The (Cybersecurity Threat) Beat Goes On
At Pythia Cyber we warn you not to rely solely on skills or knowledge when choosing people to work in your cybersecurity program. Familiar as skills and knowledge may be for hiring, and comforting as that familiarity may be, you cannot rely on them alone. You need more than that because change is the one constant in cybersecurity, and skills and knowledge get out of date. Talent is evergreen.
We keep beating the drum of the importance of talent in building and maintaining your cybersecurity program because your people are the beating heart of your cybersecurity program. Those people need to keep up with the pace of change in the threat environment because the beat goes on and on and on.
Modern life changes more swiftly and widely than life has ever changed before. Technology changes more swiftly and widely than it has ever changed before. Cybersecurity, sitting at the juncture of technology, crime, hardware failure and human error, changes more swiftly and widely than just about any other profession. However, the relentless pace of change makes us all a bit numb, so every now and then I like to review the top cybersecurity threats of the past five years to remind us of the speed and scope of these changes. Here is my highly subjective list, but even if you choose different biggest threats you will see a pattern of swift and wide change.
2026: AI's Rapid Development
It is early days yet, but for 2026 the industry is focusing on the rapid pace at which AI is getting better at making existing threats more potent. As for finding vulnerabilities, AI can review source code and configurations for known vulnerabilities and poor coding with unprecedented speed and accuracy. This is bad if the user is an evildoer and good if the user is well-intentioned. AI can analyze emails and documents for important information, which is good if you are the owner of that important information and bad if you are a thief. AI can learn from its mistakes and craft ever-better spear phishing attacks, which is bad. Agentic AI can relieve you of tedious work, but it can also delete all your data.
2025: AI Hits The Scene
In a dark parallel to AI's legitimate promise, criminals and bad state actors really embraced AI as a way to make existing threats more potent. Ransomware got a shot in the arm and became a franchise business. Voice was added as a medium for scams. Identity theft became much easier.
2024: Supply Chain Attacks
My pick for 2024 is the supply chain attack, where evildoers manage to compromise someone's code base not to attack the owners of the code base but rather to attack the users of the code base. Thus began the challenge of cybersecurity responsibilities that extend beyond your organization's borders.
2023: Ransomware
In 2023 ransomware came of age. It became a mature business with a great pricing model and an enviable reputation for honesty: pay quickly and move on. It became part of the cost of doing business. Large organizations--companies, hospitals, schools, municipal governments--were suddenly adept at paying ransoms with cryptocurrency.
2022: New Discovery of Old Vulnerabilities
Many of our tried-and-true subsystems turned out to have old bugs for which we needed new patches. A legion of malevolent eyes was turned onto our basic infrastructure and bugs were found. Stable, trusted systems which were no longer actively supported had to be decommissioned despite working perfectly well. I joined the streams of people arriving at technology recycling centers laden with computers that were suddenly too dangerous to keep using.
Conclusion
Even if you choose different "biggest threat" options for each of these years, you will have to agree that the spread is wide. In 2022 you would have done well to hire the kind of systems engineer who knows where their drivers come from and could keep your devices clean and up-to-date. In 2023 your ideal was someone with a network intrusion and backup/restore background. In 2024 your ideal hire was a diplomat who was adept at getting suppliers to share information. In 2025 your ideal hire was a generalist who could help with the wave of AI-powered retooled classic threats. In 2026 who is your ideal hire? Who knows?
The point is that your ideal cybersecurity engineer hire cannot be defined solely by their current skills and knowledge because those skills and knowledge will wax and wane in their importance. You need to balance your team's skills and knowledge, yes, but you also need to balance their talents. At least some of your team have to be generalists who specialize in not specializing. New stuff happens. Old skills and knowledge are not a reliable way to guard against new stuff.
Hiring the right people and building the appropriate team is hard. Writing good policies and good procedures to implement those policies is hard. We can help with both. Ask us how.