“How do we make sure our consumers aren’t physically harmed by rogue agents?” That's the kind of question security and risk leaders need to anticipate and plan for now.
The proliferation of cyber-physical systems, systems that bridge the cyber and physical worlds in technologies such as autonomous cars or digital twins, represents yet another security risk for organizations, and how threat actors will target these systems is one of our top predictions for the coming years.
“We’re falling into this old habit of trying to treat everything the same as we did in the past,” said Sam Olyaei, Director Analyst, Gartner, during his presentation at the Gartner IT Symposium/Xpo™ 2021 conference. “This simply cannot continue. We need to make sure that we are evolving our thinking, our philosophy, our program and our architecture.”
Security and risk management has become a board-level issue for organizations. The number and sophistication of security breaches are rising, spurring new legislation to protect consumers and putting security at the forefront of business decisions.
Gartner experts predict more decentralization, regulation, and safety implications over the next few years. Build these strategic planning assumptions into your roadmap for the year ahead.
1. By the end of 2023, modern privacy laws will cover the personal information of 75% of the world’s population.
GDPR was the first major modern consumer privacy law, but it was quickly followed by others, including Brazil’s General Personal Data Protection Law (LGPD) and the California Consumer Privacy Act (CCPA). The sheer scope of these laws means you will be managing multiple data protection laws across jurisdictions, and customers will want to know what data you collect and how it is used. It also means you will need to automate your privacy management program. Standardize your operations using GDPR as a baseline, then adjust for the requirements of individual jurisdictions.
2. By 2024, organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90%.
Organizations now run a variety of technologies in different places, so they need a flexible, composable security approach. A cybersecurity mesh extends controls to cover identities outside the traditional security perimeter and creates a holistic view of the organization's security posture. It also improves security for remote work. These demands will drive adoption over the next two years.
3. By 2024, 30% of enterprises will adopt cloud-delivered secure web gateway (SWG), cloud access security brokers (CASB), zero trust network access (ZTNA) and firewall as a service (FWaaS) capabilities from the same vendor.
These four cloud-delivered capabilities are the security components of Gartner's secure access service edge (SASE) model, and organizations are leaning into optimization and consolidation. Security leaders often manage dozens of tools, but they plan to consolidate to fewer than 10. SaaS will become the preferred delivery method, and consolidation will change the timelines for adopting and replacing hardware appliances.
4. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
Investors, especially venture capitalists, are using cybersecurity risk as a key factor in assessing opportunities. Organizations increasingly weigh cybersecurity risk during business deals, including mergers and acquisitions and vendor contracts. The result is more requests for data about a partner’s cybersecurity program, typically via questionnaires or third-party security ratings.
5. The percentage of nation states passing legislation to regulate ransomware payments, fines and negotiations will rise to 30% by the end of 2025, compared to less than 1% in 2021.
Broader regulations may already apply to ransomware payments, but security leaders should expect a more aggressive crackdown on paying. Because the cryptocurrency market is largely unregulated, paying a ransom carries ethical, legal and moral implications, and it is vital to weigh them before deciding. The decision to pay (or not) should rest with a cross-functional team that can address all of these concerns.
6. By 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member.
As cybersecurity becomes (and remains) top of mind for boards, expect to see board-level cybersecurity committees and stricter oversight and scrutiny. This increases the visibility of cybersecurity risk across the organization and requires a new approach to board reporting, tailored to the board members’ backgrounds and experience. Focus messaging on value, risk and cost.
7. By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coincident threats from cybercrime, severe weather events, civil unrest and political instabilities.
Move beyond cybersecurity to organizational resilience so that your program accounts for the broader threat environment. Digital transformation adds complexity to the threat landscape, which affects how you produce products and services. Define organizational resilience and its objectives, then build an inventory of the cyber risks that threaten those objectives.
8. By 2025, threat actors will have weaponized operational technology environments successfully enough to cause human casualties.
As malware spreads from IT into OT environments, the conversation shifts from business disruption to physical harm, with liability likely ending at the CEO. Adopt an asset-centric approach to securing cyber-physical systems, starting with an inventory of OT assets, and make sure teams are in place and accountable for managing them.