2023 was a tumultuous year that drove technology transformations at a pace unknown. The industry saw an accelerated and unrivaled pace of technology adoption, persistent yet evolving challenges and unparalleled market dynamics around the world.
The following are the top three trends from last year that influenced my thinking as a CIO at the top of 2024:
1. Software Supply Chain: The Root Cause of 2023’s Notable Breaches
2023 saw the industry’s first double supply chain attack that spotlighted third- and, particularly, fourth-party suppliers as a potent threat vector.
Take, for example, the massive compromise of 3CX – a VOIP and teleconferencing provider – who was Trojanized, unfolding multi-staged attacks against users in early 2023. According to Mandiant, this was the first double supply chain attack that the industry had likely seen, impacting a large portion of over 600,000 customers. In mid-2023, the exploitation of file transfer software MOVEit, leading to ransomware, was yet another instance of a software supply chain attack. Several impacted organizations were suppliers or vendors to other organizations, causing downstream impact to organizations large and small, as well as U.S. and French government agencies.
2. GenAI’s Hype Cycle and Adoption
In less than a year of its launch, ChatGPT hit 100 million weekly users, and over 2 million developers are currently building on the company’s API, including the majority of Fortune 500 companies. As a technologist, I find this exciting but troubling at the same time.
It’s an exciting time to harness the potential of AI to advance, yet navigating AI’s Wild West is challenging. With no playbook or precedent to follow, technologists and cybersecurity professionals must skillfully navigate the potential and real-world secure applications of GenAI. While GenAI is expected to boost productivity and innovation, fearmongers warned early on that bad actors would use it for nefarious purposes. Underscoring this concern, in January 2023, CyberArk Labs published a blog based on their research, proving that ChatGPT could produce sophisticated polymorphic malware with the right prompts.
To tackle these issues head-on, the U.S. issued an executive order on AI, and the EU introduced the AI Act in 2023 to help enforce best practices and regulatory frameworks.
3.Global Political and Economic Uncertainty
Last year was also marred by geopolitical conflict in different parts of the world, resulting in several attempted attacks on critical infrastructure and supplier ecosystems. According to the World Economic Forum, in 2024, 90% and 79% of its chief economists expect geopolitics and domestic politics to be sources of volatility in the global economy, respectively. With several armed conflicts likely to continue well into the new year and three of the world’s five largest economies (U.S., India, and U.K.) heading for national elections, there is no doubt in my mind that attacks on critical infrastructure and, in turn, on technology vendors will amplify around the globe.
I expect complexities to rise as the lines between nation-state actors and cybercriminals blur and there is a steady shift in the intent of attacks from espionage to sabotage.
My Outlook for 2024
2024 will be a cat-and-mouse game between cybersecurity teams and bad actors in a politically charged world. I expect relentless social engineering attacks, attempts to cripple critical infrastructure, exploitation of the supply chain and every other possible vulnerability to rise multi-fold.
In 2024, to protect your organization, you’ll need to:
- Periodically evaluate your vendors’ security capabilities. Your vendors’ ability to secure their products and services will ensure your organization can stay secure and confidently conduct business. Given the heavy reliance on third-party SaaS solutions, 98% of organizations have a relationship with a vendor that experienced a data breach within the last two years. Your organization may be one of them; therefore, it’s important to leave no stone unturned to boost your defenses. Also, pay special attention to end-of-life products that are still in use and secure them.
- Remember that the definition of AI systems is not limited to GenAI. AI systems include GenAI along with systems using neural networks and tools built over several years. In 2024, it is essential to evaluate, secure and manage all systems – both old and new. You should consider contractual agreements that periodically allow you to review your suppliers’ risk-based governance and risk management policy for all products and systems using AI in any capacity. This practice should include provisions for any information-sharing on relevant audit trails, reviews, bias and fairness in decision-making, data retention, etc.
- Go back to the basics and do them right. Focus on improving employee training, organizational security hygiene, round-the-clock threat detection and response, upskilling cybersecurity skills and adopting automation and artificial intelligence.
- Implement a robust Zero Trust strategy. If you have not started your journey to Zero Trust, wait no more. Start Now. On the other hand, if you have already implemented a Zero Trust strategy, evaluate and iterate your strategy against the backdrop of any changing environments. Remember, comprehensive security means implementing a Zero Trust strategy throughout the entire identity lifecycle.
- Treat your people as the greatest asset, not the weakest link. We can have all the tools in the world to protect our organization, but the most valuable assets are the people – cybersecurity experts, employees, contractors, and partners, among many others. Be sure to treasure, train and nurture them. At the end of the day, it’s all about the people.
Finally, as a CIO and a technology leader, I recommend that you take a step back and find your balance and scale, but do not rush as you grapple with these new issues.
In 2024, I plan to share my thoughts and recommendations with you on a regular basis. In the upcoming blogs, I will discuss several important issues, including the right balance between upskilling cybersecurity talent and adopting AI tools, best practices to maintain privacy and managing cloud complexities. I hope you’ll find it helpful in your journey to protect your organization.
Happy 2024 to all of you.
Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Grossman on CyberArk’s Security Matters | CIO Connections page.