
Predicting the future of cybersecurity is an impossible task, but getting some expert advice doesn’t hurt.
Way back in February, Coro hosted a webinar—as part of our Cybersphere series—featuring our Co-Founder and Chief Marketing Officer, Dror Liwer. Joining Dror to discuss trends in 2024 was cybersecurity consultant Joseph Steinberg.
In their free-ranging discussion, the pair bounced ideas around on what we can expect from this year in cybersecurity, including AI, regulations, and what’s happening with the industry’s workforce.
You can watch the full webinar here, or read a slightly abbreviated transcript version.
Dror: Until recently, we never even heard of ChatGPT or AI in a real way. Everybody was talking about AI, but not really seriously. And suddenly ChatGPT and AI becomes a common, household name in 2023. And of course, it had some impact on cyber security as well. And I’d like to start with that because if there was one trend that we saw in 2023 was the adoption of AI by the bad guys. Any thoughts about that?
Joseph Steinberg: I think what you said about AI is exactly the point. In 2022 very few people in the world had ever thought about something like a ChatGPT, and if they had, it was probably in a science fiction movie or something about the future. And then all of a sudden the tool becomes available to everyone and within a very short period of time, it dramatically changes the world, right? Not just the business world, not just security; teachers have to worry about students using it. It’s everybody, right? And then you start seeing AI image generation becoming common. AI adoption is much, much faster than a lot of people might have thought. And that is going to be true with a lot of developments in AI.
And so I think that’s the point that you brought out; that from 2022 to 2023, there’s this monstrous jump. We should keep in mind that those kinds of jumps are going to keep happening and we don’t always anticipate them in advance because if we did, then they wouldn’t be monstrous jumps. They’d be slower transitions.
So when it comes to security, I think it’s important that everybody understands that there are going to be monstrous jumps, right? They’re going to be developments when it comes to artificial intelligence that play major roles in terms of attacks and defenses. Some of which we’re starting to see now. But some of these could come in 2024 or 2035.
It’s not a question of if they’ll come; it’s when they’re going to come. And they can be transformative where the entire world needs to react to the change, or face serious consequences. So I think that’s the first message, which is this is here, this is not future. This is here now, and there are going to be things happening, and there are already things happening, that require immediate big responses, or the game is over.
It’s almost the change from the typewriter to the computer. If you ignore it, you’re in trouble from a business perspective. It’s the same kind of thing. If you ignore AI, when AI is being used by attackers, you’re in trouble.
Dror: So in 2023, what we’ve seen was two trends from an AI perspective.
One was we saw an order of magnitude leap in phishing emails, where they’ve become a whole lot more difficult to detect because they were so much better written because of AI. And because the attackers were using AI to personalize and to write extremely convincing emails that seemed very legitimate.
And the second area where we’ve seen was, AI being used to research for social engineering purposes. But also as a sort of a side note to that, maybe credentials theft: the usage of AI in order to predict what people’s passwords might be through really good research. And these two or three areas that we’ve seen in 2023, at least from our perspective, we’re expecting them to expand in 2024 into other areas of attacks that are being used, that AI is being used in. Predominantly in the world of emulation and voice as well.
So if the one thing that we’ve always recommended was, if you see a suspicious request from your CFO, give them a call and find out if it really came from them. And now with the voice simulation at the level of where it is, even that phone call could be spoofed.
So that’s really one of the key things that we’re seeing moving forward into 2024. More usage of AI on the attack side to impersonate. Write better, and research in a much more effective way, a much faster way, something that would have taken a human a week’s worth of time to do the legwork on the attack side, now might take them a minute, which of course takes things into a different scale.
Joseph Steinberg: I think it’s February 1 and we don’t even need to say that we think this is going to happen in 2024 because we see it already starting. I wrote a piece a week ago about the most perfect voice social engineering attack I’ve ever seen. And I’ve been studying these things since they’ve been around. A perfect impersonation of a utility company: voice, language, music, prompts, everything was identical, even when speaking with the rep. And again, whether that was AI changing voice, I can’t tell you, but this was not something that could have been perpetrated a few years ago. It just wasn’t. And now it’s happening. One of the things that we were seeing is also psychological.
