Thanks everyone for being here. So my name is Marina Iantorno. I am a Research Analyst at KuppingerCole Analysts.
And as Warwick mentioned, Christopher Schütze. And I'm on the one hand responsible for the practice cybersecurity and also for our own information security.
And today, as Warwick mentioned, we will talk about a study that we run during the year due to multiple participants. Marina, you have some details?
Yes. We got over 2000 responses and we analyzed the numbers and we came out with a very interesting study. The slides that you will see today are part of that study and the PDF will be available to download from our website and from our LinkedIn page as well. So you will be welcome to actually download it afterwards.
Exactly.
And the most important thing for CSOs, for people working in security is to minimize how many incidents do we have And we ask our participants, how many incidents did you have last year?
Yes. Well, what we can see is that there are so many incidents. As you can see in the graph, almost 50% of the respondents said that they had up to 50 incidents in the year, which is a lot.
That is really a lot. And we as Analysts, we are not only analyzing existing data, we are also doing predictions and surprise.
We really expect also that the number of incidents during the next years will increase and increase dramatically. And why? Some sneak preview to the last slide. Artificial intelligence is for sure one thing, using automated attacks to really get access to organizations and to harm them on one level. On the one hand,
And of course there are consequences after a cyber attack. When we ask our respondents what was the main consequence after a cyber attack, we could see that most of them said that the main issue is the reputational damage.
And we see in many companies that it actually happened. For example, SolarWinds when they face a cyber attack, it was really hard for them to actually come back to the trust of their customers.
Yeah. And reputational damage as one of the most important things here. We see this for the future still being number one, but on the other hand, think about all popular social networks, maybe one with a blue logo or something like that, for them it doesn't count. And that's really a strange thing. And that is something I've mentioned every time.
If we talk about something like that, will this change in the future? Is the benefit we have with something like those services connecting with people, do we then accept that there might be some data breach? Why? Why is general reputational damage? That's really very interesting thing. And coming to threats for organizations, we ask again our participants what is number one and surprise. It's ransomware. It's still ransomware.
It was the same number last year.
It is the same number this year and it is still on the top of the list because it is actually very easy if we say, you know, along all the threats that exist nowadays and especially with the use of AI because they can actually make it more similar to something real. So then it is very easy if the employees are not really trained or they don't really have a full understanding, they just click in their own link and that's it. I think like all of us receive eventually an email that seems to be from someone in our company or even an SMS. So
Yeah.
And I mean ransomwares are, or this is the combination of maybe starting with a phishing attack, maybe using some zero days, maybe some other things really to get access as a prediction for the next years for sure. Ransomware, this is a valid and good business model unfortunately, and it'll keep one of the top things here, but on the other hand, maybe you remember my statement about supply chain risk management or suppliers in general regarding our gamification and the students that used a little bit basic hacking skills to manipulate the rating.
All these APIs, those services in the web that we use, maybe even frameworks, this is something which will increase also dramatically. So everything around supplier security and supplier risk management. And the next big thing is really we need to handle that and we have a skill gap. We have also not enough people. And Marina, this
Is unfortunate actually because as well, if we talk about how hard it is to find proper professionals or professionals who are really skilled, it's very hard.
So what we can see is that more than 50% of the respondents say that the problem is the lack of qualified candidates. And it is really an issue because it doesn't really depend on the company. It is something that is actually happening. And I believe as well that with cyber threats evolving very fast, it is actually very hard to have professionals who are at the same level. And I believe that they will have to learn how to use AI as well to defend in the system cybersecurity system.
Yeah.
And the bad news is, I mean in the panel on opening keynote, Sunil mentioned something like the CSO is not needed anymore in one of those future scenarios; it was comparable to I think North Korea, whatever, in that direction. But I don't think it will be that true in that case, in the reality we live today. And so future skills are needed. And everything around artificial intelligence, those of you who played around with ChatGPT or any other GPT service that is out there might realize it changes the way you use it, it changes the way you get your information.
And it also started to change whether you get all the information. So what Martin mentioned yesterday in his keynote, the misinformation, disinformation and malinformation stuff. So these skills are all needed to deal with these technologies, using those technologies for sure. For protecting organizations, for making them more resilient.
Well, so the main point as well is how the companies assess the suppliers. Because Christopher mentioned the cybersecurity supply chain risk management. Yes, it is important to have it in place, but the thing is there are suppliers that are there and the point is how do the companies assess them? And we can see that most organizations say that they request certifications like ISO for example. This is a mark of quality for companies.
And on the other hand as well, the guidelines, the policies, knowing that there is a proper plan or some actions that will be in place in the case of a cyber attack, it is something that helps organizations to decide who will be their suppliers.
Exactly. And the topic of assessing suppliers is really an important thing. I mean KuppingerCole, we are roundabout in total 100 people and I, as a CSO, get so many requests from vendors, from people we work with. They need to, I need to fill out such a questionnaire. Every CSO or person in information security in the room knows this.
