Cybersecurity risks increase every year and bludgeon victims who fail to prepare properly. It can feel like crossing a major highway while blindfolded. Many never see the catastrophe about to happen, until it occurs. Cybersecurity predictions offer a glimpse at the dangerous oncoming traffic and help leaders develop strategies to navigate their journey safely. If we blindly step off the curb it will eventually end poorly when the luck runs out. For those interested in a better understanding of the oncoming risks, this is the information you are looking for.
Some dangers are familiar and persistent. We know the pool of threats and attackers will increase, more hacks will occur, credentials will be haphazardly mismanaged, disinformation will run rampant, new buzzwords and acronyms will be born, troves of data will be harvested, the battle to keep technology patched will continue to be problematic, ransomware and cybercrime will continue to thrive, and the headlines will be regularly filled with sad stories of digital victimization. This is the normal cadence the industry expects and although difficult to keep pace, the cybersecurity world can tread these waters.
Beyond the expected, we must also keep watch for the unpleasant surprises that can severely disrupt the security, trust, and capabilities of our digital world. Often a combination of disruptive technologies, lagging risk behaviour trends, shifts in threat actor capabilities or focus, greater expectations for cybersecurity, and new regulatory structures emerge to wreak havoc. This year is no different but the details continue to be important.
Those in cybersecurity who fail to look ahead will be crushed by what they don’t see coming. Cybersecurity predictions provide leadership insights into what preparations and adaptations should be considered before a crisis occurs. So, let’s explore what 2024 and beyond has in store for all of us in the digital world.
Cybersecurity is a notoriously unpredictable and chaotic industry where attackers set the tempo for innovation and investment, and anticipate a response by defenders. This leads to sub-optimal situations where cybersecurity professionals largely react to the exploitations of malicious actors. Ironically, investing in preventative measures is the most efficient stratagem, but understanding what will be the most effective is dependent on accurately forecasting how the risks will manifest in the future.
This demand leads to the development of cybersecurity predictions, which must take into account the underlying drivers of the attackers, the defenders, and the technology where the battles will play out. There is a method to the madness of trying to forecast such a complex and muddled industry. I have followed a process over the years to identify significant trends that will unfold and contrast those with industry concerns that I believe will not come to fruition. The goal is simple: to help organizations make better cybersecurity strategic organization, investment, and resource allocation decisions to maximize the value and help them manage to the most optimal level of security risk.
For this year’s predictions, a common theme emerged around the significant investment and capabilities of a specific threat archetype, aggressive nation-states, which act as a catalyst that profoundly influences what attackers can accomplish and the resulting impacts on the overall digital ecosystem. Aggressive nations have a ripple effect on the entire cybersecurity industry.
I first explored and predicted the impacts several years ago and called out multiple shifts for the 2023 predictions. This year my predictions extrapolate to the next evolution of these activities and the wake they leave behind. I have concluded the increasing involvement of offensive nation-states directly supports most of the 2024 cybersecurity predictions. We are amid a quiet leap forward for attackers that represents a significant challenge for cybersecurity professionals to manage the elevated levels of digital risk.
2024 Cybersecurity Predictions:
1. Nation-state attack dominance now underpins the capabilities, growth, and impacts of the cybersecurity industry
Nation-state investment, innovation, and willingness to conduct complex attacks are the catalyst that underpins the advancement of malicious capabilities and empowers all levels of activity across the spectrum of cyber threat archetypes.
This is the natural progression of the 2023 predictions where the massive investments in tools, techniques, acquisition of vulnerabilities, and rapid development of exploits have positioned aggressive nations like Russia, China, North Korea, and Iran at the pinnacle of threats and a catalyst for other attackers.
Multi-year investments have matured to a point where attacks are well-resourced, planned, and exploited in ways that align with the varying objectives of the host nations. The infrastructure and talent behind attacks are stable and organized, allowing for multiple simultaneous campaigns and increased proficiency in the speed of exploitation. Parent organizations continue to provide covert shelter to operate, technical infrastructures to develop and test, extradition safety, and intelligence support. Such advancement of professional capabilities will allow these attackers a greater advantage over their defending counterparts in 2024, with their adaptation proficiency becoming the most troublesome attribute for the cybersecurity industry to deal with.
