The devastating impacts of cyberattacks on a business’s ability to operate will become more severe in the future for organizations that fail to treat cybersecurity as a business investment.
That’s the message Gartner’s top eight cybersecurity predictions released today have for the world’s CISOs, CIOs and security and risk management leaders. It’s a sobering reminder for the many IT and cybersecurity teams who continue to be overwhelmed by remote work, hybrid cloud integration and digital transformation projects, that the threat landscape is changing faster than most organizations can react.
What Gartner’s predictions are saying
Together, Gartner’s top eight cybersecurity predictions warn organizations that they need to employ greater resilience to reduce the impact of more severe cyberattacks. Reducing the blast radius of larger, more potentially devastating attacks is key.
Implied in the predictions is advice to focus not just on ransomware or any other currently trending type of cyberattack, but to prioritize cybersecurity investments as core to managing risks and see them as investments in the business. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements, according to Gartner’s predictions.
Doubling down with greater resilience across every threat surface is key. For example, while Gartner mentions zero-trust network access (ZTNA) in just one of the eight predictions, the core concepts of ZTNA and its benefits are reflected in most of the predictions. The predictions also note that investing in preventative controls is not enough, and that a much higher priority needs to be placed on resilience. This is because threat surfaces grow faster than many organizations can gain visibility into and protect them.
By 2025, it is expected that 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s secured service edge (SSE) platform. ZTNA is one of the core technologies enabling SSE platforms. For additional information on SSE and SASE’s (secure access service edge) relationship to ZTNA, as well as an insightful view of the market, please see the 2022 Gartner Market Guide for Zero Trust Network Access, courtesy of Absolute Software.
The following are Gartner’s top eight cybersecurity predictions for 2022-2023:
- Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP. As of last year, nearly 3 billion individuals were covered under consumer privacy rights across 50 countries, and there’s progress on expanding privacy regulations globally. Gartner suggests organizations track subject rights request metrics, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation.
- By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform. There’s a groundswell of activity happening already around the unification of web, cloud services, private applications and more. Stand-alone ZTNA providers are looking to integrate into SSE and SASE platforms, with merger and acquisition activity continuing to increase. Palo Alto Networks acquiring CloudGenix, Fortinet acquiring OPAQ, Ivanti acquiring MobileIron and PulseSecure, Check Point Software Technologies acquiring Odo Security, ZScaler acquiring Edgewise Networks, Cisco acquiring Portshift and Absolute Software acquiring NetMotion are examples of this trend.
“One of the key trends emerging from the pandemic has been the broad rethinking of how to provide network and security services to distributed workforces,” said Garrett Bekker, senior research analyst, security, at 451 Research, in his research report.
- 60% of organizations will embrace zero trust as a starting point for security by 2025. More than half will fail to realize the benefits. Gartner’s pessimism reflects how challenging it is becoming for organizations to secure the exponentially growing number of machine identities they’re generating, combined with identity access management (IAM) and privileged access management (PAM) failures in organizations today. Attempting to protect hybrid cloud configurations with ZTNA while adhering to the shared responsibility models of public cloud providers, including Amazon, has also proven difficult for many organizations. Getting hybrid cloud security right is hard, making any organization’s attempts to pursue a ZTNA framework challenging.
- By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements. This prediction implies that cybersecurity must be prioritized as a business investment, focusing on reducing operating risk. However, while Gartner observes that cyberattacks aimed at third parties are increasing, only 23% of security and risk leaders monitor the third-party threat, which shows how broad an attack surface this leaves open. A sure sign that cybersecurity will be integral to business operations is when risk assessments need to be completed before contracts with third-party companies, a prediction Gartner sees happening within three years.
- Through 2025, 30% of nation-states will pass legislation that regulates ransomware payments, fines and negotiations, up from less than 1% in 2021. Today, French cybersecurity insurance firms refuse to pay a ransom if one of their clients is hit with a ransomware attack. Gartner predicts nation-states will follow the French cyber insurers’ lead and regulate ransomware payments. This prediction also shows how much of a business decision risk management, deterrence and resilience are becoming.
- By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties. Unfortunately, air gaps aren’t enough to protect energy, oil, gas and processing refineries and manufacturing centers that run on industrial control systems (ICS) not designed to protect against cyberattacks. So, it’s not surprising that 46% of known operational technology (OT) cyberthreats are poorly detected or not detected. In addition, Honeywell finds that 11% are never detected and most detection engines and techniques catch just 35% of all attempted breaches.
- By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities. Another prediction shows how CEOs are looking more at cybersecurity as a risk management issue, not purely an IT one. Gartner’s inquiry calls must be heavily slanted to fighting the most popular cyberattack strategies for a given month or period, when what’s needed is a rethinking of the cybersecurity tech stack for more severe threats and risk. Gartner’s prioritizing of resilience shows that their clients want stop-gap help with current cybersecurity weaknesses when a more complete cybersecurity tech stack overhaul is needed.
- By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts. Forward-thinking boards of directors started holding CEOs accountable for their environmental, social and governance (ESG) initiatives more than three years ago. CIOs have had their pay indexed to how much their departments help reduce roadblocks to more revenue and, most importantly, how well they serve sales to help them drive more revenue. Risk management is a core skill a CIO and CISO need for excelling in their work, much the same way a CEO needs to know how to excel at ESG initiatives. The background support for this prediction has been steadily growing for years.
Resiliency in tech stacks
Together, the eight cybersecurity predictions are useful for CIOs, CISOs and their teams to start thinking about what they’re doing to become more resilient and how to redefine their tech stacks to handle entirely new types of attacks. Cybersecurity becomes a business decision when CISOs have their pay indexed to risk management. That’s a step in the right direction of seeing resilience as a core business strength to be improved.