Parents don’t want to accept the fact that they can’t tell the difference between their children and someone impersonating their child. It’s very hard to accept that psychologically. It’s painful, right? How could that possibly be? But the reality is that criminals can now impersonate people so well, their voices, their way of speaking.
You take TikTok videos that a kid has made and feed it into an AI, and it can speak like that person. And so you get calls to parents where it’s a child pretending to be in trouble and it’s coming from a criminal and that’s happening now. That’s already happening. And as you said, it’s only getting worse.
And as we said before, it only gets worse much faster. The criminals are getting much, much better with this. So when it comes to social engineering essentially any party contacting you is no longer trustworthy. And I think that one of the ways of defending is that, for any sort of transactional activity or anything where you need to verify information or that you’re going to be giving information that’s private, you need to initiate the communication.
So if you get a message from your CFO about something. It doesn’t matter what the voice is, you’re going to need to contact the CFO back through whatever channel you’ve pre-established, such as a private cell number that criminals may not have. But even these are not perfect, right?
Because there are cases where numbers get stolen; SIM swapping and the like. So there’s no perfect defense, but we’ve reached the point where you can’t rely on voice. And in fact, I’ve advised parents that they need a password to have with their children. That if it’s really you calling and you’re in trouble, you need to use the password.
And that’s the only time you use that password. Because the reality is, You’re not going to be able to tell the difference. Phishing is easy. That’s happening now. The voice is happening. And soon it’s going to be video. We’ve already seen deepfakes. Soon it’s going to be real time.
So you get on a Zoom, you have a call like this, and it’s not Joseph sitting here. It’s somebody impersonating me, and it looks exactly like me because they’re using a real-time deepfake. And this is not far off. So yes, 100% AI. This is the year where we’re going to see to the general population (encounter) AI-based social engineering attacks that are going to be much scarier than anything we’ve seen in the past.
Dror: And just one last word, and not to be too much of an alarmist about this, is the one key thing that we’ve heard a lot about in 2023 was about regulations. Regulating AI and having some clear guidelines. The problem is that the bad guys don’t follow regulations. They’re not bound by anything. They’re criminals.
So trying to regulate AI on the one side, but allowing sometimes, state-driven criminals or state-supported criminals to conduct attacks using AI leaves us very vulnerable. Because if you regulate one side, but the other side can do whatever they want, it limits the response capabilities.
But enough about AI. There’s more stuff that happened in 2023. And we’re expecting to see more of, or some changes in, 2024.
So one of the key things that we saw in 2023, from a cyber security perspective, was a buying pattern. Whereas in the past, the buying pattern was driven by either concerns about cyber security or economic justification.
What we’ve seen in 2023, mainly because of the safeguard rules that came out, was a push towards a regulatory response. Buying cyber security and investing in cyber security due to some regulatory concerns or regulatory guidelines that are coming down either from federal or state or sometimes the EU.
So it’s even one level above federal. But mandates that are coming down that are impacting for the first time, everyone, not just public companies, not just enterprise, but everyone. And we’ve seen that have a massive impact on how people think about cyber security because it suddenly became a regulatory requirement and not just a defense mechanism.
What are your thoughts about that?
Joseph Steinberg: First of all, I agree 100% about regulating AI. If you put in a regulation that says you can’t improve this kind of technology because it’s got bad uses. The people who are going to use it for the bad are going to continue developing it. And in fact, you’ve only encouraged them to do it more by saying that it can be used for that.
And that it can successfully carry out such attacks. So I agree with you on that. There needs to be very smart regulation of AI, but that’s not the way to do it. The second thing in terms of regulations, I think we’re seeing a general trend towards changing the wild west, let’s call it, of cyber security and of the internet into a much more regulated environment in terms of responsibilities, right?
So it used to be, if you think back a generation, every company did whatever they did for cyber. Some did nothing, some did a lot. And if there were breaches, maybe there were lawsuits and there really weren’t standards, especially when you spoke about the mid-market and small business. What has happened is over time, there have been different series of regulations, right?
You had things that affected, let’s say, health care in the United States, right? You had the HIPAA requirements. And so those that started affecting. Maybe not directly, right? They weren’t written as cyber security requirements, but they had significant impacts on the requirements that you had for cyber if you were in an environment that was regulated.
