16 CIS Experts Cybersecurity Predictions for 2024

The popularization of ChatGPT and other large language models (LLMs)...geopolitical concerns surrounding social media...greater specialization in cybercrime...these developments created new risks for organizations like yours in 2023. In doing so, they shifted the conversation around your cybersecurity priorities going forward.

There's so much change in the cybersecurity field to decipher. Where do you focus your efforts?

To put next year into context, we spoke to more than a dozen experts at the Center for Internet Security, Inc., (CIS®) about their cybersecurity predictions for 2024. Here's what they had to say.

Marci Andino | Sr. Director of EI-ISAC

Cyber threats will include many tactics used in previous election cycles and in other industries, including phishing attempts, distributed denial-of-service (DDoS) attacks, scanning of public-facing sites, exploitation of known and new vulnerabilities, alleged voter registration data leaks, and ransomware. In 2024, election officials can expect cyber threat actors (CTAs) to take advantage of generative Artificial Intelligence (AI) technologies to improve phishing attempts and campaigns targeting U.S. elections.

Election officials, including poll workers, can also expect an increase in physical threats.

Sean Atkinson | CISO

AI and ChatGPT: ChatGPT and other advanced language models are poised to significantly impact cybersecurity in 2024. While offering immense potential for improved threat detection, response, and personalized training, their deployment necessitates careful attention to potential risks, including adversarial AI, exploited vulnerabilities, and misinformation. Implementing robust security protocols, embracing a human-in-the-loop approach, and continuously monitoring and evaluating AI systems will be crucial for mitigating these risks and harnessing the power of AI for a more secure future.

Quantum Threats on the Horizon: While the full potential of quantum computing is still a few years away, the need for organizations to assess potential risks is now primed for introductory discussions. Efforts are underway to develop both quantum-resistant technologies and deployable architectures. A clear focus on building quantum resistance is expected to gain significant traction in 2024.

Rising Tides of Hacktivism: The events of 2023 suggest a potential increase in hacktivism, particularly during major global events like the 2024 Paris Olympics. Additionally, global conflicts and the U.S. Presidential Election could present further opportunities for such activity.

Deja Vu? Same Attacks, Same Success: Unfortunately, 2024 is likely to see a continuation of successful attacks against organizations using familiar tactics. Despite numerous case studies highlighting past vulnerabilities, many organizations are failing to implement lessons learned and provide adequate user training. Social engineering, password reuse, and lack of multi-factor authentication (MFA) remain common weaknesses, fueling cybercrime in the coming year.

Jared Dearing | Sr. Director of Elections Best Practices

The cybersecurity insurance market for election system vendors is facing significant challenges. A drastic increase in costs associated with cybersecurity, coupled with a decrease in overall coverage over the past four years, presents significant risks for managing election critical infrastructure. Vendors, particularly those under multi-year contracts requiring cybersecurity insurance, are at risk of serious operational and legal complications if they fail to maintain coverage, which is becoming increasingly difficult to obtain given the heightened risk associated with elections critical infrastructure. Additionally, the demand for detailed information by insurers, such as system architecture and security controls, creates potential 'honeypots' of sensitive data, further increasing the risk surface for this already challenged ecosystem. These escalating costs and requirements not only strain election vendors but also foreshadow potential future challenges for the broader IT community, especially for vendors serving U.S. State, Local, Tribal, and Territorial (SLTT) entities.

Curt Dukes | EVP & GM of SBPA Group

Focus on the Human Element When It Comes to Cybersecurity: New technology brings new risks and new attack vectors, and many of them target users. Adversaries target the fact that the user typically makes bad choices when it comes to cybersecurity – for example, the user acting on a "phishing" or "smishing" lure.

User awareness training only goes so far. Use technology that focuses on the basics, patching, configuring, and monitoring.

Jason Emery | Director of the Cybersecurity Advisory Services Program

AI Security Tools: Machine learning (ML) and AI have rapidly brought massive changes to many sectors in the SLTT community. This has brought many challenges, as well. I believe there will or should be a significant focus put on proactive defensive tools based on ML/AI. Adversaries have been very successful in ramping up the offensive use of these technologies, and without investments in technology to counter these threats, I fear defenders will be at a distinct disadvantage. These technologies will be used to react to rapid malware development, deepfakes, privacy concerns, and advanced social engineering.

