Security Fireside Chat: Insights for C-suites Tackling Cybersecurity in 2024

The study showed that IT budgets have declined across Canada in absolute terms by more than 50 percent and have also decreased as a proportion of revenue (or budget for government organizations).

Despite budget constraints across the board, security budgets as a proportion of IT budgets have increased year over year for organizations of all sizes and across industries.

Ivo Wiens: “We used to see that security was never the top line spend. Or never the growing spend in organizations. Now, we’re starting to see a shift in that conversation. I am assuming security has become a kitchen table conversation rather than just a boardroom conversation.”

Wiens remarked that the need for cybersecurity as a practice is prioritized higher now with more budget being allocated to improving security posture. Further, Boi-Doku shares why that may be the case.  

Ben Boi-Doku: “The impact of security threats are more real today. Whether it’s ransomware or denial of service for a healthcare organization or theft in financial services – they impact individuals more than they did in the past.” 

He also comments on how IT professionals can present risks in front of senior management to better account for cybersecurity spends.

Ben Boi-Doku: “When you look at the language of senior leadership, you’re really looking at – can I explain a risk to my environment as an organization to the executives in a financial matter? What’s our maturity around quantitative risk analysis or risk assessments? That’s how you’re going to be able to speak better to your C-suite.”

On choosing security frameworks 

A security framework offers best practices and rules for implementing security across an organization. Choosing the right framework is pivotal to meeting compliance requirements and controlling security expenditures.

Ivo Wiens: “Sometimes, we have clients who say that they don’t have a compliance requirement or they don’t need to be compliant. Why would they choose a security framework if I don’t have compliance requirements specifically for my business? And how will choosing that requirement help me prioritize the spend?” 

Roshan Abraham: “Not every customer has a defined compliance need. They may want to get compliant because the customers they’re dealing with want them to. From a C-suite perspective, putting everything on the table on what you need doesn’t actually right-size your response to compliance needs.”

“Having a security standard that is industry applicable, fits your business and aligns your requirements, gives you a chance to have a conversation with the leadership as to how far you should go and how far you should pull back to address maturity.” 

Abraham mentioned compliance requirements (such as PCI or ISO 27001) as the main factor for choosing a framework. Boi-Doku adds thoughts on how organizations should view security vis-à-vis frameworks.  

Ben Boi-Doku: “Contrary but, you don’t necessarily need to start off with a framework. The security journey has multiple horizons and picking a framework right from the start may not make sense for every business.”

“If you’re an organization that’s just started – you’re going to put in the fit for purpose security technologies before you even know they’re called security controls that align to a framework. Therefore, I’d like to mention the basic cyberhygiene covered by CIS security controls and I’ll have Roshan expand on it.”

Roshan Abraham: “When we talk about security standards, every standard is different and caters to a different purpose and audience. For instance, ISO 27001 is written to give leadership the ability to course correct. Something like CMMC is good when you have to do work for a really sensitive contract – so, it’s going to be prescriptive and difficult.”

 “Or CIS, which isn’t a framework as much as a set of controls defined with safeguards. But those safeguards align pretty much with every other standard.” 

“Most senior IT persons I have talked to who don’t want to deal with compliance don’t seem to hate CIS because it’s all the things that they are used to doing anyway. It gives them a bit more practical guidance as to what to do first.” 

In the cloud era, zero-trust security has rapidly gained traction. However, while zero-trust access (ZTA) is an essential component of zero-trust security, it should not be the sole focus. Threat detection and response are equally important measures to ensure comprehensive security and to meet the long-term objectives of the zero-trust strategy.

Compared with the 2023 study, there is little change to security policies supporting zero trust. Noteworthy is the fact that less than one third of organizations have a policy that mandates security monitoring for threat detection.

Ivo Wiens: “Seven or eight years ago when we were doing this study, zero trust was something people didn’t even know about. And now we’re getting to the point in this study where we’re getting down to breaking the philosophy of zero trust into its foundational pieces.”

