CISO Radar: 2024 – A Year of Adaptation, Collaboration, and Transformation in Cybersecurity

To securely harness the Cloud’s full potential, your first challenge is to break down silos. Many organizations have isolated this technology, by creating centers of excellence or appointing dedicated experts, without integrating them within existing security or IT teams. Although this was necessary to get the technology off the ground, it is now having a detrimental effect. Faced with the increase in Cloud-native or hybrid projects, operational changes are needed to take the burden off Cloud security teams. The Cloud must become an IT system like any other. Cloud security also needs to be onboarded into the CI/CD chains and agile methodologies deployed in organizations, including for internal systems.

Your second challenge: Cloud opportunities in terms of cybersecurity are still under-exploited. These include:

• Automated deployment of resources and security policies.
• Visibility into the Cloud environment, enabling better perimeter monitoring.
• Development of new resources, with no code / low code (no need to code to deploy) or no admin (fewer users with administrator roles) strategies.

This can often be explained by insufficient team training, or by the large number of features offered by Cloud services, and their rapid development pace. Analyzing the existing capabilities of Cloud platforms and aligning them with the organization’s cyber processes is often a very positive step and enables you to deal with issues that have been outstanding for years (real-time compliance checks, security policy monitoring, etc.).

Zero Trust is a target for almost all our clients. Several assessment frameworks are available today (including Wavestone’s) for drawing up a transition plan towards a Zero Trust model that is effective on several dimensions: infrastructure, applications, access etc.

Large organizations are currently carrying out two types of projects.

1. ZTNA (Zero Trust Network Access) deployment, which focuses on network and remote access.
2. Micro-segmentation, which involves dividing the network into segments and dynamically applying specific security policies to them.

But Zero Trust is not limited to remote access and micro-segmentation. The greatest challenge is to gradually migrate applications to a Zero Trust model. This is a profound and complex change that takes time. Mature organizations are currently building a convergent approach where adoption progress is measured incrementally through tangible metrics. These include: the percentage of critical applications managed with conditional access, coverage of users by Zero Trust access, coverage of critical environments by micro-segmentation and the number and precision of criteria for assessing the level of trust.

It’s a progressive yet steady movement, which needs to be driven and sustained over time.

Awareness-raising is one of the most widespread practices in cybersecurity and has been for years. However, phishing campaigns often deliver disappointing results, pointing to a “glass ceiling” being reached, and highlighting the urgent need to rethink cybersecurity training and bring it closer to the field, to the highest-risk areas.

The aim is not to break through this ceiling, which would require an excessive amount of energy, but rather to specialize awareness campaigns to successfully change behavior.

The four actions below prove to be the most effective.

1. Identify major risk areas related to business operations.
2. Work closely with business units and employees to review and improve processes. It’s no longer a question of spreading broad, generic messages, but rather of looking at how to change ways of working with those who actually carry them out.
3. Be creative, but always pragmatic, when adapting security practices.
4. Measure the impact of your changes.

Geopolitical turmoil over the past few years and stricter regional regulations suggest that a fully onboarded international IS is no longer an option. Some international organizations are already segmenting their IS into more localized versions, around two or three major zones. This trend is gaining momentum.

This new landscape offers two ways forward for organizations.

The proactive approach aims to restructure your architecture over the long term to create between two and four different zones.

• Build a segmented AD (Active Directory) (e.g., ensure the localization of domain controllers).
• Add a layer of security to foreign subsidiaries or entities (e.g., set up firewalls and filtering rules).
• Maintain a global detection capability by consolidating alerts rather than just logs.
• Ensure that third-party contracts are assessed from a sovereign geopolitical standpoint (e.g., hire local players able to deploy on-site in case of incident).

The reactive approach focuses on setting up crisis mode when rapid decoupling is required.

• Identify sensitive geographical areas.
• Implement Red Button procedures to shut down the network, privilege accounts, and access to applications and workstations.
• Anticipate business impacts and legal risks of isolation (e.g., when transferring security systems from an embargoed country).