The trickle-down effects of nation-state research, investment in vulnerability acquisition, and development of complex code continue to be at play, bestowing significant benefits to the broader community of malicious actors. For example, as nations pay millions of dollars for zero-day vulnerability exploits and use them for attacks against targets, the code and methods are revealed for other threat actors who dissect and use these components for their attacks. Organized cybercriminals are quick to take advantage and implement new tools in their attack strategies. Such expensive vulnerabilities, exploits, and methods would normally be well beyond the reach of these lesser threats but are enabled by the vast resources cascading down from nation-state actors.
The primary target and focus for nation-states will continue to be their adversaries' Critical Infrastructure sectors, such as healthcare, government, communications, transportation, defense industrial base, media, utilities, finance, and cargo logistics.
1. We shall see 20%-30% more severe vulnerabilities discovered, leading to emergency patches by major software, service, and Operating System (OS) vendors. There will be a commensurate increase in exploitations of severe vulnerabilities, leading to greater impacts. Direct targets of the nation-state attackers will experience the most pain, but downstream victims will also be caught up in the process.
2. Time to exploit, from the point of vulnerability discovery to seeing attacks occur, will shorten to levels dangerously close to how fast vendors can respond, creating a window of opportunity for widespread exploitation.
3. The complexity of code, including chained exploits, will again increase in sophistication. This will be problematic for all but the most capable digital forensics teams. The inability to determine root causes and track down the breadth of affected systems leads to longer victim recovery times and exacerbates the overall impacts.
2. Critical Infrastructure targets are where the next significant battles play out
With aggressive nation-states heavily targeting Critical Infrastructure organizations, there will be significantly increased impacts and near-misses in these sectors.
Governments will attempt to assist the security practices and begin to institute more rigid cybersecurity requirements for these sectors.
Cybercriminals and terrorists will also target the Critical Infrastructure sectors as they align with these attackers’ core motivations of financial gains and political influence respectively.
With increasing pressure from the past few years, many critical infrastructure organizations have upleveled their cybersecurity, making the overall sector moderately more secure. But there are many outliers and attackers will pursue easy targets as the most desirable victims.
Smaller companies have less to invest and will be behind larger organizations that have resources to better defend themselves. They will suffer disproportionately. Additionally, there are larger organizations that choose to do the minimum required and will realize they are highly susceptible to attack.
1. Cybercriminals, terrorists, and nation-states will be the primary attackers for Critical Infrastructure sectors, with several major attacks perpetrated by nation-states.
2. Expect to see many small Critical Infrastructure organizations compromised and a few large companies that have severely underinvested in security leadership and capabilities.
3. Critical Infrastructure attacks will become more apparent and impactful to the public.
3. Supply Chain hacking methods evolve and increasing attacks become a problem for everyone
Advanced attackers are developing tools and tactics to intensify supply chain compromises, fueling many new attacks in 2024 that impact disproportionate numbers of downstream consumers.
Supply Chain attacks, where a vendor is compromised so the attacker can gain passthrough access to their customer’s computing assets or impact organization operations downstream, are still relatively rare. Such attacks are often complex and typically take a high degree of skill. However, these represent powerful and far-reaching opportunities for those threat actors that can successfully pull them off.
Software, cloud-based services, and to a lesser extent hardware appliances will be the most sought-after targets. The goal will be to exploit the trust and access of suppliers and to compromise the intended targets, their customers.
These attacks fit perfectly with the skillset and resources of aggressive nation-state threat actors, as they pursue Critical Infrastructure targets, high-value intellectual property, and intelligence. Once inside, they will work to remain undetected for as long as possible and resist being evicted while accomplishing their goals.
1. Nation-state attacks on supply chains will double in 2024.
2. Supply Chain attacks will be leveraged to target Critical Infrastructure targets.
3. Recovery from supply chain attacks will cost 3x-5x more as compared to data breaches.
4. More vulnerabilities and exploits in heavily used business products upend patching cadences and commitments
The intense demand for vulnerabilities and exploits has reached newfound heights, driving more research and tool development, leading to a spike in discoveries and shortened windows for vendors to patch.
