Gartner has published a checklist of eight strategic planning assumptions that organizations should consider in their security strategies for the next two years.
50 percent of chief information security officers (CISOs) will adopt human centric design to reduce cyber security operational friction; large enterprises will focus on implementing zero trust programs; and half of cyber security leaders will have unsuccessfully tried to use cyber risk quantification to drive enterprise decision making, according to the top cyber security predictions revealed by Gartner, Inc. at the Gartner Security & Risk Management Summit, in Sydney.
In the opening keynote, Richard Addiscott, Senior Director Analyst and Lisa Neubauer, Senior Director, Advisory at Gartner discussed the top predictions prepared by Gartner cyber security experts to help security and risk management leaders be successful in the digital era.
“There’s no question that CISOs and their teams must be laser focused on what’s happening today to ensure their organizations are as secure as possible,” Addiscott said. “But they also need to make time to look up from their daily challenges and scan the horizon to see what’s coming down the track that might impact their security programs in the next couple of years.
“These predictions are a signal flare for some of those things we see emerging and should be considered by any CISO looking to build an effective and sustainable cyber security program.”
Gartner recommends that cyber security leaders build the following strategic planning assumptions into their security strategies for the next two years.
Through 2027, 50 percent of CISOs will formally adopt human-centric design practices into their cyber security programs to minimize operational friction and maximize control adoption.
Gartner research shows that over 90 percent of employees who admitted undertaking a range of non-secure actions during work activities knew that their actions would increase risk to the organization but did so anyway. Human-centric security design is modeled with the individual — not technology, threat or location – as the focus of control design and implementation to minimize friction.
By 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10 percent of organizations will have successfully weaponized privacy as a competitive advantage.
Organizations are beginning to recognize that a privacy program can enable them to use data more broadly, differentiate from competitors, and build trust with customers, partners, investors and regulators. Gartner recommends security leaders enforce a comprehensive privacy standard in line with GDPR to differentiate in an increasingly competitive market and grow unhindered.
By 2026, 10 percent of large enterprises will have a comprehensive, mature and measurable zero trust program in place, up from less than 1 percent today.
A mature, widely deployed zero trust implementation demands integration and configuration of multiple different components, which can become quite technical and complex. Success is highly dependent on the translation to business value. Starting small, an ever evolving zero trust mindset makes it easier to better grasp the benefits of a program and manage some of the complexity one step at a time.
By 2027, 75 percent of employees will acquire, modify, or create technology outside IT’s visibility – up from 41 percent in 2022.
The CISO role and purview of responsibility is shifting from being control owners to risk decision facilitators. Reframing the cyber security operating model is key to the changes coming. Gartner recommends thinking beyond technology and automation to deeply engage with employees to influence decision making and ensure they have appropriate knowledge to do in an informed way.
By 2025, 50 percent of cyber security leaders will have tried, unsuccessfully, to use cyber risk quantification to drive enterprise decision making.
Gartner research indicates that 62 percent of cyber risk quantification adopters cite soft gains in credibility and cyber risk awareness, but only 36 percent have achieved action-based results, including reducing risk, saving money or actual decision influence. Security leaders should focus firepower on quantification that decision makers ask for, instead of producing self-directed analyses they have to persuade the business to care about.
By 2025, nearly half of cyber security leaders will change jobs, 25 percent for different roles entirely due to multiple work-related stressors.
Accelerated by the pandemic and staffing shortages across the industry, the work stressors of cyber security professionals are rising and becoming unsustainable. Gartner suggests that while eliminating stress is unrealistic, people can manage challenging and stressful jobs in cultures where they are supported. Changing the rules of engagement to foster cultural shifts will help.
By 2026, 70 percent of boards will include one member with cyber security expertise.
For cyber security leaders to be recognized as business partners, they need to acknowledge board and enterprise risk appetite. This means not only showing how the cyber security program prevents unfavorable things from happening, but how it improves the enterprise’s ability to take risks effectively. Gartner recommends CISOs get ahead of the change to promote and support cyber security to the board and establish a closer relationship to improve trust and support.
Through 2026, more than 60 percent of threat detection, investigation and response (TDIR) capabilities will leverage exposure management data to validate and prioritize detected threats, up from less than 5 percent today.
As organizational attack surfaces expand due to increased connectivity, use of SaaS and cloud applications, companies require a broader range of visibility and a central place to constantly monitor for threats and exposure. TDIR capabilities provide a unified platform or ecosystem of platforms where detection, investigation and response can be managed, giving security operations teams a complete picture of risk and potential impact.
Learn more about the top priorities for security and risk leaders in 2023 in the complimentary Gartner ebook: 2023 Leadership Vision for Security & Risk Management Leaders.