CISO – Security Intelligence: Analysis and Insight for Information Security Professionals
https://securityintelligence.com

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about
https://securityintelligence.com/articles/overheard-at-rsa/
Tue, 14 May 2024 13:00:00 +0000


At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”).

The chatter around AI shouldn’t have been a surprise to anyone who attended RSAC in 2023. Generative AI as we know it today was only a few months old then. Everyone wanted to talk about it, but no one was quite sure of the impact it would have on cybersecurity.

A year later, there are still a lot of questions, but the profession has embraced AI into its tools and solutions. It was by far the most popular topic across the educational sessions and in demonstrations and presentations across the Expo. But it wasn’t the only issue that cybersecurity professionals were contemplating. Here are some of the most popular topics that people at RSAC were talking about.

AI isn’t just generative AI

There were over 100 sessions that dealt with AI at the conference. Many conference attendees were most interested in the double-edged sword of generative AI: how to use it as a tool to detect and prevent cyberattacks and how cyber criminals use the technology to launch attacks. AI’s role in misinformation campaigns and developing deepfakes has many people worried about a significant shift in the way threat actors use social engineering. This worry only compounds with the concern that security awareness training won’t be able to keep up.

The term “shadow AI” was mentioned a number of times, often by CISOs who expressed concern that the risks faced through shadow IT and shadow cloud behaviors are beginning to repeat themselves in the use of unauthorized AI. Right now, much of shadow AI is related to employees who use tools like ChatGPT as research resources and trust the information they receive as absolute truth. But as employees become more sophisticated in using AI tools and as generative AI shows itself as a potential security risk, CISOs want to see steps taken to get AI policies and approved tools adopted into their organizations sooner rather than later.

However, one of the issues that cybersecurity experts were quick to point out is the need to separate generative AI from other types of AI. Because of the overwhelming presence of AI throughout the conference, the technology has this feeling of newness to it, that it is something that was just introduced in the past year. Many of the panel discussions covered machine learning and large language models and how to build on the predictive benefits these technologies bring to cybersecurity tools. AI isn’t new, one CISO said; it’s been around in some form for decades. The hope is that the AI hype of this year settles down by RSAC 2025 and that there will be more positive discussions around building better predictive models with AI or more defined uses of the tool.

Data governance and AI

One topic that seemed to come up almost as much as AI was data governance. Some of the conversations were around AI’s role in data governance, but cybersecurity professionals spoke of the need to know their data and build out policies that will meet ever-evolving compliance standards. Data governance was commonly mentioned along with the SEC cybersecurity disclosure rules and other government regulations put in place. As one cybersecurity executive pointed out, the struggle with data governance comes down to the biases from three different areas within a company: the engineers who create data, the C-suite team who use the data, and the CISO who controls the data and the security around it. There is no agreement on what determines metadata, and until there is governance that reconciles all three biases, true data governance will be difficult, if not impossible, to achieve, and that hurts overall security efforts.

The absence of zero trust

In 2023, zero trust was far and away the most discussed topic at RSAC. While everyone wanted to talk about generative AI last year, it was often centered around zero trust architecture and principles. This year, zero trust was pushed into the RSAC dustbin. Oh, it was still there: eight sessions had a focus on zero trust and it was highlighted in more than a few company displays. But it has moved beyond its initial buzz, which one CISO suggested wasn’t that surprising.

Applying zero trust principles is time-consuming and because it has been a couple of years since the White House released its cybersecurity executive order, many companies are already well into their zero trust journey. It may be because it is no longer the “it” buzz term or it may be because there isn’t the demand for more information, but the glow around zero trust has officially dimmed.

Budgets, or lack thereof

At the brunch roundtable mentioned earlier, one of the CISOs said they expected to hear a lot about security budgets, or, more to the point, the lack of security budgets. Funding for security was a topic that came up frequently, as many security professionals weren’t afraid to say they were dealing with a delicate balance to manage budget cuts with rising costs around cyber incidents.

IT and security departments need to do a better job of learning the language of business executives and explaining how and why cybersecurity fits into the corporate model and overall business operations. But if cuts to the security budgets continue, with layoffs of experienced security personnel and the inability to get the tools needed to keep up with the latest threats—especially around AI security models—companies will get hit with cyberattacks, and the costs will be greater than the budget cuts.

It’s clear from this year’s RSAC that we’re just at the tip of the iceberg when it comes to AI advancements—and the hype around it doesn’t appear to be going anywhere anytime soon. But what security concern, emerging tech or new marketing buzzword will be top of mind for attendees at next year’s RSAC?

Why security orchestration, automation and response (SOAR) is fundamental to a security platform
https://securityintelligence.com/posts/why-security-orchestration-automation-and-response-soar-is-fundamental-to-a-security-platform/
Tue, 09 Apr 2024 13:00:00 +0000

Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats. 

