Editor’s note:The ISACA Now blog is looking ahead to 2024 with to-do lists from ISACA experts for professionals working in IT audit, risk management, information security, privacy and IT governance. Today, Sandeep Godbole shares his 2024 to-do list for security professionals. See more cybersecurity resources from ISACA here.
Around the new year, there is much discussion and anticipation among the cybersecurity community for what the future holds. The pace at which we continue to experience technological change leaves little time to prepare. The new year is not an inflection point where the change is concentrated; rather, the change is spaced throughout the year. The new year, however, reminds us to think about the future. These ruminations help us understand what to expect, the extent of our preparedness and the prioritization of our security strategy.
Security risks, threats and malicious actors have been part of the connected technology world for a long time. The intents of malicious actors and the security team remain the same. It is the actions of the malicious actors that mutate, building upon the technology change and changes to the environment.
The field of artificial intelligence (AI), the rapid deployment of generative AI applications, the acceptance of cloud as the primary IT deployment fabric and the deployment of blockchain technology are among the more visible technology trends. Some of these trends are in their nascent stages, while others have matured. Beyond technology advancements, in 2023, political and strategic developments impacting the tech world also were significant. The world has seen military aggression and conflict among nations, and even nations at peace have witnessed a slew of legislation directed at data protection and IT infrastructure. These dynamics combine to impose a significant strain on the security community.
Many entities publish their annual technology trends and predictions around this time of the year, and this is also a time for security professionals to build their to-do lists for the new year. In my view, the security community can benefit by placing these five things on their 2024 to-do lists: build AI knowledge, architect security for the cloud, refocus security on the human element, build security governance and do your boring stuff well.
1. Build AI Knowledge
The buzzword today for security professionals is AI (or GenAI). Many organizations are experiencing a heavy build-up of applications, utilities and models that leverage some form of AI. As a security expert, you may be expected to or may have already been called upon to advise upon the security of such solutions. While security architects contributing to specific solutions need a deeper understanding of the AI solution being integrated, all security professionals need to gain a solid understanding of the security aspects relevant to the AI. This requires an understanding of AI and the ability to review the AI aspects relevant to the implementation, including the solution architecture, security controls, data protection, as well as non-technical aspects, such as contracts.
2. Architect Security for the Cloud
Cloud computing is no longer a novelty since most services have been offered for over a decade. However, the surge in cloud adoption and variety of services make it important for security professionals to guide on the architectural aspects related to cloud deployment. Based on the nature of the cloud services, security professionals have a role to play in either architecting or driving implementation of security controls related to data protection, protecting data flows, user management controls, detection and response, end of service obligations, etc. Service providers may offer security monitoring interfaces and utilities. The security team can support by leveraging this to the maximum extent.
3. Refocus Security on the Human Element
This is a priority that will never cease to be out of fashion and relevance. New technology brings new risks and new attack vectors, and many of them target users. From the user perspective, it is important to appreciate that there are too many things that they need to address from a security perspective, and the list is not static. For example, user awareness related to keeping passwords secret was relevant since the mainframe days, and since then, there is more that has been added along the way with newer services and products. Cloud-based source code management systems require expertise to ensure safe usage and to avoid code credential embedding.
More generally, elements related to user security awareness need to be regularly revised. Analysis of security incidents, as well as plans for new technology adoption, can help to identify additional areas relevant to the human element in security.
4. Build Security Governance
Operating in a dynamic environment where tools, processes, risks and priorities continuously evolve is no easy task. The diversity related to the risks, tools and controls create governance challenges. Appropriate security governance enables alignment, integration and management of multiple security aspects. Security governance requires the organization, at various levels, to review, evaluate and steer the organization to an appropriate level of security. Ensuring that technological changes are addressed as part of the governance scope is very important. Security professionals, leveraging relevant frameworks such as COBIT, have a big role to play in this process.
5. Do Your Boring Stuff Well
In the new year, don’t let all of the new trends and technologies distract you from the fundamentals. Novelty always attracts interest, and routine activities rarely make heads turn. However, basic security controls are of the greatest importance when securing any organization. No matter what the technology, doing the basics right is essential. Controls like data classification, encryption, multi-factor authentication, endpoint detection, cloud security-related solutions, external agency security scores and organization-specific darknet intelligence go a long way in protecting the organization. No matter what the technology, basic security controls retain their importance in protecting the organization.
Different organizations will have different priorities and different risk profiles. The above discussion provides inputs that can be considered applicable to various organizations. For security professionals, alignment to organizational priorities and activities yield the best value and lead to effective risk management. Understanding technology trends and the current security environment helps to deliver optimal security risk management. The new year, 2024, promises to be an exciting one for security professionals, and I am sure you will enjoy the journey.