What we’ve seen is two trends. Number one, this is across industries now. There’s no more, okay in my industry, it doesn’t matter. Everybody’s using data that’s got value to their customers. Everybody’s got data that can be a problem if it’s abused. So there’s no more of that. Regulators are coming in and saying, ‘Look, you’ve got to meet certain standards, right? You can’t keep gold bars on your front lawn, right? The same way in the physical world, you’ve got to use reasonable precautions and do care.’
This is the same kind of thing. And, it’s being pushed down, right? It’s not just the giant corporations that have this. Everybody needs to do it.
And we saw it from industry standards like PCI in the past, but now you’re talking about from government, and government has a lot more bite if you don’t do something correctly than industry standards. And we’re talking about civil penalties and in some cases, potentially criminal charges. So I think the regulations that are being pushed, and we saw it last year, are the beginnings of it.
And there’s more that’s going to happen this year, especially towards the mid-market and down in the US and overseas. I think these things in general are good. Again, the devil’s always in the details, but the concept of taking the wild west and saying, okay there’s got to be certain minimums. If you want to handle data that belongs to other people, you’ve got to be doing certain things. If you get breached, you need to report it to them. Things of that nature. I think that’s a good thing in general.
Dror: And you mentioned something almost in passing that I want to highlight. You mentioned the word ‘criminal,’ and I think that 2023 was the first time when we saw criminal cases against senior executives as a result of a cyber security breach.
And what are your thoughts about 2024? Are we going to start seeing more of those criminal cases coming out from the federal and state governments against individuals in companies that have been breached?
Joseph Steinberg: I don’t want to speak about those specific two cases in terms of the merits and lack of merits of those particular cases, but it doesn’t matter. Those were wake up calls. You can’t get a better wake up call to a chief information security officer about doing anything that might cover up a breach than a peer being charged with a crime for that, or even being convicted, right?
So these are wake up calls and the same goes with regulatory activity. It’s one thing to put regulations in place. It’s another thing when the first bite comes. And I think the real wake up call of regulations for many organizations, especially at the mid-tier and the small-business tier are going to happen when the first bites come, right?
When the first companies in their world, in their universe of competitors, or the people that they associate with at conferences, when you start seeing charges come in there, there’s going to be a huge wake up call.
Because yes this is a change and regulators are, and prosecutors are saying, ‘There’s a reason we put these into place. And if you don’t cooperate you’re going to pay a penalty for it, whether it’s civil or criminal and being charged as an individual, someone can go to prison, that’s very different from a company paying a fine, right?’
Nobody suffers individually and doesn’t see their family if they pay a fine; that does happen on the criminal charges.
So I think it wakes people up in a very different way. And I do believe it’s going to happen. I don’t know if it’s 2024 or 2025. I don’t know what the prosecutors have to build a case and an incident has to happen that warrants prosecution, but it’s going to happen.
And when it does happen, you’re going to see a huge wake up at those two levels of business.
Dror: So what we have seen, and I agree with you 100%, it was a massive wake up call to see those criminal charges brought. And I think every single CISO and every single board member and every single CEO and every single CFO took notice of that.
What happened also in 2023 was the enactment of several regulations that govern cybersecurity. The one that I think made the most waves was the FTC safeguard rules, which pretty much impacts every company that has anything to do with accepting or sending money electronically. So basically anybody. And there were stories about private trainers who were impacted by that and car dealerships and anybody.
What didn’t happen in 2023 was enforcement. The government basically put that rule out there and said, ‘Okay, so we delayed this enough.’ If you remember, it was actually supposed to take effect in 2022, but then the government decided to give people a six month grace period and ended up being enacted in 2023.
But having said that, they didn’t do any enforcement. No fines, no charges were made in 2023. I’m willing to bet it’s going to happen in 2024. I think what they’re doing is they’re giving people time to adjust and get their houses in order. And in 2024, there’s not going to be excuses anymore and they’re going to make an example of someone.
And I think that the first example they’re going to make is probably going to be a relatively large company. But let’s not forget these FTC rules impact any company, mid market or small. And the question here is, and this is really an open question is: how can a mid market or small business comply with these very onerous rules?
They don’t have the budgets. They don’t have the team. They don’t have the technology or the expertise to deal with all of that the same way that an enterprise has the budget, the team, and can compete there. It’s really disrupting the level playing field; not that there was one to begin with between a small business and an enterprise, but it’s even disrupting it more.
