An InfoSec professional, Cary Vidal has years of experience behind him when it comes to data privacy. Passionate about protecting organisations from cyber threats, he has held positions at Zego, Rated People, and SEGA.
We caught up with Cary to ask him some important questions about the current threat landscape and what we should be looking out for in 2024.
Here’s what he had to say.
Cyber-attacks are becoming more sophisticated, particularly with the increased use of Artificial Intelligence (AI) and Machine Learning (ML). There has always been an ongoing battle between attackers and defenders, but with the availability of more advanced tools and automation, it takes less skill and effort to perform the same attacks that were previously reserved for experts.
Additionally, when we think of "AI" or any technology that rapidly gains widespread adoption, data loss is probable just from our interactions. As product/service providers rush to innovate and "AI everything", we depend on them to take the necessary steps to ensure data security. To be clear, I'm not against this approach necessarily, as context is key, but the risk exists, and we should be aware of it.
I don't generally think about specific tools, but more the type of tool, what problems it intends to solve and the associated risks. Tools are forever evolving and changing, so focusing on one tool can be counterproductive. That being said, Identity Access Management (IAM) SaaS tools are particularly tasty targets, as seen recently with Okta. Continuous Integration and Continuous Deployment (CI/CD) and IAM tools have always been attractive, but the risk-reward ratio changes as we outsource them more to third parties.
In my humble opinion, we probably haven't nailed GDPR completely. Regardless of the framework or regulation, the trend is towards giving consumers more rights over their data. Generally, we do our best to get it right, but usually, that comes with the question of how we can effectively leverage data for the business, and if those things come into conflict, one side usually wins out.
This goes back to my answer to question one. Security leaders must be aware of evolving threats and trends to protect their organisations effectively, particularly the increasing sophistication of cyberattacks and the growing use of AI. But also, don't underestimate the power of the basics done well.
I'm an enthusiast of shaping culture when securing an organisation. Having the appropriate security culture in an organisation is the best complementary tool you can use to secure an organisation. If you can get your employees to be genuinely curious about good security and the impact it can have on them, as individuals as well as the organisation, they are less likely to take software tools for granted and more likely to be able to see where there are gaps and potential failures in security.