How to Address Threats in Today’s Security Landscape

Exploitation of known vulnerabilities poses a great threat to an organization’s security.

Identity and access management (IAM) and security leaders are grappling with an ever-shifting threat landscape. These leaders are facing increasingly sophisticated hackers and attacks more frequently. They must discern what threats represent the most risk and how they can best address these issues.

Ahead of the Gartner Identity & Access Management Summit, we asked Greg Young, research vice president at Gartner, how IAM and security leaders can successfully recognize and respond to modern threats and secure their organizations.

Q: What are the biggest threats facing IAM and security leaders?

Gartner predicts that, through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.

A: Ransomware is — and should be — top of mind for IAM and security leaders. In the past, hackers typically targeted an individual person or machine, which posed a challenge, but was more manageable. Today, hackers target entire organizations, encrypting multiple devices before making the demand for payment. There has been a significant increase in new ransomware families, with spam as the top infection vector.

Organizations need to protect against these types of potential vulnerabilities. An organization’s own failures cause a staggering number of attacks. Gartner predicts that, through 2020, 99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year. Imagine an organization as a house. A thief keeps robbing the home, yet the owner continues leaving the doors and windows unlocked. Why not lock the doors and windows and prevent or at least make it harder for the thief to break in?

Fortunately, there has been an increasing monetization of vulnerability research, leading to greater discovery and disclosure of vulnerabilities, increased transparency around vulnerability disclosure and more frequent releasing of patches and blocking solutions. IAM and security leaders have more tools available than ever before to help them protect their organizations against known vulnerabilities.

Design a Data and Analytics Strategy

Advance your organization's strategy by communicating the business value of data and analytics.

Download eBook

Q: What main challenges are IAM and security leaders facing?

A: Evolving tactics in attacks and increased evasion, coupled with staffing shortages, are creating challenges for IAM and security leaders. The rise of connected devices via the Internet of Things (IoT) has created issues with scale. Existing security tools cannot effectively handle the influx in the number of devices that need to be secured and monitored (desktops, laptops, mobile devices), making it harder to effectively monitor for potential vulnerabilities. The industry-wide security skills shortage is only compounding this challenge. Organizations are making larger investments in security tools to combat increased threats and secure more devices, but they are struggling to hire skilled personnel to support these tools.

Q: How can IAM and security leaders secure their organizations against modern threats?

A: IAM and security leaders must first address and patch known vulnerabilities. They should assess existing resources and ensure they are investing in an equal mixture of detection and prevention solutions. They should also consider redesigning their assets and moving different assets into more secure locations, or segmenting to add floodwalls between parts of their organization. Adding these obstacles will make it more challenging for hackers to penetrate an organization.

IAM and security leaders should stay abreast of broader trends and understand how they affect their organization’s security. These leaders tend to miss the bigger trends in threat evolution by examining only the attacks and attackers. We have found that a large majority of organizations think it is very important to know the origin of an attack. Counting attacks is a fruitless effort — it does not matter who threw the rock, it only matters that you need to get stitches. Focusing on attribution only diverts resources, leaving other areas vulnerable when an attack occurs.


Gartner clients can learn more about addressing threats in today’s security landscape in How to Respond to the 2017 Threat Landscape, by Greg Young, et al.

Get Smarter

Follow #Gartner

Attend a Gartner event

Explore Gartner Conferences

Complete Your Data and Analytics Strategy With a Clear Value Proposition

As a data and analytics leader, one of the most important things to articulate in your strategy is the value proposition. Learn how to create a modern, actionable D&A strategy that creates common ground amount stakeholders.

Read Free Gartner Research


Get actionable advice in 60 minutes from the world's most respected experts. Keep pace with the latest issues that impact business.

Start Watching