Global Cybersecurity Trends for 2024

As we approach 2024, companies must navigate a complex landscape of cybersecurity challenges. Economic pressures, geopolitical tensions, and rapid technological advancements require a multifaceted approach to cybersecurity. From AI’s dual role as both a tool and a threat to the importance of continuous threat exposure management and the evolving role of platform engineering, companies must remain vigilant and adaptable.

Check out our new video of Oscar, Delan, and Kelly discussing cybersecurity from a multifaceted perspective as we transition to 2024. They explore how global contexts influence cybersecurity strategies, the dual role of AI in strengthening and challenging digital security, and the emergence of new threat scenarios. Additionally, they discuss the strategic prioritization of technologies in cybersecurity, emphasizing the continuous evolution and adaptation required in this dynamic field.

Stay informed, invest in the right tools, and embrace emerging technologies to stay one step ahead of cyber threats.

Delan: Hello everyone. Today we’re going to be talking about some of the global trends that are going to be affecting cybersecurity in 2024. Now, obviously, that’s a very general topic. So we’re going to get down to some of the specifics we’re going to talk about. So we’re going to get into all those topics, and I just want to kick it over to Kelly West to get started.

Kelly: Thanks, Delan. Last week, mid-November, The Economist every year does this. They do their World Ahead. They’re a great source for sort of the overarching trends in the global environment. This isn’t technology. It’s not security specific. It’s to help everyone predict what will be happening in the next year.

They talk about conflict in Europe, conflict in the Middle East, and heightened tensions globally in the geopolitical environment. They talk a great deal about AI. AI shows up everywhere, in essentially every trend list you’re going to look at. And they talk about the green transition and how that impacts this overarching environment.

Then, we need to look at technology trends. Cybersecurity is by its very nature. Just using it here as a source, Gartner. They put together their trend report, the Top Strategic Technology Trends 2024. And they didn’t put it into a prioritized list of these things in any way. They drew on a number of trends that they see happening in 2024 and grouped them into protecting investment to have how they term it. Gartner, of course, always uses its own terminology to define categories. You see a number of overarching technology trends around.

AI trust, risk, security management, threat exposure management, and AI-augmented development. You see AI democratized generative AI. So you can see how important it is. It’s essentially already taken 30% of the top trends list. AI itself is not just one trend. There are all the ways it will be applied, etc. Machine customers, arguably another way that AI will influence where more and more, it’s not necessarily people that are interacting with technology, but technology interacting with technology.

So you see, amongst all of these trends, the sort of context in which the cybersecurity trends will take place. And then finally, and I just use two examples, they’re not just technology trends. Still, cybersecurity trends, just taking a few out of Forbes’s top list, AI was showing up, of course, on both sides of cybersecurity, AI to defend AI.

If you look across the list, you see AI at the top, and then you see API security. And I just want to draw a parallel. The Internet of Things cyber attacks and API security are both just new threat surfaces that are exposed. And so there are new attack vectors that cybersecurity has to pay attention to that have become increasingly important: less than zero trust architecture, zero trust architecture. These were on the 2023 list. It takes time for people and tech companies to react to these trends. And we’re seeing regulation and other AI impacts and citizen generated products.

Overall, that sets a context for the trends that we’re going to talk about and the things that are influencing them.

Delan: Thank you, Kelly, for the introduction. Let’s dive a little bit deeper into some of the things you mentioned there. That was a great overview, but I just wanted to direct the question to Oscar. So, Kelly had mentioned that there will be a lot of, you know, environmental trends impacting cybersecurity. So I just wanted to, if you could maybe go into a bit more detail about some of the geopolitical economic trends we’re seeing, you know, some of the details of how you think that’s going to affect cybersecurity in 2024 and beyond.

Oscar: If you look geopolitically, it’s definitely; Kelly mentioned it already, conflicts are increasing, but there are also conflicts between highly developed countries that are using all kinds of cyber and electronic warfare as part of their arsenal.

It’s probably one of the most effective parts of their arsenal that has multiple impacts. Also, it creates a lot of investment dollars into these types of technologies, which, unfortunately, has had a negative spin-off on compromises becoming available. It effectively leads to more investments into a cyber arms race that can impact any type of organization. I think what also is happening is that because of these conflicts, it legitimizes cyber attacks, from criminals, but also from nation states.

I remember that ten years ago, I worked for a technology company and we were doing our threat intelligence kind of discussions and doing our threat assessments. We thought, well, we’re never going to be a target for a nation-state, but they’re going after the NSA and all kinds of other organizations, but definitely not after us, but that has changed.

SolarWinds was attacked by an Asian state. And actually, the government is taking action against SolarWinds and their CEO, so as an example, just because they weren’t well enough protected against that, and so we’re seeing that going to increase.

So, very much, the political landscape is going to have an impact on us, and making cybersecurity even more important and economical kind of going a little bit the other ways where we’re seeing kind of, you know, leveling off of growth that often has the impact that budgets are going to get constrained in special areas like security. People immediately look to what country to save some money there.

