Published: Thursday, 13 April 2023 10:21
Security and risk management (SRM) leaders must rethink their balance of investments across technology and human-centric elements when creating and implementing cyber security programs in line with nine top industry trends, according to Gartner, Inc.
“A human-centered approach to cyber security is essential to reduce security failures,” said Richard Addiscott, Sr Director Analyst at Gartner. “Focusing on people in control design and implementation, as well as through business communications and cyber security talent management, will help to improve business-risk decisions and cyber security staff retention.”
To address cyber security risks and sustain an effective cyber security program, SRM leaders must focus on three key domains:
- The essential role of people for security program success and sustainability;
- Technical security capabilities that provide greater visibility and responsiveness across the organization’s digital ecosystem; and
- Restructuring the way the security function operates to enable agility without compromising security.
The following nine trends will have a broad impact for SRM leaders across these three areas, says Gartner:
Trend 1: human-centric security design
Human-centric security design prioritizes the role of employee experience across the controls management life cycle. By 2027, 50 percent of large enterprise chief information security officers (CISOs) will have adopted human-centric security design practices to minimize cyber security-induced friction and maximize control adoption.
Trend 2: enhancing people management for security program sustainability
Traditionally, cyber security leaders have focused on improving the technology and processes that support their programs, with little focus on the people who create these changes. CISOs who take a human-centric talent management approach to attract and retain talent have seen improvements in their functional and technical maturity. By 2026, Gartner predicts that 60 percent of organizations will shift from external hiring to ‘quiet hiring’ from internal talent markets to address systemic cyber security and recruitment challenges.
Trend 3: transforming the cyber security operating model to support value creation
Technology is moving from central IT functions to lines of business, corporate functions, fusion teams and individual employees. A Gartner survey found that 41 percent of employees perform some kind of technology work, a trend that is expected to continue growing over the next five years.
CISOs must modify their cyber security operating model to integrate how work gets done. Employees must know how to balance a number of risks including cyber security, financial, reputational, competitive, and legal risks. Cyber security must also connect to business value by measuring and reporting success against business outcomes and priorities.
Trend 4: threat exposure management
The attack surface of modern enterprises is complex and creates fatigue. CISOs must evolve their assessment practices to understand their exposure to threats by implementing continuous threat exposure management (CTEM) programs. Gartner predicts that by 2026, organizations prioritizing their security investments based on a CTEM program will suffer two-thirds fewer breaches.
Trend 5: identity fabric immunity
Fragile identity infrastructure is caused by incomplete, misconfigured or vulnerable elements in the identity fabric. By 2027, identity fabric immunity principles will prevent 85 percent of new attacks and thereby reduce the financial impact of breaches by 80 percent.
Trend 6: cyber security validation
Cyber security validation brings together the techniques, processes, and tools used to validate how potential attackers exploit an identified threat exposure. The tools required for cyber security validation are making significant progress to automate repeatable and predictable aspects of assessments, enabling regular benchmarks of attack techniques, security controls and processes. Through 2026, more than 40 percent of organizations, including two-thirds of midsize enterprises, will rely on consolidated platforms to run cyber security validation assessments.
Trend 7: cyber security platform consolidation
As organizations look to simplify operations, vendors are consolidating platforms around one or more major cyber security domains. For example, identity security services may be offered through a common platform that combines governance, privileged access and access management features. SRM leaders need to continuously inventory security controls to understand where overlaps exist and reduce the redundancy through consolidated platforms.
Trend 8: composable businesses need composable security
Organizations must transition from relying on monolithic systems to building modular capabilities in their applications to respond to the accelerating pace of business change. Composable security is an approach where cyber security controls are integrated into architectural patterns and then applied at a modular level in composable technology implementations. By 2027, more than 50 percent of core business applications will be built using composable architecture, requiring a new approach to securing those applications.
Trend 9: boards expand their competency in cyber security oversight
The board’s increased focus on cyber security is being driven by the trend toward explicit-level accountability for cyber security to include enhanced responsibilities for board members in their governance activities. Cyber security leaders must provide boards with reporting that demonstrates the impact of cyber security programs on the organization’s goals and objectives.