Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Advisor and Analyst with KuppingerCole Analysts. Today, we want to have a look at strategic cybersecurity recommendations for 2025 and far beyond. And we want to explore how the cybersecurity landscape will take shape through 2025. We want to explore the increasing complexity of the attack surface. And we want to look at how organizations should focus on improving their resilience and their ability to recover in cybersecurity in case things happen. So a bit of a shift in where organizations should look, not only at cybersecurity but beyond it. We want to, of course, have a look at the dual role of AI in cybersecurity. So it could be good and could be bad. And to discuss all of that, I've invited one of our Senior Analysts. I want to welcome Annie Bailey. Hi Annie, good to have you.
Hi, Matthias. Thanks for having me back.
Good to have you. And this is really an analyst episode, so this is Analyst Chat, because for that we look forward to 2025, and we are also talking about a document which dares to look at the span of time from now to 2033. That's quite a bold move. So you need to have a very good crystal ball to look at what will be happening, at least starting in 2025. And starting with 2025, what are the key cybersecurity trends that organizations should be aware of as we approach 2025? So what will be next?
Yeah, and I think before I dive in, trends are an indicator on the way to recommendations about the future. As you rightly said, daring to make predictions and recommendations about 2033, 2035 is a really bold move. And so that has to be founded in a strong methodology. Why else should you listen to it? And one of the methodologies, the one that we actually followed, is to use scenario planning. So looking at concrete scenarios that we can identify today about where the future could be going, in several different directions. We can't say exactly which direction our futures are going, but we can look for indicators of which path they will go down, and then start to make observations, identify trends, and then spin out what would happen if this happened, and then that, and then that, and spin out these stories farther and farther to find those trends that exist today that would likely exist in those possible futures, and then develop the recommendations around what to do about those trends as we see them developing.
So you just killed my myth of having a crystal ball; this is all methodology. These are facts. This is really derived from what you observe and from what we recommend as analysts, right?
Mm-hmm, exactly. And so trends that we can see today and that we expect will continue in the future are, of course, the increasing complexity of cybersecurity, of the attack surface. Part of this complicating factor is AI, but it's also something that we saw across the different scenarios that we worked with. So looking at different geopolitical influences, decisions that businesses may make to either expand and become more globalized, more interdependent, with more complex supply chains, or choosing the opposite of that as well, shrinking back and becoming more independent but perhaps less flexible. In all of those directions, a common theme that we saw was increasing complexity and the expansion of the attack surface. That's something that organizations really need to be aware of. And there'll be different flags and indicators of what flavor that complexity may have. But that's a base assumption that we can move forward with about our future, whatever flavor it has. Another key trend is the importance of resilience and recovery. We have been moving in that direction for quite some time, but it's becoming even more clear that it's not a question of if your organization will be attacked, but when. And that means resilience and recovery with the assumption that attack and breach are a matter of time, not a matter of black and white, good or bad defense strategies. And so it's about preparing for that eventuality, getting up and running again as quickly as possible. And of course we come to another very important trend, which is that AI is here, in whatever capacity. Is it a friend? Is it a foe? Is it a tool? Is it a weapon? This is a topic that organizations must grapple with. And this will exist in the future. So these are the trends, things that we expect to see in the years to come.
Right. And we are just a few weeks away from, or actually past, an event that really hit global infrastructures quite heavily. So the impact on businesses when it comes to cybersecurity threats, but also just to mismanagement of technology, can be quite striking. How do you expect the evolution of these cyber threats, as you just described in your observations, to impact businesses over the next few years? Will it increase? You mentioned the supply chain. There is a lot to digest here.
