Takeaways from ISC2 2024 Security Congress – Las Vegas

It was my first time at this event, and I was struck by how large and diverse a crowd attended. This was clearly not just a group of hackers/technologists. ISC2’s stated goal is to train, certify and bring into the profession 1 million new members from around the globe.
My takeaways from the sessions I saw are:

Growth and Complexity of Cybersecurity Threats
- Criminal Organisations: Attackers are increasingly organised, with ransomware groups reportedly generating over $2 billion in revenue. These groups are also investing in research and development.
- Low-Cost Cyber Attacks: Both state actors and criminals find cyber-attacks cost-effective, with minimal financial investment and few consequences. For example, stolen cyber-attack tools are deployed almost immediately, unlike stolen military plans. State-sponsored cyberattacks rarely lead to significant repercussions, while criminal organisations operate transnationally with little fear of prosecution.

Physical World Impacts of Cyber Attacks
Given the scale of attacks on critical infrastructure, it’s inevitable that attacks begin to go beyond impact on data and start impacting the “real” world. The session that brought this home for me was one by Christian Dameff, a professor and an emergency medical doctor. He focused on the United Healthcare incident and ransomware:
- Some companies went out of business: The United attack on payment systems caused a cash flow crisis across the whole industry, forcing some healthcare providers to shut down. It was caused by a data processor whom even Dameff did not know was involved in the supply chain.
- Ransomware attacks on hospitals affect patient outcomes: More dramatically, a study by Dameff revealed that out-of-hospital cardiac arrest (OHCA) intervention success rates dropped drastically (from 40% to 4.5%) when patients were diverted to his hospital due to a ransomware attack nearby.

AI’s Role in Cybersecurity
You can’t attend a conference these days without a focus on AI. The use of AI in defending against attacks is long-standing, as is attackers’ use of AI for deepfakes and code automation. Newer to me at this conference was the governance challenge AI is posing for data integrity and confidentiality within enterprises.
- It’s Shadow IT on steroids according to one presenter. All business users are experimenting, often on tools and LLMs of which IT governance has no knowledge.
- The danger to both confidentiality and integrity is real with many of the LLMs. Users rarely pay attention to how their data will be used, stored, resold…
- Governance professionals see a long road ahead in educating users on the risks and opportunities around AI.

Corporate Responsibility and Posture to Take
- Regulation around the world is raising expectations on disclosures and on the need to demonstrate a well-structured cyber security program.
- There is growing pressure not to pay ransomware, although it’s still the case that both insurance companies and enterprises default to paying.
- Enterprise boards and senior management need to revisit their policies on transparency and seriously work on resiliency as most still believe it’s a matter of when, not if, enterprises will suffer serious cyber security incidents.