Predicting the five security trends that will impact Canadian organizations in 2024
By David Senf, National Cybersecurity Strategist (former Research Vice President at IDC)
As we celebrate another year, I can’t help but dust off my crystal ball to unveil my top security predictions for 2024. I’ve authored numerous annual prediction and forecast reports, and I always look forward to preparing perspectives for the year ahead.
This year, I’m going to lean on the latest edition of the Bell Security Outcomes Study (BSOS). The study revealed a number of surprising findings that will help shape future security strategies of Canadian organizations.
My focus here is primarily on end-user organizations, rather than trends directly involving threat actors and the cybersecurity industry. That being said, I do have a few thoughts to share on these specific topics before we turn the focus to organizations:
- Threat actor activity. Largely fueled by advancements in generative AI and improved automation, 2024 sees threat actors poised to escalate their operations significantly, compared to 2023. This escalation is notable not just in scale, but also intensity – continuing the aggressive behaviour observed in 2023. Moreover, the noisy nature of threat groups such as ALPHV / UNC4466 will further embolden copycats. We’ll most likely see little innovation around initial access or anywhere else along the attack chain – merely a lot more of the same.
- Security industry dynamics. Surprisingly, despite much lower security vendor valuations in 2023, the cybersecurity industry did not witness as many acquisitions as anticipated. However, there will likely be an accelerated pace of consolidation in 2024 as large vendors, private equity and venture capital put more capital into play. If we use start-up activity as a guide to market direction, we can see there are many new entrants focussing on “everything posture management,” securing GenAI and data security. Moreover, there is a decided move towards integrated platforms fostering a “winner-take-all” push in the industry as discussed below.
Now let’s dive into my five top trends for 2024.
The rest of the cloud security iceberg surfaces
In 2023, cloud-native workloads and the use of advanced PaaS/IaaS capabilities claimed the cloud security spotlight. Cloud security posture management (CSPM) and (to some extent) cloud workload protection platform (CWPP) took centre stage. However, in 2024 these solutions could be upstaged by SaaS security posture management (SSPM) and data security posture management (DSPM).
Organizations are realizing that, although cloud-native platform security is critical, it is the tip of the proverbial iceberg. There is a considerable amount of additional exposure from misconfigurations and overprovisioned access in SaaS. SSPM is still evolving with a number of smaller vendors, so expect a fair amount of consolidation through 2024/2025.
Whether it’s an uptick in CSPM, SSPM or secure access to the cloud through SASE, expect a surge in cloud security activity in 2024. This is because Canadian organizations are likely to cross a major milestone in cloud adoption in 2024 as data storage in the cloud surpasses 50%. Our BSOS research indicates that, on average, 42% of an organization’s data is in the cloud today – and that number is expected to balloon to 59% in two years.
Data security renaissance
In the late 2000s and through the 2010s, data loss prevention (DLP) initiatives sprouted up in large, typically regulated organizations – and the results were often met with varying degrees of disappointment. Data security has remained somewhat elusive. Instead, organization have relied on layers of controls around data, in addition to encryption and various masking techniques. However, as data security technology and practices advance, there is renewed focus heading into 2024. Moreover, generative AI proliferation for myriad business use cases opens new calls for tighter security guardrails around sensitive data. And of course, regulatory compliance is a prime motivator for security spend in Canada, with increased scrutiny on data security on the way.
In fact, our BSOS research shows that data security now ranks as the second-highest attack surface priority for 2024, trailing only cloud security. Discovery, classification and protection of data is becoming increasingly automated, with AI capabilities and API integration to track the flow of data, particularly in the cloud with some on-premises reach. Similar to my comments on SSPM, DSPM solutions are maturing rapidly, and I expect more acquisitions here (there were a few in 2023 already).
Integration overtakes curation for security deployments
Rapidly changing threats and attack surfaces once prompted procurement of point solutions aimed at addressing a particular hole in the organization’s defence. This led to an industry characterized by fragmented markets, one where each vendor represented no more than a single digit percentage share. As our industry matures, however, bigger platform players are emerging from their initial base in hardware, software and cloud, with contenders including Palo Alto Networks, Microsoft, Cisco (plus Splunk in 2024), Fortinet, and others. In turn, organizations are starting to place longer-term bets on their go-to all-in-one vendor as the heart of their security practice.
