The emphasis on data privacy laws, ransomware attacks, cyber-physical systems, and board-level audits drives the priorities of security and risk leaders.
"How do we ensure that our consumers are not physically harmed by fraudsters?" This is the question that security and risk leaders must anticipate for the future and plan accordingly.
The proliferation of cyber-physical systems, which combine the cyber and physical worlds in technologies such as autonomous cars and digital twins, poses a further security risk for organizations, and how cyber-attackers will target these systems is one of our most important predictions for the coming years.
"We're falling into this old habit of trying to treat everything the same as we did in the past," Gartner analyst Sam Olyaei said in his presentation on this topic at the Gartner IT Symposium/Xpo 2021, adding, "This simply cannot continue. We need to make sure that we are evolving our thinking, our philosophy, our program and our architecture."
Security and risk management has become a board-level issue for organizations. Security breaches are becoming more frequent and more complex, which has led to new laws being passed to protect consumers and to companies putting security at the center of their decisions.
For the next few years, Gartner analysts envision an environment of greater decentralization and increased regulation, in which the consequences of security failures will be more severe. Put the following strategic planning assumptions on your roadmap for the year ahead.
1. By the end of 2023, modern data privacy laws will cover the personal information of 75% of the world's population.
GDPR was the first major consumer privacy law, but others quickly followed, including Turkey's Personal Data Protection Law (KVKK), Brazil's General Personal Data Protection Law (LGPD), and the California Consumer Privacy Act (CCPA). The scope of these laws means that you will have to manage multiple data protection regimes across jurisdictions, and customers will want to know what data you collect from them and how it is used. It also means that you need to automate your data privacy management. A practical way to do this is to use GDPR as the baseline: standardize your privacy operations on it, then tailor them to the requirements of each individual jurisdiction.
2. By 2024, organizations that adopt a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90%.
Organizations now support a variety of technologies in many different locations, so they need a flexible, composable security approach. The cybersecurity mesh extends protection to identities outside the traditional security perimeter and creates a holistic view of the organization. It also improves security for remote work. These demands will accelerate the transition to this approach over the next two years.
3. By 2024, 30% of enterprises will deploy cloud-based Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Zero Trust Network Access (ZTNA), and Firewall as a Service (FWaaS), sourced from the same vendor.
Organizations are turning to optimization and consolidation. Security leaders typically manage dozens of tools, but they plan to reduce that number to fewer than 10. From this perspective, SaaS will become the preferred delivery method, and consolidation will affect hardware adoption timelines.
4. By 2025, 60% of organizations will use cybersecurity risk as the primary determinant in conducting third-party transactions and business relationships.
Investors, especially venture capitalists, already use cybersecurity risk as an important factor in evaluating opportunities. Organizations are increasingly assessing cybersecurity risk during business deals, including mergers and acquisitions and vendor agreements. As a result, expect more requests for information about a partner's cybersecurity program, whether through questionnaires or security ratings.
5. The percentage of states that enact laws regulating ransomware payments, fines and negotiations will increase from less than 1% in 2021 to 30% by the end of 2025.
While only broader regulations currently apply to ransomware payments, security leaders should expect stricter measures on payments. Given the as yet unregulated cryptocurrency market, paying a ransom has ethical, legal and moral implications, and these must be weighed carefully. The decision to pay (or not) should rest with a cross-functional team that can address all of these concerns.
6. By 2025, 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member.
As cybersecurity has become (and remains) a top priority for boards of directors, you can expect a board-level cybersecurity committee and tighter oversight. This raises the visibility of cybersecurity risk across the organization and requires a new approach to board reporting, the details of which may depend on the background and experience of specific board members. Frame your communication with the board in terms of risk and cost.
7. By 2025, 70% of CEOs will build a culture of corporate resilience to protect themselves from threats from cybercrime, severe weather events, social events, and political instability.
Expand your scope beyond cybersecurity to organizational resilience so that it accounts for the broader security environment. Digital transformation adds complexity to the threat landscape, which will affect how you produce products and services. Define organizational resilience and its objectives, and create an inventory of the cyber risks that affect them.
8. By 2025, cyber-attackers will be able to use operational technology environments as weapons successfully enough to cause human casualties.
As malware spreads from IT into OT, the focus is shifting from business interruption to physical harm, with final responsibility likely to rest with the CEO. Focus on asset-centric cyber-physical systems and ensure that teams are in place to manage them appropriately.
As Gartner's global research shows, ensuring data privacy and centrally managing your organization's data and access security infrastructure against ransomware attacks are now board-level priorities. You can contact us to benefit from the world's leading Privileged Access Management (PAM) solutions.