Gartner has predicted that almost one-third of nations will regulate ransomware response within the next three years, that security platform consolidation designed to help organisations is set to thrive in hostile environments, and that executive performance evaluations will be increasingly linked to the capability to manage cyber risk.
Speaking at Gartner's recent Security & Risk Management Summit in Sydney, Richard Addiscott, senior director analyst, and Rob McMillan, managing vice president at Gartner, explained that moving forward in the digital era requires fresh solutions.
"We can’t fall into old habits and try to treat everything the same as we did in the past," Addiscott said.
"Most security and risk leaders now recognise that major disruption is only one crisis away.
"We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture."
According to Gartner analysts, government regulations requiring organisations to provide consumer privacy rights will cover five billion citizens and more than 70 per cent of global GDP in 2023.
Consumer privacy rights set to expand
As of 2021, almost three billion individuals had access to consumer privacy rights across 50 countries, and privacy regulation continues to expand. Gartner recommends that organisations track subject rights request metrics, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation.
Consolidation strategy will be key
By 2025, 80 per cent of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor's SSE platform.
With a hybrid workforce and data everywhere accessible by everything, vendors are offering an integrated security service edge (SSE) solution to deliver consistent and simple web, private access and SaaS application security. Single-vendor solutions provide significant operational efficiency and security effectiveness compared with best-of-breed solutions, including tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected and re-encrypted.
Zero-trust as standard
Gartner data revealed that about 60 per cent of organisations will embrace zero trust as a starting point for security by 2025, but more than half will fail to realise the benefits.
The term zero trust is now prevalent in security vendor marketing and in security guidance from governments. Gartner analysts further explained that, as a mindset, replacing implicit trust with identity- and context-based, risk-appropriate trust is "extremely powerful". However, as zero trust is both a security principle and an organisational vision, it requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits.
Cyber security track record to inform business partnership decisions
By 2025, 60 per cent of organisations will use cyber security risk as a primary determinant in conducting third-party transactions and business engagements.
Cyber attacks related to third parties are increasing, but only 23 per cent of security and risk leaders monitor third parties in real time for cyber security exposure, according to Gartner data.
As a result of consumer concerns and interest from regulators, Gartner analysts believe organisations will start to mandate cyber security risk as a significant determinant when conducting business with third parties, ranging from simple monitoring of a critical technology supplier to complex due diligence for mergers and acquisitions.
Ransomware legislation set to be widely adopted
By 2025, 30 per cent of nation states will pass legislation that regulates ransomware payments, fines and negotiations, up from less than 1 per cent in 2021.
Modern ransomware gangs now steal data as well as encrypt it. The decision to pay the ransom or not is a business-level decision, not a security one. Gartner analysts suggest engaging a professional incident response team as well as law enforcement and any regulatory body before negotiating.
Hackers poised to weaponise OT environments
By 2025, threat actors will have weaponised operational technology environments successfully to cause human casualties.
Attacks on OT hardware and software that monitors or controls equipment, assets and processes have increased in frequency, causing major disruptive impact. In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment than about information theft, according to Gartner.
Organisational resilience to span beyond cyber security
By 2025, 70 per cent of CEOs will mandate a culture of organisational resilience to survive coinciding threats from cyber crime, severe weather events, civil unrest and political instabilities.
The COVID-19 pandemic has exposed the inability of traditional business continuity management planning to support the organisation's response to a large-scale disruption. With continued disruption likely, Gartner analysts recommend that risk leaders recognise organisational resilience as a strategic imperative and build an organisation-wide resilience strategy that also engages staff, stakeholders, customers and suppliers.
Cyber security accountability to extend to senior executives
By 2026, 50 per cent of C-level executives will have performance requirements related to risk built into their employment contracts.
Most boards now regard cyber security as a business risk rather than solely a technical IT problem, according to a recent Gartner survey. As a result, Gartner analysts expect to see a shift in formal accountability for the treatment of cyber risks from the security leader to senior business leaders.
For the next two years, Gartner analysts recommend that cyber security leaders build the listed strategic planning predictions into their security strategies.