Security leaders should rethink their balance of investments across technology and human-centric security design practices, Gartner says in a new report detailing the top cybersecurity trends for 2023.
By 2027, 50 per cent of large enterprise chief information security officers (CISOs) will pivot towards a human-centred approach, one that prioritises employee experience across the controls management life cycle.
“Traditional security awareness programs have failed to reduce unsecure employee behavior,” said Richard Addiscott, senior director analyst at Gartner. “CISOs must review past cybersecurity incidents to identify major sources of cybersecurity-induced friction and determine where they can ease the burden for employees through more human-centric controls or retire controls that add friction without meaningfully reducing risk.”
This, Addiscott added, could reduce security failures and improve both business-risk decisions and cybersecurity staff retention.
Additionally, Gartner predicts that 60 per cent of organizations will shift from external hiring to “quiet hiring” of internal talent to address systemic cybersecurity and recruitment challenges.
“CISOs who take a human-centric talent management approach to attract and retain talent have seen improvements in their functional and technical maturity,” the report said.
Further, the report highlighted the following trends that security leaders should pay attention to:
- Cybersecurity must connect to business value as technology moves from IT functions to business processes and individual employees. “Business leaders now widely accept that cybersecurity risk is a top business risk to manage – not a technology problem to solve,” stated Addiscott.
- CISOs should continually assess their threat exposure and implement continuous threat exposure management (CTEM) programs. Gartner predicts that by 2026, organizations prioritizing their security investments based on a CTEM program will suffer two-thirds fewer breaches.
- By 2027, identity fabric immunity principles will prevent 85 per cent of new attacks and reduce the financial impact of breaches by 80 per cent.
- Through 2026, more than 40 per cent of organizations will rely on consolidated platforms to run cybersecurity validation assessments. Cybersecurity validation combines the tools and processes to assess how threat actors exploit an identified threat exposure. Repeatable and predictable aspects of assessments can also be automated with new tools to enable regular benchmarks of attack techniques, security controls and processes.
- Vendors are consolidating platforms around cybersecurity domains to inventory security controls, understand where overlaps exist, and reduce redundancies.
- More than 50 per cent of core business applications will be built using composable architecture, which will require a new approach to securing applications. “The creation of applications with composable components introduces undiscovered dependencies,” stated Addiscott. “For CISOs, this is a significant opportunity to embed privacy and security by design by creating component-based, reusable security control objects.”
- The board should get more involved in cybersecurity oversight so that budget and resources are allocated adequately. Security leaders are also responsible for demonstrating the impact of cybersecurity programs on the organization’s goals and objectives.