By Shira Landau, Editor-in-Chief, CyberTalk.org.
As a Chief Information Security Officer (CISO), you’re entrusted with orchestrating a harmonious convergence of technology, strategic acumen, and foresight for the purpose of securing a formidable organization. In so doing, you need unparalleled insights into emerging trends, incredibly dependable statistics, practical cyber security frameworks, solutions and tactics, and more. It’s tough, but we get it, and we’re here to help.
To help advance your 2024 security roadmap and to empower you to build out an even more relevant and actionable approach than what you currently have in play, keep these notes in mind. You’ll likely achieve increased stakeholder satisfaction, stronger security outcomes, and greater alignment between cyber security and business objectives. Next-level 2024 checklist notes:
7 items for your 2024 CISO checklist
1. Upgraded cloud security strategy. In the last year, more than a third of businesses experienced a data breach in their cloud environment. This reflects a 35% increase over 2022’s numbers. Cloud security professionals say that zero trust is a key cloud security priority for 2024 – superseding data privacy and compliance.
In addition, securing your SaaS ecosystem is key. Current SaaS security strategies and methodologies often aren’t adequate. Sixty-eight percent of organizations are increasing their investments in hiring and training staff on SaaS security. However, there’s much more to be done; more sophisticated threat prevention and defense tools are needed.
2. API security. Ninety-four percent of security professionals and API developers experienced security problems related to APIs in the last 12 months. Although 95% of CISOs plan to prioritize API security within the next two years, can you make progress on API security maturity against a condensed timeline, so as to prevent threats more effectively?
In working towards API security maturity, start by identifying all APIs in use within your organization. There are many ways to discover APIs, from discovery tools, to technical documentation reviews, to conversations with developers. Assess whether existing tools can meet visibility and compliance needs. Then, integrate better tools to reduce data breaches (as well as data leakage, shadow APIs, and similar exposures) and consolidate tooling where applicable.
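A minimal version of the inventory step described above, written here as an added example (it is not code from the article or from CyberTalk.org): it compares each request in a constructed access-log sample against a hand-written list of documented endpoint templates and reports the undocumented ones, which is where shadow APIs surface. Both the log lines and the templates are constructed for illustration.

```python
import re
from collections import Counter

# Constructed inventory of documented endpoints (method + path template);
# braces mark path parameters. In practice this would be loaded from the
# OpenAPI specs the teams maintain (assumption: one template per entry).
DOCUMENTED = [
    "GET /api/v1/users/{id}",
    "POST /api/v1/users",
    "GET /api/v1/orders/{id}",
]

# Constructed access-log sample in combined log format (not real traffic).
ACCESS_LOG = """\
10.0.0.5 - - [02/Jan/2024:10:00:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [02/Jan/2024:10:00:02 +0000] "GET /api/v1/users/42/export HTTP/1.1" 200 9001
10.0.0.7 - - [02/Jan/2024:10:00:03 +0000] "POST /api/v1/users HTTP/1.1" 201 128
10.0.0.9 - - [02/Jan/2024:10:00:04 +0000] "GET /internal/debug/config?x=1 HTTP/1.1" 200 2048
10.0.0.9 - - [02/Jan/2024:10:00:05 +0000] "GET /api/v1/users/42/export HTTP/1.1" 200 9001
"""

# Extracts the request line's method and path from a combined-format entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def template_to_regex(template: str) -> re.Pattern:
    """Turn 'GET /api/v1/users/{id}' into an anchored regex over 'METHOD /path'."""
    method, path = template.split(" ", 1)
    parts = []
    for seg in path.strip("/").split("/"):
        # A {param} segment matches exactly one path segment; literals are escaped.
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append(r"[^/]+" if is_param else re.escape(seg))
    return re.compile(rf"^{method} /" + "/".join(parts) + r"/?$")


def find_shadow_apis(log_text: str, documented: list[str]) -> dict[str, int]:
    """Return {'METHOD /path': request count} for requests matching no documented template."""
    known = [template_to_regex(t) for t in documented]
    shadow: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        key = f"{m['method']} {path}"
        if not any(rx.match(key) for rx in known):
            shadow[key] += 1
    return dict(shadow)


if __name__ == "__main__":
    for endpoint, hits in sorted(find_shadow_apis(ACCESS_LOG, DOCUMENTED).items()):
        print(f"undocumented endpoint: {endpoint} ({hits} requests)")
```

Each undocumented endpoint the report lists is a candidate for either adding to the inventory or decommissioning; the `/internal/debug/...` hit is the kind of finding that should go to the owning team the same day.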
3. Post-quantum preparation. CISA, NIST and the NSA encourage organizations to start preparing for the implementation of post-quantum cryptography by establishing a Quantum Readiness Roadmap, engaging with technology vendors to discuss their post-quantum roadmaps, conducting inventories to identify and understand cryptographic systems and assets, and drawing up migration plans that prioritize the most sensitive and essential assets.
4. AI-driven threat prevention. Artificial intelligence-powered platforms are capable of analyzing exceptional quantities of data at speeds that humans could never compete with. CISOs and cyber security leaders must invest in AI-driven security tools to enhance their organizations’ abilities to proactively prevent and respond to emerging threats, reducing the probability of cyber breaches.
On a related note, as you continue to integrate AI into your organization’s cyber security stack, your security staff’s roles and responsibilities may need to evolve. You may want to strategically map out how to redeploy existing talent so as to maximize resources, both cyber and human.
5. AI red team exercises. While AI red teaming standards do not yet exist because AI technology is relatively new, Microsoft has had a dedicated AI red team since 2018. According to the tech giant, it’s critical to test AI models at both the base model level and the application level.
“Both levels bring their own advantages: for instance, red teaming the model helps to identify early in the process how models can be misused, to scope capabilities of the model, and to understand the model’s limitations,” says Microsoft.
6. Zero trust architecture. Ninety-seven percent of organizations have already implemented a zero-trust initiative (or planned to within 18 months, as of September 2022). How can your organization further mature its zero trust implementation? CISA’s Zero Trust Maturity Model is a useful guiding framework, describing four ‘pillars’ that organizations can leverage as maturity stage benchmarks.
Maturity may also lie in the creation of a new role, such as that of a Zero Trust Program Manager or a Zero Trust Lead Architect. Staff expertise is critical to further ZT maturation.
7. Citizen developer tools and products. The Citizen Developer concept empowers people who cannot code to create connected systems and applications. Some tools allow new users to connect APIs and to create customized automation without coding. As these tools gain popularity among employees, organizations need to ensure that they don’t become shadow IT and that adequate accountability and cyber security measures are in place.
For more insights into the latest cyber security trends, please see CyberTalk.org’s past coverage. Lastly, to receive more timely cyber security news, insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.