The role of the Chief Information Security Officer (CISO) in 2024 extends well beyond wearing a few extra hats. From disruptions across the cybersecurity landscape to changes in technology, geopolitics, and the evolution of cyberattack methods, the challenges facing the CISO position now include new legal concerns: new compliance demands, increased scrutiny, and the need for support from the board level.
In recent years, the role of the CISO has transitioned from technical oversight to that of an executive-level decision-maker. As dependence on automation, digital transformation, and robust customer and IT service solutions rises, organizations have increasingly leaned on their CISOs to shape these areas of business strategy and to lead the protection against, and response to, emerging threats in technology and cybersecurity.
Today’s CISO must balance their focus between operations, compliance, steering clear of increasingly sophisticated cyber threats, and often managing the budget and resources needed to maintain all essential functions and operations. In 2024, CISOs oversee a much larger table than ever before. At the center of the most critical factors of cybersecurity, succeeding in the CISO position relies on agility, balance, accountability, and a sustained, future-proof degree of attention. Working across the organization, CISOs can mitigate the impact of future threats, balancing coverage against cost and assisting departments including procurement, legal, and security.
Higher Degree of Difficulty for CISO Position
According to research in The Life and Times of Cybersecurity Professionals Volume VI, 2023, 62% of CISOs believe the role of a cybersecurity professional is somewhat more difficult than it was two years ago, and 32% of CISOs say the role is significantly more difficult. On top of evolving cyberattack methods beyond phishing and ransomware, the new legal and regulatory procedures from the SEC made significant headlines regarding how and when cyberattacks must be publicly disclosed.
As covered in our previous analysis of the cyberattack impacting Clorox, the new SEC rules promote greater public transparency regarding recent cyberattacks. Previously, businesses could pay the ransom or meet other demands made by attackers to keep the story from going public and bringing consumer trust and their reputation into question. Now, organizations must [briefly describe what you have to do instead.] In May of 2023, Uber’s CISO paid a ransom to prevent SEC disclosure and was sentenced to three years of probation with a fine of $50,000.
Months later, the CISO of SolarWinds attempted to finesse the disclosure process by not including known risks and by not accurately reporting on the company’s response to a 2020 cyberattack. These attempts to downplay threats launched an SEC investigation that found public statements conflicting with what was communicated internally, including a 2018 presentation explaining that the company’s remote access was “not very secure.”
CISOs now face personal liability for data losses, privacy losses, and other cyberattack damages. To best defend themselves, it is critical to keep detailed records of potential and confirmed security incidents, including the actions taken in response. To understand the SEC’s compliance demands, it is key to agree with the company’s general counsel on a definition of materiality: there should be a clear divide between what is considered significant and what is not. As these recent examples show, CISOs are being held to a greater degree of liability for the response to and disclosure of cyberattacks. It is now imperative to communicate with the board on which security controls are required and on the potential losses a company faces in the event of a breach.
“For many organizations, even if they purchase a very robust and expensive security product, they treat the process like a checkbox, as if to say, ‘Ok, we have it.’ Well, you don’t have it because you’re not fully set up. If you haven't configured it fully and it's not fully deployed, you have this false sense of security, which could be worse than not having another product.”
-Amir Carmi
CISO, ThriveDX
Changes in Rules of Engagement
It has been reported and predicted that social engineering, phishing, and other known cyber threats will grow in scale as generative AI empowers bad actors. AI can not only generate more credible malicious content at scale, but it can also invent entirely new practices designed to precisely manipulate a given target.
In a case showcasing the new frontier of corporate fraud, a finance worker in Hong Kong received a Zoom call from scammers using deepfake video to disguise themselves as board-level employees, and the bad actors were able to engineer a transfer of $25 million.
Microsoft and OpenAI collaborated to look into the usage of large language models (LLMs) and found several nation-state groups already applying them for criminal activities. These groups, located in countries such as North Korea, Iran, and China, have their eyes set on impacting the election season late in the year. Ian Trimble, a CISO from Mandiant, explains, “AI can help you do number crunching at a scale far better than any human. We’ve been using it for our detection technology, to look for anomalies, to help us find those needles in the haystack.”
2024 is the year for CISOs to secure the AI revolution through leadership, communication, and the establishment of best practices for this expanding environment. According to research by the group Info-Tech, over 40% of the organizations surveyed do not have AI governance in place. CISOs are responsible for identifying the expectations and goals of AI usage. Potential vulnerabilities, existing security gaps, and clearly defined lines of accountability must be included in the governance framework to protect against worst-case scenarios.
“When it comes to looking at bad actors, unusual behaviors, the large language models are pretty good at that. One thing we’ve seen is using LLMs as accelerators for upskilling and learning. Before, analysts were drowning in alerts without knowing how to parse, where to go, how to do triage, etc. New simulations like Google Chronicle and Microsoft Sentinel are streamlining the process towards a turnkey solution for quicker detection and resolution.”
-Ian Trimble
Mandiant
ThriveDX Cybersecurity Instructor
As CISOs rely more upon third-party vendor platforms, they face greater accountability for managing vendor risk and ensuring comprehensive policies for protecting data and sensitive information.
Re-Emphasizing The Human Factor and Resource Management
As CISOs become more liable for cyberattacks, more present in the C-suite, and more responsible for addressing emerging technologies, they must be upfront about resource management, ensure compliance at all levels of management, and educate and engage staff in the active protection of all data and sensitive information relating to the company and its employees.
CISOs must go beyond the checkbox and apply penetration testing, tabletop exercises, red teaming, and other methods of testing their preparations and response plans. To make the best use of the most qualified employees within an organization, it may be worth forming cybersecurity committees that report directly to the CEO, board, shareholders, employees, and regulatory bodies.
To achieve this high standard of accountability and situational awareness, CISOs must take the initiative to address the talent gap in cybersecurity, a challenge that will continue to grow as the workforce struggles to keep up with advancements in the industry. Talent shortages create vulnerabilities that expose organizations to new advances in cyber threats. The 2023 Global Cybersecurity Skills Gap Report noted that staffing shortages contribute to a growth in breaches. The report states that 68% of leaders agree that cybersecurity skills shortages create additional cyber risks for their organizations, and that the skills gap is a growing concern for boards of directors, with 83% of boards calling for a greater headcount of IT security staff.
With increased regulation and liability, CISOs need to protect their organization and themselves by employing future-proof plans and taking governance of emerging technologies. Transparency is no longer merely a best practice but a legal requirement within an organization. CISOs must establish and enforce the most effective measures for preventing data loss and protecting the digital infrastructure while reporting to the SEC, investors, and the board on all operational and supply chain threats. With agility, awareness, and preparation across the organization, from third-party procurement to internal protocols, CISOs can be best equipped for a year of new challenges.
For more information about previous costly cyberattacks from earlier in 2023, you can read our analysis of the ICBC Cyberattack and The Clorox Company.