The commercial and black-market prices can be in the millions of dollars for a single vulnerability and accompanying exploit, with the most valuable being zero-days for popular operating systems and cloud environments. Research efforts will also scale across applications, operating systems, firmware, and hardware. We may see a small but growing number of highly specific Operational Technology (OT) system vulnerabilities abused by attackers.
1. Serious zero-day vulnerabilities emerge at a faster rate, which adds multiplicative levels of complexity and challenges for victims, with follow-on exploitations appearing much sooner.
2. Open Source will be a favorite target for moderate to highly sophisticated vulnerability exploitation efforts.
3. Nation-states will be the biggest buyers, willing to pay tens of millions of dollars for exploits of technology that is widely adopted. Supply chain types of attacks will be coveted the most.
4. Use of new technologies, like AI, will be employed to discover vulnerabilities, chain exploits, and refine attacks to be faster, more impactful, and increasingly difficult to evict.
5. Generative AI becomes the double-edged tool we have been waiting for and dreading
The Generative Artificial Intelligence arms race has begun, as innovation and adoption swell to record-breaking levels, becoming a threat to digital security, privacy, and safety while also providing tremendously helpful capabilities to cybersecurity defenders.
Unlike its famous yet-to-be-created cousin General AI, Generative AI (GenAI) will not become sentient nor try to take over the planet, but it will be infused into every digital service and technology to make them better, cheaper, and faster to arrive to market. GenAI tools can do remarkable things from creating realistic images, personas, media, and original writings to identifying key elements in data or content. The popular Large Language Models, like ChatGPT, are phenomenal and analyze or synthesize information to answer questions in easily understandable ways or generate content to inform and advise. Such powerful capabilities that make things better and easier to use are one of the reasons they have skyrocketed in popularity with consumers and businesses.
The swell of consumer interest has fueled massive investments, which in turn have produced insane levels of innovation and adoption. Tools and code are often open-source and freely available to anyone. The race of rapid integration for such code, tools, and services has left little time to focus on security evaluation, remediation, or assurance. The result is that these systems are fraught with undiscovered vulnerabilities that represent a new and serious risk vector for all who embrace GenAI.
Like all powerful technology tools, AI represents a double-edged sword, enhancing the scalability and capabilities of attackers while simultaneously empowering the same for defenders. The timing and details vary, but it becomes an arms race to see which side can better utilize the untapped power of GenAI.
1. Attackers will leverage AI for more scalable and effective social engineering attacks, disinformation campaigns, vulnerability discovery, and exploit amplification. AI increases the attacker’s agility and depth, therefore significantly reducing the time for defenders to respond. AI becomes a force multiplier for victimization and losses.
2. For defenders, we will see the adoption of AI technologies, specifically Defensive Generative Adversarial Networks and Generative AI to identify vulnerabilities, defend systems, and miraculously translate vast quantities of security telemetry data into understandable information. The inability to interdict misinformation with GenAI will be an obvious missed opportunity for defenders.
3. Overall, expect more accidental privacy exposures, higher quality and creative social engineering campaigns, better threat indication logic, no significant response by defenders to mute misinformation capabilities, and increased speed of vulnerability detection for both exploitation and remediation.
6. New cyber regulations force operational changes for cybersecurity, risk management, and compliance.
Recent introductions, updates, and enforcement of cyber regulations are forcing uncomfortable changes for security and compliance teams.
Many new security and privacy regulations are taking effect across various sectors and technologies that may require significant adaptation for organizations to be compliant. New regulations for the development and adoption of Artificial Intelligence will limit some exposures by slowing down the overall adoption process and allowing more understanding of the potential security risks. While reducing the risks of inadvertently introducing vulnerable AI systems, it also delays the potential security benefits of innovative AI security tools.
New supply chain rules for government customers will increase the costs of compliance, but benefit from a greater confidence that suppliers are trustworthy in their operation and development of products.
