CYBERSECURITY PRIORITIES FOR 2024

SureCity Networks CSO Tim Kirk reviews the cyber landscape of 2023 and shares his key priorities for CISOs to focus on in 2024.

INTRODUCTION

The threat to your organisation from cyber crime is accelerating: according to the Australian Cyber Security Centre’s (ACSC) Annual Cyber Threat Report 2021-22, ACSC received more than 76,000 cybercrime reports, an increase of nearly 13% that equates to one report every seven minutes.

The risk landscape over the last year has been all too familiar. Australia’s prosperity continues to make it more attractive to cybercriminals, ransomware is evolving and impacting all organisations – in particular small-to-medium-sized businesses – and there’s a rise in nation state actors and in espionage. Add to that the influence of new digital technologies like generative AI and evolving business priorities, and 2024 becomes a year of continued complexity for CISOs.

Fresh from a visit to this year’s Australian Cyber Conference, our Founder and CEO Tim Kirk tells us more about some of the key trends he’s seen over 2023, and discusses how they’ll influence priorities and key areas of action for CISOs in 2024. They include the importance of reducing complexity, operationalising security standards, the need for a controls-based framework, and why.

KEY TRENDS IN 2023

“A few things stand out this year, which were validated by a lot of the people that we spoke with at the conference,” says Tim. “While the cyber threat is growing, there’s a sense that the level of interest or focus from within the business is dissipating in favour of other areas like technology transformation or AI strategies, meaning CISOs are often having to do more with less, something SCN has set out strategies for tackling in our recent whitepaper.”

“There’s also work to be done around the policies companies have in place and compliance with the frameworks they must adhere to,” Tim adds. “For a lot of businesses, there’s a difference between what’s seen in a compliance audit and what’s happening in the real environment. It’s not always indicative of a strong security posture where the rubber hits the road with things like a Managed Detection Response (MDR) partner, the security operations centre (SOC) configuration, how well deployed the firewall is, or if everything really does have multi-factor authentication (MFA).”

CISOs also need to be mindful of other trends. These include the Australian Securities and Investments Commission’s (ASIC) recent announcement that company directors could be held responsible for security breaches based on them ‘not acting with reasonable care and diligence’. Cyber insurance policies have become more robust which, says Tim, has resulted in more complex requirements for businesses to adhere to. Mindsets towards ransomware are evolving: because companies are backing up their data more effectively and improving their incident response plans, some now think they don’t need to pay to get data back or engage with adversaries. And security hygiene around new technologies and processes, for things like data, remains poor.

“Companies are realising that all of these factors need more than just a fix to bad practices,” says Tim. “We’re still trying to fix processes that, a lot of the time, shouldn’t still happen or exist in the business environment. Data is a good example. There’s no scenario where it should still be dotted around the business. Put it in one place, put MFA on it, we can do proper analysis and data loss prevention (DLP) solutions, and look for sensitive information rather than having disparate silos everywhere. If just one of those gets compromised, it’s a serious issue.”

“For CISOs, who have to be focused on strategic value, regulatory and policy concerns, business acquisitions and more, the focus for the future has to be on reassessing how effective our cyber policies really are,” Tim states. “CISOs and security professionals have spent a lot of time getting board interest, driving special steering committees, initiatives, and frameworks over the years, but we have to ask ‘is it really working?’. I’m not so sure. I sense that, in the current environment, there’s a perception that processes, and things like insurance and indemnity, can cover or close some of the gap and eliminate the risk, but CISOs and security teams have to look beyond that. Technology needs to play a key role.”

2024: WHERE CISOs NEED TO FOCUS

Tim points to several areas of focus for CISOs in 2024. Technology, including best-of-breed platforms and a strong managed services provider like SCN, will continue to be crucial. Reducing complexity within the business environment to minimise attack surfaces, particularly around where data is located, is essential. And operationalising controls-based cyber frameworks to deliver true cyber hygiene is key.

“We need a controls-based framework or data structure that organises and categorises internal controls and that’s driven by how things are actually configured and what the threat landscape is,” says Tim, on how the policy landscape should evolve. “You currently have a yearly audit to ensure compliance obligations are being met, but I don’t think that’s enough. As an example: you have a control that says you have to deploy layer seven inspection at every internet egress point. To meet that, you give some evidence, maybe take a screenshot of a firewall – but therein lies the problem: that’s a single moment in time, and that layer seven is very generic. It’s a blanket coverage statement.”

“At the same time, things like ISO 27001 are a good marker to show you have certain types of security technologies and processes in place, but they can’t go through every control,” he adds. “It’s a standard and is about compliance, but companies can check the boxes, show they’re doing the best they can to comply in the yearly audit, and that’s enough. For CISOs, it’s about knowing you can’t get your house in order once a year and that they need to be more proactive, operationalising the security standards and frameworks they adhere to.”

“Ultimately, their role means they own the responsibility for everything in the organisation from a risk standpoint,” Tim notes. “But that’s challenging considering the breadth of the role – strategy of acquisition, overall policy, regulatory concerns, the level of business exposure and risk. To meet these key areas of focus for next year and beyond, they can’t be down working in the weeds. They need to build a good team internally to deliver operational excellence, use the best technology platforms – when you do a framework it won’t ask if you deploy a solution like our partners Palo Alto Networks or Cisco, it just states ‘technology’ which means it may pass you an audit but not much more – and they need a good managed service provider.”

SCN, your trusted CISO advisor

SCN can help CISOs and their organisations mitigate many of these kinds of challenges. Get in touch today to see how we can help accelerate your cybersecurity program.

