The past several years has seen tech leaders of various stripes ascend the executive ranks as digital competency and resilience become even more important determinants of business success.
Many see this an acceleration – or expansion – of an existing trend, notably the inexorable rise of CIOs within the board room.
But what few would have predicted is the sheer explosion of cyber security threats throughout the past few years, which have served to push CISOs and other cyber security leaders to the fore.
Cyber security is now amongst the top priorities for businesses of all size and type across every industry.
Throughout 2024, it’s expected that those with responsibility for ensuring it will need to step up, both in terms of deploying the best technology and procedures, as well as ensuring closer engagement and clearer communications with the board and staff across the organisation.
Here are the top trends for cyber security leaders in 2024:
1. Augmented cybersecurityWith cyber leaders facing more pressure by the day, it’s important to reconsider what’s realistic and sustainable if they’re to continue performing and not burn out.
This year, expect to hear the term ‘augmented cybersecurity’ more often as organisations seek to abandon the ‘zero-tolerance-for-failure’ mindset, putting response and recovery on par with prevention. ‘Augmented cybersecurity’ organisations unlock innovation across their existing people, technology and business engagement to thrive amid permanent complexity.
Likewise, as CISOs and other tech professionals are asked to sit with the board, they need to augment their newfound leadership remits with technologies that enable leaders to make fast, sophisticated, data-driven decisions that direct workers' activities in partnership networks and not through legacy chains of command. This will help them evolve from tactical leaders to business executives and storytellers.
2. Mapping human behaviour
CISOs and other cyber leaders need to embrace better ways to communicate and improve awareness of cyber security threats and mitigation strategies. It’s not enough that the media is awash with endless reports of breaches; staff need to be brought to a more sophisticated level of understanding that takes account of their specific organisation and vulnerabilities.
Cybersecurity leaders often lament that "the users are the weakest link in the cybersecurity chain." But what if it's actually the cybersecurity practitioners' unreasonable expectations about users — diverse human populations with varying talents and failings — that creates or exacerbates that weakness?
3. Enabling the GenAI journeyWhether you fully buy into the hype around AI, it’s hard to argue that technologies like GenAI are going to play an important part in changing how many of us work and think. Similarly, whether you accept the hype around the dangers of AI, you can’t ignore the power of this new technology and therefore its potential to spawn new risks. CISOs must prepare and enable the organisation for AI technology. This ensures breaking down the hype, knowing the best practices, and establishing guardrails around the technology.
4. Elevating CISOs to the boardAs we touched on above, CISOs are following closely behind their CIO, CDO and other senior peers in being brought into the c-suite to keep boards up-to-date on cyber risks and share their strategies for mitigating them. Driving this trend further in 2024 will see greater scrutiny from regulators – along with more regulations – as the number, sophistication and severity of attacks increases, leading to organisations and the boards that run them being more accountable for their actions, or lack thereof.
5. Optimising resilience for ransomware attacksWith ransomware now the most common form of cyber attack, CISOs and their teams need to make the most of learning from these sorts of breaches to build resilience and muscle memory. They need to address stress before, during, and after a ransomware attack, which will – in most cases - increase employee satisfaction, retention, and performance during the attack.
6. Assembling a diversity of voices and skillsOne of the biggest myths about cyber security is that it’s merely an extension of the IT team.
As the profession has evolved over the years in response to the unimaginably complex, dangerous and fast-paced landscape organisations face today, it’s clear that cyber security is very much its own specialisation, requiring people from diverse backgrounds with diverse skills and experience to solve some of the biggest and most pressing digital problems around. This has seen talented people – including and especially talented women – from across multiple industries making career pivots to cyber security.
7. Dealing with the cybersecurity talent crunchThe previous trend is expected to help CISOs and other tech leaders address the worrying skills shortage plaguing organisations and their cyber security teams. Finding the right talent and ensuring they’re a cultural fit for your organisation is critical. Likewise, they need to be mindful of the ‘talent management life cycle’, creating the right culture and establishing the right incentives and rewards to retain talent will be a key determinant of success when it comes to building the best cyber security teams.
8. Demonstrating the value of cyber securityThis year, CISOs will need to communicate to boards and the c-suite the potential for cyber security to actually create value, rather than being merely a cost centre.
For example, many find it hard today to acquire and maintain support for Security Behavior and Culture Programs (SBCPs). Phishing simulation click rates are often used as a measure of effectiveness. However, they provide only flimsy (at best) evidence of SBCP success, meaning there’s an opportunity for CISOs to prove SBCP’s effectiveness using a mix of outcome-driven metrics and qualitative indicators.
Then there’s Protection-Level Agreements (PLAs) which are concrete assertions of risk appetite. Negotiating PLAs determines your executives’ desired level of protection within their willingness to pay for it, meaning CISOs and other tech leaders are able to manage and guide investment with greater accuracy and clarity, while creating stakeholder defensibility.
Finally, CISOs should seize opportunities to convey ‘effective value’ stories to spark informed conversations with business leaders to influence cybersecurity priorities and investments.