The Gartner Top Cybersecurity Predictions 2023-2024 (8 of theirs, 2 of ours)
Hi there, and welcome to Ragnar on Security.
Last week, Gartner hosted their annual top security predictions webcast for 2023 and 2024, presented by Craig Porter. I wanted to share Ragnar’s take on the top eight predictions from Gartner.
1. Data Privacy
By 2024, modern privacy regulations such as GDPR, CCPA, etc., will cover over 70% of the consumers in the world. Still, less than 10% of organizations will have successfully weaponized privacy as a competitive advantage. The words “weaponized as a competitive advantage” were an interesting choice of vocabulary. Still, they say you must reach out to your customers and explain how you are doing a better job of keeping their data private. At the same time, you’re a better partner when you have better data privacy and can show how you will help protect them as a supply chain partner.
2. Talent Shortages will Grow, Especially for CISOs
By 2025, nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors. In this comment, Gartner is talking about three primary things. The first is that recruiting talent will be even more challenging and complex as we progress. The second is that CISOs and cyber folks deal with stressors that will create incremental fatigue and human error in cybersecurity execution and configurations. The third is that the more we can address these challenges, the more secure your environments will be and the better partner you’ll be for your customers and supply chain vendors.
3. Cyber Risk Quantification
By 2025, 50% of cybersecurity leaders will have unsuccessfully tried to use cyber risk quantification to drive enterprise business decision-making. The net of this trend is to consider quantifying the risk related to specific business assets or applications rather than producing an overall risk quantification score. The balance between the efficacy of the products and the impact on the business is not always the same, and even though boards and executives are demanding defensible data, this is still a challenge for many CISOs.
4. Zero Trust
By 2026, 10% of large enterprises will have a comprehensive, mature, and measurable zero trust program, up from less than 1% today. The first item to note here is that even by 2026 only about 10% of large enterprises will have a mature zero trust program, so this market will continue to grow for many years. Again, one of the things Gartner focuses on is that zero trust is a concept, not an individual product that can be purchased. When talking about the details, they focused on prioritization of risk mitigation and on setting the expectation that this is not a one-time investment. It will be an ongoing effort, and you need to combine your zero trust initiative with your other preventative security strategies. The other footnote is the DoD mandating a zero trust architecture implementation by 2027.
5. TDIR (Threat Detection and Incident Response)
Through 2026, more than 60% of threat detection, investigation, and response (TDIR) capabilities will leverage exposure management data to validate and prioritize detected threats, up from less than 5% today. The big takeaway from this trend is that people need to focus on the expanding attack surface, and I apologize for stating the obvious. Still, the current toolset we have doesn’t necessarily always look at IoT and other types of edge devices, and we need to move from a footing of responding to incidents to more of a continuous monitoring mode.
6. Boards
By 2026, 70% of boards will include one member with cybersecurity expertise. The growing trend of adding cybersecurity expertise to boards will be familiar to everyone. It does mean that there will be increased oversight. The questions will be more pointed and more on target as we progress. One of the other things mentioned was the need for CISOs to establish a closer relationship with those key board members with cyber experience to help manage expectations for the board and your organization overall. This should help CISOs set the board’s agenda, justify budgeting, and explain why those investments are required to keep the company within governance rules and regulations.
7. Ghost IT
By 2027, 75% of employees will acquire, modify, or create technology outside IT’s visibility, up from 41% in 2022. Gartner names this “one-third party,” but I changed it to Ghost IT based on the nature of the comments and the statistics they provided. Ghost IT, or employees finding their own tools, is nothing new in IT. Still, in the cyber world this continues to present new threats and unknown risks within the organization, and it is one of the areas in which CISOs and CIOs need to partner so they know where those risks are coming from. It fundamentally affects governance and risk management, and people have to understand that if they pick up a new tool, they have a responsibility to ensure that it has been appropriately vetted by security.
8. Human-Centric Security
By 2027, 50% of large enterprise CISOs will have adopted human-centric security practices to minimize cybersecurity-induced friction and maximize control adoption. One of my mentors in the cybersecurity world is a gentleman named Malcolm Harkins. His mantra, which is also his Twitter (X) handle, @ProtectToEnable, states that CISOs should take a human-centric approach to reduce friction and minimize the impact of adopting security principles on the human beings in the organization. This is not a big surprise in the trends, but it will continue to improve the relationship between users and CISOs and make users more willing to trust SecOps when they start their Ghost IT projects.
9. Third Party Risk
This is a new trend that the Ragnar group is adding to the Gartner list: third-party risk management. It’s a surprise that this was not specifically called out on their list, but so be it. Third-party risk comes down to a combination of things, but the most important is that we are only as strong as our weakest link. We know that’s true in the military, we know that’s true in business, we know that’s true in our supply chain, and it’s also true in cybersecurity. It’s vital to have a consortium, a set of best practices, and a commitment from your extended third parties and supply chain to uphold your organization’s security standard and meet your compliance and governance requirements. Don’t leave this off your list of things to look at.
10. AI Security and Policy
Ah, yes, AI. How can you have a list of projections for the next two years and not talk about AI when we think about it for cybersecurity? There are three major areas to consider. First, what is shared on AI platforms as part of queries or prompts, and whether that discloses IP or exposes risk from a security perspective. Second, obviously, is threat actors using AI to change the rate at which they modify and accelerate their attacks on your organization and supply chain partners. And third is the policy that CISOs and CIOs need to set for their corporations on how to use AI now. We are big fans of AI; we think it can be an incredible tool and asset to improve productivity. Still, it’s not without its risks, and just as when social media came out, we had to establish a whole new set of policies and rules. We need to do the same for AI, so ensure that’s on your agenda for the following year.
Author
Shaun Walsh, AKA “The Marketing Buddha,” is a long-time cloud, security, and AI/ML tech practitioner. When I walk away from the keyboard, I love lifting heavy things for strongman, planning for Comic Con, and rolling on the mat OSS!