Many businesses will fail to see the benefits of their zero-trust efforts over the next few years, while legislation around paying off ransomware gangs will be extended and attacks on operational technology might have real-life consequences, according to a set of cybersecurity predictions.
The list comes from tech analyst Gartner, which said business leaders should build these strategic planning assumptions into their security strategies for the next two years.
"We can't fall into old habits and try to treat everything the same as we did in the past," said Gartner senior director, Richard Addiscott. "Most security and risk leaders now recognize that major disruption is only one crisis away. We can't control it, but we can evolve our thinking, our philosophy, our program and our architecture."
Privacy regulation continues to expand and the tech analyst predicts it will be extended to cover five billion people, and more than 70% of global GDP. It said organizations should track subject rights request metrics, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation.
Gartner said with the rise of hybrid work, vendors are offering integrated services across web and cloud-application security. The benefit here is tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected and re-encrypted.
The tech analyst predicts that by 2025, 60% of organizations will attempt to adopt zero-trust security, a concept that assumes there is no traditional 'perimeter' to the corporate network, so all devices and users have to be regularly re-authenticated. But it said more than half will fail to realize the benefits.
Replacing implicit trust with identity- and context-based, risk-appropriate trust is extremely powerful, said Gartner, but requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits. And not all companies will be successful.
Gartner predicts that 60% of organizations will use cybersecurity risk as a "primary determinant" in conducting third-party transactions and business engagements by 2025. Only 23% of organizations monitor third parties in real time for cybersecurity exposure, according to Gartner. But as a result of pressure from customers and regulators, it believes organizations will start to insist on measuring cybersecurity risk, ranging from simple monitoring of a critical technology supplier to complex due diligence for mergers and acquisitions.
At the moment there is little legislation around when companies can -- and can't -- pay ransomware demands. That could be about to change; Gartner predicts one in three countries will introduce such laws soon. The decision to pay the ransom or not is a business-level decision, not a security one. Gartner recommends engaging a professional incident-response team as well as law enforcement and any regulatory body before negotiating.
Attacks on OT -- hardware and software that monitors or controls equipment, assets and processes and is often the brains behind industrial systems in factories or power grids -- have become more common and more disruptive, Gartner said, warning that threat actors will have "weaponized" operational technology environments to cause human casualties by 2025. "In operational environments, security and risk management leaders should be more concerned about real-world hazards to humans and the environment, rather than information theft," according to the analyst firm.
By 2025, 70% of CEOs will drive a culture of organizational resilience to deal with threats from cybercrime, but also from severe weather events, civil unrest and political instabilities, Gartner said: "With continued disruption likely, Gartner recommends that risk leaders recognize organizational resilience as a strategic imperative."
By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts, Gartner said. As boards now increasingly regard cybersecurity as a business risk rather than just a technical problem, accountability for cyber risk will shift from the security leader to senior business leaders, it said.