Workforce Development with AI: Most SLTTs around the nation are struggling with an inability to attract and retain skilled cybersecurity professionals. This can be somewhat offset by the use of traditional automation with things like Security Orchestration, Automation, and Response (SOAR). I believe AI tools can add additional force-multiplying capabilities to traditional automation tools, even to the point of the AI tool actively managing the SOAR. This technology, if affordable, could offer the SLTT community a path to sustainable cybersecurity programs. As these tools improve and learn in a specific environment, they take on more and more of the daily tasks, thereby leaving the limited human resources for the things that still need independent thought. I think this is especially important when look at typical blue team tasks like vulnerability management, incident response, and network defense. Improving the power of AI tools not only benefits the cybersecurity folks but empowers IT operations professionals to take on more cyber functions, especially in organizations that cannot afford dedicated cybersecurity staff.

Don Freeley | VP of IT Services

AI Enhancements Drive Authenticity Concerns: AI is developing at a pace where it is becoming increasingly difficult to distinguish real content from AI-generated. This will drive an increase in social engineering and disinformation campaigns, leading to distrust in un-verified content and creating a need for mechanisms where producers and consumers can validate authenticity.

Ransomware Attacks Grow Significantly: Ransomware attacks will become more common and easier for threat actors to launch. This increase will result in a greater impacts on organizations of all sizes. Ransomware defense, remediation, and recovery plans should be on every business leader’s radar.

Privacy and Personal Information Protections Concerns Rise: Individuals and institutions will become more protective of their personal and privacy data. Users will want more control over how information is shared and stored. More governmental agencies will move towards requiring companies to adopt more European-style (GDPR) data protections. This may result in privacy laws that vary state by state.

James Globe | VP of Strategic Cybersecurity Capabilities

Continued Cybersecurity Workforce Challenges for Public Sector Organizations: According to Cyberseek.org, there are over 572,392 available cybersecurity jobs. My prediction is that the gap between available skilled and experienced cybersecurity and information technology talent and unfilled cybersecurity positions will continue to increase in particular for public sector organizations that struggle to recruit, hire, and retain needed technically skilled cybersecurity talent.  For public sector organizations, the hiring challenge is magnified due to a lack of available personnel to generate skills-based detailed job descriptions for their open positions as well as legacy government-based pay grades that have not remained competitive for the current cyber talent recruitment environment.

Cyber Defense-in-Depth Challenges for Small- and Medium-Sized Organizations: Small- and medium-sized organizations that require their skilled workforce of engineers, network administrators, IT system administrators, and cybersecurity analysts to wear multiple hats (roles) are just too busy to fully implement a comprehensive defense-in-depth strategy that includes network segmentation, multi-factor authentication with zero-trust concepts, incident response procedures, disaster recovery policies and procedures, as well as a hybrid perimeter defense strategy to support virtual (in the cloud) and on-premises IT environments. Their IT management struggles and cyber defense strategy are further complicated when you introduce the fact that some of their systems are managed by a managed service provider (MSP). Therefore, they rely on webinars, sales engineers, or even better yet vendors' websites to determine what they can afford to implement in order to avoid the next major cyber attack. These organizations need help with IT systems assessments against sound frameworks like the CIS Critical Security Controls® (CIS Controls®) as well as help with analyzing the assessment results to determine priorities based on threat intelligence for attacks against their sector. These organizations need the “essentials” guide for cyber defense-in-depth.

The Great Migration of IT Talent from IT Infrastructure Upgrades and Replacement Projects to AI Projects: As public sector organizations start to pilot AI and generative pre-trained transformers (GPTs) as well as utilize public or general purpose large language models for usual suspect brand name vendors, this will pull needed IT and engineering talent from core activities like network segmentation, comprehensive out-of-band system back-up and recovery projects, cloud migration projects, and API security, to assure sensitive and private data are protected from unauthorized access. The sheer promise of scalability and increased citizen support systems from generative AI systems that take milliseconds to find answers to citizens’ questions plus generate a human-friendly response to seemingly complex topics that range from immigration and local criminal/zoning laws to what forms are needed to obtain a firearms license, will “pressure” governors, mayors, CISOs, and CIOs to divert skilled talent from needed cyber defense and other cybersecurity projects. This will impact these organizations' ability to defend against next-generation AI-based phishing and fraud-motivated attacks. The attention to AI projects will inevitably cause public sector organizations' attack vectors to widen, their risks of data breaches affecting sensitive and private information to grow, as well as public services not being available due to next-generation denial-of-service attacks that more efficiently exploit unsecure network services and misconfigurations.

