Cybersecurity in 2024: Challenges, Actions, and Industry Insights
With 2024 marking yet another year where cybersecurity incidents dominated the media agenda - and with cybersecurity awareness month wrapping up for another year - we sat down with Manoj Bhatt, Founder and Director of cybersecurity consultancy Cyberhash, to discuss this landscape in depth. Named as one of the top 30 leaders in cybersecurity by CSO30, Manoj has spearheaded cybersecurity initiatives for major global brands including Telstra, Accenture and Sopra Steria, as well as serving on the advisory board of ClubCISO. This experience has given Manoj extensive insights into the cybersecurity hurdles businesses face and the challenges for CISOs when communicating with their stakeholders. Manoj is also driven to improve the sector from the inside out, with mental health initiatives and a commitment to drive honesty and transparency throughout the industry.
What are the biggest concerns for CISOs right now?
CISOs need to improve how they deliver cybersecurity messaging at the executive level. This problem is twofold: CISOs need to speak the language of the board, and boards don’t understand the language of the CISOs.
Executive and internal communications are important for CISOs to grasp. By more effectively communicating cybersecurity at a board level, CISOs can defend against cybersecurity budget cuts, reduce the impact of stress on their cybersecurity teams and ensure the entire organisation understands what is needed to protect itself.
Another challenge for CISOs is that they are seen as solely responsible for cybersecurity and it is not recognised as a business-wide function. Cybersecurity can only work when all individuals and departments understand the role they have to play - it cannot be owned and managed by one team.
Finally, CISOs across various sectors, verticals and sizes of organisations have different concerns. Some organisations like local authorities, education and charities struggle with retaining staff and have to provide cybersecurity on a shoestring. Others, like financial services and insurance, experience challenges around new regulations and compliance. Where operational technology is becoming more connected, CISOs are dealing with threats at an operational technology level, and in organisations that might have a large operational technology footprint, this becomes a key challenge for them.
What cybersecurity challenges need more attention?
Some common cybersecurity challenges have existed for several years and continue to be a problem. They are in the “too hard” bucket and are still being ignored. These include areas like management of third parties and third-party assurance. New regulations in financial services such as DORA will place a greater focus on this, but the problem will continue to grow as ecosystems of third, fourth, and sometimes fifth parties continue to become more complex in the integrated society we live in.
In addition, we’re starting to see the merge of cybersecurity and IT roles happening more often, particularly at the small and medium enterprise level. Historically there were tensions between IT and cybersecurity; however, these roles have become more collaborative. But when companies want to make headcount savings they tend to combine these roles, assuming they are the same. This leads to either a cybersecurity person having to take on IT or an IT person having to take on cybersecurity. This merging of roles often means less focus on cybersecurity, especially at the small and medium enterprise level.
I also believe the industry needs to re-focus on cybersecurity resilience. Being pragmatic and ensuring business resilience will direct what cyber initiatives need to be considered, i.e. you can’t patch all systems all the time, so you should select the most critical systems that are vulnerable and patch them. Others that are non-critical could be considered “nice to have.”
Finally, I would like to see more support for our cybersecurity staff to keep them in the industry or encourage talent to join - communications has a key role to play here. We need to increase the range and breadth of individuals working in cybersecurity and ensure that we foster an industry culture that retains them. Many CISOs are already trying to change the makeup of the industry but it's an area that needs continued action to ensure diversity across neurodivergence, gender and age, ethnic and economic backgrounds.
Given how many cybersecurity stories dominate the headlines, do you think we still need a cybersecurity awareness month?
An awareness month is a great way to build on what happens naturally throughout the year but on its own it means nothing. It has to be partnered with action. I think the security stories in the headlines have the opposite effect. People are becoming desensitised: “Oh well, another data breach,” is typically what people say.
Security awareness should be a cultural transformation. We need to make it relevant and personal. People need to experience how it could happen to them. This means demonstrating to them how it could impact their day-to-day life - the adage “just show me, don’t tell me” is a powerful communication tool in this context.
The rise of deepfakes and internet scams is more likely to raise awareness about the dangers of not protecting yourself online, but we also have a social responsibility to educate people during cybersecurity awareness month on topics that they might not have considered. We want people to be passionate about cybersecurity and educate them on how to keep themselves and their children safe online by sharing tools they can use to protect their families.
Do you think there's too much FUD (Fear, Uncertainty and Doubt) in cybersecurity reporting?
Security vendors are often the ones peddling FUD as a sales and marketing tactic - sometimes under the guise of creating a “teachable moment”. But it has negative consequences - people are put on the defensive, shy away from support, and can feel ashamed or hopeless. I would like to see this line of messaging stop, as it has implications for how organisations approach cybersecurity incident reporting. It should be noted that there are a number of vendors which provide really good and honest insights, but are tarred with the same brush as those that peddle FUD.
We should encourage companies to report and support their staff through the process so that they are more likely to come forward. The challenge is that we have two types of organisations: those that actively report and those that fear reporting.
There have to be consequences for companies not reporting cybersecurity incidents, with authorities taking action against negligent companies. Historically companies have not feared organisations such as the ICO because they have not followed through with action. If they do and make examples of companies, regulation will be taken more seriously.
Finally, I think that regulators and authoritative bodies have a role to play in feeding back the information they receive. For instance, if the ICO, FCA or another regulator obtains information about reported cyber incidents, this should be shared back with the market. If companies feel they are anonymously contributing to the good of the nation or industry, they will be more inclined to actively report.