Dave DeWalt (13:12)

NightDragon, as you probably know, is an investment advisory firm. We focus in on what I call the security tech space growth stage primarily and we look at all aspects of spending and trends and threats that are happening in that space. And as a result we have a very large access and influence to chief security officers around the world. And this report each year is pretty instrumental to, you know, obviously not just what's happening from a budget point of view with this particular report, but also trends and outlooks that really shape the industry. So this is our third annual one and this one's probably the most comprehensive of all because it really gives you a sense of 2024 and the outlook for 2025.

Dave Bittner (14:01)

I think it's noteworthy, as I was reading through the report, the level of access that you had here. I mean these are high level folks that you got to contribute to this anonymous survey.

Dave DeWalt (14:12)

Yeah, it really is. It's 100 plus member advisory council. Even more, it's got representation from nearly every critical infrastructure vertical and nearly every major geography. So we're able to see not just trends from a particular segment of the market but you know, a pretty comprehensive view across many markets. So very, very depth oriented but also breadth oriented as well.

Dave Bittner (14:38)

Well, let's dig into the report here. I mean, looking at budget trends, the report indicates that over 50% of CISOs expect their cybersecurity budgets to increase in 2025. What factors are driving this anticipated rise in spending?

Dave DeWalt (14:55)

Yeah, it's a combination of events and confluences. I've talked about this for nearly 20 years, so I apologize if it's a similar kind of analogy, But I call it the perfect cyber stor. Continue to see the threat environment increase dramatically. And that comes from a variety of things that are going on in the industry. Probably most notable is the technology inertia that we continue to benefit from. New devices, new phones, you know, new ways to Access the Internet, IoT industrial situations, which is incredible to watch. The, you know, AI kind of tailwinds and things happening there as well. But that creates vulnerabilities, and it creates an expanded attack surface, and that attack surface gets exploited. And we do not have, in this community that we live in of technology and what I call security by design, which is really hardening of platforms before the release to the consumers and corporations and governments, which creates a plethora of vulnerabilities that enables a plethora of attackers to exploit those vulnerabilities. And we continue to see that cyberstorm grow. The number of threat actors, the number of attacks, the number of breaches, the number of really payments for ransomware, almost every category of threat increased year over year. You add to that the geopolitical tensions that we all are living with. And we've created this. This environment that really has chief security officers, chief information security officers guarded as it does the boardroom, as it does the leadership of nearly every company. And so here we have, you know, budgets that are pretty consistent with that threat environment and this, you know, kind of unsafe environment that we live in. So, you know, that's what's driving it.

Dave Bittner (16:54)

What specific areas or types of technologies do you see CISOs planning to prioritize with these budgets?

Dave DeWalt (17:02)

Yeah, there's a number of things that are kind of new areas of exploits that we really have seen, and we've seen a number of new areas of technology inertia that are essentially areas that they need to protect and create better visibility to. You know, the obvious big trend there is AI. AI, AI. It's hard not to say it three times is almost worthy of saying three times. But, you know, it's a game changer. And our report really showed that, you know, it's a game changer from the attacker's perspective, because we're seeing AI is now a tool that can be used to automate malware and exploitation. Access to vulnerabilities have never been easier for the attackers to do. To assemble exploit kits against those vulnerabilities has never been easier for them to do. You know, you're a chat GPT question away from learning about just about anything you want to know in this security space, but also on the defensive side now we're starting to see autonomy driven from magentic AI that's providing ways to scale the SOC and the security operations center, that's very positive. I mean, if there was ever an era in my career where you have a game changing defensive opportunity where if you might have 5, 10, 20 or 100 people in your SoC, you can multiply them by millions, literally millions, using agentic capabilities, automation capabilities that really enable the defender to also be as cutting edge as the offense can be. So this asymmetric environment we've always lived in, where the offense was always a little ahead of the deep bounce AI is an interesting promise for the future. Other areas that are really concerning that we're seeing short up, where budget increases have clearly have happened, is supply chains. You know, it's, you know, you say supply chains, but you, you really mean not just third party risk management, tprm, but really fourth and fifth chains of suppliers as well. Because what we've learned in the last couple years, supply chain attacks have a massive ripple effect. You know, we all saw this with CrowdStrikes outage on July 18, 2024, where 30,000 or so customers were affected directly, but 674,000 companies were affected, you know, indirectly and causing billions of dollars of damage. Even though crowdstrike spend might not have been high on many Fortune 500 lists of suppliers, it became a critical juncture. So you start to how do you manage third party risk better? How do you monitor it? How do you detect anomalies in it? Could be a physical event, a cyber event, it could be just about anything affecting it. So a lot of chief security officer types are now learning that they got to monitor that much like they monitor their endpoint or their network or their cloud. Because if you don't monitor it, there could be a breach in that which could affect a breach for you. So, you know, AI and third party risk management and then an area that continues to be really an environment that we've always had to watch cloud and identity security. This area continues to be a problem because we see the emanation of spear phishing and credential harvesting and usage of darknet to gain access to These credentials as something that continues to exist. So how do we better manage multifactor authentications? The ability to look for anomalous behaviors, east, west traffic, movement by the attackers, privileged access controls. This is an area that's got to evolve better. And CISOs are looking at this because they know identity detection and response and a life cycle around protecting identities is important and made even bigger because at one point it was the identity of humans in your network, then it was the identity of humans and devices in your network, and now it's the identity of humans, devices and RPAs or robotic processes made possible through agents and agentic AI, multiplying it into a much bigger problem of not just access to systems, but authorization of these types of devices to these systems and types of agents as well. So those are a couple of the really big ones. Just to summarize, you know, the report.

