I thought I’d write a little summary of what I think are going to be the top 5 big events of 2024 in the cyber security space, based on my security ‘gut’ and some patterns I’m seeing evolving…
2. Bigger and more audacious hacks…
A pretty obvious one, but I think 2024 is going to have some truly monstrous hacks, in two main areas:
- Highly integrated SaaS product providers – these are SaaS products that tie into a lot of other SaaS services. In effect their attack surface is large, complex and constantly evolving – I’m talking about auth providers, data/API integrators, etc. – any product offered as a SaaS that takes data from a number of systems, manipulates that data and hands it on to a number of other systems. These face numerous security challenges, including separation/isolation between customers, resource cross-talk, third-party integrations and ‘varied’ authN/authZ coverage…
- Health services and ‘old’ services – basically organisations with large data sets but without the resources to keep their security control coverage current. These used to be unofficially ‘off limits’ to the more ethical hackers, but the need to make money is winning out against any semblance of ethics.
In essence there are two drivers here: ‘over the horizon’ complexity (in other words, all the stuff you cannot control or see), and a simple inability to keep current.
2. The AI security love-fest will start to come to an end…
At the moment you can’t look at any security product without it having some sprinkling of AI in it, like magic fairy dust that solves all your security problems (I’m just waiting for my cappuccino to come with AI!). We are in the ‘exciting but unproven’ stage, where AI is being thrown at any problem to create differentiation in the marketplace. This will all come to a sorry end when a hack (maybe of the monstrous variety) occurs on a system that was meant to be protected by AI solutions, and everyone will have their ‘a ha’ moment. This will happen for sure in 2024, although whether it will fully see the light of day in 2024 is another matter.
In essence there is no getting away from the core security control requirements. AI is something you should carefully apply to layer additional controls on top of the base set; it is NO substitute for those controls. Sorry, no free lunch via AI, and to do it right you will need additional expenditure on resources to configure it and keep it in tune (otherwise it will just go rotten over time).
I also think people will discover that LLMs have limited applicability in areas that require precise and correct language in ill-defined and evolving problem spaces; in effect, the effort spent training and correcting will be greater than just doing it by hand. There will be an illusion of efficiency that hides the effort spent compensating for incorrectness (I call this the shiny tool illusion, i.e. it’s AI, so it must be better, right?).
3. The security skills shortage will continue
This is simply a product of the aggregate security surface that’s out there. It’s growing somewhere north of 10% per annum (this is probably quite conservative if one takes into account all the cloud integrations and interdependencies), so if we aren’t creating at least 10% more security professionals per year, the skills shortage will keep getting worse. And, no, AI will not save you; see the previous point.
I actually don’t think we have a skills shortage problem; we have more of a skills leverage problem, i.e. the problems are not getting solved correctly as classes of problem. I’ll explain this thinking some more in a later article (it will blow your mind…).
4. A rise in ‘junk’ security certifications
I’m seeing this a lot: people piling up their profiles or CVs with essentially ‘junk’ certs, and this will get even worse in 2024. Myself, I do not care which LinkedIn, AWS, MSFT, etc. security course video you sat through and answered a short questionnaire on to pass; I want to see you actually doing the following:
- Doing a proper industry-recognised certification that is actually hard to get and requires money and effort to maintain;
- Doing some online challenges (say Capture the Flag);
- Contributing to a security library;
- Finding vulnerabilities in services and responsibly reporting them;
- Contributing to setting security standards.
When I see someone loaded up on junk certs, it’s an instant red flag – so just stop doing it. It impresses nobody in the know and will actually stop you getting on in the security space. Real knowledge requires real effort – get used to it and do it; there is no short cut to the top.
5. Governmental Oversight/Policies
In 2024 a lot more governments will start demanding more security regulation and general oversight of how society-critical businesses go about their security operations. This has been growing in 2023, but I think a lot of regs and policies will be rolled out globally. This is a good thing by intention, but I still have my reservations over whether it will truly change the risk dynamics for the better over the long term. The reason is that if these exist only to set common baselines, then the hackers will adapt to look for weaknesses above the baseline. Hackers have the opportunity to think outside the box and use a variety of techniques to achieve their objectives, whereas businesses are restricted in how they can adopt security controls and tend to do so in a lagging fashion.
So what do you think? Am I being too much of a Security Grinch? Feel free to write below; I’ve enabled the comments for this article.