Axios Codebook

December 20, 2024
TGIF, everyone. Welcome to the year-end edition of Codebook.
- This is our last newsletter for 2024. Thank you to everyone who spent the year with me, and see you in the new year.
- Have thoughts, feedback or scoops to share in the meantime? [email protected].
Today's newsletter is 1,174 words, a 4.5-minute read.
1 big thing: Where cybersecurity made strides in 2024
There's plenty to say about the failures that let hackers inside companies this year.
- But senior officials and industry executives say there's also a lot to be proud of in 2024.
I spent the last week asking them what those successes — and failures (see below) — actually are. Here's what they said:
Todd McKinnon, CEO of Okta: "There was more collaboration across the industry. Security is a team sport, and we're all focused on the same threats. We have to work together to win — we can't rest on our laurels."
Hari Ravichandran, founder and CEO of Aura: "There has been a lot of enthusiasm around consumer education and security awareness, so I think consumers are getting a lot smarter about what to look for to identify threats."
Frederic Rivain, chief technology officer at Dashlane: "Confidential computing is starting to be a thing."
- "Apple, OpenAI, Signal and others have announced plans to invest into confidential computing and ensure privacy of data in use. I have been a strong advocate for a long time that we should do better to protect the privacy of sensitive user data."
Dave Zilberman, general partner, Norwest Venture Partners: "AI for security" was the biggest win, with "security companies embedding generative AI capabilities to improve operational automation and efficiency."
Richard Cassidy, field CISO at Rubrik: "More organizations are adopting a data-first approach, enabling them to maintain operations and safeguard stakeholders even when attackers breach initial defenses."
- "This evolution in strategy reflects a more profound understanding that prevention is not the answer, and a shift in mindset to preparation and recovery is critical."
Danny Allan, CTO at Snyk: "We're beginning to see [machine learning] filters becoming increasingly more effective at triage, while Gen AI is providing ready-made solutions for security issues."
- "We might be early on truly autonomous acceptance, but it drastically reduces the cognitive load on the organization to address the problems that are prioritized."
Omer Grossman, chief information officer at CyberArk: "The biggest cyber win was the CISA campaign to bolster trust in the U.S. elections."
- "CISA's #Protect2024 efforts to mitigate malicious influence operations were truly commendable and Jen Easterly provided consistent, visible leadership and messaging — including in song(!)."
What we're watching: Cybersecurity is far from solved — there's a reason we all still work in this space.
2. The flip side: 2024's biggest failures
The cybersecurity industry has a lot of room to grow in the new year — as evidenced by the long list of attacks that started with simple mistakes.
Why it matters: Companies keep repeating the same mistakes that allow malicious actors to break into their systems.
- Finding new solutions will be a huge focus of 2025 and beyond, experts say.
Along with the wins, I also asked experts to share the biggest failures of 2024. This is what they said:
Mike Wiacek, founder and CEO of Stairwell: "2024 showed that even the best-in-market tools remain vulnerable to increasingly evasive attackers, as seen in incidents like the UnitedHealth Change Healthcare ransomware attack."
- "Companies need to have plans to investigate and respond to threats, even if frontline tools fail to catch them — one could call it 'planning for failure.'"
Todd McKinnon, CEO of Okta: "We continue to see companies locking customers into purchasing all-in-one bundles."
- "By doing this, they're limiting their customers' ability to choose security tools that lead to the best outcomes for their businesses. Choice is critical for the best security — choosing one technology vendor for everything doesn't give companies the layered resilience of a best-of-breed ecosystem that will keep them more secure."
Bob Lord, senior technical adviser at CISA: "Although some software manufacturers have reduced the prevalence of the most common classes of coding error, as a whole, the software industry has not."
- "The most popular classes of coding error from 2007 are still at the top of the list in 2024. How is this the customers' fault? We see articles about the companies that are compromised because of unsafe software, but rarely articles about the companies that make little effort to build safer software."
M.K. Palmore, director at Google Cloud's Office of the CISO: "2024 showed us how critical human capital is in addressing cybersecurity challenges."
- "The cost of neglecting our human capital — billions lost to breaches, ransomware, and eroded public trust — underscores the urgent need to invest in leadership and talent development, and is one of the biggest learnings within our industry this year."
Mandy Andress, CISO at Elastic: "We saw older technologies being targeted in 2024. Think Fortinet, MOVEit, etc. As we improve security in newer technologies, threat actors have started focusing more on older or infrastructure tech that is often not upgraded or patched frequently."
Nicole Carignan, VP of strategic cyber AI at Darktrace: "Attackers continued to target cloud environments."
- "Cloud environments contain enormous troves of sensitive data that appeal to bad actors. The distributed nature of cloud infrastructure, rapid provisioning of resources, and prevalence of misconfigurations have posed major security challenges and will continue to be an issue in 2025."
Allan Liska, ransomware expert at Recorded Future: "We need to do more to prevent ransom payments."
- "Law enforcement is doing great work, but as long as criminals see billions in payments coming in, there will always be a new ransomware actor/initial access broker/developer ready to step in."
Darren Shou, chief strategy officer at RSA Conference: "A huge (global) fail was businesses around the world handing out jobs and paying hundreds of millions to North Korean IT workers."
- "Safeguards against this happening again are currently weak, and I'm sure we'll hear about more fake personas infiltrating enterprises, followed by sophisticated fraud and reputation attacks."
Skim through the rest of the insights I collected on LinkedIn (I promise, it's actually fun over there).
Have your own thoughts? Reply to this and let me hear them.
3. Catch up quick
@ D.C.
The Commerce Department is weighing a ban on routers from China-based manufacturer TP-Link, which account for 65% of the U.S. router market, amid growing hacking concerns. (Wall Street Journal)
Congress approved $3 billion in new funding for the Federal Communications Commission's effort to rip and replace Chinese equipment from telecom networks. (Washington Post)
Rob Silvers, undersecretary for policy at the Department of Homeland Security, left his post this week after giving notice before Thanksgiving. (The Record)
@ Industry
Bureau, a fast-growing cybersecurity startup focused on user-identity fraud prevention, raised a $30 million round led by Sorenson Capital. (Reuters)
The European Union has opened an investigation into TikTok following allegations that Russia used the platform to interfere in the Romanian presidential election. (Politico)
@ Hackers and hacks
BeyondTrust, a popular privileged access management company, said that earlier this month, hackers breached some of its remote support SaaS tools. (BleepingComputer)
North Korean hackers stole $1.34 billion worth of crypto during attacks this year, according to new Chainalysis research. (TechCrunch)
Editor's note: One of the summaries in this section was corrected to show Rob Silvers gave notice before Thanksgiving.
4. 1 fun thing
Codebook is back in your inbox Jan. 3 — and I'd love to feature your predictions for 2025.
- Hit reply on this email with your quick, snappy thoughts!
See y'all in 2025!
Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.




