Brian Sims
Editor

Gartner identifies top security and risk management trends for 2021

SECURITY AND risk management leaders must address eight top trends to enable rapid reinvention in their organisation as COVID-19 accelerates digital business transformation and challenges traditional cyber security practices. Peter Firstbrook, research vice-president at Gartner, has stated that these trends are a direct response to persistent global challenges faced by all organisations.

“The first challenge is a skills gap,” said Firstbrook. “80% of organisations tell us that they have a hard time finding and hiring security professionals, while 71% say this is impacting their ability to deliver security projects.”

Other key challenges facing security and risk leaders in 2021 include the complex geopolitical situation and increasing global regulations, the migration of workspaces and workloads from traditional networks, an ‘explosion’ in endpoint diversity and locations and a shifting attack environment. In particular, the challenges of ransomware and business e-mail compromise are noted.

The top trends represent business, market and technology dynamics that are expected to have broad industry impact and significant potential for disruption.

Trend 1: Cyber Security Mesh

Cyber security mesh is a modern security approach that consists of deploying controls where they’re most needed. Rather than every security tool running in a silo, a cyber security mesh enables tools to interoperate by providing foundational security services and centralised policy management and orchestration. With many IT assets now resident outside of the traditional enterprise perimeters, a cyber security mesh architecture allows organisations to extend their security controls to distributed assets.

Trend 2: Identity-First Security

For many years, the vision of access for any user, anytime and from anywhere (often referred to as ‘identity as the new security perimeter’) was an ideal. It has now become a reality due to technical and cultural shifts, coupled with a workforce that has become majority remote during COVID-19. Identity-first security puts identity at the centre of security design and demands a major shift from traditional LAN edge design thinking.

“The SolarWinds attack demonstrated that we’re not doing a great job of managing and monitoring identities,” suggested Firstbrook. “While a lot of money and time has been spent on multifactor authentication, single sign-on and biometric authentication, very little has been spent on effective monitoring of authentication to spot attacks against this infrastructure.”

Trend 3: Security Support for Remote Work is Here to Stay

According to the 2021 Gartner CIO Agenda Survey, 64% of employees are now able to work from home. Gartner surveys indicate that at least 30%-40% will continue to work from home post COVID-19. For many organisations, this shift requires a total reboot of policies and security tools suitable for the modern remote workspace. 

For example, endpoint protection services will need to move to cloud delivered services. Security leaders also need to revisit policies for data protection, disaster recovery and back-up in order to make sure they still work for a remote environment.

Trend 4: Cyber-Savvy Board of Directors

In the 2021 Gartner Board of Directors Survey, directors rated cyber security the second-highest source of risk for the enterprise after regulatory compliance. Large companies are now beginning to create a dedicated Cyber Security Committee at Board level, led by a Board member with security expertise or a third-party consultant.

Gartner predicts that, by 2025, 40% of Boards of Directors will operate a dedicated Cyber Security Committee overseen by a qualified Board member. That figure is up from less than 10% at present.

Trend 5: Security Vendor Consolidation

Gartner’s 2020 CISO Effectiveness Survey found that 78% of CISOs have 16 or more tools in their cyber security vendor portfolio. 12% have 46 or more. The large number of security products in organisations increases complexity, integration costs and staffing requirements. In a recent Gartner survey, 80% of IT organisations said they plan to consolidate vendors over the next three years.

“CISOs are keen to consolidate the number of security products and vendors they must deal with,” explained Firstbrook. “Having fewer security solutions can make it easier to properly configure them and respond to alerts, in turn improving the security risk posture. However, buying a broader platform can have downsides in terms of cost and the time it takes to implement. We recommend focusing on total cost of ownership over time as a measure of success.”

Trend 6: Privacy-Enhancing Computation

Privacy-enhancing computation techniques are emerging that protect data while it’s being used – as opposed to while it’s at rest or in motion – in order to enable secure data processing, sharing, cross-border transfers and analytics, even in untrusted environments. Implementations are on the rise in fraud analysis, intelligence, data sharing, financial services (eg anti-money laundering), pharmaceuticals and healthcare.

Gartner predicts that, by 2025, 50% of large organisations will adopt privacy-enhancing computation for processing data in untrusted environments or multi-party data analytics use cases.

Trend 7: Breach and Attack Simulation

Breach and attack simulation tools are emerging to provide continuous defensive posture assessments, challenging the limited visibility provided by annual point assessments like penetration testing. When CISOs include breach and attack simulation as part of their regular security assessments, they can help their teams identify gaps in their security posture more effectively and prioritise security initiatives more efficiently.

Trend 8: Managing Machine Identities

Machine identity management aims to establish and manage trust in the identity of a machine interacting with other entities, such as devices, applications, cloud services or gateways. Increased numbers of non-human entities are now present in organisations, which necessarily means that managing machine identities has become a vital part of the security strategy.
