Human-Centered Approach Can Reduce Cybersecurity Failures, Gartner Predicts
A human-centered approach to cybersecurity where people are prioritized for their expertise will become a necessity to creating and implementing modern security programs and policies, researcher Gartner predicts in its 2023 cybersecurity trends report.
People-First Cybersecurity Strategy Advocated
Technology and processes that underlie strong cybersecurity postures, but focus on people in control design and implementation, will help organizations make better business decisions and retain critical staff, said Gartner.
As Richard Addiscott, Gartner senior director analyst, explained:
“Traditional security awareness programs have failed to reduce unsecure employee behavior. CISOs must review past cybersecurity incidents to identify major sources of cybersecurity induced-friction and determine where they can ease the burden for employees through more human-centric controls or retire controls that add friction without meaningfully reducing risk.”
To address cybersecurity risks and sustain an effective cybersecurity program, security and risk management (SRM) leaders will need to focus on three key areas:
- The essential role of people for security program success and sustainability
- Technical security capabilities that provide greater visibility and responsiveness across the organization’s digital ecosystem
- Restructuring the way the security function operates to enable agility without compromising security
Trends Making an Impact
Gartner identified nine trends will have a “broad impact” for SRM leaders across the three areas, according to Gartner:
Human-Centric Security Design.
- By 2027, 50% of large enterprise chief information security officers (CISOs) will have adopted human-centric security design practices to minimize cybersecurity-induced friction.
Enhancing People Management for Security Program Sustainability.
- By 2026, 60% of organizations will shift from external hiring to “quiet hiring” from internal talent markets to address systemic cybersecurity and recruitment challenges.
Transforming the Cybersecurity Operating Model to Support Value Creation.
- A Gartner survey found that 41% of employees perform some kind of technology work, a trend that is expected to continue growing over the next five years. Employees must know how to balance cybersecurity, financial, reputational, competitive and legal risks.
Threat Exposure Management.
- Gartner predicts that by 2026, organizations prioritizing their security investments based on a continuous threat exposure management (CTEM) program will suffer two-thirds fewer breaches.
Identity Fabric Immunity.
- By 2027, identity fabric immunity principles will prevent 85% of new attacks and thereby reduce the financial impact of breaches by 80%.
- Through 2026, more than 40% of organizations, including two-thirds of midsize enterprises, will rely on consolidated platforms to run cybersecurity validation assessments.
Cybersecurity Platform Consolidation.
- As organizations look to simplify operations, vendors are consolidating platforms around one or more major cybersecurity domains. SRM leaders need to continuously inventory security controls to understand where overlaps exist.
Composable Businesses Need Composable Security.
- Composable security is an approach where cybersecurity controls are integrated into architectural patterns and then applied at a modular level in composable technology implementations. By 2027, more than 50% of core business applications will be built using composable architecture, requiring a new approach to securing those applications.
Boards Expand Their Competency in Cybersecurity Oversight.
- The board’s increased focus on cybersecurity is being driven by the trend toward explicit-level accountability for cybersecurity to include enhanced responsibilities for board members in their governance activities.
“SRMs leaders must encourage active board participation and engagement in cybersecurity decision making,” Addiscott said. “Act as a strategic advisor, providing recommendations for actions to be taken by the board, including allocation of budgets and resources for security.”