Disconnected teams accelerate the need for an open and connected platform approach to security. Adopting this type of approach can maximize investments by bringing new and existing security tools together, make SOC analysts more productive by moving their workflow into one place, and provide flexibility for organizations as their IT and security programs change. Our vision for a next-generation, open and integrated security platform is built around three key tenets:

  1. Open architecture: With the growing number of different tools and cloud platforms that organizations are using today, a next-gen security platform must be open enough to easily work with different tools from different vendors. Consolidating existing tools or moving data is often too expensive and complex to undertake, but adopting a platform that is based on open-source technology and backed by an open standards body allows teams to maximize existing investments by bringing all tools together in a standardized way.
  2. Centralized hub: SOC analysts can improve their productivity with one primary system of record to manage their workflows. A centralized hub on top of an open architecture provides a way to fuse people, process and technology. This enables analysts to move out of the individual tools they use and streamline their work into one place while still providing the valuable data from the existing tools and decreasing the need to train the entire SOC on all of the tools deployed. The goal is to automatically put the right information in front of the right person at the right time to drive effective and decisive resolution.
  3. Flexible deployment: Most organizations are using multiple clouds and on-premises solutions to manage their security and IT environments. And each is typically in the midst of their own unique journey to the cloud. A next-gen security platform that can deploy anywhere gives businesses the flexibility to choose what’s best now, and in the future, while avoiding lock-in to a particular deployment model.

SOAR is at the core of a next-gen security platform

Security orchestration, automation and response (SOAR) solutions are built on four engines as defined by Gartner: workflow and collaboration, ticket and case management, orchestration and automation, and threat intelligence management. The fusion of these capabilities improves SOC productivity and incident response (IR) times by bringing together people, process and technology. As such, these engines also provide an ideal basis for a robust security stack. Indeed, SOAR capabilities based on an open architecture, with a flexible, hybrid cloud deployment, are the ideal approach for a security platform that fulfills this vision.

Placing SOAR at the heart of a security platform helps teams extend and maximize value across the ecosystem and to any security process while working in a centralized, coordinated manner. Incorporating SOAR capabilities into a next-gen security platform provides a foundation that will deliver several benefits.

Better communication within and outside the security team

Any SOC, especially a virtual one, requires seamless collaboration to guide responses and organize tasks — this is a key capability of a SOAR platform. Rather than starting from scratch, teams can work intelligently by following workflows embedded within dynamic playbooks. Furthermore, security teams can leverage the workflow and collaboration engine of SOAR to communicate with key players in different functions, such as IT, legal, HR or PR, helping to facilitate a coordinated and efficient response.

Improved efficiency with centralized case management

SOC analysts gain efficiencies from case management capabilities that can be managed from the centralized hub of a SOAR solution, eliminating the need to switch between multiple tools and dashboards. When case management is extended beyond the SOAR solution and into a broader security platform, it provides analysts with a common format to use across all connected capabilities. A strong case management function will also include dashboard and reporting capabilities to track metrics and KPIs, highlight trends and gaps, and elevate the business value of the SOC.

Maximum depth and breadth of the ecosystem

Security teams can maximize the depth and breadth of their ecosystems through an open architecture. An open, standards-based approach allows SOC teams to leverage the capabilities of a diverse ecosystem through integrations across a wide variety of data sources and tools and to capitalize on existing investments. The orchestration of these technologies extends SOAR capabilities while providing security analysts greater visibility into the ecosystem.

Placing SOAR at the heart of a next-gen platform allows customers to extend SOAR benefits beyond the incident response process for which SOAR was created to include any security process, such as vulnerability management, identity management, DevSecOps and more. This not only logically extends this investment to generate additional ROI but also yields KPIs about these processes, which can be used to drive continuous improvement and transform security’s relationship to the rest of the organization.


The evolution of a CISO: How the role has changed
https://securityintelligence.com/articles/ciso-role-evolution/
Tue, 02 Apr 2024 13:00:00 +0000

In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.

With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt to meet the cyber challenges of the future?

The CISO’s role in the past

Steve Katz became the world’s first CISO when he took the position at Citicorp/Citigroup in 1995. From the beginning of his CISO journey, Katz realized that the role was not just an IT position; it was about serving the business by reducing risk. In the following years, other organizations added this new position, with the CISO reporting to the CIO in most organizational structures. While many CISOs recognized the true nature of their role, the rest of their organizations were often not on the same page.

In time, CISOs found themselves managing issues outside their organizations, such as building partnerships, working with suppliers and managing external data transmissions. However, many organizations felt the role still primarily remained in the IT realm, with the foremost responsibility of keeping the business from making headlines due to a major cybersecurity breach or attack. This meant that many CISOs mainly focused on compliance and risk management.

The role of CISOs today

In recent years, the CISO role has taken another significant shift in the face of increasing cyberattacks and the growing risks of business disruption, fines and reputational damage. According to Splunk’s CISO Report, 86% of those surveyed say that the role has changed so much since they became a CISO that it’s almost a different job. The role has moved from primarily being a technical role to more of a business leader.

Instead of implementing cybersecurity, CISOs now focus on helping the organization’s leaders understand the importance of cybersecurity and lead the strategic thought for the organization’s cyber strategy. CISOs bridge the gap between the technical language that comes easily to the IT department and the business language of senior leadership.

This shift also caused a reshaping of the organizational structure, with 47% of CISOs now reporting directly to their CEO, according to the Splunk report. By having the CISO answer to the CEO instead of the CIO, the organization illustrates the importance of cybersecurity as a key priority. Additionally, CISOs now have a bigger influence with a seat at the executive table and, often, even on the board of directors.

Future predictions for the CISO role

Cybersecurity experts debate whether the role of CISO should focus on business or technology. As we move forward, the answer will solidly fall into the middle. More than ever before, today’s successful CISOs must possess a rare blend of both technical and business acumen to truly succeed at the role.

Instead of simply helping the organization speak a common language in terms of cybersecurity and risk, the CISO will take a larger leadership role, owning the cybersecurity strategy for the entire organization. With the increased profile and responsibility, other employees will also realize the importance of cybersecurity in organizations.

