Gartner’s cybersecurity experts gathered in Sydney last week for Gartner’s Security & Risk Management Summit to discuss what security and risk management leaders need to do to be successful in the digital era.
Richard Addiscott, Gartner’s senior director analyst, in a statement, “We can’t fall into old habits and try to treat everything the same as we did in the past. Most security and risk leaders now recognize that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”
Gartner recommends cybersecurity leaders build these eight assumptions into their security strategies over the next two years:
1. Expanding privacy regulations
Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP, according to Gartner. As of 2021, almost three billion individuals had access to consumer privacy rights across 50 countries, and privacy regulation continues to expand. Gartner recommends that organizations track subject rights request metrics, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation.
2. Enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform
With a hybrid workforce and data everywhere accessible by everything, vendors are offering an integrated security service edge (SSE) solution to deliver consistent and simple web, private access and SaaS application security. Gartner predicts by 2025, 80% of enterprises will adopt such a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform. Single-vendor solutions provide significant operational efficiency and security effectiveness compared with best-of-breed solutions, including tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected and re-encrypted.
3. Increased adoption of Zero Trust
The term “zero trust” is now prevalent in security vendor marketing and in security guidance from governments. Gartner predicts by 2025, 60& of organizations will embrace zero trust as starting point for security. However, as zero trust is both a security principle and an organizational vision, it requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits.
4. Organizations will start to mandate cybersecurity risk as a significant determinant when conducting business with third parties
Cyberattacks related to third parties are increasing. However, only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure, according to Gartner data. As a result of consumer concerns and interest from regulators, Gartner believes by 2025, 60% of organizations will start to mandate cybersecurity risk as a significant determinant when conducting business with third parties, ranging from simple monitoring of a critical technology supplier to complex due diligence for mergers and acquisitions.
5. Nation states will pass legislation that regulates ransomware payments, fines and negotiations
Modern ransomware gangs now steal data as well as encrypt it. The decision to pay the ransom or not is often a business-level decision, not a security one. Gartner recommends engaging a professional incident response team as well as law enforcement and any regulatory body before negotiating.
6. Threat actors attack operational technology environments successfully to cause human casualties.
Attacks on operational technology, such as hardware and software that monitors or controls equipment, assets and processes are becoming more common and more disruptive. In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft, according to Gartner.
7. CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities.
The COVID-19 pandemic has exposed the inability of traditional business continuity management planning to support the organization’s response to a large-scale disruption. With continued disruption likely, Gartner recommends that risk leaders recognize organizational resilience as a strategic imperative and build an organization-wide resilience strategy that also engages staff, stakeholders, customers and suppliers.
8. C-level executives will have performance requirements related to risk built into their employment contracts
Most boards now regard cybersecurity as a business risk rather than solely a technical IT problem, according to a Gartner survey. As a result, Gartner expects to see a shift in formal accountability for the treatment of cyber risks from the security leader to senior business leaders.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!
Leave a Reply