So a lot of security managers and executives will have to look at that. And so you get this complicated situation where, on the one hand, the trend is to get more investments in cybersecurity on the bad side of things. So that if you’re defending, then you’re being asked to cut your budget and tighten your belt, how is that going to work together?

That’s, and then, on the other hand, on the technology side, AI is coming. So, but of course, that’s probably also an additional investment, so an additional cost that also is going to help the bad guys as well. So it’s, it’s not necessarily the trend is your friend.

Delan: And you had mentioned that, you know, conflicting push and pull from restricting economic conditions, but also increase heightened security risks.

Do you think that’s going to affect the technologies that companies are choosing in cybersecurity? You know, the types of technologies that they’re implementing or prioritizing?

Oscar: Well, I think they have to be forced to prioritize and really look at what the top-level risks are. Where are they coming from? And so where, you know, how can I spend my scarce security dollars as wisely as possible, right? And so, but we’re seeing that known vulnerabilities are routinely being exploited now with continuous warnings from CISA and the FBI to take care of that.

And the industry is still responding relatively slowly. That’s definitely hygiene or basic things that still need to get in place across a lot of industries. Some industries are there, but not everybody.

Delan: Kelly, you had been mentioning AI taking up a third of that matrix in the Gartner report that you mentioned. So, the use of AI, generative AI specifically, is showing up everywhere.

What are some of the important considerations of AI relating to application and cyber security that we should be thinking about in 2024?

Kelly: The AI topic is its own large topic. One of the things they talked about was threat exposure management. And so that’s a very important aspect of the trends overall. I think it relates to the geopolitical tensions that Oscar’s talking about, you know, where it becomes more acceptable to even attack a nation’s economy if they’re not in the block of allies you have. And so, threat exposure management is going to be an increased focus all around, not just as it relates to AI.

And I think that a major trend in the development of applications that’s just happening in parallel is platform engineering. And this is about how applications are developed, how the teams work, and what it means for the way they work. And it’s going to shift responsibilities around.

But let me start on the AI question because, as you said, it’s taking up 30% of the list.

One of the ones that I would highlight is that non-technologists are going to be able to generate websites and applications using AI. And AI is then essentially writing the code. This is new for how applications are created. How is that going to fit into the processes of ensuring that the applications created in this way are secure?

And so for example, what components will AI include in the application? You know, it’s very common for developers to use open-source components. What’s AI going to do that way? What’s it going to bring in? What are the implications of the software licenses? What are the implications for vulnerabilities and security?

It’s going to be very important to treat this new way that applications are created properly from a security assessment perspective and get the correct tools in place to ensure that since there are no lies on it. But I think there are other important aspects as well. Oscar, do you?

Oscar: It will accelerate a trend that we’ve seen over like a long-term trend. If you go back 20 to 25 years, perhaps 50% of an application was external libraries. And often, you were buying external libraries. Now, they’ve all become open source. It made them effectively more accessible. So that has now increased to 80 to 90%.

And I think by generating applications through AI tools, that’s going to increase further, and we’re also going to increase the amount of code that we are actually producing because now it’s going to be generated. So that means there’s going to be more code out there. There are going to be more known libraries with ultimately known vulnerabilities, right? Because even if we generate the perfect environment right now and there are no vulnerabilities in the libraries that are underlying these websites that have been created in six months, there will be a few vulnerabilities in them and, in 12 months, a few more.

And are we, you know, ongoingly going to manage that? Are your AI tools going to do that? Very likely not. So it just increases the amount that we need to look after. And yeah, that’s definitely an important element that you want to automate, and you want to make sure that it’s going to be a smooth and efficient process because otherwise, it becomes unmanageable for organizations.

Delan: Probably part of the continuous threat exposure management trend that, uh, that Gartner had been talking about. So, you know, as you’re using these tools and, you know, more and more tools, like Kelly said, write the code for you, you know, how, you know, what do companies need to do to build up and maintain a program that helps them with continuous threat exposure management?

What must companies do to achieve continuous threat exposure management?

Kelly: We’ve done some work in the past that way where we talked about the prioritization of tools and that will be an important aspect. And I think that’s just, you know, for laying a foundation. You’re going to need to have a solid foundation in place. And then there’s going to be additional work you need to do.

Delan: So Kelly, you had mentioned there’s a trend and a push towards platform engineering. So, I thought we could revisit that here. And what impact do you think that platform engineering is going to have on developer productivity and the approaches to application security that companies are taking?

Kelly: The platform engineering trend is quite important because it’s part of the evolution of how software and applications are developed. When organizations are younger, they will tend to just have a development team, and the development team is responsible for everything one way or another. And then, as that organization matures or gets larger, it might have a security team and a development team. And a lot of the cybersecurity space will focus on how that security team and development team need to work together to be productive.

Once a platform engineering team is put in place, and just to clarify for anyone who might not be familiar with the phrase, a platform engineering team actually is a team dedicated to providing the tools, structures, and processes in many cases that the development team will use to develop the application. So, a platform team is specifically focused on assisting the developers with productivity, but they sit in a natural place to become the interface to the security team.