Mm-hmm. So cyber threats will take on different flavors depending on which futures come about. Again, we worked with scenarios that looked very much at geopolitical influences, choices of investment and innovation, and different business environments that could evolve. And depending on those different environments that a business would exist in, in the future that is approaching us, there will be different types of threats that will come. Perhaps more of a likelihood of state-sponsored threats, more lone wolves in a different scenario. The range of threats, or maybe the menu of threats, that may come at you will be more dependent on the business environment. Another impact on the business environment, mentioned before as a trend, is the broadening attack surface. Due to the digitalization of businesses, this choice will likely become even more a part of businesses' strategies, and that of course expands the attack surface as more and more parts of business operations become dependent on digitalization. And so this threat is known and will become even more concrete in the future.
And you've mentioned the topic of AI, friend or foe, and that has been discussed quite extensively already. But nevertheless, will AI and machine learning play different roles in cybersecurity strategies, and what can it do? As the final observation, or maybe one of the most important observations before we come to the recommendations, which is what we're actually aiming at: what can AI do for us, and what will it do to us?
It became really clear in this exercise and this research that there is room for agency on the part of the organization. Organizations can choose what to do with AI, in a sense. There is some of it which is difficult to influence, which would be AI as the weapon, as a tool in the hands of malicious actors. But what organizations do have agency over is how they treat it within their organization. Can it be applied to their cybersecurity needs, to elevate their cybersecurity posture? Can it be used to advance or find efficiencies for their own employees, for their own products? And does that in itself open them up to vulnerabilities which they weren't expecting? So in the realm of things that an organization has relative control over, there is still this dual nature: using it as a tool against malicious actors, or, in pursuing their business interests, does it open them up to more vulnerabilities?
Right. And maybe a final observation that I can contribute, because as most of the listeners know, I'm more the advisor in the game and you are more the analyst. So when I talk to end-user organizations, there's always one driver for improving their governance, their compliance, their cybersecurity, and that is, as boring as it can be, regulations. So regulations will have, and do have, a real impact on how strategies evolve, how organizations spend their money on improving their cybersecurity, driven by the need to fulfill these regulations, to fulfill the requirements imposed by them. Will this continue to evolve? Will there be more regulations, and will there be a common denominator, or do we just have to prepare? Is this a final observation that we just have to deal with?
Mm-hmm. This is... the regulation landscape is more dependent on which future approaches. Will your organization exist in a more protectionist, less globalized environment? If so, then regulation will likely be more regionalized. If your organization exists in a very global market, with a more open and proactively international trade and supply chain environment, then there will be more intention about coming to international standards for regulations. And so this research didn't reveal what regulation will look like in the next years, but it's a very helpful exercise in becoming aware of what the indicators are of the different futures which may be approaching, which in itself helps to prepare for a more regionalized regulatory landscape or a more open one approaching standardized regulations across different geographies. So that was a very analyst answer to the advisor. Your clients may not be happy with that.
They have to be, that's easy. But in the end, we are looking at a document that you've provided, a research document, running up to cyberevolution in December 2024 in Frankfurt. But that is a really useful and helpful and really great read when it comes to planning for cybersecurity in general and for getting to recommendations that can be applied to many organizations, but that then need to be translated for the actual organizations. So the document that you provided is an Advisory Note. It's published. It was published in early July and it has the title, Securing Tomorrow - Strategic Cybersecurity Recommendations for 2024 to 2033, and it is recommendations. It's really actionable information for those who are in command, for those who spend the budget. And when we come to these eight recommendations, of course, I have to ask you to quickly walk us through these recommendations that you derived from the observations, and that then need to be applied to organizations and translated into actual measures.
