- Leveraging advanced technologies like Generative AI and outcome-driven metrics is crucial for improving cybersecurity strategies and boardroom confidence.
- Emphasizing a human-centric approach, including security behavior programs and identity-first security, enhances organizational resilience and reduces risks.
Generative AI (GenAI), unsecure employee behavior, third-party risks, continuous threat exposure, boardroom communication gaps and identity-first approaches to security are the driving forces behind the top cybersecurity trends for 2024, according to Cybersecurity Experts at Fortray.
GenAI, a significant force in the cybersecurity landscape, is occupying a considerable portion of security leaders' attention. It presents both a challenge to manage and an opportunity to harness its capabilities to enhance security at an operational level. As Mazhar Minhas, CEO of Fortray, points out, despite GenAI’s inescapable force, leaders must not overlook other external factors outside their control this year.
Security leaders will respond to the combined impact of these forces by adopting a range of practices, technical capabilities, and structural reforms within their security programs in 2024 to improve organizational resilience and the cybersecurity function’s performance.
Six Leading Trends
The following six trends will have a broad impact across these areas:
Trend 1: Generative AI - Short-term Skepticism, Longer-Term Hope
Security leaders need to brace themselves for the rapid evolution of GenAI. The emergence of large language model (LLM) applications like ChatGPT and Gemini is just the beginning of its disruptive journey. Amidst the promises of productivity increases, skills gap reductions, and other new benefits for cybersecurity, Experts advise using GenAI through proactive collaboration with business stakeholders to lay the foundations for its ethical, safe, and secure use.
It’s important to recognize that this is only the beginning of GenAI’s evolution, with many of the demos we’ve seen in security operations and application security showing real promise. There’s solid long-term hope for the technology, but we’re more likely to experience prompt fatigue than two-digit productivity growth. Things will improve, so encourage experiments and manage expectations, especially outside the security team.
Trend 2: Cybersecurity Outcome-Driven Metrics: Bridging Boardroom Communication Gap
The frequency and negative impact of cybersecurity incidents on organizations continue to rise, undermining the confidence of the board and executives in their cybersecurity strategies. Outcome-driven metrics (ODMs) are increasingly being adopted to enable stakeholders to draw a straight line between cybersecurity investment and the delivered protection levels it generates. 
ODMs are central to creating a defensible cybersecurity investment strategy. They reflect agreed protection levels with powerful properties in simple language that is explainable to non-IT executives. This provides a credible and defensible expression of risk appetite that supports direct investment to change protection levels.
Trend 3: Security Behavior and Culture Programs Gain Increasing Traction to Reduce Human Risks
Security leaders recognize that shifting focus from increasing awareness to fostering behavioral change will help reduce cybersecurity risks. By 2027, 50% of large enterprise CISOs will have adopted human-centric security design practices to minimize cybersecurity-induced friction and maximize control adoption. Security behavior and culture programs (SBCPs) encapsulate an enterprise-wide approach to minimizing cybersecurity incidents associated with employee behavior.
Organizations using SBCPs have experienced better employee adoption of security controls, reducing unsecured behavior and increasing speed and agility. This leads to a more effective use of cybersecurity resources as employees become competent at making independent cyber risk decisions.
Trend 4: Resilience-Driven, Resource-Efficient Third-Party Cybersecurity Risk Management
The inevitability of third parties experiencing cybersecurity incidents pressures security leaders to focus more on resilience-oriented investments and move away from front-loaded due diligence activities.  Security leaders enhance risk management of third-party services and establish mutually beneficial relationships with important external partners to ensure their most valuable assets are continuously safeguarded.
Organizations must start by strengthening contingency plans for third-party engagements that pose the highest cybersecurity risk. They need to create third-party-specific incident playbooks, conduct tabletop exercises, and define a clear offboarding strategy that involves, for example, timely revocation of access and data destruction.
Trend 5: Continuous Threat, Exposure Management Programs, Gain Momentum
Continuous threat exposure management (CTEM) is a pragmatic and systemic approach organizations can use to continually evaluate the accessibility, exposure, and exploitability of digital and physical assets. Aligning assessment and remediation scopes with threat vectors or business projects rather than an infrastructure component highlights vulnerabilities and unpatched threats.
By 2026, organizations prioritizing their security investments based on a CTEM program will realize a two-thirds reduction in breaches. Security leaders must emphasize the need for continuous monitoring of hybrid digital environments. This will enable early identification and optimal prioritization of vulnerabilities, thereby helping to maintain a hardened organizational attack surface.
Trend 6: Extending the Role of Identity & Access Management (IAM) to Improve Cybersecurity Outcomes
As more organization’s move to an identity-first approach to security, the focus shifts from network security and other traditional controls to IAM, making it critical to cybersecurity and business outcomes. While Experts see an increased role for IAM in security programs, practices must evolve to focus more on fundamental hygiene and hardening of systems to improve resilience.
Security leaders focus on strengthening and leveraging their identity fabric and identity threat detection and response to ensure that IAM capabilities are best positioned to support the breadth of the overall security program.
Conclusion
The year 2024 presents some unique cybersecurity challenges with new technologies' growth and threats' constant evolution. Generative AI, unsecure employee behavior, third-party risks, continuous threat exposure, and boardroom communication gaps are now considered paramount trends shaping the industry. Even Fortray’s experts, including its CEO Mazhar Minhas, admit that it is in a ‘fast data’ and real-time paradigm necessary to sustain the organization in today’s hyper-competitiveness. Thus, generative AI has the potential to be disruptive and offer immense value when used properly and with adherence to high standards of ethical conduct. This outcome-based result will go a long way in collapsing this security investment-output gap in a way that boardrooms can always have their back fully covered as they commit resources to cybersecurity. The message is that focusing on security behavior and culture programs can achieve significant risk reductions relating to people and create a more security-aware workforce.
Third-party risk management, unceasing threat exposure, and identity security approaches are important for strengthening an organization’s shields. Overall, using the given approaches allows security leaders to establish solid and flexible security frameworks that meet the complex requirements of contemporary cybersecurity. Finally, emphasis should be placed on applying new technologies in security contexts while keeping a person at the center of attention. In this way, organizations can improve their preparedness levels, safeguard their resources and accomplish better cybersecurity operations in today’s dynamic digital environments.