Stephen Jensen | Sr. Director of Plans, Programs, and Exercises

AI Integration into Operations – Race to Adopt Increases Risk Exposure: 2023 was the year AI became truly accessible to most organizations. 2024 is the year those same organizations will need to get AI integrated into everyday use. As more organizations identify possible uses in their daily operations, security leaders will need to become knowledgeable about frameworks, such as the NIST Artificial Intelligence Risk Management Framework (AI-RMF), that can help them identify and evaluate risks of AI to their operations. Security leaders will be working hard in 2024 to prevent proprietary data from being fed into public AI engines. AI will become specifically relevant to security analysts working on malware analysis as more tools become available for assessing malicious code. The race to adopt AI-based tooling will also open organizations up to unexpected risk. To avoid falling behind, many organizations will purchase AI-based tooling that they don’t fully understand. Developed cyber hygiene, robust controls, and thorough evaluation mechanisms will be required to limit this unintentional risk exposure.

Angelo Marcotullio | CIO

2024 will continue to see the migration of on-premises applications to cloud-hosted Software as a Service (SaaS) environments. While there are many benefits to implementing applications using SaaS, it also presents unique challenges. Two challenges that information technology and information security departments face is managing the lifecycle of user accounts and data security. Traditional methods of managing user accounts often don’t work in a SaaS environment. This makes it difficult to track staff leaving the company or changing roles. This difficulty may expose application access to departed employees. Some SaaS environments have complex terms around third-party access to their environments. This may expose your data to entities of which you are not aware. SaaS environments require extra attention regarding user access and data exposure.  

Josh Moulin | SVP & Deputy General Manager of OSS

Ransomware Continues to Evolve: In a significant shift, more ransomware threat actors will report their own attacks to the U.S. Securities and Exchange Commission (SEC) and other regulatory bodies when their victims fail to report the cyber attack. This tactic will be used as a means to pressure organizations into complying with ransom demands under the threat of public disclosure and potential regulatory consequences. This development will necessitate a reevaluation of incident response strategies, with an increased focus on transparency and legal compliance.

Rise of Deepfakes and AI in Social Engineering Attacks: The use of deepfakes and AI-generated content in phishing and social engineering attacks will to rise sharply. These sophisticated techniques will make scams more convincing and harder to detect, as attackers will create highly realistic video and audio content to impersonate trusted individuals or fabricate scenarios. This trend will challenge existing cybersecurity measures, pushing for advanced detection tools and heightened awareness training among users to identify and combat these more nuanced threats.

Lee Myers | Director of the SOC

Targeting of Cloud Service Providers: Most organizations, including federal and local governments, have moved at least some architecture to the cloud. Even as the push for sustained remote work has decreased in 2023, the business world has adapted to more and more cloud-native services. With so much infrastructure relying on the uptime of the systems provided by a handful of cloud service providers (CSP), these providers become juicy targets for cyber threat actors focused on large impact attacks. Even the perception of an attack on a CSP has wide-ranging consequences, and outages due to misconfigurations or other IT-centric issues that have nothing to do with a cyber attack can lead to panic and mistrust. As a result, some cyber threat actors may claim responsibility to gain notoriety or sow discord in target communities.

Move Toward Automated Prevention of Threats: The development of technology continues to outpace the speed of adoption. To help address rapidly evolving threats, many organizations are likely to refocus their security efforts on tools and capabilities that leverage automated processes to detect, prevent, or mitigate cyber threats in real time. High confidence heuristics and machine learning based off baselines of known good activity allow machine-speed reactions, effectively removing the human element for initial triage. In an increasingly hostile cyber environment of continuous and rapid attack code evolution, the organization that can respond quickly has a much higher chance to limit the potential impact to operations. In preparation to deploy more automation, organizations will likely need to implement more control over applications and take a more proactive role in restricting unauthorized applications and services to run in their environments.

Anthony Perez | VP of Engineering & Product Management

I believe secure by design will become a new mantra for the private sector in 2024. Given the new SEC rules and the additional scrutiny around cybersecurity incidents, companies will now begin implementing security best practices from the start rather than in response to an incident.

