Cybersecurity predictions for the next 24 months

Sheila Zabeu

July 01, 2022

During a recent security and risk management event in Australia, Gartner underscored the pressing need to manage cyber threats and said that cyberthreat outcomes will be increasingly tied to the performance evaluation of top corporate executives. In addition, almost a third of countries are expected to regulate their response to ransomware attacks in the next three years.

In this scenario, security platforms will be essential to help organizations thrive in hostile environments, according to Gartner’s top cybersecurity predictions released at the event. “We can’t keep old habits and try to treat everything the same way we did in the past. Most cybersecurity and risk management leaders now recognize that potentially destructive events are only a few feet away and we can’t control them, but we can evolve our ideas, philosophy, programs and architectures,” points out Richard Addiscott, director of analysis at Gartner.

Gartner’s recommendation is that cybersecurity leaders consider the following premises in their strategic planning for the next two years:

  • By 2023, regulations requiring organizations to ensure privacy rights will cover 5 billion citizens and more than 70% of global GDP. The recommendation is to track rights request metrics, calculate costs per request and time to fulfil it, identify inefficiencies and justify accelerated automation measures.

  • By 2025, 80% of enterprises will adopt strategies to unify web and cloud services and application access from a single vendor’s Security Service Edge (SSE) platform. To meet the demands of a hybrid workforce and access to data everywhere, vendors are offering an integrated SSE solution to ensure security simply and consistently. Single-vendor solutions can ensure operational and security efficiencies.

  • By 2025, 60% of organizations will adopt Zero Trust as a starting point for ensuring security. More than half will not realize the benefits. The concept of Zero Trust, replacing implicit trust with risk-adapted trust based on identity in context, is powerful, but because it is a principle, not an organizational vision, it requires cultural change and clear communication that links it to business outcomes. As it is not always embraced in this way, it may not easily deliver the expected benefits.

  • By 2025, 60% of organizations will use cybersecurity risks as an important criterion when transacting with third parties and entering into business engagements. Cyber-attacks involving third parties are on the rise, yet only 23% of security and risk management leaders monitor third parties in real-time to assess risk exposure, according to Gartner data. Due to consumer concerns and regulatory mandates, organizations are expected to consider cybersecurity risks as a significant determinant when conducting business with third parties.

  • By 2025, 30% of countries will pass laws to regulate ransom payments for ransomware, fines, and trades. In 2021, that percentage was less than 1%. Deciding whether or not to pay a ransom is a business decision, not a security decision. Gartner recommends hiring a professional incident response team, as well as contacting law enforcement and regulatory agencies before negotiating.

  • By 2025, threat actors will have successfully weaponized technological environments to cause human casualties. Attacks on OT systems – hardware and software that monitor or control equipment, assets, and processes – will be increasingly common and destructive. In these operating environments, security and risk management leaders must become more aware of real-world dangers capable of harming people and the environment, rather than information theft, according to Gartner.

  • By 2025, 70% of CEOs will need to have a culture of organizational resilience to survive threats from cybercrime, severe weather events, and civil and political instabilities. After the COVID-19 pandemic exposed the inability of traditional planning to ensure business continuity, the need to rely on agile response capabilities in the face of large-scale downtime became evident. Gartner recommends that risk management leaders recognize organizational resilience as a strategic imperative and build resilience throughout the organization, involving employees, stakeholders, customers, and suppliers.

  • By 2026, 50% of senior executives will have their performance evaluations related to risk management incorporated into their employment contracts. Most boards of directors now view cybersecurity as a business risk, not just an IT issue, according to a recent Gartner survey. Because of this, it is expected that responsibility for handling cyber risks will shift from the security leader to senior business leaders.

Gartner gives more details about the top priorities for security and privacy leaders in the free e-book 2022 Leadership Vision for Security & Risk Management Leaders.

Source: Gartner