Brian Sims
Editor

Gartner identifies key cyber security trends for risk managers in 2023

SECTOR ANALYST Gartner has identified several key trends that suggest security and risk management leaders must “rethink their balance of investments” across technology and human-centric elements when creating and implementing cyber security programmes.

“A human-centred approach to cyber security is essential in order to reduce security failures,” explained Richard Addiscott, senior director-analyst at Gartner. “Focusing on people in control design and implementation, as well as through business communications and cyber security talent management, will help to improve business risk decisions and cyber security staff retention.”

In order to address cyber security risks and sustain an effective cyber security programme, security and risk management leaders must be focused on three key domains: the essential role of people for security programme success and sustainability; technical security capabilities that provide greater visibility and responsiveness across the organisation’s digital ecosystem; and restructuring the way in which the security function operates to enable agility without compromising security itself.

Gartner has identified nine key trends that will have a broad impact for security and risk management leaders throughout 2023:

Trend 1: Human-centric security design

Human-centric security design prioritises the role of employee experience across the controls management lifecycle. By 2027, 50% of large enterprise CISOs will have adopted human-centric security design practices to minimise cyber security-induced friction and maximise control adoption.

“Traditional security awareness programmes have failed to reduce insecure employee behaviour,” said Addiscott. “CISOs must review past cyber security incidents to identify major sources of cyber security-induced friction and determine where they can ease the burden for employees through more human-centric controls or otherwise retire controls that add friction without meaningfully reducing risk.”

Trend 2: Enhancing people management for security programme sustainability

Traditionally, cyber security leaders have focused on improving technology and processes that support their programmes, with little attention paid to the individuals that create these changes. CISOs who adopt a human-centric talent management approach to attract and retain talent have seen improvements in their functional and technical maturity.

By 2026, Gartner predicts that 60% of organisations will shift from external hiring to ‘quiet hiring’ from internal talent markets in order to address systemic cyber security and recruitment challenges.

Trend 3: Transforming the cyber security operating model to support value creation

Technology is moving from central IT functions to lines of business, corporate functions, fusion teams and individual employees. A Gartner survey found that 41% of employees perform some kind of technology work. This is a trend that’s expected to continue growing over the next five years.

“Business leaders now widely accept the fact that cyber security risk is a top business risk to manage and not a technology problem to solve,” asserted Addiscott. “Supporting and accelerating business outcomes is a core cyber security priority and yet it remains a clear challenge.”

CISOs must modify their cyber security operating model to integrate how work is done. Employees must know how to balance a number of risks including cyber security, financial, reputational, competitive and legal risks. Cyber security must also connect to business value by measuring and reporting success against business outcomes and priorities.

Trend 4: Threat exposure management

The attack surface of modern enterprises is complex and creates fatigue. CISOs must evolve their assessment practices to understand their exposure to threats by implementing continuous threat exposure management programmes. Gartner predicts that, by 2026, organisations prioritising their security investments based on a continuous threat exposure management programme will suffer two-thirds fewer breaches.

“CISOs must continually refine their threat assessment practices in order to keep up with their organisation’s evolving work practices,” affirmed Addiscott, “using a continuous threat exposure management approach to evaluate more than just technology vulnerabilities.”

Trend 5: Identity fabric immunity

Fragile identity infrastructure is caused by incomplete, misconfigured or vulnerable elements in the identity fabric. By 2027, identity fabric immunity principles will prevent 85% of new attacks and thereby reduce the financial impact of breaches by 80%.

“Identity fabric immunity not only protects the existing and new IAM components in the fabric with identity threat detection and response, but it also fortifies it by completing and properly configuring it,” said Addiscott.

Trend 6: Cyber security validation

Cyber security validation brings together the techniques, processes and tools used to validate how potential attackers exploit an identified threat exposure. The tools required for cyber security validation are making significant progress to automate repeatable and predictable aspects of assessments, enabling regular benchmarks of attack techniques, security controls and processes.

Through 2026, more than 40% of organisations – including two-thirds of mid-size enterprises – will rely on consolidated platforms to run cyber security validation assessments.

Trend 7: Cyber security platform consolidation

As organisations look to simplify operations, vendors are consolidating platforms around one or more major cyber security domains. For example, identity security services may be offered through a common platform that combines governance, privileged access and access management features.

Security and risk management leaders need to continuously check their security controls to understand where overlaps exist and reduce any redundancy through consolidated platforms.

Trend 8: Composable businesses need composable security

Organisations must transition from relying on monolithic systems to building modular capabilities in their applications in order to respond to the accelerating pace of business change.

Composable security is an approach whereby cyber security controls are integrated into architectural patterns and then applied at a modular level in composable technology implementations.

By 2027, more than 50% of core business applications will be built using composable architecture, in turn requiring a new approach to securing those applications.

“Composable security is designed to protect composable business,” observed Addiscott. “The creation of applications with composable components introduces undiscovered dependencies. For CISOs, this is a significant opportunity to embed privacy and security by design by creating component-based and reusable security control objects.”

Trend 9: Boards expand their competency in cyber security oversight

The Board’s increased focus on cyber security is being driven by the trend towards explicit Board-level accountability for cyber security, including enhanced responsibilities for Board members in their governance activities.

Cyber security leaders must provide Boards with reporting that demonstrates the impact of cyber security programmes on the organisation’s goals and objectives.

“Security and risk management leaders must encourage active Board participation and engagement in cyber security decision making,” stated Addiscott. “They must act as a strategic advisor, providing recommendations for actions to be taken by the Board, including the allocation of budgets and resources for security.”
