Trends in Security and Compliance: Five Takeaways From Infosecurity Europe 2024
Every year, the cybersecurity industry comes together at Europe’s largest industry event: Infosecurity Europe. The scale of the show—at London’s cavernous ExCeL exhibition and conference centre—is a testament to the sector’s strength. Over 14,000 people made the trip to London’s Docklands, where hundreds of security vendors exhibited their latest tech.
Cyber is an increasingly important part of a fast-growing UK tech sector worth an estimated $1 trillion (£790bn). The government estimates that around 2,000 companies listed in the country sell cybersecurity products and services, generating more than £10.5bn for the UK economy and employing over 58,000 staff.
But Infosecurity Europe isn’t just about hunting down the latest tech. Its conference programme offers a great chance to hear from some of the industry’s leading figures, CISOs, and compliance professionals. With that in mind, here are our top takeaways from this year’s show:
Finding And Retaining Cyber Talent Is Still A Challenge
The cybersecurity workforce gap currently stands at four million globally, with UK employers short of an estimated 73,000 workers, a 29% annual increase. Compliance professionals are also spread too thin in many organisations. Panellists at the show argued that organisations should cast their net wider in the search for candidates, including adjacent roles like the IT helpdesk. Even organisations without the resources of deep-pocketed rivals can appeal to talent by focusing on career progression and flexible working benefits, they claimed.
They said that retention is just as necessary, which is where it pays to find the right mix of remuneration, work-life balance and development opportunities. In a separate discussion, the University of Manchester CISO, Heather Lowrie, and former Trainline CISO, Munawar Valiji, emphasised the importance of nurturing a tight-knit team to mitigate the risk of burnout. They argued that building a positive culture must come from the top down; for example, CISOs should always be there for emotional and strategic support.
Compliance Is Getting Tougher
Ropes & Gray partner Rohan Massey shared his years of expertise as a data protection lawyer, warning that the regulatory compliance landscape is only getting more complex. For example, there are currently 104 existing or pending pieces of EU legislation related to cybersecurity, none of which define “cyber” in the same terms. The single most important thing to bear in mind when tackling compliance is to understand the principle of “proportionality”, Massey argued. This is how laws apply to your specific organisation in the context of its size, risk profile and the nature, scale and complexity of its services and operations.
Massey’s three-point plan for streamlined compliance focuses on accountability and governance, supply chain risk and risk assessment/management. Fortunately, best practice standards like ISO 27001 can give organisations a fantastic head start. As many regulations are based on shared best practices anyway, complying with one of these frameworks or standards can significantly reduce the workload.
Changing User Behaviours Remains A Critical Endeavour
User error remains one of the key contributors to elevated cyber risk in most businesses. A recent Keepnet study found an alarming number of employees fell for a vishing simulation run by the vendor – many of them in IT roles. That’s bad news for organisations as threat actors are increasingly targeting the helpdesk with fake requests for password resets. At the show, security experts argued that the key to changing user behaviours lies with real-world simulation exercises that try to engage users rather than catch them out. Outreach helps them understand the repercussions of poor security awareness on their organisation.
CISOs at law firm Dentons and Aston Martin Lagonda claimed that close collaboration with the business is essential—explaining why and how security helps everyone meet their goals. This could range from explaining how cyber can help win new business to adding value to the design process and, therefore, driving competitive advantage. The bottom line: it has to be made relevant for end users to take it seriously.
New Ransomware Groups Are Changing The Rules Of The Game
As Infosecurity Europe kicked off, news broke that multiple London hospitals and NHS primary care services had been destabilised by a ransomware breach at a critical pathology supplier. It was a timely example of just how significant the threat is to UK organisations today—and its potentially life-threatening implications. Experts at the show explained that the recent takedown and disappearance, respectively, of the LockBit and BlackCat groups had led to a reordering of the ransomware market.
Affiliates are now less loyal to a particular “brand” and instead move between multiple ransomware-as-a-service (RaaS) operators, they said, adding that vulnerability exploitation in edge devices has become particularly common. The good news is that best-practice cybersecurity standards can help. Organisations should enforce continuous risk-based patching and put defences in place to detect and block post-exploitation activity such as lateral movement.
AI Is An Opportunity But Also A Critical Risk
No discussion about cybersecurity today would be complete without mention of AI. It was a recurring theme at the show, with experts sharing tips on how to safeguard its use. Synopsys executive director for application security engineering Lucas von Stockhausen argued that coders should select their AI assistants with great care and always review any output. They should also define AI use policies and practices before getting started, prioritising IP protection.
University College London (UCL) CISO Sarah Lawson added that organisations must develop acceptable use policies and then hold users accountable for the decisions they make using AI tools. On the other hand, employers must give these users the knowledge they need to ensure those decisions are well-informed, she added.
There was also plenty of discussion around AI-powered threats – notably deepfakes. The ISMS.online State of Information Security 2024 report reveals that 30% of cybersecurity professionals have encountered a deepfake attack over the past 12 months. An expert in such matters, Henry Ajder, kicked off the show with a warning about the threat to democracy of deepfake audio leaks masquerading as hidden recordings of politicians. There are no silver-bullet solutions to the problem, but he stood by “content provenance” as offering the best hope. This refers to cryptographically secured metadata attached to media as soon as it’s captured on a device or generated using an algorithm.
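To make the content-provenance idea concrete, here is an added example (not code from the article, from Ajder, or from any provenance standard) that binds capture metadata to a media file's hash and signs the binding, then shows what verification reports when the media is edited, when the metadata is relabelled, or when the manifest was produced by an untrusted key. It assumes a constructed device key and a constructed audio byte string; real provenance schemes use an asymmetric key and a device certificate rather than the HMAC stand-in used here so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a capture device's signing key. Production provenance
# schemes use an asymmetric key plus a certificate chain; an HMAC key is used here
# only so the example runs offline with the standard library. Not for production.
DEVICE_KEY = b"example-device-key-not-for-production"


def canonical(manifest: dict) -> bytes:
    """Deterministic JSON encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def create_manifest(media: bytes, metadata: dict, key: bytes = DEVICE_KEY) -> dict:
    """Bind capture metadata to the exact media bytes and sign that binding."""
    manifest = {
        "media_sha256": hashlib.sha256(media).hexdigest(),
        "metadata": metadata,
    }
    manifest["signature"] = hmac.new(key, canonical(manifest), "sha256").hexdigest()
    return manifest


def verify_manifest(media: bytes, manifest: dict, key: bytes = DEVICE_KEY) -> tuple:
    """Return (ok, reason): check the signature first, then the media binding."""
    unsigned = {k: v for k, v in manifest.items() if k != "signature"}
    expected = hmac.new(key, canonical(unsigned), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        return False, "signature invalid: manifest altered or not produced by a trusted key"
    if hashlib.sha256(media).hexdigest() != manifest["media_sha256"]:
        return False, "media does not match signed hash: content replaced or edited after capture"
    return True, "provenance intact"


# Constructed sample "recording" and capture metadata (placeholder values, not real data).
SAMPLE_AUDIO = b"\x00\x01\x02 constructed audio bytes \x03\x04"
SAMPLE_META = {
    "device": "example-recorder",
    "captured_at": "2024-06-04T09:00:00Z",
    "source": "microphone",
}


def demo() -> dict:
    """Run the four cases a verifier needs to distinguish and return the outcomes."""
    manifest = create_manifest(SAMPLE_AUDIO, SAMPLE_META)
    results = {"original": verify_manifest(SAMPLE_AUDIO, manifest)[0]}

    # Case 1: the audio is edited after capture, so the signed hash no longer matches.
    results["edited_media"] = verify_manifest(SAMPLE_AUDIO + b"x", manifest)[0]

    # Case 2: synthetic audio is relabelled as a microphone capture; the signature
    # covers the metadata, so the change is detected.
    relabelled = dict(manifest)
    relabelled["metadata"] = dict(SAMPLE_META, source="synthesized")
    results["edited_metadata"] = verify_manifest(SAMPLE_AUDIO, relabelled)[0]

    # Case 3: a manifest produced with a key the verifier does not trust.
    untrusted = create_manifest(SAMPLE_AUDIO, SAMPLE_META, b"some-other-key")
    results["wrong_key"] = verify_manifest(SAMPLE_AUDIO, untrusted)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'intact' if ok else 'rejected'}")
```

The order of checks matters for the reason reported: a valid signature with a mismatched hash tells the verifier the manifest is genuine but the media was changed, while an invalid signature says nothing reliable about the media at all, since the manifest itself cannot be trusted.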
Whether it takes off or not is anyone’s guess. In the meantime, security teams should focus on getting the basics right: people, processes, and technology.