Cyber-security: compliance and beyond

Sabeen Malik at Rapid7 navigates the emerging technologies and regulations in cyber-security

It’s been a turbulent time for IT leaders who find themselves constantly at the mercy of evolving expectations. They face the challenge of keeping up with regulatory changes stemming from the rapid advancements in artificial intelligence (AI), machine learning (ML), Internet of Things (IoT), and other emerging technologies, as well as managing their own knowledge and concerns surrounding these technologies’ security and privacy risks. 

At the same time, a vast underground network supports cyber-criminals as they continuously craft a range of threats against the emerging technologies businesses are adopting. The additional complication, however, is that cyber-criminals are now leveraging AI as a part of their attacks. This necessitates a vigilant and informed approach focusing on emerging attack capabilities and advanced persistent threats that pose significant risks to organisational security.

At Rapid7, we’ve witnessed some recurring patterns in the cyber-security space. Here are some of the top technology and regulatory trends we’re seeing and how they might further take shape as we progress through 2024 and beyond. 

The impact of AI on cyber-security

The surge in Generative AI (GenAI) development has been remarkable, particularly with the increasing mainstream use of large language models (LLMs). OpenAI’s ChatGPT is a prime example that has catapulted AI into widespread attention.

Consequently, many security vendors are now integrating GenAI/ML into their solutions to stay competitive. This advancement represents a significant leap in the data and AI sector, yet it also presents a challenge. Attackers are now exploiting AI technologies for sophisticated cyber-attacks. They benefit from readily available AI-generated malware and employ GenAI for more convincing social engineering and phishing attempts, elevating the threat landscape.

Therefore, organisations need to worry about ‘when’ an attack takes place rather than ‘if’ an attack happens, and ensure that they have the right protocols in place. 

It’s unlikely that we will see global GenAI regulation or GenAI attack data any time in the near future, but the types of attacks and the risks associated with those attacks are getting more scrutiny through regulations requiring risk governance and cyber-risk management disclosure and transparency around incidents. Therefore, understanding the true impact of “AI” on cyber-security will be a bit rear-view looking for the near term. 

Cyber-risk disclosure regulations

Businesses now face an increasing number of regulatory requirements for cyber-risk management and incident reporting. Compounding this, the rising threat from GenAI-driven cyber-attacks and ransomware has made the challenge of defining and managing cyber risk more complex. This situation demands that businesses dedicate more time to understanding their risk profile and choosing the right tools and services for risk mitigation.

Leaders are at a crossroads, deciding between focusing on compliance risk mitigation and developing agile cyber-risk management strategies. However, this perceived dilemma could actually be an opportunity to elevate discussions about systemic risks and position the business for success.

Rather than sinking into a game of compliance ’whack-a-mole,’ leaders should invest in strategic approaches to managing cyber-risk. Businesses should also ensure they have visibility into the systems, effective security solutions and are following government regulations around data management.

Government entities and disclosure regulations

Governments are grappling with how to encourage risk management without falling into a pattern of reactive, compliance-driven regulations. The ideal regulatory approach would focus on harmonising best practices and ensuring product security, rather than racing to implement regulations.

For instance, in the United States, the Securities and Exchange Commission mandates that registrants must report significant cyber-security incidents. They must also provide yearly updates on their cyber-security risk management, strategy, and governance. This requirement also extends to foreign private issuers, who are expected to provide similar disclosures.

Similarly, in the EU, the NIS2 directive is designed to bolster the security of network and information systems in the EU. It obliges operators of critical infrastructure and essential services to adopt suitable security protocols and to report any incidents to the appropriate authorities. Furthermore, NIS2 broadens the scope of its security requirements across the EU, implementing stricter measures and sanctions.

The expansion of regulations is positively transforming the cyber-security industry into a more unified framework, enhancing efficiency and resilience against cyber-threats, thus actively shaping a robust future landscape for cyber-security management.

Public-private sector collaboration

Government and private sector entities both play crucial roles in ensuring the security of the society. Hence a collaboration between the two is highly essential and mutually beneficial. A public-private partnership (PPP) refers to a sustained collaboration or agreement involving both public and private sector entities, which has evolved over time across various domains.

Rather than the traditional approach of sharing general threat intelligence, governments and businesses are expected to collaborate more closely. This partnership focuses on sharing specific threat intelligence, pooling resources, and fortifying defences against particular threats. The goal is to evolve from periodic meetings to a more dynamic, real-time sharing framework.

This shift is crucial to respond effectively to the rapidly decreasing time between the initial breach and the deployment of payloads.

The success of such proactive and action-oriented partnerships will largely depend on a culture of open communication and a commitment to sharing information. These enhanced collaborations are anticipated to significantly boost capacity and strengthen cyber-defences across sectors.

The UK’s Industry 100 (i100) programme is a good example of effective PPP. This initiative, led by the National Cyber Security Centre (NCSC), is a collaboration platform that unites public and private experts to tackle emerging security challenges. The initiative fosters a joint effort to stimulate innovative thinking, experiment with new ideas, and deepen understanding of cyber-security issues. 

The rapid advancement in GenAI and the complexities of regulatory requirements highlight the need for businesses to balance compliance with agile cyber-risk management. Enhanced public-private partnerships will become more crucial for sharing specific threat intelligence and resources, so that industry can be moving towards more dynamic and real-time collaboration.

Going forward, the focus will likely be on regulating emerging technologies like synthetic media and managing risks in identity and access management, shaping the future trajectory of cyber-security and its regulatory environment.

Sabeen Malik is VP of Global Government Affairs and Public Policy at Rapid7

Main image courtesy of iStockPhoto.com