Decoupling calls for a radical change in IS management and, in the future, cybersecurity. It requires cross-functional discussions with, on the one hand, top management, who are involved in the same way as in M&A operations, and, on the other hand, business units, to fully understand access and communication needs at company scale. Multinationals often have a dual objective when it comes to unbundling: to keep their business running as smoothly as possible and, at the same time, to protect themselves against espionage, malicious acts or attacks.

It is vital to find this new balance before being compelled to react in a state of emergency.

Third-party attacks increased in 2023. The latest attacks on Boeing, ICBC and DP World highlight just how tricky third-party management can be. With so many partners, suppliers and subcontractors in an organization (and its subsidiaries!), managing third parties is a real puzzle for cybersecurity teams.

Once again, regulations, including DORA’s Chapter V, call for greater monitoring. To meet the regulator’s requirements, you’ll need to assess third-party risks, introduce specific clauses in contracts, and define a strategy for rapid decontractualization (stressed exit).

Efficient third-party management cannot rely on security teams alone. All departments need to be involved: IT, purchasing, business etc. A third-party evaluation platform, available to all, can engage them effectively.

You also need to involve your most critical third parties in joint crisis exercises. This kind of integrated training, still very uncommon, allows both sides to learn from each other.

Last but not least, cooperating with industry players is key to safeguarding core market assets. That’s especially true for third parties that can’t be re-insourced (e.g. large Cloud platforms), or where no alternative exists for the market (e.g. SWIFT).

Managing third parties means dealing with the risks of thousands, or even tens of thousands, of entities. It’s a major effort that calls for long-term commitment!

With all the buzz around artificial intelligence (AI), organizations are facing unprecedented threats affecting the very heart of these models. New attacks are emerging, such as poisoning (modifying training data to trick it), oracle (hijacking AIs to make them reveal things they shouldn’t), or illusion (making AIs believe things that are false but invisible to humans). New risk assessment and protection measures need to be put in place.

In the short term, the priority is therefore to secure business projects using AI, particularly in the following stages:

• Classifying AI use cases according to regulatory criteria (refer to the future European AI Act) or the NIST (National Institute of Standards and Technology) AI risk management framework.
• Defining responsibility matrix and governance for use case validation, taking into account cybersecurity, transparency, privacy, bias and ethics.
• Implementing dedicated safeguards where necessary, either by integrating security directly into the project design, or by implementing new products for AI security.

Looking ahead, you’ll have to monitor AI developments in cybersecurity. 2024 will hold plenty of interesting announcements, but we recommend not to invest prematurely. More mature companies can, however, start centralizing security data in a Security Data Hub to take advantage of AI solutions when they are mature.

While communications and storage encryption (data at rest) has become commonplace, the encryption revolution carries on with the rise of technologies such as encryption in use. Regulators are taking an interest in these issues, as in the case of DORA. This trend calls for integration of confidential computing principles by bringing encryption right into the processor’s memory and registers. However, this can go even further, particularly with homomorphic encryption (enabling data to be processed without the need for prior decryption).

At the same time, quantum computers pose a growing threat. Although their peak impact is expected between 2030 and 2033, there are already warning signs. You need to start thinking now about which sensitive data will need to remain confidential for at least a decade.

There are three key stages in the transition to post-quantum.

1. Identify sensitive data, understand its nature and strategic importance, and prioritize migration.
2. Analyze thoroughly current commercial and open source encryption systems.
3. Adopt post-quantum encryption solutions, even imperfect ones, for continuous testing and adjustment.

At this stage, a dual-encryption strategy, combining traditional and post-quantum methods, offers multi-layered security adapted to current and future challenges.

Given the urgency of the climate change situation, cybersecurity teams need to assume their share of responsibility and adopt sustainable practices that go beyond Green IT. As CISOs oversee security policies, they can also influence them to promote less energy-intensive security measures, without increasing the level of risk.

This starts with assessing the environmental impact of security measures. A number of tools allow you to measure the greenhouse gas emissions of infrastructures (both on-premises and in the cloud) and endpoints. This first step enables you to identify the most polluting devices within your organization.

The goal is then to reduce emissions without significantly compromising the level of safety, i.e. without affecting critical measures.

Initial work to provide an operational response to this issue will be published in early 2024, so stay tuned!