Today’s security and risk management (SRM) leaders face a difficult, yet vital objective. They must effectively monitor, manage, and mitigate the barrage of ever-evolving threats that their organization faces on a daily basis. Yet at the same time, they must support productivity, performance, and overall business ambitions.
In order to help SRM leaders rise to the occasion, Gartner has highlighted nine trends that will drive organizational resilience and overall cybersecurity performance in 2024 (please note these are numbered for simplicity and ease-of-reference, and are not listed in order of importance).
| Trends driving organizational resilience | Trends driving overall cybersecurity performance |
|---|---|
| 1. Continuous threat exposure management (CTEM) programs | 5. Generative AI |
| 2. Extending identity and access management’s (IAM) cybersecurity value | 6. Security behavior and culture programs |
| 3. Third-party cybersecurity risk management | 7. Cybersecurity outcome-driven metrics |
| 4. Privacy-driven application and data decoupling | 8. Evolving cybersecurity operating models |
| | 9. Cybersecurity reskilling |
We dive deeper into each of these trends below.
Trends driving organizational resilience
1. Continuous threat exposure management (CTEM) programs
The size of the organizational attack surface has increased dramatically in recent years. This is due to a combination of factors, including: increased adoption of SaaS platforms and tools; expanding digital supply chains; more custom app development; increased corporate social media presence; increased internet-based customer interaction, and of course, the massive growth in remote and hybrid working.
The larger and more complex attack surface has exposed weaknesses in traditional cybersecurity models, which primarily focus on securing software systems and patching. While these are still essential, they are not enough to identify and address the ever-growing list of vulnerable (and potentially vulnerable) threat vectors.
To close this gap, organizations should focus on the following CTEM-related actions and strategies:
- Align CTEM scope with business objectives, while using familiar and easy-to-understand language to explain the impact on business — not technology.
- Use validation steps and associated technologies (e.g., breach and attack simulation, automated penetration testing, etc.).
- Engage all relevant business departments and asset owners by clearly explaining the residual risk that emerges when remedial efforts are postponed. Provide both short and long-term options, while remaining focused on reducing (or ideally eliminating) exposure.
2. Extending identity and access management’s (IAM) cybersecurity value
Just like CTEM, IAM has become more crucial in recent years, as hackers and rogue users set their sights on privileged accounts that may hold confidential and proprietary data (a.k.a. “the keys to the kingdom”).
Despite this, some organizations continue to believe that identity management and access management are synonymous. While there is some overlap, they are distinct areas of focus. As we have discussed previously here in our blog:
- Identity management combines digital elements and entries in a centralized database, in order to create a unique designation for each individual user. These designations are monitored, changed, and removed as needed in order to enforce security, while at the same time granting users with the permissions that they need to carry out various work-related tasks.
- Access management governs whether or not users have permission to access networks, resources, apps, databases, etc. This concept embraces all of the policies, processes, methods, systems, and tools required to maintain privileged access within a digital environment.
Essentially, identity management is concerned with who a user is, while access management is concerned with what a user is authorized to do.
Worsening matters is that many organizations struggle to enforce IAM, because certain technologies such as legacy systems, phones, and cameras cannot use a federated system. And while the notion of manually creating and maintaining unique identity accounts for each user is theoretically possible, it is highly impractical.
An effective way forward out of this dilemma is implementing a PAM solution that extends the protection offered by an IAM system into the non-federated identity space. It closes the gap between identity management (authenticating users) and access management (granting appropriate permissions to users).
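The following Python model is an added illustration of the distinction just described; it is not code from Devolutions, Gartner, or any product. It keeps identity management (an identity store that authenticates who a user is) separate from access management (a role-based policy deciding what that user may do), and adds a PAM-style broker that extends the same policy to a non-federated asset (a camera's local admin account) by issuing short-lived, audited check-outs instead of sharing the device password. All users, resources, roles, passwords and secrets are constructed for the example.

```python
from dataclasses import dataclass
import hashlib
import hmac
import os
import time
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    """One entry in the identity store: who the user is."""
    username: str
    roles: FrozenSet[str]


class IdentityStore:
    """Identity management: create, verify and remove unique user designations."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2 so stored records never hold the plaintext password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, roles: Set[str]) -> None:
        salt = os.urandom(16)
        self._records[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "roles": frozenset(roles),
            "active": True,
        }

    def deactivate(self, username: str) -> None:
        self._records[username]["active"] = False

    def authenticate(self, username: str, password: str) -> Optional[Identity]:
        rec = self._records.get(username)
        if rec is None or not rec["active"]:
            return None
        if not hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
            return None
        return Identity(username, rec["roles"])


class AccessPolicy:
    """Access management: what an authenticated identity is authorized to do."""

    def __init__(self, grants: Dict[str, Set[Tuple[str, str]]]) -> None:
        self._grants = grants  # role -> {(resource, action), ...}

    def is_allowed(self, who: Identity, resource: str, action: str) -> bool:
        return any((resource, action) in self._grants.get(r, set()) for r in who.roles)


class PrivilegedAccessBroker:
    """PAM-style broker: vaults the local credential of a non-federated asset and
    issues time-bound, audited check-outs governed by the shared access policy."""

    def __init__(self, policy: AccessPolicy) -> None:
        self._policy = policy
        self._vault: Dict[str, str] = {}
        self.audit: List[dict] = []

    def vault_credential(self, resource: str, secret: str) -> None:
        self._vault[resource] = secret

    def checkout(self, who: Identity, resource: str, ttl_s: int = 900,
                 now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        allowed = self._policy.is_allowed(who, resource, "admin")
        # Every attempt is recorded, whether or not it is granted.
        self.audit.append({"user": who.username, "resource": resource,
                           "allowed": allowed, "at": now})
        if not allowed or resource not in self._vault:
            raise PermissionError(f"{who.username} may not check out {resource}")
        return {"resource": resource, "secret": self._vault[resource],
                "expires_at": now + ttl_s}

    @staticmethod
    def is_valid(session: dict, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now < session["expires_at"]


def demo() -> dict:
    """Walk through authentication, authorization and a PAM check-out on constructed data."""
    ids = IdentityStore()
    ids.enroll("alice", "correct horse battery", {"netops"})   # constructed
    ids.enroll("bob", "hr-pass-2024", {"hr"})                    # constructed
    policy = AccessPolicy({"netops": {("camera-01", "admin"), ("switch-07", "admin")}})
    pam = PrivilegedAccessBroker(policy)
    pam.vault_credential("camera-01", "local-admin-secret")      # constructed

    alice = ids.authenticate("alice", "correct horse battery")
    bob = ids.authenticate("bob", "hr-pass-2024")
    results = {
        "alice_authenticated": alice is not None,
        "wrong_password_rejected": ids.authenticate("alice", "wrong") is None,
        "alice_can_admin_camera": policy.is_allowed(alice, "camera-01", "admin"),
        "bob_can_admin_camera": policy.is_allowed(bob, "camera-01", "admin"),
    }
    session = pam.checkout(alice, "camera-01", ttl_s=600, now=1_000.0)
    results["session_valid_at_issue"] = pam.is_valid(session, now=1_100.0)
    results["session_expired_later"] = not pam.is_valid(session, now=2_000.0)
    try:
        pam.checkout(bob, "camera-01")
        results["bob_checkout_denied"] = False
    except PermissionError:
        results["bob_checkout_denied"] = True
    ids.deactivate("alice")  # identity removed -> no further authentication or check-out
    results["deactivated_cannot_authenticate"] = ids.authenticate("alice", "correct horse battery") is None
    results["audit_entries"] = len(pam.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the split is that deactivating an identity (identity management) immediately stops both federated logins and privileged check-outs, while changing a role's grants (access management) changes what every holder of that role may do without touching any account; the broker's audit list is what a SecOps team would feed into ITDR.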
Other recommendations for extending IAM’s cybersecurity value include:
- Increase the effort to implement suitable identity hygiene.
- Expand identity threat detection and response (ITDR) through training SecOps teams in IAM.
- Evolve towards an identity fabric — start by using a composable tool strategy.
3. Third-party cybersecurity risk management
Traditionally, security and risk management (SRM) leaders have focused heavily on due-diligence activities when evaluating and ultimately choosing third-party cybersecurity suppliers. This focus only intensified in 2021, when the massive SolarWinds/Solarigate breach came to light. However, despite this substantial effort and investment in front-end testing and vetting, the results have been concerning. A survey by Gartner carried out in late 2023 found that 45% of respondents said that the volume of business disruptions triggered by third-party cybersecurity-related incidents increased in the last two years.
To stay ahead of bad actors, SRM leaders should prioritize resilience-oriented third-party contracting and control decisions. This effort should include the following actions and strategies:
- Build contingency plans, develop incident playbooks, and conduct tabletop exercises for all third-party agreements that represent the greatest cybersecurity risks.
- Make front-end due diligence more relevant and effective by reallocating resources. This could include using industry-standard questionnaires (e.g., SIG or CAIQ) instead of customized risk questionnaires.
- Establish and evolve strong, bi-directional relationships with key third-party suppliers, and where necessary help them mature. As Gartner pragmatically points out: “In a hyperconnected environment, your suppliers’ risk is also your risk.”
4. Privacy-driven application and data decoupling
The need to meet nationalistic and regional privacy and data protection requirements (e.g., GDPR) has forced multinational organizations to re-visit and re-imagine single-tenant apps — many of which have been used for decades, but are no longer compliant. The resulting fragmentation of app architectures and data localization practices have created a slew of cybersecurity risks and vulnerabilities.
To address and mitigate this risk, organizations should focus on the following actions and strategies:
- Map out all data localization requirements for countries and regions where operations currently exist, and where expansion is planned. Work with business, legal, and IT teams to identify and address all instances of non-compliance.
- Establish a data inventory to identify all information assets that must comply with various localization requirements. Prioritize tools that are capable of continuously monitoring and detecting sensitive data in the cloud.
- Implement various secure development practices within the software development life cycle, such as those found in the Secure Software Development Framework (SSDF) and the LINDDUN privacy-focused threat modeling framework.
Trends driving cybersecurity performance
5. Generative AI
Generative AI (GenAI) is a subset of machine learning, which focuses on creating new data samples and content such as images, text, and music that is similar — and in some cases to an astonishing extent — to the training set. That is the good news.
The bad news is that GenAI introduces new attack surfaces, such as the prompts or the orchestration layers that are used to instrument AI models. These attack surfaces must be identified and fortified. Otherwise, organizations could face a litany of risks and threats as bad actors hunt for access to large language model technologies.
To make GenAI an asset instead of a liability, organizations should focus on the following actions and strategies:
- Discover, monitor, manage, and mitigate new use cases for third-party GenAI apps, as well as newly introduced GenAI features that are implemented into existing legacy apps.
- Revisit supplier and technology requirements to include challenges related to privacy, copyright, and traceability. Evaluate technologies that support the AI trust, risk, and security management (AI TRiSM) framework.
- Many teams are eager to use — or are already using — GenAI, such as HR to craft job descriptions, sales to build proposals, etc. These teams urgently need to understand how GenAI-based products should and should not be brought into the organization.
- Run proofs of concept before implementing GenAI into cybersecurity operations. Start with app security and SecOps.
- Monitor security controls and pay close attention to any decline in detection accuracy and general performance.
6. Security behavior and culture programs
Security behavior and culture programs (SBCPs) aim to reduce cybersecurity incidents that are triggered by employees. Research has found that human error accounts for more than 80% of incidents, and some of the most notorious and costly data breaches in history have been carried out by insiders.
To ensure that their workforce is part of the cybersecurity solution vs. the problem, organizations should focus on the following actions and strategies:
- Regularly review a sample of historical cybersecurity incidents, in order to glean associations between insecure employee behavior with incident type, volume, and frequency.
- Use outcome-driven, behavior-centered metrics to demonstrate the business value of the SBCP.
- Adopt the Gartner PIPE Framework to guide sustainable, comprehensive, and scalable SBCPs. The PIPE framework helps leaders understand the practices they need to undertake, the aspects that influence the shape and delivery of the program, the right technologies and platforms to use, and the enablers that need to support the program to keep it from “dying on the vine.” For an excellent summary of the PIPE Framework, read this article by one of its creators, Richard Addiscott.
In addition, Devolutions’ Remote Desktop Manager, Devolutions Hub, and Devolutions Server can all play a key role in keeping employees from wreaking havoc — accidentally or intentionally — thanks to key built-in features such as role-based access control, support for MFA, enhanced PAM functionality, and more.
7. Cybersecurity outcome-driven metrics
Cybersecurity outcome-driven metrics (ODMs) are operational metrics that draw a direct line between a cybersecurity investment, and the delivered protection levels that it generates. Robust and relevant ODMs are crucially important for SRM leaders, who need ongoing support and buy-in from non-IT executives and influencers.
A pivotal aspect of ODMs is that they reframe the risk appetite paradigm. Traditionally, this has been rooted in tolerance for accepting loss (i.e., “We will spend X on Y because we cannot afford to lose Z”). Now, the approach is about achieving agreed-upon protection levels. This should make it easier for SRM leaders to propose and defend investments that align with business needs.
Other actions and strategies to leverage ODMs as part of the overall cybersecurity program include:
- Use tools to choose ODMs that represent a holistic view of current performance vs. the organization’s biggest cybersecurity risks.
- Discuss and negotiate protection levels with business and corporate function leaders for each ODM. Keep in mind that levels may (and likely will) vary between groups and departments.
- Use value benchmark tools to provide stakeholders with an objective and quantitative assessment of ODM performance.
- Report ODM performance at board level to continue generating support and engagement, and to prevent a regression from the new perspective (achieving protection levels) to the old perspective (exclusively about loss tolerance).
8. Evolving cybersecurity operating models
Traditional cybersecurity operating models do not scale with the new landscape, in which: decision rights are dispersed; policy details are owned at the edge; governance (at least to some extent) is centralized; and perhaps most significantly, the role of cybersecurity leader is evolving into a value-enabler. Instead of getting their orders from CIOs, CTOs, and Chief Risk Officers, SRM leaders are forging the path and setting the pace.
To ensure that they head in the right direction in this new reality, organizations should focus on the following actions and strategies:
- Establish a representative steering committee with stakeholders from risk and business functions, with the goal of promoting collaborative and central decision making — while at the same time empowering qualified employees to make autonomous, risk-informed decisions based on their knowledge, experience, and best judgement.
- Implement streamlined and standardized cybersecurity processes, which support collaboration and efficient risk-related decision-making.
- Develop a flexible policy framework so that resource owners can customize cybersecurity procedures and map controls to their specific needs. If done right, this will support policy compliance, while encouraging a sense of ownership and responsibility for risk management.
9. Cybersecurity reskilling
Even with budgets to offer competitive compensation packages along with attractive working experiences and environments, the unavoidable fact is that there are not enough qualified cybersecurity professionals to fill vacancies. In fact, the cybersecurity workforce shortage has skyrocketed to a record high of just under 4 million — and there is no end in sight.
To mitigate the impact and plug as many holes as possible with the right people (or with those who can become the right people in the near future), organizations should focus on the following actions and strategies:
- Develop a cybersecurity workforce plan that documents emerging skill needs, and maps them to current or new cybersecurity roles. Remember to hire for the future instead of the past.
- Do not set the bar so high that only “unicorns” could apply. Ideal candidates are either non-existent or extremely difficult to find. Be practical, and keep in mind the old saying “the perfect can sometimes be the enemy of the good.”
- Re-invent the cybersecurity learning and development program around agile learning, which prioritizes hands-on skills development through iterative short bursts, instead of traditional waterfall-based training and certification programs.
What’s your view?
What do you think of Gartner’s list of cybersecurity trends for 2024? Which trends do you find the most urgent and influential? Have you experienced any in your organization? Are you planning on focusing on any in the months ahead? And do you think that Gartner missed any trends? Please share your insight and advice below.