Our Evolving Digital Reality and What It Means for 2024

Our most recent edition of the GovWare Conference and Exhibition in October saw over 12,000 policymakers, cybersecurity leaders, and cyber practitioners from 80 countries coming together. Amid three days of intensive keynotes, discussions, and networking, what were the top talking points from the conference?

Crucially, what do these developments portend for the cybersecurity landscape in 2024? To find out, we approached Leonard Ong, Director, Cyber Defense Group at Synapxe, and Ron Green, Cybersecurity Fellow (formerly the Chief Security Officer), Mastercard earlier this month for their thoughts.
 

An evolving digital reality

The fluid cybersecurity landscape is continually changing as new technologies are introduced and novel threats emerge. As unique attack vectors surface, CISOs must stay updated and swiftly adapt their defences to tackle these new and evolving challenges.

“There is an ever-increasing expectation about the CISO to not only secure the system, defend the business, enable innovation, but also to help the company maintain that trust among stakeholders and regulators,” observed Ong. “If we see a new technology, we need to assess how it can help us. At the same time, we must consider whether this technology could be exploited by threat actors in their campaigns.”

To stay abreast with the activities of cyber adversaries, Ron Green called for CISOs to band together and establish networks for information sharing. “To keep up with what adversaries are doing, I think it's important that CISOs have an established network for sharing information, to work together. The bad guys work together; we need to work together.”

Green cited the Financial Services Information Sharing and Analysis Center (FS-ISAC), of which Mastercard is a member, as an example of a successful information-sharing community. “FS-ISAC members see the alerts filed by other financial institutions. Victims are anonymised, though members can request FS-ISAC to reach out and potentially make contact [to learn more].”
 

The dangers of AI

Unsurprisingly, AI was featured heavily at GovWare 2023, with some delegates highlighting how their organisation have adopted an AI-centric development policy. But as organisations scramble to incorporate AI into every facade of their operations before its weaknesses are fully understood, are we setting ourselves up for disaster?

“We need to be mindful of bringing in new technologies fast and not knowing what it does or how it works. You could introduce unknown threat vectors that you didn't consider or didn't know about.  But now you're reliant on it, and it's stuck in your network,” noted Green.

When push comes to shove, Green suggested setting up an air-gapped environment for experimenting with AI. This way, any unknown threat vectors are easily contained, he says.

“We want to enable innovations at the end of the day – but do we also have guardrails?” asked Ong, as he noted how implementing new capabilities and new systems is part and parcel of technology. In his view, making the effort to collaborate with stakeholders is crucial.

“In public healthcare, we have the HealthTech Instruction Manual. That contains our security policies and doubles up as our standards or guidelines. And we ensure that whatever we innovate, whatever we work on, complies with that. So far, I have been quite happy. We recently launched our internal AI capability, and they've done so while observing the policies that we have.”
 

Cyber is everyone’s responsibility

Cybersecurity is no longer the sole responsibility of the CISO. Or as Green puts it: “Cybersecurity is everybody's responsibility. You can have the greatest and most technical cybersecurity team in your company. But if your teammates – other employees – are falling victim to social engineering attacks, [then it’s not going to help the organisation].”

“Help the rest of the company understand your strategy and what you're doing. They are out there every day, if you have them in tune and engaged, people that you didn't expect could come forward with their perspectives or views. You will get insights that you might not have thought about,” said Green.

“Security awareness is an ongoing effort. Instead of repeating the same content every year for the sake of ticking the box, we made it into an exercise where employees get educated, not only to protect themselves or company assets but also themselves and their families,” said Ong.

He cautioned against a cookie-cutter approach: “CISOs need to understand [the different groups] of users in their organisations. We need to be able to customise our messages to different audiences in a way that they can understand. Risk profiles might differ, and we should also recognise that not everyone is working in tech-related roles.”

“If that human defence fails, then there are multiple technical controls that are in place. And we also have administrative control, for instance. Indeed, our policies are constantly updated to make sure that we address the right track and emerging risks,” Ong added.
 

Building trust in an untrustworthy world

With trust under relentless pressure, what can organisations do to validate and secure their systems in this new year? And how can CISOs get started in 2024?

For Ong, this starts with some introspection and self-reflection: “We should recognise the good that we did – I think that's important to recognise what we have achieved. We should also look at the other side of that: What could we have done better?”

In addition, the start of every new year is also the perfect time to interact with stakeholders within the organisation, renew everyone’s commitment to cybersecurity, and step up efforts to be more vigilant in the face of increased cyber threats, he says.

Finally, as organisations seek to improve their security posture, it pays to focus on one area at a time, says Green. Though there is a temptation to do “everything everywhere all at once”, Green cautioned that this will only lead to frustration. The same is true of attempts to implement more advanced measures when the foundations are not in place.

“If you're still missing the basics, and you attempt to do Zero Trust, you are going to be frustrated because you don't have the foundation on which to implement it effectively… To improve, you work on one layer first. Once you feel good about it, then move on to the next layer,” he summed up.