My Account
Conferences About Newsroom Careers
  • Insights
    Featured
    • All Insights
    • New Topic Guides
    • Gartner Business Quarterly
    • Strategic Planning
    • Leadership Vision
    • Recession Guidance
    • Future of Work Reinvented
    • Sustainable Business Strategy
    • Diversity, Equity and Inclusion
    By Function
    • Audit & Risk
    • Customer Service & Support
    • Cybersecurity
    • Data & Analytics
    • Finance
    • Human Resources
    • Information Technology
    • Legal & Compliance
    • Marketing & Communications
    • Product
    • R&D & Corporate Strategy
    • Sales
    • Supply Chain
    By Industry
    • Education
    • Energy & Utilities
    • Financial Services
    • Government & Public Sector
    • Healthcare
    • High Tech & Telecom
    • Investment Services
    • Manufacturing
    • Retail
    Expert Guidance
    Tools
    Overview
    • Tools to Make Smarter, Faster Decisions
    Featured Tools
    • BuySmart: Buy Technology with Confidence
    • Critical Capabilities: Analyze Products & Services
    • Digital IQ: Power of My Brand Positioning
    • Hype Cycle: Measure Technology Lifecycle
    • Magic Quadrant: Market Analysis of Competitive Players
    • Product Decisions: Power Your Product Strategy
    Templates & Frameworks
    • Benchmarking: Best in Class Diagnostics
    • Cost Optimization: Drive Growth and Efficiency
    • Strategic Planning: Turn Strategy into Action
    Connect with Peers
    Overview
    • Connect with Peers on Your Mission-Critical Priorities
    Conferences
    • All Conferences
    • Asia/Pacific and Japan
    • Europe, Middle East and Africa
    • North America
    Communities
    • Peer Insights: Guide Decisions with Peer-Driven Insights
    • Evanta: Connecting C-Level Executives
    Conferences
    About
    Newsroom
    Careers
  • Become a Client

    or call

  • Audit & Risk
  • Roles
    • Internal Audit Leaders
    • Enterprise Risk Management (ERM) Leaders
  • Research
    • Audit Benchmarking
    • Risk Benchmarking
  • Experts
  • Insights
    • Trending Topics
  • Events
    • Webinars
  • Audit & Risk
  • Roles
    • Internal Audit Leaders
    • Enterprise Risk Management (ERM) Leaders
  • Research
    • Audit Benchmarking
    • Risk Benchmarking
  • Experts
  • Insights
    • Trending Topics
    • Smarter with Gartner
  • Events
    • Webinars
  • Client Success Stories
  • Become a Client

    or call

Menu
    • Audit & Risk
    • Roles
      • Internal Audit Leaders
      • Enterprise Risk Management (ERM) Leaders
    • Research
      • Audit Benchmarking
      • Risk Benchmarking
    • Experts
    • Insights
      • Trending Topics
      • Smarter with Gartner
    • Events
      • Webinars
    • Client Success Stories
    • Conferences
    • About
    • Newsroom
    • Careers
  • Gartner client? Log in for personalized search results.

What Is Cybersecurity?

Cybersecurity is the practice of deploying people, policies, processes and technologies to protect organizations, their critical systems and sensitive information from digital attacks.

Table of Contents

  • What does cybersecurity mean for your business?
  • What is the cybersecurity impact of Russia’s invasion of Ukraine?
  • What are the cybersecurity concerns for critical infrastructure?
  • What is a cyberattack?
  • What is a DDoS attack?
  • What are cybersecurity controls and cyber defense?
  • Why does cybersecurity fail?
  • What is the future of cybersecurity?
  • Who is responsible for managing cybersecurity?
  • What cybersecurity metrics do I need?
  • How much should I spend on cybersecurity?
Hidden Comment
  • Latest Cybersecurity Insights
  • Cybersecurity Initiatives
  • Resources for Cybersecurity Leaders
  • Conferences for Cybersecurity Leaders

What does cybersecurity mean for your business?

Cybersecurity is a business problem that has been presented as such in boardrooms for years, and yet accountability still lies primarily with IT leaders. 

In the 2022 Gartner Board of Directors Survey, 88% of board members classified cybersecurity as a business risk; just 12% called it a technology risk. Still, a 2021 survey showed that the CIO, the chief information security officer (CISO) or their equivalent were held accountable for cybersecurity at 85% of organizations.

Organizations have become far more vulnerable to cyberthreats because digital information and technology are now so heavily integrated into day-to-day work. But the attacks themselves, which target both information and critical infrastructure, are also becoming far more sophisticated. 

