From Gartner, a Future Defined by Risk and Resilience

Jul 14, 2022
Kenna Security

CISOs who recently attended the Gartner Security & Risk Management Summit in Sydney heard in no uncertain terms that the future is about reducing risk. While that’s no surprise—taking a risk-based approach to essential security programs like vulnerability management (VM) has been remaking VM for years—they also heard a prediction that underscores the sobering importance of security resilience: CISOs’ compensation is increasingly tied to their ability to create “a culture of organizational resilience” capable of blunting the business impact of disasters, including and especially cyber attacks. 

Those revelations come from eight predictions made by Gartner’s leading cybersecurity experts. The predictions paint a picture of a future marked by escalating disruption, increasingly sophisticated threats, and the inevitable fallout for organizations whose cybersecurity defenses must evolve quickly and strategically. 

While the entire list is worth reviewing, a handful of those predictions should make a strong impression on any security executive trying to determine where to make their next round of cybersecurity investments. It is clear the margin for error is shrinking, as attackers strive not only to steal information but also to harm operations and even human beings. 

Resilience is key to reducing risk 

Every corporate board is in the risk reduction business, and CEO priorities highlight just how much. By 2025, Gartner anticipates seven out of 10 CEOs will mandate a culture of organizational resilience to more effectively respond to and emerge from an array of threats, both manmade and natural. Cybercrime is among the most concerning because cyber attacks can bring large-scale disruption to any organization, no matter its location or industry. 

An investment in security resilience is a business investment

Until fairly recently, cybersecurity was seen as an IT cost center. This is changing, says Gartner, because investments in cybersecurity should be viewed as business investments—and because organizations have made the job of security even harder, with 81% of enterprises saying they’re adopting a multi-cloud strategy. Within three years, Gartner expects 80% of enterprises to adopt a strategy to unify web, cloud services, and private application access from a single vendor platform. They’ll do this because it’s more efficient and because securing hybrid multi-cloud environments is hard, especially with the proprietary limitations sometimes imposed by public cloud and infrastructure-as-a-service (IaaS) providers. In this emerging reality, a single, unified security platform makes sense. But it also must be open enough to work with the many tools already in place in today’s organizations. Adopting that unified strategy will require an investment in security resilience, but as we’ve argued in the past, an investment in security resilience is an investment in business resilience.   

Reducing third-party risk is a priority 

Gartner says supply chain attacks—essentially those targeting trusted third parties with whom organizations share information and conduct transactions—are increasing, and with them the need to ensure those third parties meet certain cybersecurity criteria. By 2025, predicts Gartner, 60% of organizations will use cybersecurity risk to determine which companies can be trusted with their business. This once again highlights how crucial cybersecurity is to lowering business risk. However, supply chain security is not the priority it should be: Just 23% of security and risk leaders are monitoring the threat posed by third parties with weak or incomplete security environments. Notes VentureBeat’s Louis Columbus, “A sure sign cybersecurity will be integral to business operations is when risk assessments will need to be completed before contracts with third-party companies, a prediction Gartner sees happening within three years.” 

CISOs are risk managers 

In a way, CISOs are already risk managers, and many see themselves as such. But Gartner says this role will be codified into performance evaluations by 2026. That’s right: Within four years, 50% of C-level executives will be signing employment contracts with built-in performance requirements related to risk. A recent Gartner survey says most boards now regard cyber risk as a business risk. This shift toward more formal accountability for managing cyber risk signals a growing acknowledgment that working toward security resilience is mission critical. “Cybersecurity becomes a business decision when CISOs have their pay indexed to risk management,” observes VentureBeat’s Columbus. “That’s a step in the right direction of seeing resilience as a core business strength to be improved.” 

But where should CISOs begin their hunt to address these shifting priorities? Many are starting with zero-trust network access solutions and expanding from there. That’s certainly a worthy approach. But ultimately, the move toward a single, unified platform is the only way to address the next-level problem of securing a modern organization. And next-level problems call for next-level solutions. 

Learn more about how you can make Gartner’s predictions—and recommendations—come true for your organization. Watch this RSA Conference 2022 keynote from Jeetu Patel, Cisco’s executive vice president and general manager for security and collaboration.  

© 2022 Kenna Security. All Rights Reserved.