Ben Boi-Doku: “If you just look at the security journey conversation, of course, prevention would be the very first piece. So, you’re going to stack your controls to prevent a breach. But the thing is, we all know we should be acting as if we’re already breached.”

“Another thing is that there’s no overall zero-trust architecture that one could pick up and follow. So, organizations are going through the zero-trust journey with what they feel is the best.”

“I’d also like to add that betting it all on just the prevention piece is a significant risk. It’s part of the overall strategy but it’s not everything.”

Zero-trust architecture is a nuanced conversation

Wiens talked about increased zero-trust adoption compared to a few years ago while Boi-Doku described how zero trust could be misconstrued as a limited set of prevention measures. Zero-trust security must include supporting components and an overarching strategy.

Ivo Wiens: “It starts with you defining the way you’re going to approach this. The big story when it comes to protecting your business and what it means for your business.”

“There is no one-size-fits-all zero-trust compliance. When clients ask how they can be zero-trust compliant – I usually say that doesn’t exist. What does exist is a lot of other frameworks that support it and a lot of technology that can help you on that path.”

Wiens added that navigating the zero-trust journey requires nuanced decisions about technology and strategy. It shouldn’t be looked at as a one-stop solution for security needs. Until the missing pieces such as threat detection and response are built into zero trust, it’s hard to realize its benefits.

Roshan Abraham: “I think detection and response requires you to be able to filter out things that are truly important to you. So, once you have detection and response capabilities in play, you must be able to assist them in focusing their attention on what’s truly important by having a good handle on what your critical assets are, who are your critical users and what they should have access to.”

The move to public cloud, which accelerated during the pandemic, has not gone unnoticed by adversaries. Cyberattackers have adapted their tactics, techniques and procedures (TTPs) to target public cloud environments, recognizing the increasing reliance on these platforms for data storage and processing.

They exploit the shared responsibility model of public cloud security, where the cloud provider is responsible for infrastructure security, while the customer is responsible for the security of their data and applications.

Compared with the 2023 study, fewer organizations stored their confidential and secret data in public cloud. The top reason cited by 74 percent of respondents in the 2024 study was concerns about security.

Abraham addressed that concerns about cloud security stem from the operational maturity of an organization that is leveraging the cloud. There needs to be a good understanding of the risks involved in addition to the ways in which the risks can be countered.

Cloud security is a two-way street

Roshan Abraham: “It’s a story of maturity in terms of how you operate in your security controls. If you are going to the cloud, the idea that you can just offload the risk to your cloud vendor is not true.”

 “Do I think cloud is a significant part of most organization strategies, especially as they move to AI and truly global workforces? Yes. But we’re in the midst of a change in terms of cost structures and subscription models.”

Boi-Doku added that in order to ensure proper security in the cloud, organizations need to look into cloud-native capabilities and security controls. They could be quite different from on-premises implementations.

Ben Boi-Doku: “When a client says their security expectations were not met in the cloud, I would look into things like how did they implement in the cloud? Did they just transition their workload from on-prem to the cloud? Or did they really take advantage of cloud efficiencies? So, there’s a lot of security controls and technologies that are cloud native, and have those been adopted in the overall governance or security framework?”

Roshan Abraham: “The organizations that are actually seeing a good return on investment have gone to a DevOps model. For instance, they’re using containers. Containerization of assets in the cloud is a good way to manage risk. But if you’re just trying to run VMs in the cloud, that’s probably not worth the return from a CFO’s perspective.”

Ivo Wiens: “Part of managing cloud vendors is also understanding what risks are you taking internally. It’s just not a matter of making sure that the billing is done right. It’s about understanding the gaps between you and the vendor from a security perspective.”

AI and ML are crucial in cybersecurity implementations, thanks to their ability to analyze vast amounts of data rapidly, identify patterns and predict future threats. They can also adapt to evolving IT landscapes and threats and, despite significant initial investment, can operate with limited resources, making them invaluable in the face of increasing threats, budget shortages and fast-evolving IT landscapes.