A more holistic platform is good news (despite potential consequences of vendor lock-in) because security operations simply can’t be effective in the absence of greater integration – particularly given increased threat actor activity and the sheer breadth of points of initial access. Comprehensive coverage by a single platform means more data inputs, which in turn means better context to enable more accurate detection, analysis, and the ability to respond faster to true positives.
In the security outcomes research, we analyzed the results of organizations that outperformed their peers – the data showed that migrating to a platform-first strategy has a significant positive impact. Integration of security capabilities enables broader visibility of and faster reaction times to an incident. Organizations appear to be adopting integrated platforms first for cloud workloads, but usage is quickly expanding across multiple attack surfaces / use cases.
GenAI joins the security team in key roles
Generative AI is set to enhance the capabilities of security teams in a number of ways. This includes adding context to threat intelligence, analyzing attack patterns, aiding report writing, as well as a light form of integration by generating scripts / querying across solutions. The year 2024 is expected to see giant improvement in GenAI following the trends of 2022 and 2023. OpenAI’s GPT-5 (and equivalent LLMs from Anthropic, Google, Meta and others) promises a number of large improvements including multi-step reasoning, math capabilities, and far better accuracy.
Applied to security: consider employee security training and simulations being far more personalized – akin to a proactive coach that builds on competency levels. Also, consider contextually aware orchestration that can sequence and prioritize actions based on deeper analysis.
I’d be remiss if I didn’t mention one obvious downside: in addition to GenAI helping threat actors, it creates a lot of work for security and privacy professionals to ensure that employee input into the models and the output that they receive back is secure and meets company data, application, legal and ethical policies.
Our 2023 security research showed significant interest and use of AI and its sub-domain of GenAI. In fact, 12% of organizations in Canada already use GenAI in security operations, while an additional 77% are experimenting with or considering its use. Furthermore, organizations are ramping up their AI skills: security leaders reported AI capabilities as the third most-sought-after skill set. This does not necessarily mean that new team members need to know their ‘neural networks’ from their ‘random forests,’ but they should still be aware of where and how AI makes a difference, and where its limitations lie.
Continued emphasis on compliance obligations
It seems like every month introduces new Canadian, US, European, or other international legislation, national strategies, executive orders, rulings, and industry regulations – all affecting security, privacy, governance and AI’s impact on these domains.
Continuing this trend in 2024, there will be important updates to prepare for. I’ll cite just a few here: PCI DSS 4.0 takes effect on March 31, 2024, and the countdown begins to mandatory compliance in precisely one year. Quebec’s Law 25 (Bill 64) is already in effect – ahead of the federal privacy legislation as of fall 2023. Continue to watch Canada’s Bill C-27 evolve through 2024; it extends consumer privacy, data protection, and now also AI requirements. The AI requirements of this law will likely target a foundation model providers and other major players in the AI ecosystem, as opposed to the average Canadian organization. That being said, there are other jurisdictional restrictions on using AI to improperly profile consumers. Canada Bill C-26 concerning cybersecurity of critical infrastructure across telecommunications, transportation, energy and finance industries will continue to evolve and could pass into law in 2024.
Our BSOS research underscores how significant good governance is for achieving successful security outcomes, which far outweighs any technology. When it comes to security outcomes, organizations adept at translating compliance requirements and business objectives far surpass their peers. They begin with governance, embed the results in policy, and then enforce policy through the technology layers. Many organizations that I speak with start with technology-focussed discussions; it should be the other way around.
Some concluding thoughts
There were a number of security predictions that didn’t make the cut, such as third-party risk management, changing perspectives on employee security awareness, OT security, and recent updates on the quantum threat. Also, there are wildcards in 2024 that could constrain or actually accelerate these predictions, including unexpected trends in macroeconomic conditions, geopolitical events, the US presidential election, and other surprises. And with billions of dollars of new investment pouring into AI at all levels of the technology stack, 2023’s number one game-changer may repeat as the most significant development in 2024.
I am available to provide further detail on these predictions and offer insights from the Canadian security study that I reference throughout this report. Connect with me on LinkedIn and share your thoughts.