As one of the newer executive roles, only existing for the past few decades, the CISO has evolved considerably since Katz made the news. As threats grow more sophisticated and businesses become increasingly digital, the business disruption of cybersecurity attacks often affects every aspect of a company. Organizations that realize the increased importance of cybersecurity and evolve their CISO role can create a culture where every employee and executive views cybersecurity as their job.

Boardroom cyber expertise comes under scrutiny
https://securityintelligence.com/articles/boardroom-cyber-expertise-scrutiny/
Mon, 22 Jan 2024 14:00:00 +0000

Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?

A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close to cyber, it will reach them anyway — at least according to a potential new SEC rule. What should security leaders do?

Cyber knowledge gap

A recent CyberEdBoard report said, “Board members are just not equipped to understand technology. The other side of the problem is that CISOs tend to talk in technical terms and it goes right over the board’s head. We have to figure out ways for CISOs to communicate effectively to the board.”

That might be a generalization as tech savviness increasingly makes its way into the upper ranks of business. However, when only a fraction of CISOs report to CEOs, it raises questions about how companies prioritize security issues.

Meanwhile, the federal government is increasingly concerned about the impact of cyberattacks, for example, on critical infrastructure and government agencies. And the feds are taking action to enforce compliance.

SEC enforcement moves forward

In 2022, the SEC nearly doubled the size of the Enforcement Division’s Cyber and Crypto Assets Unit. Since then, the unit has initiated enforcement proceedings against SEC-regulated entities due to insufficient cybersecurity controls and inadequate disclosure concerning cyber risks and incidents.

Over the past two years, SEC enforcement has resulted in charges, fines and settlements. Some of the biggest financial entities in the world have had to pay penalties ranging from $425,000 up to $35 million.

Are public company regulations next?

Now, the SEC’s proposed Rule 10 would specifically require all public companies to report material cybersecurity incidents on Form 8-K. Rule 10 would also mandate periodic disclosures regarding a registrant’s policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures — and the board of directors’ cybersecurity expertise, if any.

The board should get on board with cyber

Although some board members might still be reluctant to address security issues head-on, education is the key. Some easy-to-grasp parameters should be presented, like the global average cost of a data breach reaching $4.45 million. Or tell them about the $35 million SEC fines.

Security leaders should also compile data about the real-world risk — and damage — that cyber presents to their company. How many attacks did you detect last year? How many breaches? What were the estimated costs? What measures are needed to minimize further incidents and what would be the investment needed?

These are simple concepts that any business-minded person can get their head around. Armed with this type of information, board members could converse intelligently with any regulatory agency.

It would be unreasonable to ask board members to become cyber experts, but they can be guided to understand the associated business risks and benefits. Additionally, cyber executives should have a seat in the C-suite — or at least direct access to the CEO.

Give the board terms they understand

As per Marco Túlio Moraes, CISO and expert board advisor at CyberEdBoard, security officers need to learn to speak in financial terms.

For example, can you explain the total loss exposure for your cyber risk portfolio in quantitative financial terms? This can help everyone grasp the size of the issue to drive the strategy. Healthcare, for instance, has a risk portfolio with an average loss exposure of $5.5 million, given a probable annual likelihood of 9% and an average loss of $40 million. Is this something your board can accept?

Once these numbers are clearly outlined, risk appetite and tolerance can be defined given constraints such as budget, staff, time and other resource limitations. From there, an informed discussion about strategic cybersecurity can happen, including investments, responsibilities and expected results.

The CISO’s guide to accelerating quantum-safe readiness
https://securityintelligence.com/posts/ciso-guide-quantum-safe-readiness/
Tue, 16 Jan 2024 14:00:00 +0000

Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.

A future cryptographically relevant quantum computer may be able to break public-key algorithms such as Rivest-Shamir-Adleman (RSA), Elliptic Curve Diffie-Hellman (ECDH) and the Elliptic Curve Digital Signature Algorithm (ECDSA), leaving sensitive information vulnerable to attacks. Even today, data not protected with quantum-safe cryptography is at risk of being stolen and stored until it can be decrypted. These are commonly called “harvest now, decrypt later” attacks.

Standards bodies worldwide have begun guiding the transition to quantum-safe cryptography — encryption algorithms based on math problems considered difficult for even a mature quantum computer to solve. In 2022, after a six-year-long submission and review process, the National Institute of Standards and Technology (NIST) selected four quantum-resistant algorithms for standardization, three of which were contributed by IBM researchers and partners. Recent guidance from NIST, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations create a quantum-readiness roadmap for transitioning to these standards, which NIST expects to publish in 2024.

While every organization, guided by its CISO, should create its own quantum-readiness roadmap, three steps are critical for every organization to undertake to become quantum-safe:

  1. Discover your cryptography
  2. Observe your cryptography
  3. Transform your cryptography.

1. Discover your cryptography

The first step in the journey toward quantum-safe security is to gain a deep understanding of the vulnerabilities within the existing cryptographic infrastructure.

Discovery activities should identify at-risk cryptography and determine where the dependencies exist, translating these findings into robust cryptographic inventories. For example, IBM Quantum Safe Explorer scans source code to identify and inventory cryptography usage, formatting this information as a Cryptography Bill of Materials (CBOM) that can be shared with the software supply chain.