According to the study, enterprise organizations are the most advanced, and the financial services industry leads the way with 37.5 percent reporting mature and advanced AI/ML cybersecurity implementations.

AI holds great potential across cybersecurity use cases

The experts share their views on how AI could potentially help in improving cybersecurity for organizations. According to them, AI has a significant role to play in enhancing threat detection, automating security functions and reducing the workload on policy side.

Roshan Abraham: “I think the thing where AI is going to really show some progress or really early returns is identifying if a threat is AI-driven or not. It’s no longer sufficient to do end-user training and assume they’re going to pick up badly crafted emails. That’s a challenge AI-enhanced tools could help us with.”

Ben Boi-Doku: “So if you even look at the accelerated incident response times [with the help of AI], you’re really looking at AI leveraging user behavioural analysis, being able to comb through volumes of data lakes to identify what’s normal and what’s not. And protect, detect and respond in an automated fashion. So, that’s where we’re looking at AI really benefitting the security industry.”

Roshan Abraham: “From a risk and policy perspective, AI is relevant to many organizations. You’ve got three different customers with three different sets of requirements in contracts. There are products out there that can ingest these contracts and give you a consolidated compliance framework. That would’ve taken someone days, weeks, months.”

Wiens warns that although AI systems have advanced, there still needs to be proper oversight on their outputs. Organizations must consider using AI with caution.

Ivo Wiens: “But obviously, every output needs to be highly verified and edited, right? As there are opportunities for errors and it’s not a straight up copy paste in a policy document.”   

AI and ML can empower cyberattackers by enhancing their ability to exploit vulnerabilities and evade detection. Cybercriminals can use AI to automate the process of finding vulnerabilities by increasing their efficiency and reach. In addition, AI can be misused to create sophisticated phishing and social engineering tactics, making it harder for victims to recognize fraudulent activity.

The 2024 study showed that Canadian organizations have grave concerns about the risk of AI empowering their adversaries. The top three risks cited include giving cyberattackers the ability to:

1. Automate the process of discovering and exploiting vulnerabilities (58.4 percent)
2. Identify new attack vectors (50.3 percent)
3. Speed up development of new malware strains (42.6 percent)

Boi-Doku warned against cyberattacks that are sophisticated in nature and may come in large volumes. He suggested that prioritizing the weak links in the organization against such attacks is the first step towards prevention.

Adversarial AI may give rise to rampant cyberattacks

Ben Boi-Doku: “The growth of adversarial AI would increase the sophistication and volume of attacks. That’s something to be very concerned with. How do you prevent them? We need to ensure that the low hanging fruits – the most vulnerable in an organization – are protected. Also, we need to ensure that we are drastically reducing the attack surface exposure.”

Abraham, along the same lines, suggested using AI for vulnerability analysis and fixing loopholes with greater foresight.

Roshan Abraham: “I am interested to see how AI can help organizations analyze their own environments to understand where vulnerability may be. I also look forward to asset management with AI.”

Wiens touched upon the use of AI within the organization as a threat in itself. Boi-Doku and Abaraham suggested the implementation of zero trust for limiting AI’s access to organizational data.

Ivo Wiens: “Another area of it is insider threats. Where do you start setting policies within the organization about the use of AI?”

Ben Boi-Doku: “Zero trust! Treat AI as another actor in your zero-trust journey. Make sure that it only has access to as much information as it needs and the individuals who can leverage it can only pull data that’s fit for their roles.”

Roshan Abraham: “You have to be careful with the parameters you set on what AI is going to have access to and you have to control it. And anytime there’s something exposed to it, you have to treat it like a breach.”

The conversation delved into several aspects of cybersecurity’s modern landscape with pieces of useful advice for decision-makers.

To access the data points and insights mentioned in this blog, download the 2024 Canadian Cybersecurity Study below.