Top 10 Challenges Facing CISOs in 2024

Cybersecurity Trends

2023 has been a year of dichotomies. On the one hand, we've seen hypergrowth in security awareness and investment. However, at the same time, ransomware risks have continued to skyrocket, and attacks are becoming more frequent and damaging.

It's safe to say that the world is currently engaged in a cyber arms race which, with the added perils of GenAI, quantum computing, and global unrest, shows no signs of slowing.

As we turn toward 2024, these will be the top ten challenges facing CISOs this year.

To generate this list, we analyzed internal Silent Breach data, discussions with clients and industry leaders, as well as a general review of global trends, technologies, and threats.

1. Ransomware Continues to Dominate

As predicted, ransomware attacks continued to grow more popular and successful. The JBS and Colonial Pipeline attacks back in 2021 provided a template for hackers who've used the past year to differentiate and hone their techniques. Hardly a week goes by without a major breach of a government, healthcare group, university, or technology firm. Attackers have proven patient enough to bring down large multinationals (such as NVIDIA), governments (the Costa Rican government declared the world's first national cyber emergency) as well as adept at automating scripts to compromise thousands of smaller targets. Due to their impact and prevalence, ransomware attacks remain the number one challenge facing CISOs around the globe.

2. Organizational Buy-In

In a recent online poll, we asked 100 cybersecurity professionals what keeps them up at night. The response was shocking. 39% answered that their number one concern is a ‘lack of organizational buy-in'. In other words, CISOs may be hired to defend against external threats, but they are more concerned by an internal environment which holds them back from effectively doing their job.

CISOs are expected to develop an organization's security strategy, but real change can only take place once the plan is implemented across the organization. At the end of the day, it is up to individual managers and their teams to apply the controls that have been recommended to them by the security team. Shadow IT, limited awareness, and tight budgeting all come together to blunt the impact of security measures. Due to the extensive damage inflicted by cybercrimes in recent years, however, CISOs will have a unique opportunity in 2024 to prioritize cybersecurity across the board.

3. Compliance

Adopting voluntary security standards has become a popular way for companies to build brand trust, reduce insurance premiums, as well as standardize and harden their existing security practices. For example, the recently released Cross-Sector Cybersecurity Performance Goals (CPGs) help OT providers identify and respond to strategic threats threatening critical infrastructure.

In 2024, CISOs will be encouraged to adopt similar frameworks as the industry moves toward shared priorities and best practices. Silent Breach research suggests that CISOs currently prefer the ISO 27001, SOC-2, and the NIST CSF compliance frameworks.

4. Transparency

Companies, individuals, and governments are demanding more transparency when it comes to cybersecurity exposures. For example, the twin Optus and Medibank hacks in Australia leaked sensitive information belonging to tens of millions of customers, prompting a swift public backlash. In response, the Australian government has vowed to become the most cyber-secure country in the world by 2030 and will mandate extensive data disclosures, outstripping both the GDPR and CCPA.

In addition, the United States SEC released a sweeping set of cyber disclosure regulations that require companies to notify the public of a breach with 72 hours. For those in healthcare, the Biden administration is currently preparing new cybersecurity standards in response to a devastating wave of healthcare security breaches. CISOs around the world will want to preempt any similar events in their home markets by voluntarily introducing greater transparency into their policies and messaging.

5. Attack Surface Reduction

Organizations across nearly every sector still struggle to secure their public-facing applications. In 2023, Silent Breach security analysts found that 92% of web applications tested contained serious security flaws. A major contributor to this trend is the rapid expansion of attack surfaces. CISOs are finding that they must defend against cyberattacks on multiple fronts including web, mobile, social, physical, wireless, and cloud. Reducing their attack surface, or at least slowing its expansion, will be a major security indicator for many organizations.

6. Third-Party Risk Management

According to a recent survey of 1,200 security leaders across a dozen industries, over 90% of organizations have suffered a security breach due to vulnerabilities in their supply chain. Pair this with the fact that the average vendor ecosystem now includes over 3,700 companies (up from 1,013 in 2020), and it's no surprise that supply chain cyberattacks have quadrupled in the last year. In 2024, CISOs will be looking to implement supply chain security controls as well as increasing their security due diligence before any integrations or partnerships are approved.

7. From Reactive to Proactive Security

Far too many companies only learn they're under attack after it's too late. In fact, it takes an average of 192 days for companies to realize they've been breached. That's like trying to defend a bank after the robbers are already in the vault. Early indicators and advanced threat intelligence allow organizations to notice the signs of an attack being prepared and launch protective measures well in advance.

At Silent Breach, we've developed Quantum Armor, an innovative predictive breach detection tool designed to safeguard your digital assets proactively. Instead of waiting for an attack to happen, Quantum Armor assesses your system's historical and real-time data collected from your external attack surface, cloud environment, and the dark web to anticipate and pinpoint potential threats. This proactive approach gives your security teams more time to prepare and respond, minimizing potential damage.

8. Asset Management

Fewer than 1% of companies possess a clear understanding of the whereabouts of their digital assets, owing to the intricate nature of private and public cloud systems along with diverse collaborations. As enterprises expand and adopt more collaborative methods, managing assets has evolved into a pressing issue. Prioritizing the advancement of asset management maturity is crucial, focusing on achieving a comprehensive view that encompasses Shadow IT. To respond to the widespread trend of decentralization within organizations, robust asset discovery solutions must be put in place.

It's well known that you can only protect what you know about, and obtaining a clear understanding of your company's digital assets will continue to be a top challenge for CISOs in 2024.

9. GenAI / LLMs

The rapid introduction of LLMs has created one of the largest technological leaps in a generation. Enterprises in every sector have rushed to launch their own Generative AI solutions to do everything from planning honeymoons to build stock portfolios. It's not just chat bots anymore. Today, GAI will write code for your application, manage your company's finances, and generate your marketing assets. All in a matter of seconds.

But is it safe?

A recent study found that employees routinely enter sensitive information into ChatGPT including source code, client data, company strategy, and even patient records. After Samsung allowed their employees to leverage LLMs, it took only 3 weeks for their engineers to get caught leaking trade secrets.

Like any new technology, LLMs still have a long way to go before their security gaps are well understood and controlled for. The truth is that at this point we're still learning a lot about how LLMs can be used and what they are capable of. This doesn't mean that LLMs should be avoided entirely, only that they need to be handled with abundant care by engineers who are qualified and properly trained. Companies that leverage LLMs – either as an integrated solution or an external resource – should consider conducting regular training workshops and penetration tests focused on LLM security.

10. Consolidation

Slimmer teams, tighter budgets, fewer tools. CISOs will be looking to support their company's bottom line by consolidating more of their tools under a single vendor, and more functions within a single tool. This will reduce overall licensing costs while creating a more dynamic, user-friendly workflow.

For example, Silent Breach's Quantum Armor integrates the key benefits of both EASM and DRPS into a single comprehensive solution. Quantum Armor not only monitors your application and cloud attack surface for security flaws and misconfigurations, but also provides live intelligence across the exposed, deep and dark webs.

Did we forget anything? Comment with your thoughts on LinkedIn. Want help implementing any of the above suggestions? Contact Silent Breach today to speak with one of our experts.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.