I can see engineering teams incorporating vulnerability scans into their development pipelines as well as better governance of cloud environments.

Randy Rose | VP of Security Operations & Intelligence

Cybersecurity Sustainability: There are many natural overlaps between the cybersecurity domain and most other areas of life, particularly regarding critical infrastructure and services. Future growth in cybersecurity will be dependent on aligning with global sustainability goals including environmental sustainability, inclusive and equitable cyber education, deliberately recruiting neurodivergent talent, protecting sustainable communities, promoting responsible consumption, and building resilient infrastructure. The cybersecurity community is largely comprised of brilliant problem solvers with a desire to make the world a little better than they found it. Like open-source software development and consensus-based best practices, the cybersecurity community will come together to help solve some of the toughest problems facing humanity today.

Improved Social Engineering Attacks At Scale: Cyber threat actors have rapidly adopted generative AI and LLMs that will allow them to create more tailored and convincing social engineering attacks, such as customized and personal phishing emails, text messages, and business email compromise (BEC) injects. Generative AI for voice and video may also begin to be used against victims to take attacks to a whole new level. In 2023, the evolution of deepfakes led to celebrities and world leaders finding their likenesses and voices used in political propaganda and humorous memes alike. 2024 and beyond could see the same for any person with enough content on the internet for an AI engine to adapt and mirror. Gram scams and other cybercriminal attacks against individuals will likely include some form of generative AI in 2024. The same can be said for more sophisticated attacks at scale against governments and corporations. In addition, it will become harder to discern information operations due to increasingly convincing AI-based inputs. On a positive note, defenders and service providers will likely look to the same technology for detecting deepfakes and similar attacks. Regardless of whether you’re comfortable with using AI today, you may soon be carrying around a powerful AI-based security tool in your pocket.

Tony Sager | SVP & Chief Evangelist

Never Underestimate the Power of Cheap and Easy (AI): It wouldn’t be a cyber thought piece without mentioning AI and ChatGPT.“AI” was always going to change the world in the very near future – every year for the last few decades. But access to low-/no-cost generative AI, and its easy accessibility to the tech public, has taken the world by storm. Countless people are playing, experimenting, learning, and so drawing interest, investment, new vendors, and new opportunities. In the near future, AI will be a near-instant “amplifier” of things we already know and do, for good or bad. And we think that great opportunities for cyber defense are within reach – especially for the incredible amounts of tedious, human-draining data gathering, correlation, and management required for cyber defense today. The mid- and longer-term implications are still being debated and understood – and will inevitably be tied into the way we manage cyber “trust” as a dynamic, context-sensitive, negotiable property of technology.

Intersection of Cyber, Public Policy, and Economics: This had been building up over the last few years – the “mainstreaming” of cyber issues into the broader domain of corporate risk management. Over the years, there’s been an ongoing debate about making cyber actions mandatory vs. voluntary, with the pendulum shifting in the current administration towards mandatory action. But there’s also a lot of momentum, especially among state governments, to incentivize (often through some sort of “safe harbor” provision) the improvement of cyber defense. Because of our ongoing relationship with state and local governments, we’re part of this trend, and we see an upward swing in legislative and regulatory action.

Activism and Cooperation by the U.S. Government: We’re seeing a rising activism by the usual players in the U.S. government. What’s different is the shift towards more visible and direct action (e.g., The Joint Cyber Defense Collaborative, national leadership in major incident response, the Cyber Safety Review Board) and more organized enterprise-level action (e.g., USG and DoD zero trust initiatives, regulatory harmonization). And this includes more joint, multi-agency bulletins, advisories, and guidance. These are healthy signs of recognition that we must face cyber problems as a national imperative with coordinated local action. 

TJ Sayers | Director of Intelligence & Incident Response

Ransomware Upward Trend Continues – A New Extortionware Era Emerges: Ransomware attacks have increased year over year for the last several years, and there is no denying that this trend will continue in 2024. Cyber threat actors have built infrastructure and competitive business models to support sustained efforts to compromise and infect systems worldwide with increasingly sophisticated capabilities. New variants and new evolutions of older variants are expected in 2024, and we are likely to see increased targeting of critical systems, such as industrial technology, transportation, and safety systems. 2024 will also likely see a new “extortionware” era fully emerge, which entails classic ransomware deployments and newer encryption-less ransom campaigns that abstain from deploying ransomware to solely steal data and threaten to post it online lest a ransom is paid.