Cyber-risk incidents can have operational, financial, reputational and strategic consequences for an organization, all of which come at significant costs. This has made existing measures less effective, and it means that most organizations need to up their cybersecurity game. 

Cybersecurity Roadmap

What is the cybersecurity impact of Russia’s invasion of Ukraine?

The Russian invasion of Ukraine is marked by both military and destructive malware attacks. As the invasion expands, the threat of attacks to critical infrastructure — and the potential for fatal outages — grows. No business is immune. 

Many organizations already face a range of lurking security failures, but now, it’s especially important to rely on threat intelligence tailored for your organization and to watch for guidance from your government contacts around how to prepare for attacks you may not be ready to handle. 

As the C-suite strategizes its response to the Russian invasion of Ukraine, prioritize cybersecurity planning. Focus on what you can control. Make sure your incident response plans are current. Increase awareness and vigilance to detect and prevent potential increased threats, but be mindful of the added stress and pressure your organization is feeling. A human error due to these forces may have a greater impact on your organization than an actual cyber attack.

Incident Planning Must-Haves

What are the cybersecurity concerns for critical infrastructure?

Critical infrastructure sectors include energy production and transmission, water and wastewater, healthcare, and food and agriculture. In many countries, critical infrastructure is state-owned, while in others, like the U.S., private industry owns and operates a much larger portion of it.

Not only are each of these sectors critical to the appropriate functioning of modern societies, but they are also interdependent, and a cyberattack on one can have a direct impact on others. Attackers are increasingly choosing to deploy attacks on cyber-physical systems (CPS).

The risks were very real even before Russia invaded Ukraine. Attacks on organizations in critical infrastructure sectors rose from less than 10 in 2013 to almost 400 in 2020, a 3,900% increase. It’s not surprising, then, that governments worldwide are mandating more security controls for mission-critical CPS. 

The Russian invasion of Ukraine increases the threat of cyberattacks for all organizations. You need to develop a holistic, coordinated CPS security strategy while also incorporating into governance emerging security directives for critical infrastructure. The U.S. “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems,” for example, is prioritizing the electricity and natural gas pipeline sectors, followed by the water/wastewater and chemical sectors.

The crux of the problem is that traditional network-centric, point-solution security tools are no longer sufficient to combat the speed and complexity of today’s cyberattacks. This is particularly the case as operational technology (OT), which connects, monitors and secures industrial operations (machines), continues to converge with the technology backbone that processes organization’s information technology (IT). 

Conduct a complete inventory of OT/Internet of Things (IoT) security solutions in use within your organization. Also perform an evaluation of standalone or multifunction platform-based security options to further accelerate CPS security stack convergence.

CPS Security Vendors

What is a cyberattack?

The most common and notable types of cybersecurity attacks include:

  • Phishing and social-engineering-based attacks.
    Attackers trick legitimate users with proper access credentials into taking action that opens the door for unauthorized users, allowing them to transfer information and data out (data exfiltration).
  • Internet-facing service risks (including cloud services).
    These threats relate to the failure of enterprises, partners and vendors to adequately secure cloud services or other internet-facing services (for example, configuration management failure) from known threats.
  • Password-related account compromises.
    Unauthorized users deploy software or other hacking techniques to identify common and reused passwords they can exploit to gain access to confidential systems, data or assets.
  • Misuse of information.
    Authorized users inadvertently or deliberately disseminate or otherwise misuse information or data to which they have legitimate access.
  • Network-related and man-in-the-middle attacks.
    Attackers may be able to eavesdrop on unsecured network traffic or redirect or interrupt traffic as a result of failure to encrypt messages within and outside an organization’s firewall.
  • Supply chain attacks.
    Partners, vendors or other third-party assets or systems (or code) become compromised, creating a vector to attack or exfiltrate information from enterprise systems.
  • Denial-of-service attacks (DoS).
    Attackers overwhelm enterprise systems and cause a temporary shutdown or slowdown. Distributed DoS (DDoS) attacks also flood systems, but by using a network of devices. (Also see “What is a DDos attack?”)
  • Ransomware.
    This malicious software infects an organization’s systems and restricts access to encrypted data or systems until a ransom is paid to the perpetrator. Some attackers threaten to release data if the ransom isn’t paid.
Security & Risk Strategy

What is a DDoS attack?

Cyber attackers deploy DDoS attacks by using a network of devices to overwhelm enterprise systems. While this form of cyber attack is capable of shutting down service, most attacks are actually designed to cause disruption rather than interrupt service completely.

Thousands of DDoS attacks are now reported each day, and most are mitigated as a normal course of business with no special attention warranted. But cyber attackers are capable of increasing the scope of the attack — and DDoS attacks continue to rise in complexity, volume and frequency. This presents a growing threat to the network security of even the smallest enterprises.