This is annoying. On the one hand you have your ISO certification, you have your TAC certification and still you need something else. And as a hope and prediction for the future, I think really this, it gets a bit more streamlined and focused because it's a mess. There are so many standards out there and everyone is cooking his own soup basically around it.
And then we decided to see, okay, so where is the money that is in the budget for cybersecurity well in place this year and what professionals actually think that it should be actually designated to.
And what we can see is that many professionals say that there should be more investment in identity access management solutions in comparison to what was in this year.
Yeah, and budget or investments are really an interesting topic because for sure we ask the thesis, how much do you invest or do you plan to invest? So this is the planned raise of the investments for the next year. So 24 or this year and for sure everything, everybody says we need more budget. But on the other hand the question is where to invest first. I mean we have so many, many topics.
So zero trust covers, if you do the full blown way, everything more or less in the organization, then you have information security, you have the policies, you have identity and access management and things like that.
Security analytics as
Well, security analytics as well. And then there is those new thing, new and versus like artificial intelligence, which is also blowing up the tools, offering new capabilities. And the questions then when to start to invest in that direction, when to investigate, when to really use it.
When do we have real artificial intelligence in the tool that helps here. So the forecast definitely is the budget will grow within the next years.
Yes. Surprisingly, when we asked the respondents how do they think that their budget will be next year, most of them replied that it will remain stable. And for us it was a surprise because what we saw was, okay, if you compare 2022 to 2023 and you saw that your budget grew or increase significantly more than 20% as you could see in the previous slide and you see that there is an increase in the cyber threats.
So how come do you think that you will remain stable, your budget? So probably you actually need to grow it. And this is actually the prediction that we have.
Yeah. And again that the topic, artificial intelligence and skill gap is here really highly related. I mean we need more people to overcome the technology. We have new technology and more or less stable or bit more budget. So that's really a thing here. Saving money or preparing for the worst, more or less the same.
Ransomware is number one still and there are so many other incidents outside 50 or up to 50 for most of the companies a year. And preparation is really key here. And we ask the participants also how frequent do they do some simulations. I mean in the car industry for instance, destroying a prototype on the computer and a model is much cheaper than destroying a real one. And also cybersecurity, doing exercises, practice preparing the people, but also maybe simulating attacks. So prototyping the attack is something that really helps. And also here we have some figures.
Yes.
So what we can see is that most of the respondents, almost 60% of them, said that at least twice a year they play simulations. And as Christopher said here, this is actually key. If you think in any other aspect, for example, for safety or security, there are simulations in the building where you say okay, so there is an alarm. What are the procedures, what are the protocols? It should be actually something similar with cybersecurity because in the end it is actually protecting your assets. This is what you're doing.
Yeah.
And last but not least, artificial intelligence for attackers and defenders. So on the one hand I already mentioned within your organization or in our organizations, we can use some kind of artificial intelligence, especially around detection mechanisms, finding uncommon behavior and the combination log files, whatever is there, identifying patterns that have been identified in other organizations. That's the good thing, AI helps you or some cool other technology combinations. But on the other hand, the attackers use AI as well.
And I can tell you some insight of the capture the flag event. Yesterday there was one challenge which was rated as hard and one team, it was a cryptography challenge, and one team just used ChatGPT for analyzing and giving them some hints and they needed 25 minutes instead of planned four hours.
And we are talking about ChatGPT, which is something that is openly available for everybody. So then you know, like you can go create an account, it is for free.
And we are talking about the famous script kiddies, sorry if you are.
But the thing here, and just think about the professionals that use those tools really. Maybe they aren't interested in your organization and on a specific purpose, they just brute force more or less the or broadcast the whole internet or what is available.
Something that they would like to mention as well. And in relation to this, because Christopher is talking about probably you saw them, the students that were here sitting outside yesterday.
Well, as we mentioned the skill gaps, well luckily for us there are still people who are interested in studying cybersecurity and this is why we had them here participating. But related to artificial intelligence, there is one more thing that I would like to mention and it is, as we said, artificial intelligence is there for defenders and for attackers as well. So as the threats are becoming more sophisticated, at the same time we believe that using AI to actually protect your assets is the correct way to go.
Now recently we started with a leadership compass about synthetic data because this is another thing that will be very useful in cybersecurity. Why? Because it has been proved that synthetic data is mimicking the real data, taking the patterns of the data, but it actually covers the gaps. So then every model that you can actually place will prove to be more robust in the end. And it will be actually super helpful.
I believe that it is another trend that is common in terms of artificial intelligence because to place the models in machine learning using machine learning and using artificial intelligence and the data will actually help a lot.
Definitely. And with that we have already reached the last slide. Thank you very much, Marina.
Thank you, Chris.
You an expert for this study.