Gartner’s 2023-2024 cyber security outlook, which the consultancy presented this week, contains good news and bad news. There has been a significant change compared to three years ago when chief information security officers were struggling to make an impact at the board level.
Partly due to increasingly sophisticated attacks, along with emerging technologies such as Web 3.0, conversational artificial intelligence, quantum computing and supply chain, security leaders now have more influence in the C-suite. However, as advisor Craig Porter, director of Gartner’s security research and advisory team, noted, “Dangerous actors have access to powerful tools such as ChatGPT, which can generate polymorphic malware code that can evade detection, or, even better, could compose a reliable email. What a fun time to be a security professional!”
What is compromising security? The teams are tense
Gartner estimates that nearly half of cyber leaders will change jobs by 2025, with 25% moving to different roles entirely due to multiple work-related stressors.
“This is another uptick caused by the pandemic and labor shortages across the industry,” Porter said. He said that when things go wrong, the security teams are in the limelight, but when the attacks are not successful, there is no celebration.
“The stress of work for cyber security is increasing and becoming untenable. It seems like it’s always the ‘good dog’, never the ‘great dog’. The only possible outcome in our jobs as security risk management professionals is either getting hacked or not getting hacked. This puts security risk management leaders at the edge of their limits and has deep psychological effects that affect decisions and performance,” he said.
An April study by security firm Splunk agrees with Gartner’s findings. In Splunk’s 2023 State of Security Report:
- In North America, Western Europe and Asia-Pacific, 88 percent of respondents reported challenges with cybersecurity staffing and skills.
- Fifty-three percent said they generally can’t keep enough staff, and 59 percent reported they are unable to find talent with the right skills.
- Eighty-one percent said serious staff members had left the organization for another job because of burnout.
- More than three-quarters of respondents revealed that an increase in their workload has resulted in them considering looking for a new role.
- Seventy-seven percent said that one or more projects/initiatives have failed.
Solutions include adjusting expectations
Gartner suggests that security and risk management leaders need to change the culture.
“Cybersecurity leaders can change the rules by engaging with stakeholders through collaborative design, delegating responsibility and being clear on what is possible and what is not, and why,” Porter said. Creating a culture where people can make autonomous decisions about risk is “very important,” he said.
He added that organizations must prioritize a change in culture to increase autonomy, make risk-aware decisions, and manage expectations with an accurate profile of the strengths and limitations of their security programs.
“And use human error as a leading indicator of cybersecurity fatigue within the organization,” Porter said.
Organizations must make privacy a competitive advantage
Gartner estimates that by 2024, modern privacy regulation will cover most consumer data, but fewer than 10% of organizations will be able to successfully make privacy a competitive advantage. He added that, as the pandemic escalates privacy concerns, organizations have a clear opportunity to strengthen business by leveraging their privacy advancements.
“As a general figure to illustrate the evolution of this trend, the percentage of the world’s population with access to many fundamental privacy rights exceeds that with access to clean drinking water,” he added.
He said that the avoidance of fines, infringement and reputation are the most important benefits offered to organizations that implement privacy programs; but in addition, enterprises are recognizing that privacy programs are enabling companies to differentiate themselves from competitors and to build trust and confidence among customers, business partners, investors, regulators and the public.
“With more countries introducing more modern privacy laws similar to the EU’s General Data Protection Regulation, we have passed a threshold where the European baseline is the de facto global standard for handling personal information,” Porter said. He advised security and risk management leaders to implement a comprehensive privacy standard in line with the General Data Protection Regulation. Doing so, he said, would be a differentiating factor for companies in an increasingly competitive market.
“It is a business opportunity. It’s kind of the new ‘go green’ or ‘cruelty free’ or ‘organic’. All these labels tell you about the company’s value proposition, so why not use secrecy as a competitive advantage?” he said, pointing out that Apple has marketed privacy heavily and that, according to some reports, that privacy campaign has led to a 44% increase in some markets.
Other predictions include more large enterprises with zero trust.
Here are Gartner’s predictions for this year and next:
- By 2025, 50% of leaders will have unsuccessfully attempted to use cyber risk quantification for enterprise decision making.
- By 2026, 10% of large enterprises will have a comprehensive, mature and measurable zero-trust program, compared to less than 1% today.
- By 2026, more than 60% of threat detection, investigation and response capabilities will leverage exposure management data to validate, prioritize, and address threats.
- By 2026, 70% of boards will include a member with cyber security expertise.
- By 2027, 50% of large enterprise CISOs will have adopted human-centered security practices to reduce cyber-induced friction and maximize control.
- By 2027, 75% of employees will acquire, modify, or create technology outside of IT’s visibility, up from 41% today.
Evolve to deal with threats, but do it quickly
One of the key findings from Gartner’s observation was that organizations need to patch the tire while biking. “If you haven’t done that, you need to adapt,” Porter said, adding that most company boards will view cyber risk as the top business risk for management. “…we anticipate that technology work will largely shift to a decentralized model over the next four to five years,” he added.
Porter also noted that there has been a sea change when it comes to how CISOs are viewed by the C-suite and boards: three years ago, CISOs were struggling to get a seat within the C-suite about risks and threats. “We’ve seen a huge change in that landscape,” Porter said.
Gartner’s presentation included an apt quote from self-development guru Brian Tracy, “…in a time of rapid change, standing still is the most dangerous course of action.”











