Novel Approaches to Digital Security in 2024
The ancient site of Westminster Abbey hosted cybersecurity leaders and CISOs across two roundtable discussions to compare and contrast one of the most critical parts of their roles.
This HotTopics Food for Thought breakfast, in partnership with Cloudflare, featured transparent, revealing conversations on the new strategies CISOs and the C-suite can and should adopt to combat the novel mix of challenges facing businesses in 2024.
Moderated by HotTopics Editor Peter Stojanovic, guests also enjoyed a VIP guided tour of the UNESCO World Heritage Site, as well as a chance to widen their networks amongst peers. Read the summary of the debates, below, and comment underneath to share your experiences.
The morning brought together executives from a range of industries, including banking, pharmaceuticals, IT, cybersecurity and media, focusing on the balance between security and compliance as leaders consider novel approaches to digital security in 2024. The central focus was on the challenges of managing organisational risk, especially when regulations conflict with the need for quick action, such as in data access for security investigations.
Leaders shared personal experiences regarding the challenges of adhering to security rules, the role of insurance in enforcing cybersecurity standards, and how preparedness and response frameworks are vital but often flawed when tested by real-world incidents.
Digital security in 2024: 10 key learnings
1. Balancing rule-breaking and compliance:
Several participants, including those in IT risk and compliance, acknowledged that in certain situations, breaking or bending rules is necessary to protect the organisation. This often happens when immediate access to sensitive data is required for security investigations. This formed the first question of both roundtables—a controversial question led by Cloudflare to stimulate good debate from the outset of each discussion. A pragmatic approach is preferred, as Cloudflare put forward, acknowledging its market position provides a good view of successful compliance practice. This means understanding the red lines you and your company are not prepared to cross in any situation, and being comfortable operating in ‘grey areas’ as you rapidly prioritise in high-risk scenarios.
2. Risk management and digital security:
The group debated the effectiveness of a risk-based approach, particularly in compliance-heavy industries like pharmaceuticals and banking. The consensus was that while regulations are necessary, they can sometimes be too restrictive and hinder operational efficiency.
3. Third-party and vendor risk:
Managing third-party risk was a recurring theme, with participants sharing concerns about vendors not meeting high security standards. In some cases, vendors couldn’t afford to comply, leading to discussions around "risk acceptance" when dealing with large organisations that resist stricter security measures.
"We spend ages reviewing low-risk vendors we've had for 20 years that every bank uses. How about we just accept some of these things and move on?" as one leader said, reflecting frustration with over-regulation in vendor management.
4. Ransomware and crisis management:
A provocative question was raised about whether companies would break their own principles and pay a ransom in a cybersecurity crisis. The group highlighted that while paying ransoms is against most organisational policies, real-world pressure could force executives to reconsider in high-stakes situations.
Maintaining principles under ransomware attack can be difficult, as one executive mused: "When the pressure's off, it’s easy to be principled, but when you're in the ring and someone's hitting you, that's when the real decisions are made."
5. Preparedness and stress testing:
Participants emphasised the importance of preparedness through stress testing and scenario planning. Financial institutions, in particular, are required by regulators to run these exercises, which often highlight vulnerabilities that wouldn’t otherwise be identified. Cloudflare in particular recommended working more diligently with partners to understand roles and responsibilities during breaches, noting that a breakdown of communication and accountability is one of the key sources of failure.
"The regulators are really fearful of everyone moving to the cloud because if AWS goes down, you suddenly lose the whole market." Across the roundtable, a key concern centred on systemic risk of cloud (over)reliance.
6. Data governance and innovation:
From the pharmaceutical perspective, flexible governance models are needed to adapt to evolving use cases. One speaker emphasised the importance of capturing metadata and traceability, particularly when dealing with sensitive patient data across borders.
7. Budget constraints and flexibility:
Participants noted that security budgets often do not align with the rapid evolution of threats. Some described how they had to think beyond budget constraints to ensure sufficient security, sometimes seeking additional funding to address immediate risks.
As one leader put it pithily, “A million pounds of money is not going to buy you a million pounds of security.”
8. Regulatory challenges and risk management:
The group discussed regulatory hurdles and how outdated rules (like VPN mandates) sometimes force organisations to take risk-based approaches, such as adopting zero-trust models. In some cases, this meant going against the rules, only to later demonstrate the decision was the right one. New research from Forrester found that Cloudflare security services improved security efficiency via centralised visibility, faster detection, and more, boosting security team efficiency by 29%.
“If you can't work within the rules, you change the rules. You don't break the rules.” This memorable quote won laughs during the debate, showing that one can adapt to security policies without violating them.
9. Shadow IT as a double-edged sword:
Shadow IT (unauthorised tools used by employees) was highlighted as both a risk and a source of innovation, and the single biggest challenge facing CISOs. The topic is still divisive. Participants acknowledged that shadow IT often indicates a gap in provided tools, and instead of fighting it, organisations can harness it to better understand employee needs.
One provocative take heard: “Shadow IT is the greatest asset an organisation could have for innovation because it shows where the company isn't providing the right tools.”
10. Closing thoughts on digital security
This roundtable highlighted several critical challenges facing modern cybersecurity and risk management. There was consensus that while rules and regulations are essential, they must evolve to meet current threats. Organisations sometimes find themselves compelled to break or bend rules to protect themselves, especially when regulations are outdated or misaligned with modern technologies. Shadow IT was discussed as a significant risk but also a potential driver for innovation, showcasing gaps in provided tools and services.
Preparedness, both in terms of budget and operational frameworks, remains a persistent challenge. Many noted that even with established protocols, real-world incidents often expose gaps in organisational readiness. The role of cyber-insurance emerged as a critical tool for enforcing compliance and shaping security policies, but it also highlighted how reliant organisations are on external guidelines to ensure internal improvements.
Ultimately, the discussion underscored that while frameworks and policies are essential, leadership engagement, cultural shifts, and adaptability are key to improving cybersecurity across industries. As threats evolve, so must the rules and the way organisations approach both protection and response.
Next steps
To discover more about how Cloudflare can support you and the C-suite in better preparing your organisations, search the solutions that protect thousands of businesses, here.
To discover more HotTopics events for the C-suite, review our upcoming events calendar, here.