Gartner’s 2023-2024 cybersecurity outlook, which the consultancy presented this week, contains good news and bad. There has been a significant shift from three years ago when chief information security officers were struggling to exert board-level influence.
Partly due to emerging technologies such as Web 3.0, conversational artificial intelligence, quantum computing and supply chains, along with increasingly sophisticated attacks, security leaders now have more influence in the C-suite. However, as Craig Porter, director advisory for Gartner’s Security Research and Advisory team said, “Threat actors have access to powerful tools like ChatGPT, which can generate polymorphic malware code that can avoid detection, or even better, write a convincing email. What a fun time to be a security professional!”
What is compromising security? Teams under stress
Gartner predicts that by 2025 nearly half of cyber leaders will change jobs, with 25% moving to different roles entirely due to multiple work-related stressors.
“It’s another acceleration caused by the pandemic and staffing shortages across the industry,” said Porter, adding that security teams are in the spotlight when things go wrong, but not celebrated when attacks aren’t successful.
“The work stressors are on the rise for cybersecurity and becoming unsustainable. It seems like it’s always ‘good dog,’ never ‘great dog.’ The only possible outcomes in our jobs as security risk management professionals are either get hacked or don’t get hacked. That puts security risk management leaders on the edge of their limits with profound and deep psychological impacts that affect decisions and performance,” he said.
An April study by security firm Splunk concurs with Gartner’s findings. In Splunk’s 2023 State of Security report:
- Eighty-eight percent of respondents across North America, Western Europe and Asia-Pacific reported challenges with cybersecurity staffing and skills.
- Fifty-three percent said that they cannot hire enough staff generally, and 59% reported being unable to find talent with the right skills.
- Eighty-one percent said critical staff member(s) left the organization for another job due to burnout.
- Over three-quarters of respondents revealed that the resulting increase in their workload has led them to consider looking for a new role.
- Seventy-seven percent said one or more projects/initiatives have failed.
Solutions include adjusting expectations
Gartner suggests security and risk management leaders need to change the culture.
“Cybersecurity leaders can change the rules of engagement through collaborative design with stakeholders, delegating responsibility and being clear on what’s possible and what’s not, and why,” said Porter. He added that creating a culture where people can make autonomous decisions around risk “is an absolute must.”
He said organizations should prioritize culture shifts to enhance autonomous, risk-aware decision making and manage expectations with an accurate profile of the strengths and limitations of their security programs.
“And use human error as a key indicator of cybersecurity fatigue within the organization,” Porter added.
Organizations should make privacy a competitive advantage
Gartner predicts that by 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10% of organizations will have successfully made privacy a competitive advantage. Porter noted that, as the pandemic accelerated privacy concerns, organizations have a clear opportunity to strengthen their business by leveraging their privacy advancements.
“Just as a general statistic to exemplify the growth of this trend, the percentage of the world’s population with access to several fundamental privacy rights exceeds that with access to clean drinking water,” he said.
He said that avoiding fines, breaches and reputational damage is the most significant benefit conferred on organizations that implement privacy programs; additionally, enterprises are recognizing that privacy programs enable companies to differentiate themselves from competitors and build trust and confidence with customers, business partners, investors, regulators and the public.
“With more countries introducing more modern privacy laws in the same vein as the European Union’s General Data Protection Regulation, we have crossed a threshold where the European baseline for handling personal information is the de facto global standard,” said Porter. He counseled security and risk management leaders to enforce a comprehensive privacy standard in line with the General Data Protection Regulation. Doing so, he said, will be a differentiator for companies in an increasingly competitive market.
“It’s a business opportunity. This is kind of the new ‘go green’ or ‘cruelty free’ or ‘organic.’ All of these labels tell you about the value proposition of the company, so why not use privacy as a competitive advantage?” he said, pointing out that Apple has marketed privacy strongly, and by some reports has grown 44% in some markets from that privacy campaign.
Other predictions include more large enterprises with zero trust
Among Gartner’s predictions for this year and next are:
- By 2025, 50% of leaders will have tried unsuccessfully to use cyber risk quantification to drive enterprise decision making.
- By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program in place, up from less than 1% today.
- Through 2026, more than 60% of threat detection, investigation and response capabilities will leverage exposure management data to validate, prioritize and detect threats.
- By 2026, 70% of boards will include one member with cybersecurity expertise.
- By 2027, 50% of large enterprise CISOs will have adopted human-centric security practices to minimize cyber-induced friction and maximize adoption of controls.
- By 2027, 75% of employees will acquire, modify or create tech outside of IT’s visibility, up from 41% today.
Evolve to meet threats, but do it quickly
A key takeaway from Gartner’s overview was that organizations need to patch the tire while riding the bike. “If you have not done so, you need to adapt,” said Porter, adding that most company boards will see cyber risk as a top business risk to manage. “… We estimate that technology work will shift to a decentralized model in a big way in the next four to five years,” he said.
Porter also said that there has been a sea change in how CISOs are perceived by the C-suite and boards: Three years ago, CISOs were struggling to get a seat in the C-suite to discuss risks and threats. “We have seen that scenario change drastically,” said Porter.
Gartner’s presentation included an apt quote from self-development guru Brian Tracy, “…in a time of rapid change, standing still is the most dangerous course of action.”