Everyone agrees that artificial intelligence will have an increasingly important role, both for attackers and defenders, and that ransomware isn't going away any time soon. Cyber skills will remain in short supply and budgets will remain tight. The infosecurity market will also see continued vendor consolidation. But the devil is in the details, so what specific trends might we see?

When it comes to AI, we should be ready for a large-scale incident enabled by the technology, says John Dwyer, head of research at IBM X-Force:

"The Morris worm is widely believed to be the first cyberattack ever reported, back in 1988. I think in the relatively near term we'll see a 'Morris Worm-like' event where AI is confirmed being used to scale a malicious campaign."

AI also poses a threat that isn't on many CISO's radar yet – data poisoning. Brian Higgins, security specialist at Comparitech explains:

"It's wise to consider that data drives our economy and it is becoming increasingly vital whatever your business may be. Most companies and organizations will have some form of machine learning incorporated into their operations, relying on a clean data model to train and develop before deployment. Data poisoning isn't very mainstream yet but poses a real threat to organizations who aren't taking reasonable steps to protect their model.”

If you haven't been breached yet, AI may make it more likely as threats actors use it to expand their range of targets, explains Greg Day, senior vice president and global field CISO at Cybereason:

"With the increase in volumes of successfully breached companies getting close to saturation, adversaries must find new targets. AI Chatbots such as ChatGPT can now enable anyone to be extremely capable at communicating in any language. As such, we must expect to see attacks move into more local languages."

AI technology will also help attackers evade your last line of defense – the 'human firewall' – says Leanne Salisbury, principal consultant at Adarma:

"AI-based social engineering will create more sophisticated and convincing phishing emails, voice mimicry and possibly deepfake videos based on trusted individuals or organisations."

Another technology that has been developing in the wings for years may finally become significant in 2024 – quantum computing. But this is not necessarily in the way you expect, says Jon France, CISO at ISC2:

"Quantum computing tends to get the most attention in quantum technology discussions, but we likely won't see it become commercially available for the next three to five years. What we'll continue to see is increased activity around quantum-safe cryptography. The focus on quantum-resistant algorithms is strong in the research community, and I anticipate we'll see more of that activity and search for improved algorithms in 2024 from NIST, ETSI and others."

Even if the malicious use of quantum computing is some years away, the time to start preparing for it is now, says Kazuhiro Gomi, president & CEO of NTT Research:

"The need to prepare for this threat is real. With NIST's expected release of more PQC standards in 2024, industries, governments, and others are expected to begin ramping up their migration planning efforts. This is based on the concern that malicious actors are currently collecting ongoing communication data and could compromise security once scalable quantum computers become available."

The adoption of new technology always carries risks, and one place where this will be felt is in operational technology (OT) says Tom Solell, VP of EMEA at Sygnia:

"Companies' digitalisation processes are being leveraged by hackers to stealthily access businesses' IT & OT environments, attack critical infrastructures, and take control over essential systems, especially via ransomware-related TTPs. In the year ahead, we are expecting more industrial and manufacturing cyberattacks – particularly as these entities continue to digitise their legacy infrastructure to make room for technology advancements (such as AI and 5/6G).”

The vulnerability of 'essential operators' – those managing critical national infrastructure – is going to lead to a more complex regulatory environment, says Christian Borst, EMEA CTO at Vectra AI:

"In 2024, we will see UK essential operators struggle with a compliance balancing act, as they juggle NIS2 directives and the UK's incoming NIS regulations, which are set to diverge from NIS2 once finalised.”

There's always the potential for our technology to be turned against us, says Stephen Robinson, senior threat intelligence analyst at WithSecure:

"The success and methodology of the recent MOVEit compromise will begin to inspire more mass exploitation campaigns targeting edge data transfer servers. I expect to see more copycat attacks where the value is the exploited server itself, not the access it provides to the rest of the network. This type of attack has fewer steps, so it's simpler for the attacker to pull off and much harder for the defender to detect.”

Our dependency on third-party technology means that 2024 might be the right time to take a good, hard look at your software supply chain, says Nick Rago, field CTO at Salt Security:

"As architectures become increasingly complex, combined with more dependencies on third-party code and services, supply chain attacks targeting software dependencies and operational third-party providers will escalate in 2024 and beyond – especially as threats actor techniques become more stealthy and harder to detect."