Blurred Lines – Geopolitical Events Fueling Conflation Among Traditionally Distinct Actors: The lines between state actors, cyber criminals, and hacktivists will get less and less distinct in 2024 and beyond, making it more difficult to successfully attribute attacks and associated motivations. Groups without a formal affiliation with foreign states will likely increase attacks on businesses, government organizations, and critical infrastructure in geopolitical solidarity with their own ideology or an allied country. Shadow operations conducted by or through non-state groups will also likely increase, particularly regarding election interference in the United States and other western democracies. Local government organizations in the United States should be prepared to be caught in the crossfire as geopolitical events increasingly drive blurred cyber-enabled activity. Furthermore, the lines between traditional cyber operations, cyber-physical operations (cyber attacks with real-world impacts, such as disabling traffic lights or turning off water sanitation safety systems), influence operations, and threat of violence carried out over cyberspace will also become blurred. The same groups that historically conduct only one type of attack, such as ransomware, will likely become involved in other attack types that shift into new territory, such as targeting operational technology, spreading disinformation, or harassing elections officials in the lead up to a major election. These changing tactics are often more prevalent during periods of high geopolitical tension and global conflict, such as the current wars in Ukraine and the Middle East, and are often intended to disrupt the way of life and decrease public confidence in Western governments. An unfortunate outcome of these threats is that organizational spending combatting information operations will likely be higher in 2024 than any year in history.

Karen Sorady | VP of MS-ISAC Strategy & Plans

Increased Adoption of “Whole of State” Strategies and Solutions: Spurred at least in part by the State and Local Cybersecurity Grant Program, we’ll see continued adoption of whole of state strategies that encompass governments at all levels. The cyber threat landscape for our nation’s governments will continue to be vast and ever-evolving with potential impacts to our way of life. The threat will not discriminate based on size or jurisdiction. The increased collaboration between state, local, tribal governments, and educational entities, as well as amongst states, around cyber defense solutions will increase the baseline of cybersecurity maturity across the nation, bring new perspectives to create innovative solutions, and address some of the concerns governments have with the cyber workforce shortage. States will increasingly broker and administer centralized cyber services/solutions for other levels of government, taking some of the burden off the “cyber underserved” and realizing economies in scale that would otherwise by unachievable to them. Trust will continue to build as collaboration increases and benefits are realized.

Need for Focus on Burnout Among Cyber Professionals as well as Workforce Shortages: Burnout and mental health will continue to be a concern for SLTT cyber professionals in the face of ever-increasing sophisticated threats and emerging technologies, unrealistic expectations, and the weight of responsibility to address years of inattention to cybersecurity. State CISOs, in particular, will increasingly face expanded reach and responsibility with the adoption of whole of state without a corresponding increase in resources. The effects of burnout – feeling disengaged and overwhelmed – will pose a real threat to the security of our networks as skilled professionals leave their employment, or the field altogether, in response to these negative impacts, often taking years of experience and expertise with them. These losses will be particularly acute in an industry and sector that is consistently unable to meet the demand for skilled staff. For those who choose to remain, the organization still faces risk in terms of mistakes made and decreased productivity, which are commonly experienced with burnout and which may jeopardize security. Organizations will need to develop strategies to reduce burnout, including the use of AI support, staffing and resourcing appropriate to workload, wellness programs, and setting realistic expectations for cyber roles.

In addition to combating burnout, new and innovative ideas will be necessary to address the continued workforce shortage. More SLTT organizations will eliminate degree requirements in favor of experience and/or softer skills (problem solving, critical thinking, communication, etc.) Technical skills in cyber can often be learned on the job. Additional creative solutions, which are already being seen, will include flexible and remote work arrangements, tapping non-traditional applicants, collaborating with higher education on internship and training programs, and more competitive compensation and benefits packages.

A Glimpse of the Evolving Cybersecurity Landscape

The predictions above are what stand out to us. They're not all-inclusive of everything that's changing in cybersecurity. If you think we missed something, let us know on Twitter, LinkedIn, or Facebook.

Wondering if our previous predictions came true?