By Sam Olyaei
The security landscape is changing rapidly – and security and risk leaders need to keep up.
Security and risk leaders are being pulled in numerous directions at once, faced with challenges ranging from powerful attacks against cyber-physical systems, to new and increasing privacy regulations, to the need to secure a distributed global workforce. Cybersecurity is now a top board-level concern, putting security at the forefront of business decisions and CISOs in the spotlight.
In this new cyberthreat and business landscape, it’s critical that security and risk leaders don’t fall into the old habit of trying to treat everything the same as it was in the past. This is a new world, and enterprises need to evolve their thinking, their philosophy, their programs, and their security architecture accordingly. Acting sooner rather than later will enable security and risk leaders to prepare for the continued changes that will affect the threat and privacy landscape in the years to come.
Here are eight strategic cybersecurity predictions from Gartner analysts that security and risk management leaders can use to anticipate the changes that are on the horizon. Security leaders should build these strategic planning assumptions into their roadmaps for the year ahead.
1. By the end of 2023, modern privacy laws will cover the personal information of 75 per cent of the world’s population.
GDPR was the first major legislation for consumer privacy, but it was quickly followed by others, including Brazil’s General Personal Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA). The sheer scope of these laws suggests enterprises will be managing data protection legislation in various jurisdictions, and customers will want to know what kind of data is being collected and how it’s being used. It also means that enterprises will need to focus on automating privacy management systems. In the year ahead, focus on standardizing security operations using GDPR as a base, which will make it easier to adjust for individual jurisdictions as new legislation is introduced.
2. By 2024, organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90 per cent.
Organizations now support a variety of technologies in different places, so they need a flexible security solution. Cybersecurity mesh extends to cover identities outside the traditional security perimeter and create a holistic view of the organization. It also helps improve security for remote work. These demands will drive adoption in the next two years.
3. By 2024, 30 per cent of enterprises will adopt cloud-delivered Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS) capabilities from the same vendor.
Organizations are leaning into optimization and consolidation. Security leaders often manage dozens of tools, but they plan to consolidate to fewer than ten. SaaS will become a preferred delivery method, and consolidation will impact adoption timeframes for hardware.
4. By 2025, 60 per cent of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
Investors, especially venture capitalists, are using cybersecurity risk as a key factor in assessing opportunities. Increasingly, organizations look to cybersecurity risk during business deals, including mergers and acquisitions and vendor contracts. The result is more requests for data about a partner’s cybersecurity program via questionnaires or security ratings.
5. The percentage of nation states passing legislation to regulate ransomware payments, fines and negotiations will rise to 30 per cent by the end of 2025, compared to less than one per cent in 2021.
While broader regulations may currently apply to ransomware payments, security experts should expect a more aggressive crackdown on payments. Given the mostly unregulated cryptocurrency market, there are ethical, legal and moral implications to paying ransoms, and it’s vital to consider the impact of doing so. The decision to pay (or not) should fall to a cross-functional team who can address all these concerns.
6. By 2025, 40 per cent of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member.
As cybersecurity becomes (and remains) top of mind for boards, expect to see a board-level cybersecurity committee and stricter oversight and scrutiny. This increases the visibility of cybersecurity risk across the organization and requires a new approach to board reporting, the details of which may depend on the specific board members’ background and experience. Focus messaging on value, risk, and cost.
7. By 2025, 70 per cent of CEOs will mandate a culture of organizational resilience to survive coincident threats from cybercrime, severe weather events, civil unrest and political instabilities.
It’s time that security and risk leaders move beyond cybersecurity and into organizational resilience to account for broader security environments. Digital transformation adds complexity to the threat landscape, which will impact how enterprises produce products and services. Work to define organizational resilience and objectives, and create an inventory of cyber risks that impact them.
8. By 2025, threat actors will have weaponized operational technology environments successfully enough to cause human casualties.
As malware spreads from IT to operational technology (OT), it shifts the conversation from business disruption to physical harm, with liability likely ending with the CEO. Focus on asset-centric cyber-physical systems, and make sure there are teams in place to address proper management.
Sam Olyaei is a Research Director at Gartner, Inc. covering cybersecurity strategy, governance, staffing/talent management, policies, metrics, and executive/board reporting. Sam and other Gartner analysts will present additional insights on security and risk trends during the Gartner Security & Risk Management Summit, taking place virtually in the Americas November 16-18.