A few main themes emerged from this year’s Gartner Security and Risk Summit. Let’s discuss.
Cybersecurity Trends for 2024
Members of the ePlus Security team recently attended the Gartner Summit and came back even more excited to help our customers achieve stronger security postures. As a follow-up to the Summit, Gartner released this document. Our take is below.
Keynote
The main keynote took a position that I think is worth exploring in depth: IT security is paranoically focused on 100% perfect performance, that focus is not helpful, and we need to change the expectation.
In terms of IT security, the point was twofold: First, we as an industry are way too focused on prevention, and not nearly enough on recovery. Second, this obsession is causing people to drive themselves crazy with overwork and brings about burnout in both leaders and individual contributors.
On the first point: we are focused too much on prevention, and not enough on recovery. That runs counter to one of the most important and true things we say about security: it's not a matter of "IF" you get breached, it's a matter of "WHEN." It is doubly true now, when the evidence clearly shows that companies, CEOs, and Boards are all perfectly willing to increase their risk exposure to achieve growth.
All of this means that immutable backups, recovery runbooks, and especially DR practice (actually exercising the restore, not just documenting it) need to be brought further to the forefront. From a strategic perspective, we need to help customers build towards Fault Tolerant Organizations.
The keynote also talked about creating a Minimum Effective Toolset: really understand what your company’s risks are and design a security portfolio that covers that precisely, without over tooling.
Gartner’s own article about highlights, and a link to the main keynote, is available here.
AI
The concept of Augmented Security was brought up, both in the keynote and in many, many sessions. The general consensus seems to be "proceed with caution." (In fact they used the phrase "Short-term skepticism, longer-term hope" to introduce the concept of GenAI in their Trends for 2024 session.) Too many tools exist that are just slapping an AI label on, without showing how that AI benefits anyone. At this time they believe that GenAI is great at translating human language into queries. For example, a lot of threat-hunting software uses proprietary query languages like KQL (Kusto Query Language, used by Microsoft Sentinel and Defender). GenAI can take a human-language ask and spit out a KQL query, and it does this very well. But the KQL system is still necessary, and so are the engineers who can sanity-check the query that is generated. AI falls down when it has to interrogate the data directly on its own. (Hence their focus on Augmented Security, not a full replacement.) They did publish the Gartner Generative AI Impact Radar for 2024 to help guide discussion on what's out there.
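As an added illustration (not from the keynote or the Gartner document), here is the kind of sanity check those engineers perform. The ask is "which source IPs failed to sign in to more than ten different accounts in the last day?" The first query is a plausible first draft of the sort a GenAI assistant produces; the second is what a reviewer would turn it into. Both assume the SigninLogs table as exposed in Microsoft Sentinel, and the result codes are Microsoft Entra sign-in error codes that you should verify against current Microsoft documentation before relying on them.

```kql
// Added example, not from the original post. Assumes the Microsoft Sentinel SigninLogs table.
// Run the two queries one at a time (Log Analytics executes the query under the cursor).

// 1. Draft as a GenAI assistant might produce it for the ask above:
SigninLogs
| where ResultType != "0"                  // "0" is success; everything else treated as a failure
| summarize Accounts = dcount(UserPrincipalName) by IPAddress
| where Accounts > 10

// 2. Reviewed version. What the reviewer changed and why:
//  - no time bound in the draft: the "last day" requirement was silently dropped and the
//    hunt would scan the whole retention window
//  - ResultType != "0" also counts MFA prompts and Conditional Access interrupts as
//    failures, which inflates the count and can bury a real password spray; restrict to
//    credential failures (codes below are assumed: invalid password, locked, expired, null)
//  - add counts and timestamps so the result can be triaged without a second query
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType in ("50126", "50053", "50055", "50056")
| summarize FailedAccounts = dcount(UserPrincipalName),
            Attempts       = count(),
            FirstSeen      = min(TimeGenerated),
            LastSeen       = max(TimeGenerated),
            SampleAccounts = make_set(UserPrincipalName, 5)
  by IPAddress
| where FailedAccounts > 10
| order by FailedAccounts desc
```

The draft is not wrong in the sense of failing to parse, which is exactly why it needs a human: it runs, returns rows, and answers a slightly different question than the one asked.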
AI Security
There are tools out there that aim to make AI more secure. We have talked about Varonis Copilot extensively over the past few weeks; that's a good example. Microsoft itself will be releasing Compliance Manager to help protect AI at the application level. It will be tied into Purview and provide guided assistance on how to stay compliant with the growing number of worldwide AI regulations. Other Microsoft tools include Azure AI Content Safety, Defender for Posture, and AI threat protections for both pre-built AI apps and homegrown efforts, plus an AI Safety System to help protect against "direct and indirect prompt injection attacks." More is to come from Microsoft on all of that in the near future.
Risk
Risk was a common theme, and the main point was that businesses are increasingly willing to take risks to see gain. This is putting more stress on cybersecurity year over year. The recommendations were clear: establish Risk programs, get everyone to agree to the guidelines at a Board level, and stick to them. Risk exists no matter what and can't realistically be avoided 100%, but you can define the areas where these risks are, for lack of a better term, riskier than others. They called this an Actionable Risk Appetite. It should be followed with Key Risk Indicators that let you know when the Appetite is being exceeded, which then needs to trigger immediate action to resolve the risk.
Zero Trust / IAM
Zero trust didn't come up too much, mostly because they believe that the concept is well established in the marketplace. In one session they did lament the name, basically saying that it's not really ZERO trust, but ZT is catchier than saying "the barest possible amount of trust, for a limited time, that can and will be removed the second the entity steps out of line." Identity and context are crucial to ZT, and "they must be solid." ZT is still absolutely integral to security and should be a constant goal; it's just that this year AI took a lot of the marketing buzz away from it.
Basic identity protections remain a largely unsolved problem, especially in the cloud. Stats cited include: 78% of accounts in the cloud are not using MFA, and 80% of provisioned privileged accounts are inactive but still privileged, making identity a huge attack vector.
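The MFA half of that stat is something you can measure in your own tenant rather than take from a slide. The following query is an added example, not from the original post or from Gartner; it assumes the Microsoft Sentinel SigninLogs table and lists users who signed in successfully during the last 30 days without ever satisfying MFA.

```kql
// Added example, not from the original post. Assumes the Microsoft Sentinel SigninLogs table.
// Users with successful interactive sign-ins in the last 30 days and zero MFA sign-ins.
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType == "0"                              // successful sign-ins only
| summarize TotalSignIns = count(),
            MfaSignIns   = countif(AuthenticationRequirement == "multiFactorAuthentication"),
            Apps         = make_set(AppDisplayName, 10),
            LastSignIn   = max(TimeGenerated)
  by UserPrincipalName
| where MfaSignIns == 0                                // never prompted for or passed MFA
| order by TotalSignIns desc
```

Two caveats a practitioner should keep in mind: SigninLogs only holds interactive sign-ins (non-interactive ones live in a separate table in Sentinel), and an account that never signs in never appears here. That second point is exactly the "privileged but inactive" half of the stat, which has to come from directory role membership data rather than from sign-in telemetry.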
Conclusion
Overall, the conference emphasized the huge importance of AI in the enterprise, both now and in the future. For now, companies should tread lightly with an emphasis on testing before deploying into production, and creating policy that insists upon verifying the AI outputs. Looking forward, securing the data that goes into (and comes out of) AI systems is going to be an ever-increasing concern, as is a shared responsibility model across the new normal of hybrid and multi-cloud environments. Upper management is going to have to take an active part in building this collaboration in order to make sure that cybersecurity initiatives are strongly aligned with organizational goals.
Ready to learn more?
You deserve a strong security culture that can sustain your business today and tomorrow.
ePlus Security is a leading security technology advisor and integrator with a broad solutions portfolio, strong industry relationships, and an unmatched breadth of engineering talent and expertise. With a focus on customer experience, our security team designs and delivers outcome-focused, customized cybersecurity programs aimed at defining and mitigating business risk, maximizing technology investments, and creating safer digital environments.
Learn why ePlus Security is a trusted advisor and partner for all the security needs of your organization. Check out Compromise Nothing for additional information and to set up a security strategy session with our team.