The next phase of cybersecurity – Trends and strategies for 2024

The below article is authored by Deepa Seshadri, Partner, Risk Advisory, Deloitte India, and member of the ISACA Emerging Trends Working Group; and Manishree Bhattacharya, Associate Director, Risk Advisory, Deloitte India


From banks to power plants, ports to casinos, and hospitals to educational institutions, cyber attackers truly broadened their range of targets this year. While organizations and regulatory bodies are continuously playing catch-up, the volatile state of the overall social, economic, and political environment continues to fuel new motivations for attackers, hacktivists, and state-sponsored groups.

In this day and age, physical threats are being remodeled into digital and cyber threats. Interconnected networks of both physical and software supply chains have opened up access like never before, with research indicating that it could take less than 45 minutes to ransom an entire network [1]. Cybersecurity today is a strategic business requirement for overall organizational resilience, business continuity and stakeholder trust. Our approach can no longer be rudimentary. We must look deeper into future possibilities to design and transform our cyber practices and thrive.

With that lens, here are a few things to watch out for in 2024 in order to be better prepared:

Finding the way through compliance

As attackers were getting more agile, regulators were also tying up loose ends. From the US SEC’s cybersecurity disclosure rule [2] to India’s landmark Digital Personal Data Protection Act, 2023 (DPDPA) [3], enterprises are going to have their hands full preparing themselves to become compliant. In mid-2023, while the US launched its IoT cybersecurity labeling program [4], the EU was preparing the Cyber Resilience Act, which calls for security considerations for IoT products [5]. Regulators are trying to cover it all, processes, data, cyber-physical systems, artificial intelligence and more, and to introduce these requirements in a timely manner. It is only natural to feel overwhelmed by such requirements and their associated cost of compliance.

However, it is also important to reconsider these regulations as an opportunity to safeguard ourselves and stay ahead of the curve. We need a change in our mindset and in the way we handle compliance. A few best practices can make compliance an opportunity rather than a struggle: leveraging automation and technology to ease implementation, going slightly above and beyond the regulatory requirements to future-proof the organisation, and obtaining a top-down mandate that helps break the silos and ensures robust oversight and reporting.

Taming the AI juggernaut

AI-powered deepfakes are rising both in number and quality, leading to more fraud, misinformation and even chaos. AI is enabling threat actors to enhance their tactics, techniques, and procedures, with AI-generated malicious code and AI-driven reconnaissance putting existing cybersecurity practices and defenses to the test. At the same time, the use of enterprise AI to enhance efficiency, fuel innovation and improve experiences is also creating more risks and vulnerabilities. In the battle of ‘Man vs. Machines’, our best chance is to leverage machines to fight machines: for example, using AI to identify anomalies in the network in near real time, to identify anomalies in authentication, to improve vulnerability scanning, to improve assessments, reviews, and risk scoring, and to detect phishing emails created by AI. It is essentially a question of which side tames the AI juggernaut first.

Addressing the supply-chain security weaknesses

Enterprises today exist in an intricate and interconnected value chain, operating in multi-cloud environments, outsourcing activities, incorporating enterprise software and platform solutions, and working with any number of third-party suppliers and partners. Some of the high-profile attacks of the last two to three years draw our attention to supply chain security gaps, and to how those could lead to data breaches, espionage, and disruption of operations. This means that organisations must enhance their contractual obligations with third parties, requiring security controls, audit reports, robust monitoring and visibility around data, and joint crisis management drills, alongside watertight contracts with liabilities and indemnities. At the same time, using data and analytics for better risk scoring and stratification of suppliers can also help in managing cyber risks effectively. Securing the software supply chain with a Software Bill of Materials (SBOM), open source and vendor source code reviews, and creating overall awareness and practices for secure software development can benefit all organisations in the value chain.

CISOs assuming the role of a leader, and setting responsibilities right

A recent lawsuit directed at a CISO has sent the whole industry into a frenzy. One is forced to ask what it implies for future incidents and breaches across jurisdictions. In another turn of events, a ransomware group recently reported its victim to a regulatory body. One thing is clear: this is a pivotal moment for the board and management to recognise cybersecurity as a business imperative. Cyber risk oversight can no longer be just another tick in the box; it must be a hallmark of good corporate governance, stakeholder trust and relationships, and overall value creation. A security leader needs the right support and the necessary impetus to be able to protect the organisation.

For boards and management, one of the top priorities in 2024 will be to support, empower, and protect the CISO. For security leaders, it is to assume the role of a business leader and to influence management and the board to put cyber at the top of their agendas. To do so, CISOs must understand business priorities and ambitions, and must be able to show the true value of cyber with insights that management can understand and appreciate. CISOs, together with management, can influence and transform the organisational cyber culture and be prepared in these times of uncertainty. At the same time, CISOs must try to safeguard themselves by asking for the safety nets that directors and officers are typically entitled to. When the stakes are high, they must not shy away from asking for a seat at the table and influencing broader business decision-making that can affect the organisation in both the short and the long term.

Talent will continue to be in demand, and ensuring we have a diverse and equitable cyber team will be important. Given automation and emerging technologies such as AI, the mix of talent will also change in the coming years.

We have passed the stage where cybersecurity was just a technology imperative. Businesses today need cyber as a guiding light to stay resilient and on the right side of regulations, and to build customer and stakeholder trust. The year 2024 will be quite defining in the way security is elevated within an organisation and in the way the role of the CISO transforms.