While it's easy to focus on technology, we can never forget the human factor and one example of this is a likely increased exploitation of the insider threat, says Zach Fleming, head of red teaming at Integrity360:

"Because AI is built into many security tools and the external perimeter controls have gotten much better lately, a lot of what ransomware groups are doing now is just bribing employees. I think that's going to increase, particularly in the current economic environment. Ways of working with threat actors are becoming harder to detect, with insider threats pretending to accidentally slip up in providing attackers access to systems and/or information. If you're that insider threat actor/employee, it's a high reward and it's low risk."

Threat actors will also increasingly supplement their technology with human skills, leading to more targeted attacks, says Steve Bradford, senior vice president EMEA at SailPoint:

"We're already seeing an increase in attacks that are highly targeted, with hackers undertaking detailed research into businesses – for example, spending hours working out who is the CEO in a business and gathering all the details required for a successful approach. The scale of the problem will only increase in 2024 – from 'one-man bands' who are socially engineering attacks, to massive organisations running criminal networks. Their strategy is simple: if they can find enough people, they can find a weak link somewhere."

The other human element we need to consider is privacy, and this is something that will impact more and more businesses, says Martin J Kraemer, security awareness advocate at KnowBe4:

"Privacy regulation spans the globe and organisations will begin to adapt to the new demands in this landscape. We will see privacy by design and privacy UX gaining more traction. Especially with the adoption of large language models in organisations, privacy by design and further ethical considerations around the use of LLMs will become prevalent."

We're also likely to see increased activity by nation-state actors, reckons Simon Hodgkinson, former BP CISO and strategic adviser to Semperis:

"We have experienced a marked increase in geopolitical tension globally and this will likely escalate into the cyber space. Nation states could use cyber attacks to supplement on-the-ground warfare, by disrupting critical infrastructures or finance systems. Where economic sanctions are in place, nations and organisations may turn to cyber to fund their activities – attacking businesses who will pay ransoms or stealing crypto currencies."

Some of these rogue states may even work in concert, says Dr Joye Purser, field chief information security officer at Veritas Technologies:

"I expect we will see greater collaboration among more autocratic nations, enabling them to increase the sophistication and volume of attacks."

We're likely to see some changes to the infosecurity functions within organizations, says Chris Dimitriadis, chief global strategy officer at ISACA, and CISOs may finally get the voice they need:

"Financial damage is forcing the board to sit up, listen and invest in strategies to protect the business, many times due to an incident and increasingly more often due to the existence of more tech-savvy boards. As cyber security gets discussed at the top table, it's down to the CISOs to put down the technical jargon and focus on communicating the business value of any technology or human investments to protect the business and help it achieve its objectives.”

Environmental, social and governance (ESG) requirements are likely to mean that boards will pressure CISOs to better communicate cyber risk, according to Matthew Roach, Head of i-4 at KPMG UK:

"Cyber security is quickly taking precedence in ESG frameworks, and insights into a company's overall corporate conduct and risk management can be evidenced from its reporting on cyber security risk metrics. As a result, boards will sit up and take greater notice of their cyber risks.”

Organisations in all industries are likely to be subject to greater regulation, says Edgard Capdevielle, CEO at Nozomi Networks:

"2024 will be the year where regulations catch up with the market. There will be a race between the SEC and other governmental organisations to implement regulations and/or provide guidelines.”

All these issues could have profound effects on the role of the CISO, says Jason Nurse, a professor at the University of Kent and director of science & research at CybSafe:

"It is no secret the SolarWinds saga has sparked heated discussion among CISOs, with many deeply concerned about personal liability. While the case isn't black-and-white, if prosecutions ramp up, what will it mean for the future of the CISO position? Learning from the insights of CISOs, such as Michalis Kamprianis and Ira Winkler, we could see CISOs walk away altogether or shorten their already brief average tenures. Once filling a post in a new organization, if security professionals don't immediately get C-suite support in resolving security flaws, is it worth a CISO staying in their role and potentially being held liable for issues leadership isn't prepared to fix? If not, this will undoubtedly directly impact both cyber criminals and the organizations they target."

Finally, while we're busy thinking about what 2024 will bring, we should really be looking further ahead, warns Jonathan Miles, principal threat response analyst at Mimecast:

"Strategic planning now needs to start looking further ahead and start planning for what lays ahead in the next three to five years. Immediate risk is more costly to deal and although a proactive approach to risk identification, management and mitigation will be more cost effective, there will be a need to react, likely at cost, to the novel dynamic cyber risks that arise if not considered as a strategic focus. "

Alicia Buller Editor SC Media