DDos attacks also increasingly target applications directly. Successful and cost-effective defense against this type of threat therefore requires a multilayered approach:

  • Internal: defenses inside your network behind the firewall.
  • Edge: on-premises solutions (physical devices on or in front of the enterprise firewalls and edge routers)
  • External/cloud provider: outside the enterprise, such as internet service providers (ISPs)
  • People and process: include incident response and the mitigation playbook along with the skill sets needed to stop an attack

DDoS mitigation requires skills distinct from those required to defend against other types of cyberattacks, so most organizations will need to augment their capabilities with third-party solutions.

Security IT Innovations

What are cybersecurity controls and cyber defense?

A range of IT and information system control areas form the technical line of defense against cyberattacks. These include:

  • Network and perimeter security.
    A network perimeter demarcates the boundary between an organization’s intranet and the external or public-facing internet. Vulnerabilities create the risk that attackers can use the internet to attack resources connected to it.
  • Endpoint security.
    Endpoints are network-connected devices, such as laptops, mobile phones and servers. Endpoint security protects these assets and, by extension, data, information or assets connected to these assets from malicious actors or campaigns.
  • Application security.
    It protects data or code within applications, both cloud-based and traditional, before and after applications are deployed.
  • Data security.
    It comprises the processes and associated tools that protect sensitive information assets, either in transit or at rest. Data security methods include encryption, which ensures sensitive data is erased, and creating data backups.
  • Identity and access management (IAM).
    IAM enables the right individuals to access the right resources at the right times for the right reasons.
  • Zero trust architecture.
    It removes implicit trust (“This user is inside my security perimeter”) and replaces it with adaptive, explicit trust (“This user is authenticated with multifactor authentication from a corporate laptop with a functioning security suite”).

Technology controls aren’t the only line of defense against cyberattacks. Leading organizations critically examine their cyber-risk culture and relevant functions’ maturity to expand their cyber defense. This includes building employee awareness and secure behaviors.

test ▶
▶

Why does cybersecurity fail?

Simply put, cybersecurity fails because of a lack of adequate controls. No organization is 100% secure, and organizations cannot control threats or bad actors. Organizations only control priorities and investments in security readiness. 

To decide where, when and how to invest in IT controls and cyber defense, benchmark your security capabilities — for people, process and technology — and identify gaps to fill and priorities to target.

Notably, the human element features heavily in cybersecurity risks. Cybercriminals have become experts at social engineering, and they use increasingly sophisticated techniques to trick employees into clicking on malicious links. Making sure employees have the information and know-how to better defend against these attacks is critical.

Employees and Cyber Bait

What is the future of cybersecurity?

The environment itself is evolving in several key ways:

  • Growing network, infrastructure and architectural complexity create a greater number and variety of connections that can be targets of cyberattacks.
  • Increasing sophistication of threats and poor threat sensing make it hard to keep track of the growing number of information security controls, requirements and threats.
  • Third-party vulnerabilities will persist as organizations continue to struggle to establish minimum but robust controls for third parties — especially as most vendors, in particular cloud vendors, are themselves relying on third parties (which become your fourth parties and so on).
  • Cybersecurity debt has grown to unprecedented levels as new digital initiatives, frequently based in the public cloud, are deployed before the security issues are addressed.
  • Cyber-physical systems are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). Connecting the digital and physical worlds (as in smart buildings) presents a unique and growing area of vulnerability.

test ▶
▶

Who is responsible for managing cybersecurity?

Cybersecurity is interconnected with many other forms of enterprise risk, and the threats and technologies are evolving quickly. Given this, multiple stakeholders must work together to ensure the right level of security and guard against blind spots. But despite the growing view that cybersecurity is a business risk, accountability for cybersecurity still falls mostly on the shoulders of IT leaders. 

A 2021 Gartner survey found that the CIO, CISO or their equivalent were held accountable for cybersecurity at 85% of organizations. Non-IT senior managers held accountability in only 10% of organizations surveyed, and only 12% of boards have a dedicated board-level cybersecurity committee.

To ensure adequate security, CIOs should work with their boards to ensure that responsibility, accountability and governance are shared by all stakeholders who make business decisions that affect enterprise security.

Evaluate the Security Team

What cybersecurity metrics do I need?

Most cybersecurity metrics used today are trailing indicators of factors the organization does not control (e.g., “How many times were we attacked last week?”). Instead, focus on metrics related to specific outcomes that prove your cybersecurity program is credible and defensible.

Gartner expects that by 2024, 80% of the magnitude of fines regulators impose after a cybersecurity breach will result from failures to prove the duty of due care was met, as opposed to the impact of the breach.