Cryptographic discovery should extend beyond applications to include network protocols, systems and assets, especially those that create and validate digital signatures. For third-party products, CISOs should work with their technology procurement specialists to gather information about embedded cryptography from vendors. After a thorough discovery process, CISOs might be surprised to learn how wide their quantum risk exposure is, given broad dependencies on public-key cryptography embedded within applications, networks and systems.

2. Observe your cryptography

Once security leaders have discovered the weaknesses in their cryptographic infrastructure, the next step is to observe the potential impact and identify the necessary steps to mitigate these risks.

With a dynamic perspective of their enterprise-wide cryptographic usage, CISOs can begin the work of cybersecurity risk assessments. This step involves working with cybersecurity and privacy managers to prioritize sensitive and critical data sets most at risk from “harvest now, decrypt later” attacks and with the highest business value and impact. To translate these insights into a quantum-safe strategy, security leaders should evaluate the business relevance in relation to the complexity of mitigation for specific assets so that they can plan their quantum-safe transition in a way that optimizes performance, compatibility and ease of integration.

3. Transform your cryptography

The final step in the journey to quantum-safe security is the transformation of cryptographic infrastructure to incorporate quantum-resistant cryptography.

Before deploying quantum-safe solutions to their stack, security leaders should equip their teams with the tools and education to test the new cryptographic protocols and evaluate the potential impact on systems and performance. Quantum-safe solutions that can be updated without having to overhaul their cybersecurity infrastructure will help CISOs establish crypto-agility and ensure they can proactively and seamlessly address potential quantum vulnerabilities. Security leaders should engage vendors to determine their timeline for migrating to quantum-safe cryptography for processes, services and systems secured with quantum-vulnerable cryptography embedded in third-party products.

By following the three steps of discover, observe and transform, CISOs can assess the vulnerabilities in their cybersecurity landscape and begin implementing quantum-resistant cryptography to safeguard their organization’s data for the coming quantum computing era. The time to embark on the journey to quantum-safe security is now.

Cybersecurity trends: IBM’s predictions for 2024
https://securityintelligence.com/articles/cybersecurity-trends-ibm-predictions-2024/
Tue, 09 Jan 2024 14:00:00 +0000

As organizations begin planning their cybersecurity strategies for 2024, these expert insights provide guidance on facing the year to come.

From world events to the economy, 2023 was an unpredictable year. Cybersecurity didn’t stray far from this theme, delivering some unexpected twists. As organizations begin planning their security strategies for 2024, now is the time to look back on the year before and extrapolate what the future may hold.

The year kicked off with Generative Artificial Intelligence (GenAI) hitting the headlines and dominating the conversation unexpectedly. The impact of the many new uses for GenAI rippled the cybersecurity world and was a top topic and cybersecurity concern, with a data breach of ChatGPT highlighting the risk. Cybersecurity professionals also increased their use of AI technology to help detect and prevent attacks.

Ransomware stayed in the headlines, starting with an increase in volume. The month of March alone saw 400 attacks. Local governments were a prime target this year with more than 34 attacks, including one incident that shut down critical systems in Dallas. On the good news front, the U.S. government issued the NIST Cybersecurity Framework 2.0 and the White House Cybersecurity plan took steps to protect critical infrastructure from cyberattacks.

To get insights into what to expect in the cybersecurity industry in 2024, we talked to leading experts. Here’s what they have to say.

2024 will be the year of deception (Charles Henderson, Global Head, IBM X-Force)

2024 is going to be a busy year for cyber criminals amid ongoing geopolitical tensions, major elections in the U.S. and European Union and the biggest sporting event in the world (Paris Olympics) all taking place within a few months of each other. It’s a perfect storm of events that’s going to see disinformation campaigns on a whole new level.

Cyber criminals have everything they need to deceive unsuspecting users, consumers and even public officials through AI-engineered deception tactics. We’re about to see improved deep fakes, audio fakes and very convincing AI-crafted phishing emails in cyber criminals’ efforts to deceive the public and advance their malicious objectives.

GenAI is about to make “customer acquisition” much easier for cyber criminals (Charles Henderson, Global Head, IBM X-Force)

Until now, cyber criminals have been very limited in how they can monetize from their data spoils collected from the billions of data compromised over the years. But all that’s about to change thanks to GenAI. GenAI is going to help filter through, correlate and categorize those huge data sets in minutes and put them together in a programmatic way for cyber criminals to create profiles for potential targets. GenAI’s ability to optimize target selection is no different from how it’s improving the customer acquisition process in marketing — it’s just a different light of legality.

Enterprises will see an influx of “doppelgänger users” (Dustin Heywood, Chief Architect, IBM X-Force)

With millions of valid enterprise credentials on the Dark Web right now and the number continuing to rise, attackers are weaponizing identity, viewing it as a stealthy means of access to overprivileged accounts. In the next year, I expect we’ll see more “doppelgänger” users popping up in enterprise environments, with users behaving a certain way one day and another way the next — this abnormal behavior should be enterprises’ sign of compromise. Attackers are assuming legitimate users’ digital identities unbeknownst to them, with this trend only exacerbating in 2024. Security and password hygiene have never been more important.

Get ready for the AI version of Morris Worm (John Dwyer, Head of Research, IBM X-Force)

The Morris worm is widely believed to be the first cyberattack ever reported back in 1988. I think in the relatively near term we’ll see a “Morris Worm-like” event where AI is confirmed being used to scale a malicious campaign. With AI platforms starting to become generally available to businesses, adversaries will begin testing the nascent AI attack surface, with activity increasing as AI adoption begins to scale. While we’re still far out from the day when AI-engineered cyberattacks become the norm, these things don’t happen overnight — but the “premiere” is likely around the corner.

