2023 will be remembered as the year when breaches of trust, not cybersecurity, led to a fever pitch of litigation and regulatory changes. In 2023, the Federal Trade Commission (FTC) implemented a delayed formal change to the Safeguards Rule, expanding the scope of covered entities, and announced another change to be effective in early 2024. The Securities and Exchange Commission (SEC) chose litigation in over 40% of standalone cases rather than opting for settlements, and the updated SEC rules came into force, placing a substantial emphasis on transparency in disclosures for companies.
2024 will be a year of immense change. I’m calling it “The Year of Trust.” Here’s why:
- The Cybersecurity Futures 2030 report from the World Economic Forum found that trust will increasingly be a fundamental theme for companies and governments
- The lack of trust by market regulators of their regulated entities’ intent and capabilities to comply with increasingly prescriptive requirements has been a central theme in 2023
- Third-party vendor risk management has historically been an unfunded mandate at many companies, but as business deal with frequent supply chain security breaches, companies will re-evaluate how they trust one another
- An erosion of public trust caused by adversarial use of artificial intelligence as part of information operations will likely be a central theme of elections around the world in 2024
Let’s dig in to my six predictions for the coming year.
1. Cybersecurity compliance will become a business driver
The media emphasis on supply chain security and highly publicized breaches throughout 2023 has made business operations more challenging for both B2B and B2C companies. It’s impractical and inefficient to complete a different 1,000+ question third-party risk management (TPRM) questionnaire for every new vendor or supplier. In 2024, I predict proactive companies will look not only to maintain their existing cybersecurity attestations (like SOC 2) and certifications (like ISO) but also seek to expand the number of those external validations to demonstrate their trustworthiness.
This is a sea change in the overarching narrative of cybersecurity, long relegated to the role of a cost center, to make it a key competitive differentiator. Companies that can demonstrate their trustworthiness through external validations and well-designed policy and security statements that align with internationally recognized cybersecurity frameworks will likely find a smoother path to profitability.
Audit committees, rather than Chief Information Security Officers (CISOs), will be at the forefront of collaborating with business leaders and external assessors to showcase their companies’ trustworthy cybersecurity practices. By proactively sharing these details early in the sales cycle, companies can avoid time-consuming TPRM questionnaires and accelerate their deals. Demonstrating compliance in cybersecurity will be a key factor in attracting and retaining top talent.
2. Companies will attempt to transfer more cybersecurity risks to vendors and service providers
A second prediction for 2024 is that companies will attempt to transfer as much risk as legally feasible to their vendors and service providers. This will include the business risks associated with cybersecurity and privacy — specifically, the unauthorized disclosure, alteration, or destruction of confidential or private information at companies. This strategy will serve as a method to limit potential legal liabilities and to control costs.
This may, at times, feel like a contractual shell game as companies work to offload the processing or storage of data and the associated risks to third parties to minimize first-party risk to their businesses. Companies seeking to use this strategy may find it complicated due to the proliferation of national data regulations and updates in privacy laws that reflect political agendas more than technological feasibility. While risks can never be eliminated, they can be reduced to an acceptable organizational tolerance level.
3. Companies will reevaluate their disclosure procedures
The SEC’s new requirements for disclosures are intended to reinforce investor trust in a company’s cybersecurity maturity. In 2024, we’ll see the first stumbling attempts by companies to communicate their stances and the resulting market and regulator reactions.
In 2024, I predict companies will re-evaluate their disclosure procedures, focusing on the integrity and origin of the data used for disclosures. Internally, companies must always be prepared to ‘show their work’ to the internal audit committee. Externally, those companies that align their new risk disclosure statements in line with generally accepted terminology, such as the language used for Enterprise Risk Management (ERM), should simplify stakeholders’ understanding of how organizations manage their unique security and privacy risks and opportunities.
4. Investment in compliance operations will continue to grow
My fourth prediction is that companies will continue to see how necessary investment in compliance operations is, as the previous predictions will come at a cost. Collecting and testing evidence of control operation to earn new compliance certifications or attestations is a potentially labor-intensive effort. Understanding first-party and third-party risks is a similarly complex task that cannot be conducted manually at scale. The audit committee will demand confidence in the chain of custody, the provenance, and the reliability of data used to produce and communicate external disclosures. To scale, companies must automate what makes sense.
Investment in compliance operations is the only rational path forward in light of these challenges. Automated systems for collecting and testing control effectiveness can build investor and public trust, especially when such systems can be audited more efficiently than manual methods. The direct correlation of controls with business risks allows organizations to easily conduct gap analysis work without retaining expensive consultancies when considering earning another certification or attestation. A real-time overview of how risks are being effectively mitigated by controls (based on automated data collection and testing) will give senior executives the confidence to make public statements and disclosures without increased risks of personal liability. Achieving this requires the right Governance, Risk, and Compliance (GRC) tools, not additional staffing.