So, it helps to focus the relationship between teams, and maybe most importantly, it localizes decision-making over security tools and the operation of those tools. In previous discussions that we’ve had as a group, we talked about how you can get your security tool implemented when you need multiple stakeholders to buy in an agile environment. A development group will have multiple agile teams, and you want to put in, say, a software composition analysis tool, somebody’s got to do it first in one of those teams and then maybe show the other teams it’s working.

Well, when platform engineering comes into place, that’s not the way it works anymore. It’s the platform engineering team that really would put the toolset in place. And so it helps prioritize the tools more easily. It helps operationalize them. I think it will help organizations that are following that trend to get the security tools in place. But I wouldn’t want to ignore the question of, when Gartner puts together these technology trend reports, they’re focused on very large organizations that are probably at that mature end of the spectrum.

For smaller organizations, they have to think, okay, we are not ready for a platform team, but what can we do to ensure that we’re putting some decision-making structure in place so that we can choose the security tools we need in order to be properly positioned to defend against all the trends that we’re discussing. And I think that can be a really important consideration for them.

Delan: It’s a lot of information about, you know, things we’re seeing in 2024, but what do you think is gonna spill over from 2023?

Oscar: Definitely, I think zero trust is kind of a long-term prediction. To be honest, zero trust is a very hard bar for organizations to meet. And for a lot of organizations, it might not be a realistic target to hit. And so that’s one part of the reason that a lot of organizations have paid lip service to it but haven’t really been able to implement it. Right. Because theoretically speaking, zero trust makes a lot of sense.

Obviously, it’s clear to everyone that that would dramatically improve the security of the organizations, but getting there is a long journey. And so that’s not something that you do in a year and for a lot of organizations that they might not even ever achieve.

So I think that’s why perhaps we’re going to see some kind of audit targets that are a little bit less than zero trust, but going in that direction is more realistic for a lot of organizations.

Kelly: I think there’s another one that probably really got started in 2023. And as a result of one of the trends they’re even citing for 2024, which is increased regulatory focus on cybersecurity. And that’s the software bill of materials or SBOM requirements that are showing up.

And just by listing out all the components in software, it raises the awareness around those components. And so it’s going to necessarily raise the awareness around vulnerabilities in those components, which is the intent. And the whole ecosystem for software bill of materials and SBOMs is still very young and is going to be maturing during 2024, but it really got started in 2023. And I think we’re going to see that being an important part of the trends in cybersecurity, not because it’s necessarily purely security-focused, but because you just can’t focus on a software bill of materials without security coming along with it.

Oscar: A number of the trends are kind of coming together here as well. Right, on the one hand, you know, the environmental pressures basically mean more effort has to be put into cyber security. At the same time, there’s potentially a budget crunch. But then, with the shift to platform security, I think there’s an opportunity for companies to deal with these issues more efficiently, and especially to get the kind of basics in place as a step towards zero trust and to the regulatory pressures around SBOM.

For instance, platform security can handle node vulnerabilities with SCA tools and SBOM tools, and make sure that that is kind of pervasively in place across the organization, and then also lay immediately the foundation for the next steps towards zero trust as well.

Delan: All right. So, to wrap up the discussion, I’m hearing that there are going to be quite a few factors driving increased priority on application security in 2024, increased urgency caused by geopolitical and economic concerns, especially some of the conflicts between more developed nations with more developed security or threat programs.

And that’s going to be investing more and more in cybersecurity where they haven’t before. There’s also going to be the economic concerns of constricting budgets for securities that’s going to be pushing against that. So, companies are going to be focused on finding efficient ways to increase their overall security.

And so, you know, one of the things that’s going to be leveraged on both sides of the battle is AI. So, you know, this is, you know, AI has a potential to be, you know, a cost-effective way for companies to generate intelligence that they weren’t able to generate, you know, manually don’t have the manpower to. Still, it is also going to be utilized by attackers to generate threats as well as potentially AI generating software or, um, generated websites, generated, you know, pieces of code with vulnerabilities in them, which attackers might leverage.

We’re also going to be seeing managing threat exposure will be critical. And so that means, you know, managing threats in your software supply chain, you know, MergeBase does come into the cybersecurity trends there. You know, companies are going to be needing to monitor open-source threats more than ever.

As well, we’re going to be seeing an approach to DevSecOps that needs to be more efficient, and that might be having a platform engineering team, you know, that’s it’s whether we see platform engineering really take off this year is still to be seen, but companies are going to be aiming for a way to make their programs more efficient.

We are also seeing a continuing trend from 2023; the governments are pushing for more regulation and software, including a focus on a software bill of materials or SBOM, as a way to comply with those regulations or be in compliance. And again, companies are also going to be focusing on getting a solid foundation for application security in place, securing their supply chains. And that’s going to be critical to face all these changes coming in 2024.

All right, well, thank you both for joining me today. Thanks for talking about some of these top trends for 2024, and we’ll see you all next time.