How will cybersecurity practices inside enterprises and other businesses evolve in the next several years? Analyst firm Gartner provided its list of 8 predictions that evaluate the impact of big market trends such as generative AI, the growth of misinformation campaigns, the growing liability that CISOs face, and ongoing non-compliance of legacy systems with zero trust principals.
The results illuminate a number of opportunities for organizations as they seek to fortify their threat posture in the years ahead.
“As we start moving beyond what’s possible with GenAI, solid opportunities are emerging to help solve a number of perennial issues plaguing cybersecurity, particularly the skills shortage and unsecure human behavior," said Gartner director analyst Deepti Gopal, speaking at the Gartner Security & Risk Management Summit in Sydney.
"The scope of the top predictions this year is clearly not on technology, as the human element continues to gain far more attention. Any CISO looking to build an effective and sustainable cybersecurity program must make this a priority.”
Strategic Planning Assumptions for Cybersecurity Leaders
Gartner recommends that cybersecurity leaders build the following strategic planning assumptions into their security strategies for the next two years.
1. By 2028, the adoption of GenAI will collapse the skills gap, removing the need for specialized education from 50% of entry-level cybersecurity positions.
GenAI will help organizations alleviate the cybersecurity skills gap. Gartner said that GenAI augmentations will change how organizations hire and teach cybersecurity workers in the future.
Recommendation: Cybersecurity teams should focus on internal use cases that support users as they work, coordinate with HR partners and identify adjacent talent for more critical cybersecurity roles.
2. By 2026, enterprises combining GenAI with an integrated platforms-based architecture in security behavior and culture programs will experience 40% fewer employee-driven cybersecurity incidents.
Cybersecurity is an essential part of the services that MSPs and MSSPs can offer to end customers. If you add GenAI to the mix, it has the potential to generate hyper-personalized content and training materials that take into context each employee’s unique attributes. This will increase the likelihood of employees adopting more secure behaviors in their day-to-day work, resulting in fewer cybersecurity incidents.
Recommendation: Gartner recommends that organizations that have not embraced GenAI capabilities should evaluate their service providers to understand how they are leveraging GenAI. That could mean an opportunity for MSPs and MSSPs who are most up to date in providing AI-enhanced training.
3. Through 2026, 75% of organizations will exclude unmanaged, legacy and cyber-physical systems from their zero trust strategies.
Under a zero trust strategy, users and endpoints receive only the access needed to do their jobs and are continuously monitored based on evolving threats. In production or mission-critical environments, these concepts do not universally translate for unmanaged devices, legacy applications and cyber-physical systems engineered to perform specific tasks in unique safety and reliability-centric environments.
That will slowly improve over the next two years. MSSPs and MSPs are positioned to help their clients evaluate those non-compliant systems and make recommendations to evolve them.
4. By 2027, two-thirds of global 100 organizations will extend directors and officers (D&O) insurance to cybersecurity leaders due to personal legal exposure.
New laws and regulations, such as the SEC’s cybersecurity disclosure and reporting rules, expose cybersecurity leaders to personal liability. A key case in point is the former CISO of SolarWinds who faces charges of fraud and internal control failures tied to undisclosed cybersecurity risks. The roles and responsibilities of the chief information security officer (CISOs) need to be updated for associated reporting and disclosures.
Recommendation: Organizations should explore the benefits of covering the role with D&O insurance, as well as other insurance and compensation, to mitigate personal liability, professional risk and legal expenses.
5. By 2028, enterprise spend on battling misinformation will surpass $500 billion, cannibalizing 50% of marketing and cybersecurity budgets.
The combination of AI, analytics, behavioral science, social media, internet of things and other technologies enable bad actors to create and spread highly effective, mass-customized misinformation.
Recommendation: CISOs should define the responsibilities for governing, devising and executing enterprise-wide anti-misinformation programs and invest in tools and techniques that combat the issue using chaos engineering to test resilience.
6. Through 2026, 40% of identity and access management (IAM) leaders will take over the primary responsibility for detecting and responding to IAM-related breaches.
IAM leaders often struggle to articulate security and business value to drive accurate investment and are not involved in security resourcing and budgeting discussions. Gartner says that as IAM leaders continue to grow in importance, they will evolve in different directions, each with increased responsibility, visibility and influence.
Recommendation: CISOs should break traditional IT and security silos by giving stakeholders visibility into the role IAM plays by aligning the IAM program and security initiatives.
7. By 2027, 70% of organizations will combine data loss prevention and insider risk management disciplines with IAM context to identify suspicious behavior more effectively.
Increased interest in consolidated controls has prompted vendors to develop capabilities that represent an overlap between user behavior focused controls and data loss prevention. This introduces a more comprehensive set of capabilities for security teams to create a single policy for dual use in data security and insider risk mitigation.
Recommendation: Organizations should identify data risk and identity risk and use them in tandem as the primary directive for strategic data security.
8. By 2027, 30% of cybersecurity functions will redesign application security to be consumed directly by non-cyber experts and owned by application owners.
The volume, variety and context of applications that business technologists and distributed delivery teams create means potential for exposures well beyond what dedicated application security teams can handle.
Recommendation: To bridge the gap, cybersecurity functions must build minimum effective expertise in these teams, using a combination of technology and training to generate only as much competence as is required to make cyber risk informed decisions autonomously.
Gartner’s Research Road Show
Gartner analysts are presenting the latest research and advice for security and risk management leaders at the Gartner Security & Risk Management Summit in Sydney, Australia this week. Upcoming Gartner Security & Risk Management Summits are June 3-5 in National Harbor, Maryland; July 24-26 in Tokyo; and September 23-25 in London.