Mm-hmm. And perhaps before I jump into the big reveal, I should say my name is on the paper, but it was certainly a joint effort. We worked very closely with Jonathan Blanchard Smith of SAMI Consulting, who is a foresight studies consultant really working very in depth with these methodologies. So that collaboration was really, really helpful, along with the collaborative power of working with attendees from last year's cyberevolution event. So working with cybersecurity practitioners, identifying their observations, their worries and concerns, but also opportunities about the future. Our analyst team and advisor team contributed as well, and a working group of CISOs who also brought their observations. I was the one who brought all of these together on paper, but the knowledge is really coming from many sources who are very invested in knowing what to do about this future which is approaching. So with that, the recommendations are recommendations on what to do now to prepare for this future. And they shouldn't all be revolutionary. That would be a bit too much, but they should also challenge us to deal with the uncertainties of the future. So part of this is, first, that CISOs themselves must be advocates for resilience and recovery. This is not something that typically falls under the CISO's job description. This usually sits somewhere else in the organization, but here, for the future that we see approaching, of the not if but when of attacks and breaches, this needs to be a more unified effort within the organization, and the CISO can be a great advocate for that. Next, and perhaps it's boring, but it absolutely should not be left behind, especially since we worry so much about bogeymen like AI or deepfakes or things that are very worrisome and very hard to define. So the recommendation here is: do not neglect basic cyber hygiene. There are unknowns in our future, but there are also a lot of constants.
And so if we forget about those constant, known best practices for our organization, then the game is already lost. Third would be to know the opposition. We touched on this briefly: depending on what happens to the business environment, which is directly impacting your organization, the threat actors may change, maybe dealing with more lone wolves compared to state-sponsored actors, for example. There are of course many different types of threats and motivations behind these threat actors. So knowing your context will help you to know your opposition and to inspect more closely what you are at risk of, what you are a likely target of. And that will of course help with your strategy. Next, the cybersecurity industry must collaborate to bring transparency and security to its supply chains. This is a known weakness in the cybersecurity industry. This is something that we've been talking about for a while, but it's not yet solved. And, yes, the observation from this study is that our environment will become even more complex, including supply chains, and that AI, for all of its benefits or threats, will add complexity. With those two trends, we then heightened the priority of needing transparency and security in supply chains. The stakes are even higher now and will continue to grow. And so this topic really needs attention. The next recommendation, number five, is to accept AI as both a risk and a tool for risk mitigation. It's both sides here. We've talked about this before. It shouldn't be a surprise, but we need to start taking ownership of this and moving forward with our own organizational strategies. How will you manage that? How will you utilize that? Next, number six, is to take a holistic approach to user-centric security. As we talk quite a bit about AI, it tends to overshadow the people behind the security strategies within the organization. They are key, they're central to all of this. And if they're forgotten, you're already lost there.
Right, and actually that is where we as advisors and we as KuppingerCole analysts come into play, because we originate from the topic of identities, of identity and access management, but the role and the importance of identity, and of identity- or user-centric security, which is in the end identity security, is getting more and more important. And this is really something where organizations can still improve. So identity management is not all of cybersecurity. But without identity management, without proper user-centric security, cybersecurity is nothing, because I think that is a core component that organizations need to deal with and understand better. And you've mentioned basic cyber hygiene. We are all really stressed by all these false phishing mails that we have to deal with all the time. But this is cyber hygiene. We are trained to understand what's going on. We are trained to get better at identifying those fakes and different mails. And that is, on the one hand, cyber hygiene. And on the other hand, making sure that users understand their responsibility, apart from all the technology that we can apply. But technology alone will not heal that, just from my experience. But I did not want to interrupt you too much; this holistic approach to user-centric security really speaks to me.
And to add another dimension to that: you mentioned the stress of being aware that there are phishing emails out there, of being responsible when looking at links and communications, attachments, and of course for the cybersecurity practitioners who are out there actively protecting their organizations, that's a huge amount of stress on a few individuals. And part of this holistic approach is to be aware of their mental health, of their stress levels, and really taking care of people. This has to be part of the way that we move forward. Then two more recommendations. The seventh is to make identity security a central part of the organization's security architecture. This is very much a part of why we as KuppingerCole exist. Identity is the core of organizations, and securing this is a huge advantage to organizations. Matthias, you work with customers daily to help them have a future-proof approach to identity security. And the last recommendation is that CISOs need to play a more active part in shaping international and national regulations. Matthias, you already pointed out that a lot of the customers that you work with are concerned about compliance with regulations. And taking an active role here in shaping those can be really advantageous to an organization, especially around the changing threat landscape around AI. Being involved in this process gives you great information, and helps to shape regulations so that you can continue doing business in a way that is not putting up too many barriers that don't need to be there, but still protecting the organization in a way that makes sense.
