Key Takeaways

• Attack Surface Expansion. A dramatic increase in attack surface is emerging from changes in the use of digital systems, including new hybrid work, accelerating use of public cloud, more tightly interconnected supply chains, expansion of public-facing digital assets, and greater use of operational technology.
• Identity Threat Detection and Response (ITDR). ITDR describes the collection of tools and best practices to successfully defend identity systems from endemic levels of attacks.
• Digital Supply Chain Risk. As widespread vulnerabilities such as URGENT/11 and Log4j spread throughout the supply chain via reuse across all types of technology stacks, more attacks will emerge.
• Vendor Consolidation. Security technology convergence is accelerating, driven by the need to reduce complexity, leverage commonalities, reduce administration overhead and provide more effective security. 
• Cybersecurity Mesh. Cybersecurity mesh creates and leverages interoperable connections between security tools to promote a consistent security posture, allowing tools to share and leverage security intelligence and apply a dynamic policy model. 
• Distributing Decisions. By 2025, a single, centralized CISO will no longer be sufficient to manage the cybersecurity needs of a digital organization.
• Beyond Awareness. Human errors continue to feature in the majority of data breaches, a clear signal that traditional approaches to security awareness training are no longer effective.

Learn more about the top trends in security and risk management for 2022 in the associated Gartner press release.

Key Takeaways

• “CISOs operate in a silo, and thus they are often overworked, met with unrealistic expectations and serve as a scapegoat. At the end of the day there is rarely anyone at the organization that shares the same accountability as the CISO does.”
  
• “Gartner considers four key factors when evaluating CISO effectiveness: functional leadership, information security service delivery, enterprise responsiveness and scaled governance.”
  
• “Few CISOs excel in every category, and in fact only 12% of CISOs that Gartner surveyed excel in all four categories of effectiveness.”
  
• “Effective CISOs are far less likely to report business-disrupting security incidents or project delays due to information security, and on the personal side, fewer effective CISOs feel overwhelmed by security alerts or by stress at work.”
  
• “There are 14 controllable differentiators of CISO effectiveness, which we’ve nested under four categories. An effective CISO is an executive influencer, a future-risk manager, a workforce architect and a stress navigator.” 
  
• “We are seeing a great deal of experimentation as organizations realize that old org charts no longer fit new digital ecosystems.”
  

Learn more about how to be an effective chief security officer in the complimentary Gartner ebook Four Factors of Effective CISO Leadership.

Key Takeaways

• Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP: “Security and risk management leaders should enforce a comprehensive privacy standard in line with the GDPR. This will allow their businesses to differentiate themselves in an increasingly competitive market and grow unhindered.”
  
• By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform: “Create a dedicated team of security and networking experts with a shared responsibility for secure access engineering spanning on-premises, remote workers, branch offices and edge locations.”
  
• 60% of organizations will embrace Zero Trust as a starting point for security by 2025. Over half will fail to realize benefits: “Communicate business relevance of ZT by aligning resilience and agility.”
  
• By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements: “Leverage risk-based evaluations that highlight transparency and reward participants.” 
  
• Through 2025, 30% of nation states will pass legislation that requires ransomware payments, fines and negotiations, up from less than 1% in 2021: “Recognize the impact of paying. Modern ransomware gangs have shifted to steal data as well as encrypt it. Payment means the stolen data won’t be published, but it may very well be sold or otherwise disclosed at a later date if the information has value.”