Innovating vs reacting – taking cybersecurity to the next level
Published June 24, 2024
- Cybersecurity
The 2024 Cybersecurity landscape
Protection against cyberattacks is one of the major challenges of our time. Today, although precise estimations of the cost of cyberattacks are always difficult to calculate, no one can deny that cybersecurity is a topic that must be dealt with. Too often we hear of organizations being subject to cyber threats with attackers seeking to spread disinformation, make fraudulent money, destabilize critical infrastructure or espionage. Cyber attackers whether criminals, government or hacktivist now have more means to act: more resources and greater incentives and are using every angle they can, up to improving their attack with the use of AI.
To add to this escalating challenge, geopolitical crises have dramatically exacerbated the threat situation around the globe. This has led to companies exploring the decoupling of their information system to cope with the more stringent regulations that requires a different approach in specific countries.
Additionally, many industries have strict regulation and compliance requirements to maintain, with many more on the horizon: the AI Act/ AI Exec order from Biden, DORA, FCA/PRA OpRes, NIS2 and critical infrastructure regulations all over the world.
Cybersecurity professionals are challenged to address these topics quickly, effectively, and cost-efficiently. The way to do this is to rethink cybersecurity: from a reactive defense function to an enabling and accelerating function for progress and innovation. It is only through this mindset shift of cybersecurity that companies can differentiate themselves from their competitors and generate decisive advantages.
Here’s 3 recommendations to facilitate this shift:
Cyber Resilience has become an absolute must in recent years, with many regulations entering the market on many different angles notably DORA, NIS2, CRA (Cyber Shield in the US).
Despite growing investment, the degree of maturity in this area remains low, with significant disparities between organizations and sectors.
Our new cybersecurity benchmark* indicates that the overall maturity of companies is increasing, with the Financial Services sector coming out on top, with a maturity level of 60% (vs an average of 53%).
What differences can be observed across highly regulated vs non-regulated industries?
Heavily regulated industries, such as the finance, energy sector and life sciences, tend to have greater cyber maturity due to high investments and regulatory scrutiny. For finance, this is because of traditionally high investments and scrutiny from regulations, notably DORA, NIS2, CRA (Cyber Shield in the US).
If you’re operating in a regulated industry, companies must focus on effective pragmatic testing that highlights gaps in maturity and on ‘convergent coverage’.
Although unregulated industries are not yet under the same pressure, in the medium term it will be crucial for everyone to do what is necessary rather than what is required when it comes to cybersecurity. Be on the lookout for future regulation, get involved in wider industry groups to learn best practices from peers and use awareness campaigns, training and crisis exercises to highlight the importance of cyber maturity to your organisation.
Continual improvement on your compliance and resilience is key. Embed strong programme management, continuously improve processes, secure funding and be on the lookout of future regulations.
Everything is digital and everything needs to be secure. And that’s the mindset businesses must have today. Cybersecurity professionals have to work with business in a different way and change the image of cybersecurity in order to make this mindset a reality.
A security culture is necessary to ensure that cybersecurity becomes ingrained within employee mindset. Awareness campaigns need to be specialised in order to raise awareness of new risks achieve the desired culture change outcomes.
Companies who have successfully implemented this security first mindset are even using cyber as a commercial advantages in their business development.
Cybersecurity professionals must look towards a long term and collective view to build a strong team, create communities and career paths to not just attracting, but to develop talent and make people want to stay.
With 4 million unfilled cybersecurity jobs in the world and 92% of professionals reporting to have cybersecurity skills gaps*, how is this shift possible? Diverse skills are needed and companies must work harder to attract this talent into the business and face the challenges of tomorrow.
*ISC2 2023
The current rapid pace of technological development shows no signs of slowing down. Navigating the intersection of leveraging AI’s benefits, mitigating threats, and ensuring robust security measures are in place is pivotal for organizations in today’s dynamic landscape.
CISOs will be challenged to keep up with this pace in the coming years and take cybersecurity to the next level. They must strike the best possible balance between the necessary risk mitigation measures, a strong security environment and, of course, the cybersecurity mindset needed by all.
As an example, AI solutions feed on enterprise data. Therefore, before implementing AI, it is essential to secure the access to data and to properly manage access control. Then, you can start thinking about securing the AI solution itself.
To sum up
To take your cybersecurity to the next level; focus on these three things. Firstly stay in the game when it comes to regulation, threat landscape and new tech arrival. Second; change the perception of cybersecurity across your entire organization and show the value cyber is bringing to the table. Finally make sure you drive change in the field to ensure resilience of your business and its ability to grow years over years.
*Maturity levels were measured against international standards (NIST CSF / ISO 27001/2) during assessment missions carried out by Wavestone consultants. The sample, dated June 1, 2024, includes over 150 organizations, representing almost 7 million employees.
Author
-
Gérôme Billois
Partner – France, Paris
Wavestone
LinkedIn