What needs to be done to help or support these mid market or small businesses that are being impacted by one rule after another, that is coming down from the federal or state governments?
Joseph Steinberg: So first of all, I agree with you that the FTC was a very significant change. Essentially, again, in that wild west of cybersecurity, I think also the SEC requiring and this would be for public companies. So the larger ones putting more responsibility on boards of directors for overseeing cyber security and increasing their liability if they don’t do it properly, also something late in 2023. So I think at the top and the middle and the small we’re seeing this change.
I agree with you 100% that the big companies woke up with the CISOs being charged last year. I do think that, in terms of smaller businesses, it will happen with the first enforcement actions. I liken the regulations to the alarm clock when the regulations go into effect.
That’s like setting it before you go to bed. You gotta get up at a certain time, but the first enforcement action is when that alarm goes off, right? That’s when people really wake up.
And I think, as you said, it’s likely that this could happen later in 2024. There has to be good prosecutors and they have to have a good case and they don’t want to make an example of a three person company. That’s not where they’re going to do it.
So it’s gotta be something that lets the world know we’re serious about this and everybody better wake up. So again, whether it’s 2024 or 2025, it really doesn’t matter. It’s going to happen, right? And if you’re not ready for it, you might be the one that happens to. That’s something to keep in mind.
But again if, they want it to be taken seriously, they have to enforce. There’s still 11 months left. That’s plenty of time.
In 2024, I do think one thing that we will have seen is that when regulations go into effect, the free market generates the solutions for businesses to comply.
We’ve seen that with every kind of regulation that’s gone into effect in the past. So I do believe the same way that we have MSPs that have come out and software companies that have come out that have helped. Organizations comply with all sorts of other regulatory requirements. We’re going to see a lot more in the cybersecurity world related to regulatory requirements for the medium-and-small size businesses to help them along the process.
So I don’t think it’s a case of that small business has no way of doing it. I think there’ll be different offerings that will come out. Some of which are out. And there’ll be continued enhancements and ultimately we will get to a point where a small business can do a far better job protecting the security and privacy of its data than might be possible now, not just because they can do it, but because they can measure it better.
As a regulator would require so that they can say, yes, we know we are doing X, Y, Z which is a good thing for everybody.
Dror: For sure. So first of all, of course, I think all of us agree that better safeguards on data are good. It’s just that the cost-per-capita for a mid market or small business is so much higher than that for the enterprise.
And that is where the disruption is. And I honestly have thought for a very long time that the government should have tax incentives for mid-market and small businesses to be able to comply in order to level the playing fields. And they’ve done this in other areas. So why not here? But that’s a whole other story.
Joseph Steinberg: I agree, and I’ve made that recommendation to government officials on more than one occasion. If you could take your investment in cyber technology, right? That might be capitalized in some cases or and you could write it off immediately. Or if you got a benefit from it not just in reduced insurance costs, but something immediate from the government like they’ve done, for example, with electric cars and things like that.
I think you’d see much more investment in it. And it’s a national security concern as far as I’m concerned. So I think it would be a very good thing at the federal and the state level.
Dror: For sure. You mentioned the SEC rules, but they only apply to publicly-traded companies.
What we’ve discovered is that’s actually not the case because mid-market and smaller organizations are always a part of a supply chain. And if somebody at the top of the supply chain is regulated, you’re regulated, whether you like it or not. Whether that regulation doesn’t apply to you directly, it applies to you indirectly because for that public company at the top of the supply chain to be able to comply.
So now they’re forcing rules that are designed for very large enterprise public companies that now, mid-market and small businesses need to comply with to be able to work, to be able to conduct business with these larger organizations. And again, I go back to government help here, because if enacting these rules, which I agree completely that they’re necessary, they should help the little guy to comply with them.
The big guy has the capability to deal with it. They have the teams, they have the lawyers, they have the budgets, they have the software, but it’s the middle market and the smaller businesses that are left a little bit hung out to dry on this. But yeah, I think we’ve spoken a lot about regulation.