Dave Bittner (21:38)

Mentions that the role of the CISO is becoming more strategic. Can we touch on that? How have we seen a shift in things like organizational priorities relative to CISOs out there?

Dave DeWalt (21:53)

Yeah, we're seeing some really, I think, overdue evolution of the CISO's role. And the reason for it is I've always called it future fusion. For many years, the fusion of these tangential markets in the cyber looked obvious to me as somebody been around for a couple decades watching this. The fusion of cyber and physical, the fusion of cyber and supply chain, the fusion of cyber and AI, the fusion of cyber and industrial networks, the fusion of cyber and other domains like space and communications. And now the CISO's role is beginning to become bigger and bigger and more and more important because you're not just trying to protect your digital architecture. You got to protect the external environment that you might have, the internal environment that you might have. You got to protect that physical environment which is now digitized, that supply chain that we've talked about. And more and more, this role in the company has almost evolved to a chief risk officer that's highly technical. We still call it a chief security officer type. But the business acumen, technical acumen, the capabilities of understanding threats and risks from all aspects of the business is really the. The role it's becoming. And you know, like I said at the beginning, it's long overdue because this role is incredibly important to the shareholder value of companies, because we've seen the ramifications when there is a breach or when there is a threat that it really creates shareholder risk. And shareholder risk is something that every board member and management and CEO have to pay attention to because Their number one thing is care of shareholders value. And now the chief security officer is becoming a part of that.

Dave Bittner (23:46)

What are the take homes for you? What are the things that you hope people reading the report come away with?

Dave DeWalt (23:52)

Yeah, I think there's, you know, a couple things. Number one, you know, we have to keep our guard up, so to speak. Obviously this is a incredibly difficult threat environment that obviously hasn't changed and is growing and continues to be large in terms of risk. But I'd also say it takes a village. We walk away with this where public private partnerships, Private private partnerships. Public public partnerships. It takes a village. As we say, it's a team sport in cyber and a team sport to solve. And we need the communities to come together more and more. And with some of the changes the administration has had going into 2025 and beyond is going to become even more important for the community to work together to solve threats, respond threats and really, you know, solve some of these problems. But the last thing I'd leave you with on that is optimism because for the first time, as I mentioned earlier in the podcast, I see a great equalizer coming and I would really encourage our Chief Information Security officer community to look at AI enablement autonomy. I know they are, but wow, watching the use cases that we're starting to see, watching the young companies that are emerging in this world is fascinating and the multiplicity of scale that they're creating is something we haven't seen in a long, long time. And this is, you know, something that, you know, we look forward to and hopefully in the next one year we start to see real rollout and productions of these system that creates a much better defense architecture than we've ever seen before.

Dave Bittner (25:33)

That's Dave DeWalt from Night Dragon. We'll have a link to the report in the show. Notes. Is your AppSec program actually reducing risk? Developers and AppSec teams drown in critical alerts, yet 95% of fixes don't reduce real risk. Why? Traditional tools use generic prioritization and lack the ability to filter real threats from noise. High impact threats slip through and surface in production, costing 10 times more to fix. AUX Security helps you focus on the 5% of issues that truly matter before they reach the cloud. Find out what risks deserve your attention in 2025. Download the application security benchmark from AUX Security. And finally, ah, tax season. The most wonderful time of the year for cybercriminals. As April 15 looms, Microsoft reports a swarm of phishing campaigns dressed up in IRS garb, all hoping to trick you out of your data and into downloading malware. These scammers are going full Hollywood with QR codes, fake DoConnect pages, and PDF files claiming unusual IRS activity. Once clicked, you might get a bonus gift like Blackrodectus remcos or Brute Rittell C4 malware that's anything but deductible. One charming crew, Storm0249 sent thousands of fake IRS notices designed to land malware on victims devices. Another campaign handed out malicious QR codes like candy. And for the truly social, some attackers even made small talk before zipping over Goo Loader or Ahkbot. The message is if it's tax themed and digital, treat it with suspicion. Because this year the only thing scarier than doing your taxes might be the phishing emails about them. Plus, the way things are going in Washington, there may not be anyone left working at the IRS by the time tax day comes around. Interesting times, my friends, interesting times. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com be sure to check out this weekend's Research Saturday and my conversation with Zach Edwards from Silent Push. The research is titled New Lazarus Group Infrastructure Acquires Sensitive intel related to 1.4 billion dollar Bybit hack and Past Attacks. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insight insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Foreign cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with Threat Locker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.