Bring on 2024

Chief Executive Officer, Simon Rycroft, talks about key trends that will impact the world of cybersecurity over the coming 12 months

For CRMG, 2023 has been another bumper year that has seen us foster deeper relationships with our customers, expand and enhance our suite of services and solutions and welcome new joiners to our growing team of consultants and experts.

Thanks to partnerships with some incredible organisations that address the technical aspects of cybersecurity, we are now able to meet the full range of cyber-related challenges faced by any organisation and keep pace with the ever-changing threat landscape. We continue to champion taking a risk-based approach to cybersecurity and will continue our mission to reinforce this over the coming 12 months.

And what a 12 months it’s set to be. The threat landscape will continue to evolve, no doubt driven by the rise in the use of AI by both organisations and criminals. The cyber industry itself will keep maturing, bringing new challenges and opportunities to explore.

Here are just some of the key themes and trends that we will be paying close attention to throughout 2024 and beyond.

Shifting cybersecurity from being an IT issue to a top-level business risk

This is a conversation that we will continue to push as there still needs to be a mass change in how cybersecurity is perceived by many organisations (and mid-size businesses in particular). This point may seem obvious to many in our profession now, but the reality is that cybersecurity is still seen as predominantly an IT issue in too many organisations, rather than a business risk issue that is just as much about culture and people as it is about IT. And yes, the Board MUST be engaged, owning cyber risk and setting the right tone from the highest level.

Arguably, getting the technical aspect of cybersecurity right is the straightforward bit. The real challenge comes in getting the right risk management mindset and structures in place and coupling this with the right people and process capabilities.

Only once this shift is substantially achieved is meaningful cyber resilience across our society likely to follow.

More focus on integrity when making risk decisions

There’s a tendency for our profession to focus heavily on confidentiality and availability when evaluating the impact side of the risk equation. Too few organisations think deeply enough about the true impact of integrity-related compromises, but this will continue to change over the next 12 months.

While many will highlight cultural differences in the way in which IT and Operational Technology-related risk is managed, there is much we can learn from ‘safety first’ approaches to OT risk management. As an example, the way in which risk appetite is referenced in day-to-day operations in an OT setting (such as the oil and gas industry) is quite different from information-centric environments. There is more we can do to learn from each other in this regard.

We’ll be bringing some of the best minds to bear on this issue in 2024, so watch this space!

The inevitable shift to risk-based deployment and use of AI

AI is the elephant in the room in many a cyber risk-related conversation these days. It offers the potential to supercharge our ability to counter cyber threats, whilst at the same time offering the bad guys ever more sophisticated and scalable means by which to harm us.

AI is so fast moving, and the scope of the possible so unknown, that we will have no choice but to deploy and use AI-powered technologies within very clearly managed, risk-based, guardrails. The tricky part here will be to allow enough flexibility to harness the potential of AI whilst limiting its ability to adversely impact critical environments or information.

We’ve already started some innovative work on how to achieve meaningful AI Assurance in partnership with our friends at Advai. We’ll be sharing more on this through the early part of 2024.

Moving on the qualitative/quantitative debate

A lot has been said about whether organisations should take qualitative or quantitative approaches to cyber risk assessment – and I hope that 2024 will be the year that we move on from this. The reality is that a range of techniques – supported by the most reliable information we can lay our hands on – should be brought to bear in understanding, communicating and managing cyber risk.

In our view, “qualitative” and “quantitative” labels are unhelpful in this regard and do little more than perpetuate an already polarised debate.

As we move into 2024, we will continue to do our bit to offer reliable, pragmatic support that is shaped to the realities of each business we work with.

The entire team is genuinely motivated by our ability to make a difference, so please do get in touch if you think we can support your organisation in taking a risk-based approach to cybersecurity.

Lastly, we will continue to nurture our partnerships with leading organisations such as the Information Security Forum and Chartered Institute of Information Security – as through these partnerships, we can have the greatest impact.

All that’s left for me to say is that I hope everyone has a safe, healthy and successful festive period – and bring on 2024.

Simon and the CRMG team