5. CISOs will be recognized as risk advisors, not risk owners
My fifth prediction is that Chief Information Security Officers (CISO) will be finally recognized as risk advisors rather than risk owners. A CISO’s team has never been best placed to understand the full monetary value or efficiencies of a given critical business system; instead, the executive who owns vital performance indicators associated with their critical systems has the best view on the monetary values associated with that critical system.
Similarly, a CISO cannot reasonably hope to develop business continuity plans associated with systems outside their direct control. Yet, for years, there has been a narrative that despite these limitations, a CISO is expected to sign-off on the so-called cybersecurity risks of those business systems. This has never been true, and cybersecurity risks were a convenient fiction. We’ve always been managing business risks.
In 2024, I predict we’ll see increased scrutiny of how CISOs advise business system owners on potential cybersecurity-related business risks and the decisions made by these owners to address these risks. For example, a CISO’s team may be able to recognize and raise a potential business risk associated with a lack of system availability caused by an increased risk of ransomware. They can then present that to the business owner and work with the business owner to qualitatively describe the potential impact of that risk. It is then up to the business owner to decide to apply additional controls, accept the risk, or hope to transfer the risk to a third party or cyber insurance.
However, these steps must be documented with a tamper-proof audit log of who knew what and when. Having this evidentiary log in the right GRC tool will help limit civil liability for CISOs and provide market regulators or defense attorneys the facts that they need to make fair and accurate judgements.
6. Macroeconomic factors and regulation will push AI to the trough of disillusionment
For just over a year, society has collectively been at the peak of inflated expectations around the possibilities of artificial intelligence. The next stage in Gartner’s hype cycle is the ‘trough of disillusionment,” and while it’s approaching quickly, this is not due to technological limitations. I predict that the cybersecurity conferences in 2024 will be a classic example of why we can’t have nice things.
Around ten years ago, nearly all cybersecurity products suddenly supported Zero Trust. I remember being at a tradeshow where a vendor was claiming how their network hub was a Zero Trust box. Switches come in three primary forms, and this particular hub was the simplest type, a passive hub; as it lacked any intelligent features, it was clearly not related to Zero Trust, despite the shiny blue padlock sticker. A signature-based antivirus vendor was promoting their Zero Trust antivirus. Had these been isolated incidents with vendors that quickly failed, we might not have lost the use of the phrase “zero trust” due to misguided marketing efforts.
Instead, a decade (or more) of Zero Trust marketing has led to CISOs and CIOs learning to ignore the tone-deaf product pitches and to allocate budget and resources away from Zero Trust. This is unfortunate as Zero Trust remains a valid enterprise architecture and security strategy, just no one wants to hear about it.
We’re on the cusp of seeing this again with artificial intelligence. CISOs are already widely predicting flat or declining budgets for 2024, and AI has been heralded by some as a way of doing more with less. The obvious (and incorrect) solution would be to use those limited dollars on a force accelerator like AI. This unfortunate combination of macroeconomic factors will likely mean most cybersecurity vendors start claiming how their products now have AI, are AI, or were always based on AI, as a potential way of attracting attention from cash-strapped CISOs. This marketing is more likely to attract the unwanted attention of the FTC.
Gary Gensler, chair of the FTC, has spoken directly and forcefully about the problems of “AI washing”, likening it to “greenwashing” in ESG disclosures. The FTC recently approved an omnibus resolution allowing the use of civil investigative demands (CIDs), which are a form of compulsory process similar to a subpoena, in investigations relating to products and services that claim to use AI. In practical terms, this means that if a company claims that their product is now magically AI that they’ll need to be prepared to explain to a regulatory body how it precisely is an AI, and a shiny blue sticker won’t be considered sufficient evidence.
The collective combination of these factors — AI being pushed as the “Next Big Thing™” in cybersecurity, CISOs getting tired of hearing how everything’s an AI, and public regulatory investigations of those AI claims — will lead boards, CISOs, and other senior technology leaders to quickly become disillusioned with AI in 2024.
This does not mean that AI investment will dry up; rather, effective AI will need to be trusted by both end-users and buyers. There are also potential positive benefits outside of security for the appropriate use of AI in companies. For example, go-to-market teams can use AI personas to test market messaging in addition to existing conversations with internal experts, resulting in more meaningful interactions. AI can be leveraged to automate menial tasks like reviewing policy documents, identifying and labeling structured and unstructured data, and summarizing content to save time. While there’s much to be skeptical of, there’s also much to look forward to in the coming year if we leverage AI responsibly and practically.
To wrap it up
In many ways, 2024 will be a critical year for the future of cybersecurity management. Thankfully, 2023 was not our Sarbanes-Oxley (SOX) moment, though some have made the comparison. Companies that invest in building trust through investment in compliance operations and recognizing the CISO as a trusted risk advisor will be better positioned than those who meet compliance obligations only as a burden or who continue to see cybersecurity as an unwanted expense.
By embracing these six predictions, we can live in a future free from overreaching cybersecurity regulations akin to SOX. It’s imperative for senior leaders from all businesses to work towards this brighter future built on mutual trust and demonstrated compliance.