Amid midlife crisis, ransomware is heading for a makeover (John Dwyer, Head of Research, IBM X-Force)

Ransomware may be facing a recession in 2024 as more countries pledge not to pay the ransom and increasingly fewer enterprises succumb to the pressure of encrypted systems — choosing to divert funds to rebuilding systems versus decrypting systems. Ransomware operators are starting to face a cash flow problem, making it challenging to keep up with their resource-intensive campaigns.

While we anticipate a bigger pivot to high-pressure data extortion attacks, ransomware isn’t going anywhere, as we expect it to shift focus to a consumer or small business target base where threat actors’ leverage remains strong. But considering that ransom demands against small and medium-sized businesses are likely to be less than enterprise victims, it’s clear that ransomware is heading for a makeover.

Generative AI adoption will force CISOs to focus on critical data (Akiba Saeedi, Vice President, Data Security, IBM Security)

With enterprises beginning to embed GenAI into their infrastructure, they’re dealing with new risks introduced by centralizing various types of data into AI models, various stakeholders accessing those models and data they’re ingesting, as well as the actual inference and live use of the model. This risk will drive CISOs to redefine what data can introduce an existential threat to the organization if compromised (e.g., fundamental IP) and reassess the security and access controls surrounding it.

Data security, protection and privacy measures are the linchpin to the success of an AI-driven business model. But with data becoming more dynamic and active across the environment, the discovery, classification and prioritization of critical data will be a top action for security leaders in 2024.

GenAI will level up the role of security analysts (Chris Meenan, Vice President, Product Management, IBM Security)

Companies have been using AI and machine learning to improve the efficacy of security technologies for years, and the introduction of generative AI will be aimed squarely at maximizing the human element of security. In this coming year, GenAI will begin to take on certain tedious, administrative tasks on behalf of security teams — but beyond this, it will also enable less experienced team members to take on more challenging, higher-level tasks.

For example, we’ll see GenAI being used to translate technical content, such as machine-generated log data or analysis output, into simplified language that is more understandable and actionable for novice users. By embedding this type of GenAI into existing workflows, it will not only free up security analysts’ time in their current roles but enable them to take on more challenging work — alleviating some of the pressure that has been created by the current security workforce and skills challenges.

From threat prevention to prediction — cybersecurity nears a historic milestone (Sridhar Muppidi, CTO, IBM Security)

As AI crosses a new threshold, security predictions at scale are becoming more tangible. Although early security use cases of generative AI focus on the front end, improving security analysts’ productivity, I don’t think we’re far from seeing generative AI deliver a transformative impact on the back end to completely reimagine threat detection and response into threat prediction and protection. The technology is there, and the innovations have matured. The cybersecurity industry will soon reach a historic milestone: achieving prediction at scale.

A new approach to security’s “identity crisis” (Wes Gyure, Director, Identity and Access Management, IBM Security)

As organizations continue expanding their cloud services and applications, each one brings its own disparate identity capabilities — creating a web of disconnected identity profiles and capabilities across cloud, on-premise systems and applications. In the past, organizations hoped to consolidate these identities via a single identity solution or platform, but in today’s reality, organizations are coming to terms with the fact that this approach is neither practical nor feasible.

In the coming year, organizations will move to embrace an “identity fabric” approach which aims to integrate and enhance existing identity solutions rather than replace them. The goal is to create a less complex environment where consistent security authentication flows and visibility can be enforced.

“Harvest now, decrypt later” attacks to become more common with quantum advancements (Ray Harishankar, IBM Fellow, IBM Quantum Safe)

Quantum system performance continues to scale closer to the point of being cryptographically relevant, with studies conducted by World Economic Forum, National Security memorandums and timelines published by CNSA suggesting quantum computers could have the ability to break the most widely used security protocols in the world by as early as the 2030s. And right now, classical systems are still vulnerable to “harvest now, decrypt later” attacks — where bad actors steal and store data for later decryption on the chance of accessing such future quantum computers. With quantum computing advancing rapidly, we believe these attacks will become more common over the next several years.

Recognizing these risks, the U.S. National Institute of Standards and Technology (NIST) has already begun the process of developing new quantum-safe cryptography standards and is expected to publish its first official standards in early 2024. In anticipation of this, organizations should start the process today of identifying cryptography used in their environments to prepare for the transition to quantum-safe cryptography to ensure their data and systems remain protected from threats posed by quantum decryption. With bad actors already carrying out “harvest now, decrypt later” attacks, and some estimates showing this transition could take as long as 15 years, the earlier organizations start, the better.

2023 was an unpredictable year, and 2024 will certainly hold many more surprises. But with proper planning and agile cybersecurity strategies, your organization can meet those challenges as they come.

Explore the cybersecurity predictions from 2023 and 2022.

Empowering cybersecurity leadership: Strategies for effective Board engagement https://securityintelligence.com/posts/empowering-cybersecurity-leadership-strategies-for-effective-board-engagement/ Mon, 13 Nov 2023 14:00:00 +0000 https://securityintelligence.com/?p=446704 With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are – serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why […]

The post Empowering cybersecurity leadership: Strategies for effective Board engagement appeared first on Security Intelligence.