Absolutely. It's interesting to see that of those eight recommendations that you just presented, the first and the last are focusing on the role of the CISO, starting with the CISO becoming an advocate for resilience and recovery. That was the starting point. So moving away from traditional cybersecurity, where if something goes wrong, you switch it off and then fix it and then start it again, to continuing to provide services over time. I think that is something of big importance, but on the other hand also the CISO as a player in communicating with standards bodies, with regulatory bodies, to make sure that they make their voice heard in these contexts as well. That's quite interesting. So it's really more of a communication approach when it comes to the role of the CISO. And we've discussed that many times, but it's shifting towards a more communicative aspect of the CISO role, right?
And as you pointed out, it's directed inwards towards the organization, but also outwards, communicating with other CISOs, other organizations, working together to influence regulations, to work together on finding solutions for supply chain transparency. There's a big communication role here.
Exactly. And I think you've mentioned that earlier. First of all, the document is published, it's available, and it's a great read. So highly recommended to everybody who is preparing for the next years in cybersecurity. I think there is a lot of good information, of useful information, tangible and actionable information in there that many organizations can just use as is. But you pointed out that the eight recommendations are also playing into what we will do in Frankfurt in December. So it will shape the agenda, right?
Absolutely. cyberevolution will actually dive into these eight different recommendations. That is the material that we'll discuss, bringing in many different experts, CISOs across different industries; our analysts and advisors will be talking on different aspects of these recommendations to help provide more information, more guidance on how to prepare your organizations for the future to come.
So that will be reflected in that agenda. And I think that's an important aspect to look forward to. So if you already prepare for these topics and you join us at cyberevolution, either virtually or in person, we prefer in person, then these can be topics that we can build upon, because this has already been planted into the brains of our readers, of our audience, because I think and I hope, and I'm sure you are of the same opinion, these are important topics to look into apart from the technology that we do all the time. It's not only tech, it's really preparing and doing things right rather than just looking at technologies to the rescue for solving every issue. I think there's much more to do, right?
Absolutely. And it's a conversation to be had. There's so much that we can learn from others who have the same goals as we do: to protect organizations, to do things right instead of doing the cleanup afterwards. There's a lot of value in sharing ideas and insights, and finding ways to collaborate. The event is a great place to do that.
And it's not only an afterwards, it's also during the act of having a breach, having an incident, really making sure that systems keep on running, that customers continue to be served with their services. And that is something that the mindset still has to move to: yes, you have to continue providing the services. So the resilience, the recovery, making sure that there's always a plan B for providing these services. Annie, I really would like to thank you for presenting the results of the document. And I know you said that this is a joint effort of many groups of people, but it's really a great work of compiling all this information into one document. Again, I recommend reading it. Any final recommendations that you would give, apart from reading the document, apart from preparing for cyberevolution? Anything else that you would like to hint at, where people should have a look until we meet in Frankfurt?
I think being really clear about what questions you have. It's very easy to be uneasy about the future, or to be overly optimistic about the future and all the potential that new technologies or new arrangements can have. But when it stays at this really ambiguous level, it's hard to work with. Be clear about your questions, about what you're optimistic about, and start moving those forward, because that's when we can get away from trends, as useful as they are, to something actionable like a recommendation.
Exactly. Thank you very much for wrapping this up. That was a great summary. And I look forward to continuing that discussion, running up to cyberevolution in December, but also just to continuing our work in hopefully making organizations more secure, more resilient. And that would be a good starting point. And of course, to meeting in Frankfurt. Thanks again, Annie, for being my guest today. Thanks for preparing this document and for sharing all the insights in there, and there's much more. So read it.
Absolutely. Thanks for having me Matthias. Thanks for the great conversation and look forward to seeing you in Frankfurt.
Looking forward to it as well; we will talk before. Thank you and bye bye.