Perhaps the most controversial regulations are from the US Securities and Exchange Commission (SEC), which requires public companies to report any material cybersecurity incidents to their shareholders within 4 days. This regulation protects longstanding investor rights to be informed promptly of risks to their investments by mandating a level of transparency to the public. The highly controversial regulation took effect at the end of 2023 and publicly owned businesses in 2024 are now held accountable for compliance. This is of significant concern to many public companies who prefer to conceal, delay public announcements, or spin a creative narrative to minimize shareholder perceptions and negative sentiment for cybersecurity attacks.
Enforcement of regulations is also causing serious tension. GDPR and other privacy cases continue to sting major internet properties, with the penalties for not safeguarding the confidentiality of sensitive personal information trending ever higher.
SEC enforcement is making a substantial impression on the cybersecurity community. The case against the UBER Chief Information Security Officer (CISO) concluded with a conviction last year and the case against the CISO of SolarWinds, announced in 2023, is ongoing. Specifically holding CISOs accountable for fraudulent reporting is new and one of the most heated topics going into 2024.
1. The regulatory landscape becomes more confusing as various regulations appear to overlap, seem unclear, and generate fear from misinformation. In the short term, unfounded fears of regulatory enforcement will grow among cybersecurity leaders and executives as non-compliance will not only expose the organization to regulatory prosecutions but also be a foundation for customer litigation cases.
2. Regulations will drive more cohesion between cybersecurity, privacy, legal, AI, executives, and the board, resulting in enhanced overall digital trust by consumers, partners, and investors.
3. Budgets may get a small reprieve to improve processes for compliance, but cybersecurity teams will not see major investments due to new regulations.
7. Greater visibility of cybersecurity will create fear but drive better ownership of digital risk.
Greater transparency of cybersecurity failures will highlight weak leadership, insufficient investments, and poor organizational stewardship but drive better practices.
Competition fosters a focus on results. Organizations that are not serious about security will no longer be able to conceal their lack of commitment. As incidents become more public, the need to establish more robust cybersecurity capabilities becomes a priority to compete with businesses that successfully avoid such embarrassing breaches of trust.
Transparency for material attacks, mandated by the SEC for public companies, will begin to trickle down to private companies as well, as trust is a competitive advantage in the marketplace. It will start slowly, but funding and venture capital groups will drive better security oversight to protect their financial investments.
Overall better visibility contributes to more insightful metrics used to understand the scale of attacks, failures in security, overall impacts, and emerging best practices. Eventually, risk management, resource allocation optimization, and insurance modelling will benefit as a result.
1. A spike in reported breaches and compromises will be seen in 2024, not due to more attacks, but rather because of the greater transparency mandated by new SEC regulations.
2. The SEC's 4-day rule of notification for material cybersecurity events will force transparency for investment and leadership, driving more executive and board-level focus on cybersecurity deliverables to avoid or minimize losses.
3. News coverage of cybersecurity incidents will be timelier and provide a detailed analysis of winners and losers.
4. This greater visibility of true impacts will help improve the efficacy of cybersecurity metrics and insurance risk calculations over the next few years.
5. More enforcement of privacy and SEC notification requirements, with CISOs at risk of being prosecuted, will create newfound pressure that will shift how CISOs conduct and interject themselves in risk reporting and marketing messages.
8. Rising expectations for trust will crush weak cybersecurity strategies
Everyone’s expectations for cybersecurity have significantly elevated to new levels, raising the bar of success and lowering the tolerance for failure, wreaking havoc on minimalist cybersecurity strategies.
Security, privacy, and safety, the hallmarks of cybersecurity, matter more to everyone. Customers are savvier about breaches, theft, unavailability, and downstream impacts on their systems. Cybersecurity is now a growing purchase and loyalty criterion. Suppliers, vendors, and other 3rd parties are held to higher standards as their customers realize they assume some of the risks of vulnerable partners. Executives are more aware than ever that a cybersecurity incident can undercut profitability and place long-term barriers to organizational success. Boards are quickly maneuvering to enhance their cybersecurity insights as it becomes material to their shareholder duties. Auditors and regulators are also responding, being more particular and vigilant in their assessments. Across the spectrum, concern for cybersecurity is manifesting in greater expectations that organizations are acting in responsible, ethical, and trustworthy ways.