How about a term that I’ve heard for the first time in 2023. I think it was at the Gartner security summit in Washington, D. C. And the term was “platformization,” where cyber security is moving away from, or the trend or the desire really is to move from multiple disparate products that don’t really talk to each other to consolidated platforms that behave very differently.
Have you heard about that term? What are your thoughts about it?
Joseph Steinberg: First of all, I think people have wanted that for many years because it’s become, I don’t want to use the word impossible, but pretty close to that for many security people to manage the systems that they have if you’re running security for a large organization.
The number of different types of systems that you have running is sometimes so large that there’s just no way that any one person can really understand what all of them are providing. Complexity leads to mistakes, which leads to breaches.
It also leads to accounting mistakes, right? Sometimes you’re renewing subscriptions of things you’re not using. And you’re not even using features in one because it doesn’t talk to the other one and you’re duplicating functionality. Complexity is not a good thing. The expression I’ve used is: ‘complexity is the enemy of security,’ right?
You want to keep things as simple as possible. Both because of technological problems and because of human mistakes, and I think it may be tied to the regulatory stuff. I think as things are more formalized, right? You’re moving from a Wild West kind of world to a much more structured, formal world. I think this goes along with that.
People want things that can be much more easily managed. And measured to know exactly what everything is doing when that’s the kind of thing that regulators like, that kind of structure. And I think this is a big trend.
There’s always been some level of it, but I think in many cases it was theory because as people were consolidating one product, they were buying five other ones for some other new risk that came out. You began the year saying, ‘Okay, we’re going to reduce the number of vendors we’re dealing with from 80 to 70.’ And then, at the end of the year, you realize, ‘Yeah, we reduced to 70, but we added 15 new ones. So now we’re at 85.’
I think now we’re seeing the serious effort to try to keep things much more standardized. And I think that will help with the regulatory issues as well. And I think it will actually help from a security perspective.
But I think it’s real now, as opposed to talk that we had heard for years. So I agree with you.
Dror: So what we’ve seen is and it actually started a little bit in 2022 and even a little further back and into 2022 and 2023 was what we call consolidation or platformization of the invoice. And what do I mean by that?
It’s really still disparate products. They’re just bought from the same vendor and are on the same invoice, but they don’t talk to each other. They don’t share information. They have completely different user interfaces and experiences, and the learning curve on each one of those disparate products is extremely high.
When people talk about platformization or consolidation, I think we need to be careful about what that actually means.
From our perspective, true platformization means all of the different security items or modules, if you will, need to talk to each other, be easily turned on and off.
Use the same data lake to share information. So it’s one set of eyes basically looking at across all of the different domains. And not disparate products that happen to be on the same invoice by the same vendor. Sometimes not even by the same vendor, but by the same supplier.
Joseph Steinberg: That’s not platformization. That’s really giving the appearance of platformization. But you’re not really doing it and you’re not getting the benefit of it. The only thing that’s happening is that the CFO is processing fewer invoices. That’s about it.
Dror: At a price advantage because if they buy 15 different products from the same vendor, they’ll probably get a price break on it. And that’s also important, but it’s not platformization. It’s not.
Joseph Steinberg: It’s a CFO issue. It’s not a security benefit. It’s the CFO who’s benefiting from it.
Dror: It’s a CFO and operations issue. I’d like to leave time for questions. So I have one last trend that I wanted to talk about that is moving from ‘23 to ‘24.
So for the last 10 years, we’ve been talking about the cyber security personnel shortage, right? That there’s been a phenomenal shortage and depending on whose numbers you believe, there are anywhere between a million to 3 billion jobs open out there for cybersecurity professionals that are on staff because there aren’t enough people out there.
And that’s been the case forever. And I’m exaggerating, of course, but the real number (I heard) just late last year, they were talking about 1.6 million on staff jobs in the U.S. alone in cybersecurity, which is a mind-boggling number.
What we’ve seen a big change in late 2023, and we’re expecting that to be a lot more aggressive in 2024, is churn. Where in 2023, early 2023, ‘22, ‘21 and even ‘20, we saw very little voluntary churn in cybersecurity because people—because of the situation with COVID and the economy—were holding on to their jobs and not moving as much.
Whereas now that the economy is better, and people are beginning to look at their options, we’ve started seeing churn in late 2023 and we’re definitely expecting it to grow. And in a conversation you and I had, you mentioned something else that is impacting it, which is very interesting. I didn’t think of it originally.
