Security & Risk Management Experts Answer

COVID-19 will drive most of the challenges for security and risk teams in the next year, but in different ways. Engaging with executives and communicating the value of security investments while adapting to a rapidly changing cybersecurity landscape will be major issues for these teams. Ahead of Gartner Security & Risk Summit, Smarter with Gartner reached out to security experts to learn what they see as the biggest challenges for security and risk teams over the next year. 

What are the biggest challenges for security and risk teams in the next year?

Paul Proctor
Distinguished VP Analyst

The biggest challenge in the next year is resetting engagement with executives on technology risk and cybersecurity. Our research shows that the big funding uplifts on security programs that they have enjoyed for the past 5–7 years are over. The board wants to know what they got for all that money. Quantification is not going to solve this problem, and neither is the current execution of aligning security investment with “the business.”

Tom Scholtz
Distinguished VP Analyst

The challenges mostly relate to dealing with the impact of the COVID-19 pandemic. Inasmuch as the pandemic has accelerated digitalization adoption in many enterprises, security and risk teams must come to terms with the drastically changed risk posture, as well as the implicit new risk appetite, facing their organizations. In addition, they have to start planning for any cost optimization pressure resulting from the pandemic-induced global recession.

Sam Olyaei
Director Analyst 

In this climate, the biggest challenge for security and risk leaders will be identifying, measuring and communicating tangible value to the business, both as an individual leader and as a function. It isn’t (and never was) about the ability to stop attacks, protect infrastructure or achieve compliance but rather about the tangible benefits that the role/function provides to the business. This climate highlights the need to deliver value. Have you contributed to the bottom line? Improved customer experience? Increased safety protocols? Managed recovery protocols as a result of the pandemic?

Leaders must:

  1. Focus on value generation and socialize it across the enterprise
  2. Focus on making risk-based decisions to sustain business outcomes
  3. Open lines of communication with business stakeholders to address their needs. If there is no business to run (a reality for many), then no security is required.

For ALL leaders, this climate is ripe with opportunities to truly become pioneers of the future, trusted partners and C-level executives in charge of a business function that is a competitive differentiator (rather than a cost center buried in IT).

Katell Thielemann
VP Analyst

In a time of continued uncertainty, the biggest challenge will be to manage the paradox of having to open their security and risk apertures while prioritizing at the same time. We’ve seen in 2020 that with increased sudden remote work and remote operations, technology is now truly ubiquitous, and the risk envelope is everywhere.

As more cyber-physical systems emerge and are deployed, risks, vulnerabilities and threats go beyond data security, and to the heart of operations and mission-critical environments. Witness, for instance, the recent attack on an Israeli water system, followed by retaliation against an Iranian port. Or the rise in warnings from government agencies of stepped-up attacks across all critical infrastructure sectors.

While bad actors look for the weakest links wherever they are, security and risk leaders also need to open their apertures. But budgets are going to get tighter, so they will need to prioritize. They will first need to discover all connected assets wherever they are, and engage the business or mission leads in discussions around which ones are of highest business value, and deploy targeted strategies as a result.

In 2020 and beyond, security and risk teams will need leaders and partners like never before.

Richard Addiscott
Senior Director Analyst 

Security and risk teams must ensure that they are able to best position themselves in a way that minimizes the organization’s exposure to an altered cyberthreat environment while taking proactive steps to aid in the organization’s economic recovery following recent impacts to global markets and economies.

First and foremost, it is critical to acknowledge that the organization’s strategic objectives, operating model and cyberthreat landscape will likely have changed. This sounds like common sense; however, Gartner research shows that 82% of security and risk management leaders do not adapt their budgets to reflect business and environmental impacts. With this acknowledgment, security and risk leaders must then recognize that their current, in-flight security enhancement roadmaps may no longer be appropriate for the organization’s short- to midterm plans.

As a result of recent impacts on the global economy, information security spending growth forecasts are expected to drop by over half, from 9.1% to 4.1% in 2020. However, the cyberthreat environment remains unabated and has amplified as a result of COVID-19, with attackers seeking to exploit natural concerns people have with regard to their health, the health of their loved ones and their own financial livelihoods.

Engaging early with senior business executives will be key to understanding what, if any, changes there will be to the organization’s strategic trajectory over the next 12 months and how it plans to achieve its objectives. Taking the outcome of those discussions and the review of the cyberthreat environment into consideration, security teams should proactively review, and recast as necessary, their existing security enhancement roadmaps. This will help to ensure that the portfolio of security initiatives over the next 12 months is the right one to optimally address the current and foreseeable cyberthreat environment within the limits of new security investment budgets.