Three Key Themes for CISOs in 2024

As we get ready to kick off 2024 engagements with our CISO communities, we like to reflect on key topics, conversations and current events of the past year and synthesize them into critical focus areas for security leaders in the year ahead. In the midst of a volatile 2023, CISOs managed through economic uncertainty, protected their organizations against an expanding threat landscape, evaluated the risks and opportunities of AI, prepared for new regulations, and honed their communication strategies with the board and other stakeholders. 

Going into a new year, economic concerns have abated somewhat, but CISOs need to communicate the value of security measures. The pressure to keep up on AI –  creating efficiencies, finding use cases and securing tools and usage – has increased. The proliferation of data, end users, tools and technologies require an integrated cybersecurity strategy and a holistic approach to risk management. 

As this Gartner report notes, this is a key moment for CISOs and their ability to help businesses maintain operations: “With ransomware attacks, global pandemics, supply chain disruptions and growing geopolitical concerns, most organizations are reevaluating their operational resilience.” 

With that environment in mind, here are the three themes we think CISOs will focus on in 2024:
 

1. Improve and Achieve Operational Resilience

CISOs are being tasked with improving their organizations’ overall operational resilience, including considering how legacy operational systems are linked to IT systems. The more operational systems are connected, the more they expand the attack surface. In Gartner’s Market Guide for Operational Technology Security, they write: “As OT continues to connect to IT systems, and newly designed CPS are deployed, OT management, governance, infrastructure and security are evolving.”

In fact, we added OT Security and Cyber-Physical Security (CPS) as a priority for CISOs to select in our annual Leadership Perspective Survey, where we get more specific data on how many CISOs in our communities are focused on this initiative. 

As more new CPS technologies are deployed, security leaders have to expand their strategies to include CPS Security. The Gartner report goes on to encourage CISOs to adopt “an integrated security strategy beyond legacy systems. Include all CPS — e.g., OT, Internet of Things, industrial IoT or Internet of Medical Things — and IT in a joint governance model.”
 

1. Enable AI's Potential through Trust, Risk and Security Management

AI was a hot topic throughout in-person and virtual discussions in 2023, and it shows no signs of slowing down. At a recent Town Hall discussion, CISOs talked about securing AI tools, especially generative AI tools, their concerns about what data and information might be shared on those sites and their inability to fully block access to AI tools. At the same time, security and technology leaders alike want to harness the potential value of AI and do not want to serve as a roadblock for their organizations’ AI initiatives.

We believe CISOs will continue to focus on how to enable initiatives while mitigating the risks to proprietary data and potentially to their organizations’ reputation. In Gartner’s Top Strategic Technology Trends for 2024: AI Trust, Risk and Security Management, their recommendations include “upscaling your application security and risk management programs to cover new AI attack and compromise surfaces” and “keeping up with the increasing maturity of available controls to design, train and operate AI models and applications.” 

We expect many more collaborative conversations on this topic this year, and again, we are monitoring the importance of AI to our members by adding Generative and Traditional AI as a priority in our Leadership Perspective Survey. We are still capturing responses, but the initiative is in the top five for CISOs thus far.
 

1. Create Alignment with the Enterprise to Unlock True Value

As is the case with launching AI and other new technologies, there is some level of push and pull between the business’ desire to move forward with new initiatives and security leaders’ efforts to protect the enterprise from risk. This year, we expect that CISOs will try to create closer alignment with the business to maximize the value and impact of cybersecurity.

One area in which CISOs can impact alignment is in what Gartner research calls shifting the “abundance mindset.” This is when business leaders believe that additional technology will deliver better protection. However, Gartner research has found that this mindset contributes to extra efforts and misalignment and recommends that security leaders promote a “minimum effective” mindset instead. Shifting this mindset will change how CISOs engage at the enterprise level and potentially how they support the organization. 

In addition to these three themes, we expect regulations and privacy to be top of mind for CISOs this year. In July of 2023, the Securities & Exchange Commission adopted final rules that will require public companies to disclose both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance. This has been a huge topic of interest among security executives of publicly traded companies, and we expect to bring the SEC back to Evanta events this season to talk about examples and challenges with these disclosures.

As the responses to this year’s Leadership Perspective Survey continue to grow, we will be sharing more about the specific priorities, opportunities and challenges CISOs are facing this year. To stay fully up-to-date on key topics for CISOs, join a CISO community near you. If you are already a member of an Evanta CISO community, check out MyEvanta to view upcoming opportunities to collaborate in-person and virtually with your CISO peers.