Sercan Azizoğlu's Personal Website
January 14, 2024

World Economic Forum's Cybersecurity Outlook


The World Economic Forum has published its 2024 Global Cybersecurity Outlook, based on research drawing on responses from around 200 participants. It focuses on global inequality, geopolitical and technological transitions, skill shortages, a new approach to cyber resilience, and building a better cybersecurity ecosystem. For more information, please check the official publication page. In this post, I cite and highlight some points from the report.

the cybersecurity economy grew exponentially faster than the overall global economy, and outpaced growth in the tech sector (p.4)

The largest organizations say that the highest barrier to cyber resilience is transforming legacy technology and processes. (p.5)

41% of the organizations that suffered a material incident in the past 12 months say it was caused by a third party. (p.5)

54% of organizations have an insufficient understanding of cyber vulnerabilities in their supply chain. Even 64% of executives who believe that their organization’s cyber resilience meets its minimum requirements to operate say they still have an inadequate understanding of their supply-chain cyber vulnerabilities. (p.5)

Regulations seem to reduce risks:

The talent shortage continues to be a worldwide problem, especially as new technologies make it easier for attackers to create and use attack tools. This increases the pressure to find qualified defenders and experts.

Third-party risk seems to be difficult for all organizations to assess and manage.

In 2022, the cybersecurity economy grew twice as fast as the world economy. In 2023, it grew four times faster. Although organizational investment in cyber resilience overall is on the rise, rapid innovation and growth often lead to uneven development (p.9)

…a 2023 report from SecurityScorecard and the Cyentia Institute, which found that “98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years.” (p.9)

Cybersecurity poverty line (CPL) generally refers to the prohibitive cost of securing robust cybersecurity for an organization’s personnel, technology and systems. (p.10)

As the Atlantic Council puts it, “Cyber poverty exhibits dynamics very similar to real-world poverty: simply providing money or free expertise does not necessarily address poor technological designs, poor market incentives, misaligned sociocultural attitudes towards security, or other barriers.” (p.10)

Security solutions are becoming too sophisticated, to the point where many SMEs struggle to operate them, let alone afford them. (p.10)

This year, 32% of 37 CISOs surveyed separately said they are adjusting their cybersecurity strategy by increasing the use of threat intelligence reports and further developing their incident response plans. (p.13)

Although information warfare is not a new concept, the decentralization of information sources, and the rapid advance of technology, makes defending against these types of malicious threats a key concern in the coming year and beyond. (p.13)

Chatbots … are lowering the skills required to commit complex and convincing campaigns. (p.15)

Generative AI is predicted to increase global GDP by 7% over a 10-year period. (p.16)

…only illustrations of how generative AI can be used to alleviate some of the issues with established cybersecurity challenges … In its current state, it will not be able to fully replace skills that are grounded in creativity or human judgement nor require nuanced communication decisions, which include roles such as information security analysts. (p.16)

In 2022, 6% of leaders reported that they were missing the skills and people they needed to respond to a cyber incident. In 2023, this doubled to 12%. This year, when asked whether their organization has the skills it needs to accomplish its cyber objectives, 20% said that they do not. Leaders who are unsure if they have the required skill sets also rose from 4% in 2022 to 11% this year (p.18)

Some 78% of respondents reported that their organizations do not have the in-house skills to fully achieve their cybersecurity objectives. (p.18)

…Although many employers are still looking to hire experienced cybersecurity professionals (33%), the number one way in which organizations are filling these roles is by upskilling existing employees (41%). In fact, to upskill the workforce, as many as 91% of organizations are willing to pay for cybersecurity training and certification for their employees. (p.18)

World Economic Forum research indicates that by 2027, 44% of workers’ core skills will be disrupted because technology is moving faster than companies can design and scale their training. … To address this, organizations must tap into new talent pools … and provide employees with upskilling opportunities like certification programmes. (p.19)

…when leaders were asked what personally keeps them up at night, they said that losing access to important goods and services and cyber extortion are the most concerning. (p.21)

…a 10-minute phone call to the organization’s help desk, sparked a 10-day critical disruption. (p.22)

For the largest organizations by revenue, 44% of survey respondents said that securing legacy technology is their highest barrier to cyber resilience. (p.22)

…most organizations either do not upgrade older systems or do so much more slowly than the speed at which they introduce more tools and new technologies. This in turn expands their technological footprint and adds risk. (p.23)

In this year’s Outlook report, the vast majority of leaders (81%) responded that they feel more exposed or similarly exposed to cybercrime than last year. (p.24)

Some 78% of respondents who are confident in their organization’s cyber resilience also report that cyber resilience has been integrated into their enterprise risk management. (p.25)

…You could send your paperwork to a tax audit firm. Then the tax audit firm gets hacked. …So, even if it’s not you that got hit, you are still going to suffer financial losses and reputational damage. (p.27)

in May 2023, former Uber CISO, Joseph Sullivan, was fined and sentenced to three years’ probation after being the first cybersecurity executive to be convicted of covering up elements of a data breach perpetrated by external attackers. (p.28)

…even for larger organizations, insurance is sometimes not economically viable and that security budgets can be more usefully spent elsewhere. (p.32)