CISOs will be expected to explain better and deliver more, with essentially the same level of resources. The biggest challenge for security leaders will be to understand and manage to the expectations within the constraints of budget, authority, and the allowance of security to add friction to the company.
1. We can expect more harsh criticism when cybersecurity attacks occur. With everyone perceiving a stake in the game, there will be lots of vocalizations and backlash. Companies will want to avoid serious brand impacts and may be quick to blame CISOs.
2. An interesting self-feeding cycle will emerge where unsatisfied expectations of consumers and investors will drive legislators and oversight bodies to institute more regulations. More regulations are perceived to address the risks, thereby driving even higher expectations in consumers.
3. Understanding the market pressures, boards will fully embrace the integration of cybersecurity expertise to help them navigate the business.
4. The cyber insurance industry also acts on its elevated expectations and will demand more security oversight, controls, and capabilities as part of its policies, with severe increases in premiums or abandonment for non-compliance.
5. Standard clauses for cybersecurity will be added to vendor agreement contracts.
6. Marketing teams will fully commit to leveraging security, privacy, and safety as purchase criteria for a competitive advantage in their campaigns.
9. Resource constraints mutate from fears to nightmares
The combination of greater expectations, more regulations, increased capabilities of threats, and more vulnerabilities to address, culminates in a situation where the required additional cybersecurity resources are far beyond what will be available.
Cybersecurity is generally seen as an overhead cost, which should be optimized to reduce expenditures. In contrast, recent reports indicate that CISOs will on average ask for an additional 20% increase in their annual budgets. Few will get anywhere close to that amount and some may see a decrease, requiring cuts to be made to their programs.
The disparity between what cybersecurity departments believe is needed and what will be provided will seriously widen, creating stressful dilemmas for CISOs to decide what will be funded. CISOs understand the results will be unfavourable, but it will be unclear to what extent until the bad things occur.
In addition, the demand from traditionally resource-constrained Small and Medium Businesses (SMBs) will be on the rise. SMBs are realizing that it is more important than ever to benefit from cybersecurity leadership and insights to avoid catastrophic blunders. It is no longer optional as cyber represents a material risk to competitiveness and survivability. Without significant budgets to hire, they will look for alternate ways to obtain and benefit from professional cybersecurity insights.
1. CISOs are asked to justify, in measurable dollars/sense or business value, the cost and friction introduced by cybersecurity. Selling Fear, Uncertainty, and Doubt (FUD) won’t be enough.
2. Some thought-leading CISOs will begin looking at different ways to deliver and showcase value to justify the security budget, investment, and executive support.
3. Acquiring and retaining cybersecurity talent will be even more difficult, especially at the leadership levels, giving rise to the virtual (vCISO), fractional (fCISO), and CISO-as-a-Service practices. These part-time and advisory CISO models will gain more traction as a resource utilization optimization opportunity, especially for Small and Medium Businesses (SMBs).
10. Cybersecurity responsibilities increase in scope and push organizations to adapt or break
A perfect storm of constrained resources, more accountability, and greater responsibilities will push cybersecurity organizations to the brink, forcing CISOs to either adapt or fail.
Regulators, boards, and C-suite executives will look to their CISO to play a greater role in protecting the company from lawsuits and prosecutions. This will force CISOs into unfamiliar territory while they are still trying to handle the growing problem of managing the risk of loss due to cyber events.
CISOs will be drawn into more discussions and accountability regarding contracts, audits, legal issues, and regulatory filings. CISOs will be expected to communicate directly with the board, and actively engage with the C-suite, partners, suppliers, vendors, investors, regulators, auditors, and customers.
This will take a different skill set than traditionally seen in CISOs. Some organizations that can afford to hire a Chief Trust Officer will split these new duties, but for most, it will fall on the shoulders of the CISO.
Training and certifications will expand for both security and board leadership to assist all parties in understanding the new regulatory and liability requirements.
This situation will increase the already high levels of stress experienced by CISOs, forcing many of them to rethink their approach to justifying budget and for some, their career path.
Maintaining an optimal level of security risk, given the aggregation of issues above, will push many security organizations to a breaking point. The risk of degradation and inability to satisfy the new expectations will become apparent as incidents occur and transparency requirements draw in public scrutiny.
