Top 12 Cybersecurity Topics in 2024 - Part 1 of 4
Alliteration purely accidental!
Just getting back behind the desk after attending Shmoocon 2024 and helping to build the network. 2024 was the penultimate Shmoocon, as it will have its last run of show in 2025. This has been a great conference for almost 20 years, and this one was no exception. Coming away (and still recovering from sleep deprivation) I've compiled my 12 items of cybersecurity to watch for in 2024. By the time we get to 12, there may be more! I'll post these in 4 chunks of 3, as I want to see what everyone has to say about these topics before we move along. So without further ado: 1-3. Enjoy, share, ask questions, provide comments and let's hack this world into a safer and more resilient place! (Part 1 of 4)
GenAI will remain a hot topic, especially as a magnifier of an organization’s immaturities, specifically surrounding data and quality assurance. Organizations are going to have to be really diligent about what data exists, who owns it, where it came from, what it can be used for, and whether it can be aggregated with other data to become more sensitive than its parts. We’ll also need to make sure that GenAI solutions undergo rigorous QA, with human involvement in almost all of these scenarios; methods of intervention (i.e., shutting down, curtailing or adjusting models) will be crucial. Also note that the people who can adjust these models are still in short supply. We are witnessing the proliferation of a technology without a widespread population of people to safely deploy it, and we have a population who are trusting of computers and people who could be adversely affected by its malfunction.
Data governance, ownership and provenance are all going to be key areas of focus during the adoption of GenAI solutions. Data lakes, repositories, data ownership, provenance and usage are all key issues that will need to be VERY mature before allowing (Gen)AI solutions to aggregate and make new content. If your data is just sitting around, and you are looking to add it into a GenAI solution, NOW is the time to start getting a data protection officer engaged to figure out all the details (meta and actual) about that data.
Allowing or accepting immature cybersecurity readiness within critical systems is no longer permissible. Operational technology (sewer systems, water systems, supply chain, devices created by startups and run on a Raspberry Pi) is still vulnerable to even the simplest of attacks. We’ve seen progress in regulated utilities such as power and gas, but work remains to ensure our critical systems are protected. I’ve also personally seen new startups using cheap hardware like Raspberry Pis in places they shouldn’t be, using passwords that haven’t been changed from default. We need to discover what is still out there, correct our past mistakes, and not make them again!