With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are – serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not.

According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a huge disconnect between cybersecurity reality and Board of Director awareness. And in the case of a cyber crisis, your organization’s Board may be critical in making those key decisions that customers/clients, the public and now regulatory bodies further require.

The value of engaging the Board of Directors

As evidenced by the Cost of a Data Breach Report 2023, cyberattack and data breach costs are increasing year over year. As of 2023, the cost of a data breach had increased by 15.3% since 2020. The attack surface of many organizations is also increasing with digital transformation efforts.

With recovery costs skyrocketing and more technology to secure, boards need to be involved in key decisions and they should be aware of what kinds of protections are in place. Boards of Directors are responsible for ensuring an organization stays profitable and accountable to its stakeholders. An ill-informed board may be frustrated and left with the feeling of being unprepared in the case of a cyber crisis. It is better to inform them of security-related efforts sooner rather than later.

For several years, the U.S. Securities and Exchange Commission (SEC) has been flirting with the idea of implementing cybersecurity requirements that fall upon the Board of Directors for compliance and ownership. The most recent proposed rule requires public companies to disclose if board members have appropriate cybersecurity expertise and adequate awareness to respond to a cyber crisis within their organization. This requirement represents a growing desire for organizations to take more ownership of data security, and it places additional consequences of cyber crisis activities upon the Board of Directors and upon those who are responsible for informing them and arming them with critical crisis response capabilities.

How cybersecurity leadership can foster a strong relationship with the Board of Directors

Engaging the board of directors may seem like a difficult task, but there are steps an organization can take to ensure that the Board of Directors is aligned with cybersecurity goals and objectives.

Step 1: Educate your Board

  • Be sure to provide an overview of the latest regulations impacting your organization and the locations it operates in. Those not in security roles may not know the intricacies of breach notification timelines or the thresholds for disclosure.
  • Ensure the board knows how security teams operate within your organization. Make sure they have awareness of the different vendors that are used to augment a response. In addition, familiarizing your board members with response plans, even at a high level, can further elevate the connection between cybersecurity leadership and board members.

Step 2: Develop a common vernacular with board members

  • Establish a common security language with your board. This means ensuring everyone knows what acronyms stand for (ahem, CSIRP, CSERT and the like – they’ve become second nature to security professionals but not everyone else). Also, determine a baseline understanding of general security terms and threats. It is better to have a common definition within your organization.
  • Define what a crisis is and isn’t. By establishing a Cyber Crisis Management Plan, your organization will have baseline qualification criteria and definitions. We’ve seen it many times before: when teams don’t agree on these before a crisis, it causes a plethora of issues.

Step 3: Enlist support

  • Enlist both internal and external resources to support your cybersecurity initiatives. Mobilize your organization’s C-Suite to foster a deep security culture across the organization.
  • Providing a quality threat intelligence briefing to your Board of Directors can provide awareness and perspective that is tailored to the strategic goals board members care about. IBM X-Force Threat Intelligence is poised to provide this tailored threat intelligence to your Board of Directors. X-Force has a wealth of knowledge that can help your organization’s Board prepare and understand.
  • Find support within the Board itself – some people, including board members, are security nerds at heart. Engage those individuals more and they’ll be your champions. Help them learn more. You may even have a cybersecurity expert on the board already.

Step 4: Communicate with the Board effectively

  • Provide the board with monthly or quarterly high-level security updates highlighting key efforts including product implementation, tabletop or simulation findings and any other important security activities.
  • Be sure to keep conversations non-technical and provide key metrics. These stakeholders don’t need all the nitty gritty details, but it is helpful for them to know roles, timelines and when they need to be involved. Remember that a security response is a whole-of-business job and the Board is a part of that.
  • Keep the line of communication open and involve the Board in any security newsletters or internal awareness campaigns.

Step 5: Practice

  • If your board of directors wants a more hands-on and immersive scenario, the IBM X-Force Cyber Range has Business Response Challenges geared toward this audience. The team engages board members in conversations around regulations, business impact and health and safety. These experiences give board members the opportunity to respond to a cyberattack in a safe environment.

Engaging and communicating with your board of directors doesn’t have to be a daunting task. Take the time to understand members’ concerns and bring them meaningful updates, threat intelligence and metrics. The hardest part is opening the line of conversation and determining what each party needs. Once the relationship is developed, security teams and the Board will be able to converse more easily and effectively, and your organization will be better poised to protect itself.

The evolution of 20 years of cybersecurity awareness https://securityintelligence.com/articles/20-years-of-cybersecurity-awareness/ Fri, 27 Oct 2023 13:00:00 +0000 https://securityintelligence.com/?p=446503 Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The […]

The post The evolution of 20 years of cybersecurity awareness appeared first on Security Intelligence.


Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety.

How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue.

2004 – 2009: Inaugural year and beyond

This early period emphasized general cybersecurity hygiene, such as using strong passwords, keeping software updated and being cautious about phishing attempts.

For example, in 2005, the National Cybersecurity Alliance emphasized:

  • Protecting personal information, especially when asked for personal data online
  • Using anti-virus software, a firewall and anti-spyware
  • Setting up operating systems and Web browser software properly with regular updates
  • The use of strong passwords or strong authentication technology
  • Backing up important files.