The best CISOs have been preparing for this eventuality and already have plans in motion that showcase clear operating goals, robust strategy, and plans with supporting metrics that are relevant. These elite CISOs will shift their value story, expanding from protection and compliance to also include elements of competitive advantage to support the overall corporate goals. They will be well-positioned to adapt.
Many of their counterparts will not.
1. We will witness a spike in the number of CISOs who are fired, retire, or vacate their positions in search of less stressful environments. This will add to the talent gap problems in the industry.
2. The gap between available CISOs and the market demand grows even larger, with compensation also increasing.
3. New training and certifications will emerge for CISOs and boards to inform and formalize new standards of risk management oversight.
4. In the first half of 2024, CISOs will be more vocal regarding the concerns of new regulations and their impact on resources. It will be a particular pain point we will see discussed across the community. By the back half of the year, most of the fear will have dissipated as it will be seen as an accepted operating structure.
2024 will be a tough year for CISOs. A rise in expectations, regulations, attacker capabilities, and growing difficulty in obtaining the necessary resources to keep pace will push many leaders to the brink. Sadly, the challenges will only get tougher in subsequent years.
Epilogue: Final Insights — Not all cybersecurity fears will come to fruition
Although my concerns for digital risk run deep by nature, there are many things that I am not worried about in 2024. Contrary to many of my industry counterparts, there are aspects of cybersecurity that I believe we should not fear.
So, what disasters won’t happen in cybersecurity in 2024?
Cyber Pearl Harbor and the End of the World — Full commitment by sophisticated attackers to destroy massive parts of the global digital domain, like that of the United States, has severe unintended consequences that even aggressive nation-states don’t welcome. Our digital world is heavily intertwined across borders with entrenched dependencies. For one nation to cause overwhelming destruction will likely result in severe backlash damage to their own critical online infrastructures. At this point, adversaries have no way to insulate themselves or gracefully limit the collateral damage from massive attacks. The nation-ending cyberattack, popularized in Hollywood movies, is not a realistic immediate threat.
Severe meddling in US Elections — The world will be watching the US elections in 2024. Many fear attempts by foreign enemies to tamper with results and influence the outcome. Although this is a likely desire by many nations, the fact is that the US is ready and fully expecting such attacks. The element of surprise is gone and so is the realistic opportunity of attacker success. There will be a tsunami of disinformation, but that already comes from every angle, even the participants. Tampering with the voting infrastructure is a different story. Preparations to prevent tampering are already in high gear. Even on the disinformation front, there will be extra caution by reputable news and social sites, with citizen monitors ready to throw a red flag when they see potentially foreign foul play. Monitoring and detection capabilities will be greater than any previous election and the consequences to any nation attempting such actions will likely be severe. Rest assured that a small army of cybersecurity professionals is working to make the election fair and transparent, so do your civic duty and vote!
AI destroying our digital ecosystem and mankind as we know it — Although AI will be a powerful tool to help hackers, it will be in ways they already generally exploit. As for AI taking over the world, an old Hollywood trope, the reality is that the great advances in Generative AI that we see today are a far cry from the General AI portrayed in the self-aware systems of a dystopian future. For 2024, we are safe from AI overlords taking over humanity.
AI will put cybersecurity workers out of work — Like all transformational innovations, there will be more jobs created by AI than lost. AI is best served as a tool and the only people who will be out of work will be those who don’t know how to use AI.
Cyber warfare doing more damage than traditional kinetic warfare — As fearsome as critical infrastructure attacks are, they still pale in comparison to what traditional warfare brings. As we have seen in Ukraine, cyberwar does not replace tanks and troops, but rather it augments them. Until the day that a cyberattack campaign can kill a hundred thousand people, we should keep our fears in perspective. Someday that will be an issue, but not in 2024.
Privacy will unravel — Contrary to what some will say, privacy is not on the brink of collapse. In fact, the privacy industry is healthy, full of tremendously smart people, and benefits from empowering legislation that is starting to be enforced! I believe there is great momentum in the privacy field and it will be much stronger still by the end of 2024.
Matthew Rosenquist — CISO, Cybersecurity Strategist, & Industry Advisor — Cybersecurity Insights.