Joseph Steinberg: Yeah, I think there’s a fundamental change that has happened to the workforce.
And in fact this was actually in the news since we spoke before that is causing churn to occur. What was in the news is that the number of Americans working in the United States from home for foreign companies has skyrocketed in the last year.
There are estimates that it may have gone up by 60% or more, which is dramatic for an economy the size of the U.S. What I had mentioned to you when we spoke is one of the things that’s happened is that the pandemic forced everyone to work from home, but then a lot of companies started asking people to come back and it took a while until the companies’ policies about how much time you could work from home, how much you had to be in the office, got stabilized. But at this point for many organizations, the rules are set.
And what that means is that people who want to work from home now know where they can go and where they can apply for jobs that they will be allowed to stay working from home as opposed to have to worry that, six months from now, the policy is going to be that they have to go into the office every day. And companies can make that commitment because they’ve come up with these policies.
So now you have an economy that’s doing well in terms of this sector. You have unfilled jobs. You have the ability to work for companies all over the world remotely, which never existed anywhere near this magnitude in the past. And you can know for sure that you’re going to be able to work remotely if you want to.
That creates a whole new job market that never existed before. And of course people are taking advantage of it. So I think the churn is a big issue in some ways.
It may actually be the biggest issue, because if you’re trying to deal with cyber problems and your staff all leave, it doesn’t matter what your plans are. You’re not going to be able to do them and you’re not going to be able to implement them. And with the number of unfilled jobs in the U.S. alone, it’s a problem. Especially if U.S. cyber professionals are now working for companies overseas from their homes in the States. So I think this is a major issue.
I don’t think it’s gotten enough attention. But I think the wake up call is going to happen to many organizations as they lose personnel, because the job market has fundamentally changed.
Dror: So I’d like to put you on the spot and ask for a prediction. Do you predict that companies are going to decide okay, stay at home, work from home, just stay with us. Or are they going to insist on people going back to the office in 2024?
Joseph Steinberg: I think we’re going to see both. It depends on the role and the job. I think in some cyber-related jobs, if companies force people back into the office, they may pay a very hefty price because it’s not hard.
It’s not hard to imagine with the kind of churn we have and the demand out there for cyber professionals, that if you force someone who wants to work remotely to be in the office five days a week, that they’re going to find something else. And it’s not that easy to replace competent cyber people in many specific types of roles.
So I think that in our industry, we’re going to see a little bit less of that pressure to return to the office than in others. I do think that there will be hybrid situations. In the end, I think almost everybody, every company is going to have some form of hybrid role model, right?
There may be some roles where people can be remote all the time. There may be some roles where people have to be in the office all the time. But there’s gonna be, generally speaking, a hybrid. But what that hybrid looks like for cyber people will have to be a lot more flexible than it will have to be in other professions or organizations. Or it will risk losing hard to replace cyber professionals.
Dror: For sure. By the way, as a side note, with the new glasses by Apple, when they first showed them, you know what first came to my mind? SOC anywhere. Because if you have these on and you can have all of your screens in front of you, you can be anywhere and you don’t need that huge real estate that normally a SOC has with all these massive screens.
And the SOC operators with 16 screens on their desk, it’s all right here, which to me, it was crazy, and I take full credit for that idea. If Apple starts developing it, it’s mine.
Joseph Steinberg: Yeah, no I think we are going to see people working on the beach with glasses on.
Doing things that you would never imagine would be done out of an office. You’ve seen people writing on the beach. You’ve seen people reading on the beach. I think we’re going to see this. I think the big question remains how people will communicate if they need to make a voice call.
There are devices that let you make a private phone call in public with a mask. I’ve tried one of those. I don’t think they’re quite that ready for prime time or people sitting on the beach are going to want to wear those and then have a white spot on their face where they tan everywhere else. But I do think we’re going to see it. And in some fashion, this is going to be the case in the world that we live in where people will be able to work on things that normally require 10 screens from anywhere.
And if that exists and you’re telling people they have to be in the SOC five days a week from eight to six or whatever, you’re going to lose many people who would otherwise potentially work for you. And that becomes an issue.
Be prepared for whatever cybersecurity trends 2024 throws at your organization with Coro.