Cybersecurity, the safeguarding of computer information systems, hardware, networks, and data, has been one of the top priorities of organisations across all industries globally. As technology becomes more sophisticated and cybercrimes become more threatening, practices to protect organisational assets against cyber threats become increasingly necessary.
Statista notes that there are around 5.45 million cybersecurity professionals globally in 2023. Even though the number has increased from 4.6 million professionals in 2022, the talent gap in the industry remains wide, as the demand for cybersecurity skills continues to shoot up. Even with a widening gap, current cybersecurity professionals make the most they can with the skills they have learned throughout the years.
Cybersecurity in 2023
For Patrick Joyce, global resident CISO at Proofpoint, the most effective cybersecurity strategy he learned in 2023 is a people-centric approach to cybersecurity and protection.
“As evident from 2023, bad actors are increasingly employing techniques like social engineering and phishing, exemplifying their focus on manipulating human behaviour to infiltrate systems, rather than exploiting technological weaknesses.”
Mel Migriño, the Southeast Asia regional director at Gogolook, and chair and president of Women in Security Alliance Philippines, acknowledges that cybersecurity strategy varies from one enterprise to another. She adds that cybersecurity strategies are primarily driven by a company’s risk appetite, resources, capabilities, and regulations.
“Zero trust as a framework and operational strategy is effective to most organisations following a prioritised approach. Also, the Assumed Breach strategy worked well mostly in critical infrastructure,” the Gogolook executive says.
While there is no one-size-fits-all approach to cybersecurity strategies, Migriño says a strategy must align with business objectives, risk management framework and principles, people and culture, and regulatory and contractual obligations.
Joyce’s most significant learning in 2023 is the awareness of being up against constantly evolving threat actors.
“They are now even prioritising identity over technology. While the specifics of their tactics, techniques, and procedures (TTPs) and the technology they target may change, one constant remains: people and identities are the most targeted links in the attack chain,” he explains.
For Migriño, it is how threat actors leverage emerging technologies like AI to deploy attacks.
AI has penetrated our lives in ways we did not expect its scale. Hence, there is a strong need to ensure and integrate identity proofing and validation in online transactions and activities.
Mel Migriño
Similar scenarios keep cybersecurity professionals awake at night.
“Threat actors are more equipped, creative, and motivated than ever. Even with a multi-layered, people-centric approach, we still need to remain vigilant and expect the unexpected,” says Proofpoint’s Joyce.
“It is about the many forms of attacks and the scale of attacks that adversaries can launch while Business As Usual work immerse cyber defenders and the team has limited resources, failing to detect the early stages of an attack, resulting in the business to freeze part or most of its operations,” Migriño says.
AI, top 2024 concern
Joyce considers the prevalence and democratisation of generative AI as one of the biggest concerns in 2024.
“Malware developers are already using open-source tools and generative AI to make advanced techniques accessible to an even larger audience. This has resulted in the proliferation of malware with advanced detection-bypass capabilities. This further democratisation might thus lead to the increase in advanced malware by lowering the barrier to entry for more amateur developers in 2024,” he says.
“As there are many ways to misuse AI like the creation of AI-based malware, FraudGPT, scam-based AI, AI gender biases and discrimination that when not detected, controlled and managed will lead to huge risks in our daily lives – ways of work, choices, and perspectives,” says Migriño.
2024 challenges for the cybersecurity profession
Joyce believes “threat actors will continue to exploit the human element, and more so in 2024.”
Aside from offensive AI, he lists two further challenges to cybersecurity in 2024: evolving toolsets that allow threat actors to attack even more industries, and continued aggression against identities and privileges.
Migriño believes that the lack of AI regulation on a local scale will be a significant cybersecurity challenge in 2024, as well as continued, persistent cyber attacks and burnout among cybersecurity professionals.
“More practitioners are moving in search for a somewhat balanced work and personal time,” she says.
Staying relevant
Joyce says it is vital for cybersecurity professionals to collaborate and share insights to stay informed about the latest threats and defence strategies even as threat actors are already doing the same.
Continuous learning through this information exchange will enhance our collective knowledge and response capabilities.
Patrick Joyce
He also hopes CISOs and fellow cybersecurity professionals will advocate for a proactive and adaptive cybersecurity strategy. He says it is vital to recognise and secure the “human element in the cyber defence chain.”
To stay relevant, Joyce reminds cybersecurity professionals to stay updated with industry trends and advancements. He encourages them to adopt responsible AI policies and contribute to discussions on enhancing cybersecurity practices.
For Migriño, cybersecurity professionals must join in the knowledge exchange within the community.
“Don’t hesitate to seek peer professional advice, as through coaching, mentoring, and asking questions, we learn more,” she says.
She hopes the industry will learn how new standards, regulations, and emerging risks can impact enterprises and encourages industry players to propose solutions to common cybersecurity issues.
“Ensure that cybersecurity is a discussion across all levels including the Board. Participate in private-public partnership collaborations in closing gaps in cybersecurity,” Migriño says.