Tags: Gartner; Risk Management; Predictions
Source: Gartner, "Gartner Unveils the Top Eight Cybersecurity Predictions for 2022-23"
Relevance: Cyber security risk management runs as a central theme through
each of these predictions.
- Formal risk management thinking and processes have been central to peer
conversations for more than 10 years. It is now time to bring quantitative and
qualitative measurement and evaluation into business decisions about the
controls that protect critical assets. We do this to protect our business.
- Just as importantly, perhaps more so, risk management must be part of
product security decision making. We do this to protect our customers, which
in turn protects our business.
Gartner recommends that cybersecurity leaders build the following
strategic planning assumptions into their security strategies for the next two
years.
- Through 2023, government regulations requiring organizations to provide
consumer privacy rights will cover 5 billion citizens and more than 70% of
global GDP.
As of 2021, almost 3 billion individuals had access to consumer privacy rights
across 50 countries, and privacy regulation continues to expand. Gartner
recommends that organizations track subject rights request metrics, including
cost per request and time to fulfill, to identify inefficiencies and justify
accelerated automation.
- By 2025, 80% of enterprises will adopt a strategy to unify web, cloud
services and private application access from a single vendor's SSE platform.
With a hybrid workforce and data everywhere, accessible by everything, vendors
are offering integrated security service edge (SSE) solutions to deliver
consistent and simple web, private access and SaaS application security.
Gartner argues that single-vendor solutions provide significant operational
efficiency and security effectiveness compared with assembling best-of-breed
products: tighter integration, fewer consoles to operate, and fewer points at
which traffic must be decrypted, inspected and re-encrypted.
- By 2025, 60% of organizations will embrace zero trust as a starting point
for security. More than half will fail to realize the benefits.
The term zero trust is now prevalent in security vendor marketing and in
security guidance from governments. As a mindset (replacing implicit trust with
identity- and context-based, risk-appropriate trust) it is extremely powerful.
However, because zero trust is both a security principle and an organizational
vision, it requires a cultural shift and clear communication that ties it to
business outcomes before the benefits are realized.
- By 2025, 60% of organizations will use cybersecurity risk as a primary
determinant in conducting third-party transactions and business engagements.
Cyberattacks related to third parties are increasing, yet only 23% of security
and risk leaders monitor third parties in real time for cybersecurity exposure,
according to Gartner data. Driven by consumer concerns and regulator interest,
Gartner expects organizations to start mandating cybersecurity risk as a
significant determinant when doing business with third parties, ranging from
simple monitoring of a critical technology supplier to complex due diligence
for mergers and acquisitions.
- Through 2025, 30% of nation states will pass legislation that regulates
ransomware payments, fines and negotiations, up from less than 1% in 2021.
Modern ransomware gangs steal data as well as encrypt it. The decision to pay
a ransom or not is a business-level decision, not a security one. Gartner
recommends engaging a professional incident response team, law enforcement and
any relevant regulatory body before negotiating.
- By 2025, threat actors will have successfully weaponized operational
technology environments to cause human casualties.
Attacks on OT (the hardware and software that monitors or controls equipment,
assets and processes) have become more common and more disruptive. In
operational environments, Gartner advises security and risk management leaders
to be more concerned with real-world hazards to humans and the environment than
with information theft.
- By 2025, 70% of CEOs will mandate a culture of organizational resilience to
survive coinciding threats from cybercrime, severe weather events, civil unrest
and political instability.
The COVID-19 pandemic exposed the inability of traditional business continuity
management planning to support an organization's response to a large-scale
disruption. With continued disruption likely, Gartner recommends that risk
leaders treat organizational resilience as a strategic imperative and build an
organization-wide resilience strategy that also engages staff, stakeholders,
customers and suppliers.
- By 2026, 50% of C-level executives will have performance requirements
related to risk built into their employment contracts.
Most boards now regard cybersecurity as a business risk rather than solely a
technical IT problem, according to a recent Gartner survey. As a result,
Gartner expects formal accountability for the treatment of cyber risks to shift
from the security leader to senior business leaders.