs have never been under more pressure to get security right.
When you boil down a CISO’s job description to what it is we really do, predicting the unpredictable comes out at the top of the list. We must stay on top of our organization’s unique risk profile so that we can oversee the people, technologies, and processes that will keep threat actors out.
At the same time, our role at the executive level and our ability to effect change across the business are also top of mind. This is not what I or any of the fellow CISOs I speak with view as an “optional” part of our role; rather, being valued as a strategic contributor to the organization’s success is an imperative.
Without a doubt, 2024 is going to be a challenging year for those of us in the CISO role. Looking ahead, I expect the role itself to transform in several ways and, by default, security operations will also undergo change. Read on for my top predictions of what will occur this year.
Prediction 1: CISOs will either have a seat at the table or they’ll be on the menu
For years, CISOs have been expected to do security in a vacuum regardless of what the rest of the company is doing. Irrespective of the decisions being made by the rest of the organization, the CISO is expected to figure it all out and make it secure! They’re not just in charge of security, they’re in charge of (potentially bad) decision making by others around security.
Regulations such as SEC disclosure, NIS2, changes to FedRAMP, and new executive orders around security mean there is more of a focus around structural-operational cadence with security in 2024. Therefore, the biggest question for most CISOs is going to be: how am I — and, indeed, how is my work — viewed by the business? The CISO is either going to be figuring out the solution with the business, or they will be an isolated person expected to figure out the solution based on a business decision that they’ve played no part in making.
Ultimately, CISOs will have a seat at the table or they will be the scapegoat when things inevitably go wrong. There is no in between. So, it’s essential that CISOs are able to demonstrate the value they provide and in a way that non-technical executives understand.
To demonstrate their value, CISOs must show how their security asks are tied to business imperatives, and the financial benefit or risk that each ask presents. Showing demonstrable improvements in security — as well as being able to easily adapt when environments change — helps executive boards see that CISOs and the security programs they develop and deploy are inherent enablers of business growth.
Prediction 2: Compliance will be top of mind for CISOs
We’re in a new era when it comes to reporting cyberattacks. CISOs are in a ‘butt-clenching’ phase trying to figure out how to comply and how to report cyber incidents when they occur. The new SEC rules make it clear that CISOs now need to think more carefully about how they talk about security and governance publicly and to regulators, when in the past, de facto, they didn’t think about it.
This year, CISOs are going to be on a path of self-scrutiny. When claims are made that multi-factor authentication (MFA) is enabled across the enterprise and vulnerabilities are remediated immediately, for example, CISOs need to check that such actions are actually being carried out, to avoid potential false claims and associated consequences.
There will be an immediate need for greater focus on compliance packs by CISOs, not just this year but over the next couple of years. Just having an ISO certification or a NIST framework doesn’t mean that operations are completely aligned.
A certification is merely a moment in time. However, CISOs need to be confident that operations are compliant beyond that piece of paper. Even the tiniest of siloes, migrations, and changes create risks such as misconfigurations, vulnerabilities, and exposures; therefore, it’s essential to have a SOC team that has complete coverage of environments and can easily adapt when environments change. CISOs also must continue to ensure they’re employing the continuous assessment and validation process that aligns with their organization’s compliance requirements.
Prediction 3: CISOs will increase their emphasis on consolidation
No one will be surprised by my saying that businesses want more bang for their buck in 2024. Every business wants simplicity, not complexity, in their security stack! Just look at third-party risk management, for example. Funnily enough, CISOs don’t want to have to manage 500 third parties; they only want to have to manage five or so.
Every time there is an incident, CISOs and their security teams need to go to each third party, figure out what they’ve been doing, and keep following up with them. This is where the tool sprawl has huge consequences. If there are 500 parties to manage, that's a killer for overstretched and under-resourced security teams.
As CISOs, we understand that throwing more money around doesn’t solve your security problem. Implementing various point solutions within the SOC won’t end bottlenecks, inefficiencies, and negative ROI. The real value for CISOs is when the SOC team is able to do more focused tasks without costs spiraling out of control.
Therefore, CISOs will be looking to consolidate and streamline this year, allowing for better manageability, efficiency, and — ultimately — security efficacy.
The CISO Community Coming Together
While I can’t be entirely sure how my role will look at the end of the year, one thing that does make me hopeful is the wonderful network of people that I’m a part of. It’s so important for the security industry to collaborate, and the connectivity of CISOs is critical to our achieving success both professionally and on behalf of the organizations we serve.
Security is a team sport, and the security community has a unique ability to come together to solve complex challenges. I’m looking forward to knowledge sharing with my peers and the greater industry as we prepare for and adapt to innovations in artificial intelligence (AI), quantum, and other exponential technologies.
For more thoughts from the Rapid7 team on what 2024 could bring, watch the Top Cybersecurity Predictions webinar on-demand.