Chief information security officers (Cisos) are encouraged to incorporate more strategic assumptions into their corporate plans in the next few years to keep up with an evolving IT security landscape, a new study from Gartner has found.

While there is "no question" that Cisos and their IT teams should be "laser focused" on the present, the constant threat of cyberattacks and their complexities require foresight to counter them and prevent any disruption in their operations, the US-based research company said on Tuesday.

"They need to make time to look up from their daily challenges and scan the horizon to see what’s coming down the track that might impact their security programmes in the next couple of years," said Richard Addiscott, senior director analyst at Gartner.

Cybersecurity attacks can cause reputational and financial damage to companies. The global average cost of a data breach in 2022 was $4.35 million, up from $4.24 million the previous year, according to the latest edition of IBM's Cost of a Data Breach report.

Gartner has listed eight cybersecurity trends to look out for in the coming years, noting how this can be achieved and their implications for enterprises and individuals.

The demands of keeping up with a changing cybersecurity landscape will take their toll on leaders, with half of them projected to switch jobs and a quarter jumping to entirely different roles by 2025, Gartner said. This is because the "work stressors" of cybersecurity professionals will rise and become unsustainable, it said.

However, this can be countered by organisations providing a work culture that supports their roles. While Gartner acknowledges that eliminating stress is unrealistic, "people can manage challenging and stressful jobs in cultures where they are supported.
Changing the rules of engagement to foster cultural shifts will help".

By 2026, about 70 per cent of company boards are expected to include one member who has cybersecurity expertise, according to Gartner. This would help an organisation's top brass to have a better understanding of their cybersecurity strategy, which, in turn, would establish a closer relationship to improve trust and support within a company, it said.

"This means not only showing how the cybersecurity programme prevents unfavourable things from happening, but how it improves the enterprise’s ability to take risks effectively," Gartner said.

Through 2027, half of Cisos are expected to formally integrate human-centric design practices into their cybersecurity programmes to reduce operational friction and maximise control adoption. The aim is to minimise the chances of employees taking unsecure actions during work activities while knowing that these actions would increase risk; more than 90 per cent admitted to doing so, the study said.

"Human-centric security design is modelled with the individual — not technology, threat or location — as the focus of control design and implementation," it said.

Modern regulations on privacy will dominate the majority of consumer data by 2024, Gartner said. However, less than 10 per cent of companies will have successfully utilised privacy as a competitive advantage, it noted. Adhering to privacy standards, such as the EU's General Data Protection Regulation, will allow enterprises to use data more broadly, which will differentiate them from competitors and build trust with their customers, partners, investors and regulators, the study said.

About 10 per cent of large enterprises are expected to have a comprehensive zero-trust programme in place, up from just 1 per cent at present, to boost their cybersecurity infrastructure, Gartner said.
A zero-trust model means that, by default, no one trying to access data and information is trusted unless their identity is verified. "Starting small, an ever-evolving zero-trust mindset makes it easier to better grasp the benefits of a program and manage some of the complexity one step at a time," the research showed.

By 2025, half of cybersecurity leaders will have tried, unsuccessfully, to use cyberrisk quantification — the measuring of IT and cyberrisk exposure in monetary terms — to drive decision-making within organisations, the study said. About 62 per cent of quantification adopters cite soft gains in credibility and risk awareness, but only 36 per cent have achieved action-based results, according to Gartner.

"Security leaders should focus firepower on quantification that decision-makers ask for, instead of producing self-directed analyses they have to persuade the business to care about," it said.

By 2027, about three quarters of employees will acquire, modify or create technology outside IT’s visibility, up from 41 per cent in 2022, the study said. In technology, visibility is the awareness of a network's components and data. Reorganising cybersecurity models to cater to this coming change will be needed, Gartner said. Enterprises must "think beyond technology and automation to deeply engage with employees to influence decision-making", it said.

With the increased use of connectivity, software-as-a-service and the cloud, organisations will require systems that have more visibility and constantly monitor security threats. As such, more than 60 per cent of threat detection, investigation and response capabilities will use exposure management data to validate and prioritise detected threats through 2026, up from less than 5 per cent at present, Gartner said.
"These predictions are a signal flare for some of those things we see emerging and should be considered by any Ciso looking to build an effective and sustainable cybersecurity programme," Mr Addiscott said.