The Gartner Security & Risk Management Summit, June 20-21 in Sydney, Australia, delivered sobering revelations about the future of cybersecurity — with the aim of helping security and risk management leaders succeed in the digital era.
In their opening keynote address, Gartner’s Richard Addiscott, senior director analyst, and Rob McMillan, managing vice president, pointed to key trends, such as executive performance evaluations being increasingly linked to ability to manage cyber risk.
Gartner’s experts noted that almost one-third of all nations will regulate ransomware response within the next three years. Also, security platform consolidation will help organizations thrive in hostile environments.
“We can’t fall into old habits and try to treat everything the same as we did in the past,” Addiscott told attendees. “Most security and risk leaders now recognize that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”
Gartner Trends Plot the Future of Cybersecurity
Gartner recommends that cybersecurity leaders build several strategic planning assumptions into their security strategies for the next two years:
- Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover five billion citizens and more than 70% of global GDP. To identify inefficiencies and justify accelerated automation, Gartner recommends that organizations track subject rights request metrics, including cost per request and time to fulfill.
- By 2025, 80% of organizations will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform. With a hybrid workforce and data everywhere accessible by everything, vendors are offering an integrated security service edge (SSE) solution to deliver consistent and simple web, private access and SaaS application security.
- 60% of organizations will embrace Zero Trust as a starting point for security by 2025, but more than half will fail to realize the benefits. Replacing implicit trust with identity- and context-based, risk-appropriate trust is extremely powerful. However, zero trust is both a security principle and an organizational vision, and realizing its benefits requires a cultural shift and clear communication tied to business outcomes.
- By 2025, 60% of organizations will use cybersecurity risk as a primary factor in conducting third-party transactions and business engagements. Cyberattacks related to third parties are increasing, but only 23% of security and risk leaders monitor them in real time. Organizations will start mandating cybersecurity risk as a significant factor when conducting business with third parties.
- Through 2025, 30% of nation states will pass legislation that regulates ransomware payments, fines and negotiations, up from less than 1% in 2021. Modern ransomware gangs now steal data as well as encrypt it. Paying ransom is a business-level decision, not a security one. Gartner recommends engaging a professional incident response team as well as law enforcement and any regulatory body before negotiating.
- By 2025, threat actors will have successfully weaponized operational technology environments to cause human casualties. Attacks on OT — hardware and software that monitors or controls equipment, assets and processes — have become more common and disruptive. Security and risk management leaders should be more concerned about real-world hazards to humans and the environment than about information theft.
- By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instability. The COVID-19 pandemic exposed the failure of traditional business continuity management planning to respond to large-scale disruption. Gartner recommends that risk leaders recognize organizational resilience as a strategic imperative and build a strategy that also engages staff, stakeholders, customers and suppliers.
- By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts. According to a Gartner survey, cybersecurity is now regarded more as a business risk than solely as a technical IT problem. So, expect to see a shift in formal accountability for the treatment of cyber risks from the security leader to senior business leaders.
Top Priorities for Security and Privacy Leaders in 2022
Gartner provides actionable, objective insight to CIOs and IT leaders to help them drive their organizations through digital transformation and lead business growth. For further reading, check out Gartner’s complimentary eBook: 2022 Leadership Vision for Security & Risk Management Leaders.