Gartner advocates the “CARE” model of outcome-driven metrics (ODMs):

Consistency

Consistency metrics assess whether controls are working consistently over time across an organization.

Adequacy

Adequacy metrics assess whether controls are satisfactory and acceptable in line with business needs.

Reasonableness

Reasonableness metrics assess whether the controls are appropriate, fair and moderate.

Effectiveness

Effectiveness metrics assess whether the controls are successful and/or efficient in producing a desired or intended outcome.

Assess Cybersecurity Risk

How much should I spend on cybersecurity?

The amount you spend on cybersecurity does not reflect your level of protection, nor does what others spend inform your level of protection compared to theirs.

Most monetary representations of risk and security readiness (i.e., “Is that a $5 million risk or a $50 million risk?”) are neither credible nor defensible, and, even when they are credible, they do not support daily decision making related to priorities and investments in security.

Use outcome-driven metrics to enable more effective governance over cybersecurity priorities and investments. ODMs don’t measure, report or influence investments by threat type; it is outside your control to align spending to address ransomware, attacks or hacking. Rather, align investments to the controls that address those threats. 

For example, an organization cannot control whether it suffers a ransomware attack, but it can align investments to three critical controls: back up and restore, business continuity and phishing training. The ODMs of these three controls reflect how well the organization is protected against ransomware and what that level of protection costs — a business-based analysis that tells a compelling story for the board and other senior leaders.

Note that a control can be any combination of people, process and technology that you own, manage and deploy to create a level of protection for the organization. Take a cost optimization approach to evaluate the cost (investment), value (benefit) and the level of risk managed for each control. Generally, better protection (less risk) will be more expensive.  

Cybersecurity IT Priorities

For executives and their teams

Latest Cybersecurity Insights

5 Security Questions Your Board Will Definitely Ask

Read now

5 Must-Read Ransomware and Cybersecurity Articles

Read Now

Ransomware Attacks: Prepare, Plan and Respond

Watch Webinar

5 Security Questions Your Board Will Definitely Ask

Read now

Cybersecurity Initiatives

Cybersecurity in Your Supply Chain

Download Now

Treat Cybersecurity as a Business Decision

Download Now

Roadmap for Information Security Program

Download Now

Cybersecurity in Your Supply Chain

Download Now

Resources for Cybersecurity Leaders

CISO Role as a Digital Business Leader

Learn More

CIO Role in Digital Transformation

Learn More

U.S. Executive Order on Cybersecurity: What Government Agencies Must Know and Do

Watch Webinar

CISO Role as a Digital Business Leader

Learn More

Experience IT Security and Risk Management conferences

Join your peers for the unveiling of the latest insights at Gartner conferences.

View Conferences

Drive stronger performance on your mission-critical priorities.

Become a Client
TOP
Gartner
  • About Gartner
    Who We Are
    • About Us
    • Corporate Responsibility
    • Investor Relations
    • Newsroom
    What We Do
    • Research & Advisory
    • Conferences
    • Consulting
    • Digital Markets
  • Get in Touch
    Contact
    • Contact Us
    • Become a Client
    • Office Locations
    • Technical Support
    Careers
    • Why Gartner
    • Search Careers
    • Our Culture
    • Careers Blog
  • Latest Insights
    Resources
    • Smarter With Gartner
    • Webinars
    • Glossary
    • Client Stories
About Gartner
Who We Are
  • About Us
  • Corporate Responsibility
  • Investor Relations
  • Newsroom
What We Do
  • Research & Advisory
  • Conferences
  • Consulting
  • Digital Markets
Get in Touch
Contact
  • Contact Us
  • Become a Client
  • Office Locations
  • Technical Support
Careers
  • Why Gartner
  • Search Careers
  • Our Culture
  • Careers Blog
Latest Insights
Resources
  • Smarter With Gartner
  • Webinars
  • Glossary
  • Client Stories
Policies Privacy Policy Terms of Use Ombuds

©2023 Gartner, Inc. and/or its affiliates. All rights reserved.

©2023 Gartner, Inc. and/or its affiliates. All rights reserved.

Become a Client

Clients receive 24/7 access to proven management and technology research, expert advice, benchmarks, diagnostics and more. Fill out the form to connect with a representative and learn more.

Or give us a call 


8 a.m. – 7 p.m. ET
8 a.m. – 5 p.m. GMT
Monday through Friday

By clicking the "Submit" button, you are agreeing to the Gartner Terms of Use and Privacy Policy.

By clicking the "" button, you are agreeing to the Gartner Terms of Use and Privacy Policy.