Gartner’s 2023-2024 cybersecurity outlook, which the consultancy presented this week, contains good news and bad. There has been a significant shift from three years ago when chief information security officers were struggling to exert board-level influence.
Partly due to emerging technologies such as Web 3.0, conversational artificial intelligence, quantum computing and supply chains, along with increasingly sophisticated attacks, security leaders now have more influence in the C-suite. However, as Craig Porter, director advisory for Gartner’s Security Research and Advisory team, said, “Threat actors have access to powerful tools like ChatGPT, which can generate polymorphic malware code that can avoid detection, or even better, write a convincing email. What a fun time to be a security professional!”
Gartner predicts that by 2025 nearly half of cyber leaders will change jobs, with 25% moving to different roles entirely due to multiple work-related stressors.
“It’s another acceleration caused by the pandemic and staffing shortages across the industry,” said Porter, adding that security teams are in the spotlight when things go wrong, but not celebrated when attacks aren’t successful.
“The work stressors are on the rise for cybersecurity and becoming unsustainable. It seems like it’s always ‘good dog,’ never ‘great dog.’ The only possible outcomes in our jobs as security risk management professionals are either get hacked or don’t get hacked. That puts security risk management leaders on the edge of their limits with profound and deep psychological impacts that affect decisions and performance,” he said.
An April study by security firm Splunk concurs with Gartner’s findings. In Splunk’s 2023 State of Security report:
Gartner suggests security and risk management leaders need to change the culture.
“Cybersecurity leaders can change the rules of engagement through collaborative design with stakeholders, delegating responsibility and being clear on what’s possible and what’s not, and why,” said Porter. He added that creating a culture where people can make autonomous decisions around risk “is an absolute must.”
He said organizations should prioritize culture shifts to enhance autonomous, risk-aware decision making and manage expectations with an accurate profile of the strengths and limitations of their security programs.
“And use human error as a key indicator of cybersecurity fatigue within the organization,” Porter added.
Gartner predicts that by 2024, modern privacy regulation will blanket the majority of consumer data, but less than 10% of organizations will have successfully made privacy a competitive advantage. Porter noted that, as the pandemic accelerated privacy concerns, organizations have a clear opportunity to strengthen their business by leveraging their privacy advancements.
“Just as a general statistic to exemplify the growth of this trend, the percentage of the world’s population with access to several fundamental privacy rights exceeds that with access to clean drinking water,” he said.
He said that avoiding fines, breaches and reputational damage are the most significant benefits for organizations implementing privacy programs. Additionally, enterprises are recognizing that privacy programs enable companies to differentiate themselves from competitors and build trust and confidence with customers, business partners, investors, regulators and the public.
“With more countries introducing more modern privacy laws in the same vein as the European Union’s General Data Protection Regulation, we have crossed a threshold where the European baseline for handling personal information is the de facto global standard,” said Porter. He counseled security and risk management leaders to enforce a comprehensive privacy standard in line with the General Data Protection Regulation. Doing so, he said, will be a differentiator for companies in an increasingly competitive market.
“It’s a business opportunity. This is kind of the new ‘go green’ or ‘cruelty free’ or ‘organic.’ All of these labels tell you about the value proposition of the company, so why not use privacy as a competitive advantage?” he said, pointing out that Apple has marketed privacy strongly, and by some reports has grown 44% in some markets from that privacy campaign.
Among Gartner’s predictions for this year and next are:
A key takeaway from Gartner’s overview was that organizations need to patch the tire while riding the bike. “If you have not done so, you need to adapt,” said Porter, adding that most company boards will see cyber risk as a top business risk to manage. “… We estimate that technology work will shift to a decentralized model in a big way in the next four to five years,” he said.
Porter also said that there has been a sea change in how CISOs are perceived by the C-suite and boards: Three years ago, CISOs were struggling to get a seat within the C-suite to discuss risks and threats. “We have seen that scenario change drastically,” said Porter.
Gartner’s presentation included an apt quote from self-development guru Brian Tracy, “…in a time of rapid change, standing still is the most dangerous course of action.”