As we begin 2024, the cybersecurity landscape is at a crossroads, shaped by the unprecedented integration of AI, escalating cyber threats, and a rapidly evolving policy environment. Business leaders, CISOs, and security teams find themselves grappling with security challenges that demand strategic foresight and resilience.
We sat down with Illumio business leaders and cybersecurity experts to learn the key concerns, trends, and priorities on their minds as they begin the new year. Keep reading to hear what they shared.
AI will be a boon for threat actors
Though AI has been a reality for years, it finally broke the mainstream in 2023. This November was ChatGPT’s first birthday, and after only a year, we’re already seeing an exciting innovation being used by threat actors to speed up the attack process.
Cyber leaders are predicting that AI will continue to be a big deal in the security space. Unfortunately, they see many of the AI benefits going to attackers — at least for the near future.
“In its early innings, the AI advantage will go to attackers,” said Andrew Rubin, Illumio’s CEO. “In 2024, I predict that attackers will experiment more with AI.”
Paul Dant, Senior Systems Engineer at Illumio, agreed, explaining that AI will only make it easier for bad actors to carry out targeted attacks in 2024. He sees threat actors using AI to continue to target simple security gaps but with the speed and efficiency of AI-generated tactics.
According to Anup Singh, CFO at Illumio, this will lead to an even greater pressure on organizations to prioritize cybersecurity initiatives. “We’ll continue to see a big explosion in the need for cybersecurity, largely attributed to the ongoing proliferation of AI and ML (machine learning). Every day, companies are introducing new AI initiatives, and as a result, attacks are getting increasingly sophisticated.”
Despite the AI advantage for attackers in the coming year, industry leaders have hope that the pendulum will swing back in the defenders’ favor.
“In the long run, either AI will become an effective tool for both, or defenders will find interesting and creative ways for us to use AI to better defend ourselves,” Rubin explained.
Singh agreed, predicting that “we’ll see more resources being put towards companies that are using AI/ML to advance progress and algorithms to counter increasingly ruthless and dynamic attackers.”
Cyber will remain a national priority
With the proliferation of AI in 2023, we saw global governments jumping to address AI safety and security with the Biden Administrator’s new executive order on AI and the AI Safety Summit in London.
Cyber leaders see this increased government involvement and interest in cybersecurity as an indication that security will continue to be a national priority in 2024.
“The federal government has a vested interest in effectively securing critical infrastructure and other essential operations, and they will continue to take a more active stance in securing U.S. infrastructure against digital adversaries,” Rubin said.
The way they’ll accomplish that? Zero Trust security strategies. According to Gary Barlet, Federal Field CTO at Illumio, “Government agencies are starting to get serious about implementing Zero Trust strategies.” He expects to see an uptick in Zero Trust funding in 2024.
And while the majority of new cybersecurity mandates coming from the federal government only impact federal agencies, industry leaders believe new legislation will impact private sector security planning and strategy, too.
“More federal oversight and increased cybersecurity regulation will change the way that organizations, businesses, and executives prioritize and think about cybersecurity in the new year,” Singh said. He sees the 2023 legislation around reporting and breach disclosures (from the SEC and TSA, in particular) as indicators to private-sector organizations that they should make risk reduction and cyber resilience business imperatives in 2024.
But compliance shouldn’t be the only reason organizations are adopting better cybersecurity practices in the new year.
“I think 2023 was also the nail in the coffin for compliance-based security strategies,” said Raghu Nandakumara, Senior Director of Solutions Marketing at Illumio. Any organization that waits until compliance mandates come into effect to implement segmentation is literally a sitting duck for attackers.”
Complacency isn’t an option anymore
With increasing signals to organizations that security should be top priority in 2024, cyber leaders are speaking out about the disease of complacency infecting cybersecurity thinking at many businesses. In fact, recent research by Vanson Bourne revealed that 25 percent of security decision-makers don’t even think their organizations will be breached.
“People are still moving way too slowly in security, and they are overanalyzing everything at their organization’s expense,” Rubin pressed. “We’re too interested in orchestrating perfect cyber outcomes, and while that search for perfection happens, attackers are leapfrogging their foes with superior skills and techniques that evade even the most advanced security measures. In 2024, organizations must execute faster if we want to see any real progress in mitigating risk.”
As the threat landscape widens and bad actors grow more aggressive in their tactics, 2024 marks a turning point for organizations to make cyber resilience a top priority. And this job isn’t just for the CISO.
“The reality is that more people must be more willing to push back and set realistic expectations with business leadership, rather than blindly following orders,” said John Kindervag, creator of Zero Trust and Chief Evangelist at Illumio. “We need security leaders who have a direct line to the CEO, that have the insight and the courage to tell them what they need to hear when it comes to risk and threats and not just what they want to hear.”
The good news? The industry is starting to see some change — Trevor Dearing, Director of Industry Solutions Marketing at Illumio, is seeing organizations shift their thinking when it comes to cybersecurity.
“I think it’s now more broadly recognized that cybersecurity is no longer just about data protection but about improving business resilience,” he said. “The challenge now is planning and acting on this.”
It’s time for Zero Trust action
Security leaders are encouraging organizations to adopt Zero Trust for cyber resilience. Zero Trust is a globally validated strategy that assumes breaches are inevitable and is based on a "never trust, always verify" mindset. Cyber leaders are urging organizations to get started on their Zero Trust journey or continue building stronger Zero Trust practices in 2024.
As the creator and “godfather” of Zero Trust, Kindervag believes that 2024 will mark the end of organizations simply talking about Zero Trust.
“What we’ll see in the year ahead is a greater implementation, not just conceptual buy-in, of Zero Trust for a number of reasons — chief among them being how bad the attack landscape has gotten and how that's increasingly affecting the executive suite,” he said.
A Zero Trust security strategy encourages a defense-in-depth model, acknowledging that traditional perimeter-only defenses aren’t enough for today’s sophisticated attacks. Dearing expects organizations to include microsegmentation, also called Zero Trust Segmentation, as a foundational element of their Zero Trust defense-in-depth strategy.
“I hope the resurgence of defense-in-depth goes granular to micro-defense in depth, using technologies like microsegmentation to really provide that last line of defense in the ongoing battle against ransomware,” he said.