2009 – 2018: Our shared responsibility

In 2009, DHS Secretary Janet Napolitano inaugurated Cybersecurity Awareness Month at an event in Washington, D.C. At the time, Napolitano was the highest-ranking government official to participate in the campaign’s activities. This period emphasized cybersecurity as a shared responsibility involving individuals, businesses and governments.

2010: STOP. THINK. CONNECT. initiative begins

In 2010, the STOP. THINK. CONNECT. initiative was unveiled at that year’s Cybersecurity Awareness Month with a proclamation from President Barack Obama. Continuing to this day, the initiative addresses human behavior online, and for good reason. The most recent Verizon Data Breach Investigations Report reveals the human element continues to be a key driver of 74% of breaches, including social engineering hacks, errors and misuse.

2014: Call for built-in security

In 2014, a new emphasis was placed on building security into information technology products. That year, the National Cybersecurity Alliance stated that security is an essential element of software design, development, testing and maintenance. The goal back then was to engage with stakeholders and educate others about what to do and look for in products.

This theme resonates even more powerfully today, as seen in the current National Cybersecurity Strategy. The strategy proposes new measures and regulations aimed at encouraging secure development practices from software vendors.

2015 – 2019: The era of encryption

The 2015 IBM Cost of a Data Breach report was the first to provide a detailed breakdown of mitigating factors for data breach costs. And from 2015 to 2019, the top two factors held a five-year winning streak. The leading factors during those years were the formation of an incident response (IR) team followed by the extensive use of encryption.

2018: The birth of CISA

In 2018, President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018, which established the Cybersecurity and Infrastructure Security Agency (CISA). CISA assists both other government agencies and private sector organizations in addressing cybersecurity issues. CISA now spearheads Cybersecurity Awareness Month efforts, which were previously under the auspices of the National Cybersecurity Alliance.

2019 – 2022: Do Your Part. #BeCyberSmart

During this period, the Do Your Part. #BeCyberSmart campaign was launched. This theme encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.

Over the last decade, ransomware has grown significantly as a security concern. The number of ransomware attacks has increased along with the damage associated with each incident. Security solutions that gained more traction during this period included strategies such as identity and access management (IAM), zero trust and AI-assisted cybersecurity.

2023 and beyond

This year, CISA challenges everyone to help ‘Secure our World’ by adopting four simple steps that everyone can take to stay safe online:

  • Use strong passwords (long, random and unique)
  • Turn on multifactor authentication on all accounts that offer it
  • Recognize and report phishing (“think before you click”)
  • Update software (enable automatic updates and patches).

“As cyber threats become more sophisticated, individuals and families, small and medium businesses and large companies all have an important role to play in keeping our digital world safe and secure,” said CISA Director Jen Easterly. “This Cybersecurity Awareness Month we are asking everyone to do their part to ‘Secure Our World’ by adopting key behaviors that promote online safety and security.”

C-suite weighs in on generative AI and security https://securityintelligence.com/posts/c-suite-weighs-generative-ai-security/ Tue, 10 Oct 2023 09:00:00 +0000 https://securityintelligence.com/?p=446109 Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO’s guide to generative AI: Cybersecurity,” […]

The post C-suite weighs in on generative AI and security appeared first on Security Intelligence.


Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO’s guide to generative AI: Cybersecurity,” part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs with respect to the cybersecurity benefits that GenAI can bring, and the potential risks it can introduce, to their enterprises.

The guidance draws on insights from 200 C-suite leaders and reveals that despite substantial concerns over risks, enterprises are moving full steam ahead with GenAI adoption, eager to reap the rewards and efficiencies promised by GenAI innovation. Key highlights include:

  • Innovate first, secure later? Despite nearly all surveyed executives (94%) considering it important to secure AI solutions before deployment, 69% also say innovation takes precedence over security for GenAI.
  • AI security spend moving upwards: By 2025 AI security budgets are expected to be 116% greater than in 2021, with 84% of respondents saying they will prioritize GenAI security solutions over conventional ones.
  • GenAI viewed as a force multiplier for cyber workforce: 92% of surveyed executives say that, instead of being replaced, it is more likely their security workforce will be augmented or elevated to focus on higher-value work.

Generative AI becomes cybersecurity’s next big bet

As business leaders seek to drive more effective cybersecurity capabilities across their environments, they are expecting to spend more on generative AI-driven solutions. The overwhelming majority of survey respondents (84%) say they will prioritize generative AI security solutions over conventional ones, eager to see the promise of these innovations materialize.

The findings further emphasize the productivity gains that AI promises at the human and technology levels. Today’s AI maturity can help security analysts, empowering them to do more with less through intelligent assistants and speedier, more intuitive detection and response tools.

Survey respondents largely agreed that their workforce is the top area that would benefit from GenAI for security capabilities, with 52% of respondents saying generative AI solutions will positively impact their ability to develop and retrain security talent — an essential requirement amid an ever-evolving threat landscape. The majority of surveyed executives also viewed GenAI as an accelerator of digital trust with 52% indicating that GenAI will help establish easier user access management, permissions, and entitlement across their organizations. Similarly, 47% of executives say GenAI will help improve the time to detect and respond to cyber threats.

Generative AI adoption outpaces security and governance

Despite nearly all executives agreeing that it’s important to secure AI solutions before deployment, 69% say innovation takes precedence over security for GenAI. Rather than incorporating security considerations into innovation efforts, business leaders appear to be prioritizing development of new capabilities without addressing new security risks. This is even though 96% say adopting generative AI makes a security breach likely in their organization within the next three years.

