Why data, AI, and regulations top the threat list for 2024

The new year finds us confronted by a landscape characterized by political uncertainty, social fragmentation, escalating geopolitical tensions, and a turbulent macro-economic backdrop, making it crucial for security leaders to strategically prepare for the forthcoming challenges.

Let’s explore the three main security challenges businesses will face in 2024:

1. Data

Modern businesses generate and manage vast volumes of data daily. Since data is central to decision-making and competitive advantage, its sudden disruption or unavailability can lead to severe repercussions for the business.

Some of the essential questions security teams ought to be asking themselves include: How do we manage and safeguard aspects like confidentiality, integrity, and availability of data? What strategies can we employ to protect our data against cyber threats and misuse? How do we address the security challenges that emerge with expanding data repositories? How do we differentiate between valuable data and redundant information?

Furthermore, there’s often a misalignment in how data is structured versus the business framework. Consequently, security teams may need to engage in discussions with business units to clarify issues such as how we are applying our data. With whom is this data being shared? Who holds accountability for it? Who is responsible for making decisions regarding data security? Is it the information security team, the chief executive, the board, or is it a combined effort?

2. Artificial intelligence

Although AI technologies aren’t new, the recent widespread adoption of AI has introduced a myriad of business and security challenges for organizations. Key questions to consider include: How do we monitor AI usage within the organization? How do we regulate the data shared with AI systems by employees? How do we ensure ongoing compliance with ethical standards and legal requirements?

Data is the cornerstone of AI. How do we provide sufficient data for AI systems while ensuring this data is secure, ethical, and transparent? How do we safeguard AI data and algorithms from manipulation by threat actors? Security teams need to be vigilant about all AI-related risks, including ethical concerns. Despite these challenges, AI offers significant opportunity for companies aiming to evolve and enhance their business models.

In 2024, corporate boards will likely assume a central role in overseeing AI’s secure deployment across the organization. This scenario presents a prime opportunity for security teams to align closely with business objectives, be at the forefront of the AI revolution, and actively participate in key business decisions alongside management teams.

3. Regulations

Security is rapidly evolving, and so are regulations governing it. Over the next 12 months, several regulations will either be introduced, updated, or reviewed. For example, GDPR may lead to stringent reinforcements in 2024; the Digital Operational Resilience Act (DORA) will apply to financial entities across the EU in January 2025; the EU AI Act may be voted in.

Given these developments, organizations must develop a comprehensive understanding of the regulations in the jurisdictions where they operate. This knowledge is crucial for building the necessary processes and frameworks proactively, as once these regulations are enforced, adjusting to them retroactively will be challenging. Hence, staying ahead of these regulations in 2024 is imperative, as non-compliance could lead to severe legal, financial, and reputational consequences.

How can cybersecurity leaders address these security challenges?

Below are four risk management initiatives that cybersecurity leaders can integrate into their 2024 cybersecurity planning:

1. Communicate issues in business terms

It’s essential for cybersecurity leaders to present issues in a manner that resonates with business leaders. CEOs typically prefer to avoid technicalities. Their concern is how technology will impact the business and whether it aligns with overall objectives. Will it meet stakeholder expectations? What are the risks in terms of financial, operational, and economic factors, beyond technical aspects?

2. Establish clear risk tolerance levels

For security leaders working with management teams, it’s crucial to define the company’s risk tolerance concerning cyber loss, akin to other risk types. For instance, what is the risk tolerance for employing generative AI? Who is responsible for making this decision? What regulations are relevant, and how will this affect the information we disclose?

3. Implement a robust and practiced response plan

Executive teams and boardrooms seek assurance. They require confidence that the organization is prepared for unexpected crises, ensuring there is comprehensive situational awareness across the organization, and confirmation that vigilant monitoring of activities is ongoing. They need reassurance that fundamental cyber protection measures are implemented and that a thoroughly documented and regularly rehearsed business continuity and response plan is ready to be activated in the event of a security incident.

4. Build awareness, foster accountability in the workforce and supply chain

The nature of work has transformed significantly in recent years, necessitating updates in security policies and procedures to reflect these changes. Organizations must explicitly outline accountability for data collection and usage, engage in collaborative and transparent interactions with stakeholders, and ensure everyone understands their role in safeguarding the business. Likewise, it’s crucial to extend the same security principles and procedures to third parties and supply chain partners that handle data on behalf of the parent organization.

To summarize, we’re facing three key areas that will continue to grow in complexity and challenge: data, AI, and regulation. There’s an increasing expectation for closer engagement between security teams and business operations, coupled with board directors’ growing concerns about their personal liability. If security leaders concentrate on these threat management initiatives, they can significantly help mitigate risk and contribute to building a resilient organization into the future.