While the survey takeaways suggest that business leaders fear they may lose a competitive edge or market lead by waiting for security to be baked into their AI-led business models, they are also concerned with increasing their risk exposure: nearly half of the study’s respondents voice concern about GenAI expanding their organizations’ attack surface. Specifically, 47% of those surveyed are concerned that adopting GenAI in operations will lead to new kinds of attacks targeting their applications, own AI models, data, or services.

It’s clear that when it comes to AI, we’ve crossed a new threshold: business leaders are eager to capitalize on the benefits promised by today’s innovations. In terms of security, they’re betting on new technologies to create more empowered, more productive teams. They’re looking for faster and more intuitive ways of working — whether detecting anomalies, managing risks, or responding to security incidents.

While many business leaders appear willing to accept the risk of insufficiently secured AI operations if it means they can evolve their business faster, security and technology leaders can take this as an opportunity to influence the conversation. It’s essential to understand that secure AI drives powerful AI outcomes, and that today we have the tools, processes, and strategies to help businesses establish secure AI business models as they embark on a dynamic journey of AI adoption.

Access “The CEO’s guide to generative AI: Cybersecurity” here.

Learn more about how IBM can help businesses accelerate their AI adoption securely here.

Learn more about how IBM is leveraging AI across its security portfolio here.

What’s new in the 2023 Cost of a Data Breach report https://securityintelligence.com/posts/whats-new-2023-cost-of-a-data-breach-report/ Mon, 24 Jul 2023 04:01:00 +0000 https://securityintelligence.com/?p=443328 Data breach costs continue to grow, according to new research, reaching a record-high global average of $4.45 million, representing a 15% increase over three years. Costs in the healthcare industry continued to top the charts, as the most expensive industry for the 13th year in a row. Yet as breach costs continue to climb, the […]

The post What’s new in the 2023 Cost of a Data Breach report appeared first on Security Intelligence.


Data breach costs continue to grow, according to new research, reaching a record-high global average of $4.45 million, representing a 15% increase over three years. Costs in the healthcare industry continued to top the charts, as the most expensive industry for the 13th year in a row. Yet as breach costs continue to climb, the research points to new opportunities for containing breach costs.

The research, conducted independently by Ponemon Institute and analyzed and published by IBM Security, constitutes the 18th annual Cost of a Data Breach Report. A leading benchmark study in the security industry, the report is designed to help IT, risk management and security leaders identify gaps in their security posture and discover what measures are most successful at minimizing the financial and reputation damages of a costly data breach.

The 2023 edition of the report draws analysis from a collection of real-world data breaches at 553 organizations, with thousands of individuals interviewed and hundreds of cost factors analyzed to create the conclusions in the report. (The breaches studied occurred between March 2022 and March 2023, so mentions of years in this post refer to the year of the study, not necessarily the year of the breach.)

Top findings from the Cost of a Data Breach report

Below are some of the top findings from the 2023 Cost of a Data Breach Report.

1. Security AI and automation, a DevSecOps approach, and incident response (IR) plans led the way in cost savings. Some of the most effective security tools and processes helped reduce average breach costs by millions of dollars, led by security AI and automation. Those that used security AI and automation extensively saved an average of $1.76 million compared to those that had limited or no use. Meanwhile, organizations in the study that had robust approaches to proactive security planning and processes also reaped large benefits. A high-level use of a DevSecOps approach (a methodology for integrating security in the software development cycle) saved organizations an average of $1.68 million. And a high-level use of incident response (IR) planning and testing of the IR plan was also advantageous, leading to reduced costs of $1.49 million on average.

2. AI and ASM sped the identification and containment of breaches. Organizations with extensive use of security AI and automation detected and contained an incident on average 108 days faster than organizations that didn’t use security AI and automation. Additionally, attack surface management (ASM) solutions, which help organizations see the attacker’s point of view in finding security weaknesses, helped cut down response times by an average of 83 days compared to those without an ASM.

3. Costs were high and breaches took longer to contain when data was stored in multiple environments. Of all data breaches, 82% involved data stored in the cloud, with just 18% of breaches involving solely on-premises data storage. Of the data breaches in the study, 39% involved data stored across multiple environments; these were costlier and more difficult to contain than other types of breaches. It took 292 days, or 15 days longer than the global average, to contain a breach across multiple environments. Data stored in multiple environments also contributed to about $750,000 more in average breach costs.

4. Organizations with internal teams that identified the breach fared much better at containing the cost. Just 33% of breaches in the study were identified by the organization’s internal tools and teams, while neutral third parties such as law enforcement identified 40% of breaches and the remaining 27% of breaches were disclosed by the attackers, such as in a ransomware attack. However, those organizations that identified breaches internally saved on average $1 million compared to breaches disclosed by the attackers. Investments in security were led by IR planning and testing, employee training and threat detection and response tools. Although just 51% of organizations said they increased security investments after the breach, those that did increase investment focused on areas that were effective at containing data breach costs, for a significant ROI, according to the study. 50% of those organizations plan to invest in IR planning and testing; 46% in employee training; and 38% in threat detection and response tools such as a SIEM.

Next steps

There’s a lot more quality research in the Cost of a Data Breach Report, but the most valuable component is the security recommendations from IBM Security experts, based on findings from the report.

View our security recommendations on the report landing page, where you can also register to download the full report.

Finally, hear directly from our experts in a special webinar detailing the findings and offering security best practices. Sign up for the webinar on August 1, 2023.
