Humans Needed To Avoid Cybersecurity Missteps, Gartner Says

Gartner identifies top cybersecurity trends for 2023, and says organisations need to adopt a human-centric focus to avoid cyber failures

Gartner has identified the top cybersecurity trends for 2023, and has advised organisations to pivot to a human-centric focus so as to establish an effective cybersecurity programme.

This is the central thrust of Gartner’s “Top Trends in Cybersecurity 2023” report (account needed), in which it said security and risk management (SRM) leaders must rethink their balance of investments across technology and human-centric elements when creating and implementing cybersecurity programmes in line with nine top industry trends.

It comes as organisations continue to struggle to fullfill much needed cybersecurity skills, against a constantly wave of threats and risks.

Human-centric approach

Despite this, automating security processes does not seem to be the answer, with Gartner advising organisations to look to the human angle as well.

“A human-centered approach to cybersecurity is essential to reduce security failures,” said Richard Addiscott, Sr director analyst at Gartner. “Focusing on people in control design and implementation, as well as through business communications and cybersecurity talent management, will help to improve business-risk decisions and cybersecurity staff retention.”

Gartner said that in order to address cybersecurity risks and sustain an effective cybersecurity program, SRM leaders must be focussed on three key domains:

  1. the essential role of people for security program success and sustainability;
  2. technical security capabilities that provide greater visibility and responsiveness across the organisation’s digital ecosystem;
  3. and restructuring the way the security function operates to enable agility without compromising security.

And Gartner identified nine trends that it believes will have a broad impact for SRM leaders across the above three areas:

Trend 1: Human-Centric Security Design

Human-centric security design prioritises the role of employee experience across the controls management life cycle.

By 2027, Gartner says 50 percent of large enterprise chief information security officers (CISOs) will have adopted human-centric security design practices to minimise cybersecurity-induced friction and maximise control adoption.

“Traditional security awareness programs have failed to reduce unsecure employee behaviour,” said Addiscott. “CISOs must review past cybersecurity incidents to identify major sources of cybersecurity induced-friction and determine where they can ease the burden for employees through more human-centric controls or retire controls that add friction without meaningfully reducing risk.”

Trend 2: Enhancing People Management for Security Programme Sustainability

Traditionally, cybersecurity leaders have focused on improving technology and processes that support their programmes, with little focus on the people that create these changes, Gartner noted.

CISOs who take a human-centric talent management approach to attract and retain talent have seen improvements in their functional and technical maturity.

By 2026, Gartner predicts that 60 percent of organisations will shift from external hiring to “quiet hiring” from internal talent markets to address systemic cybersecurity and recruitment challenges.

Trend 3: Transforming the Cybersecurity Operating Model to Support Value Creation

Technology is moving from central IT functions to lines of business, corporate functions, fusion teams and individual employees. A Gartner survey found that 41 percent of employees perform some kind of technology work, a trend that is expected to continue growing over the next five years.

“Business leaders now widely accept that cybersecurity risk is a top business risk to manage – not a technology problem to solve,” said Addiscott. “Supporting and accelerating business outcomes is a core cybersecurity priority, yet remains a top challenge.”

CISOs must modify their cybersecurity’s operating model to integrate how work gets done, Gartner advised. Employees must know how to balance a number of risks including cybersecurity, financial, reputational, competitive and legal risks. Cybersecurity must also connect to business value by measuring and reporting success against business outcomes and priorities.

Trend 4: Threat Exposure Management

The attack surface of modern organisations is complex and creates fatigue. CISOs must evolve their assessment practices to understand their exposure to threats by implementing continuous threat exposure management (CTEM) programmes. Gartner predicts that by 2026, organisations prioritising their security investments based on a CTEM programme will suffer two-thirds fewer breaches.

“CISOs must continually refine their threat assessment practices to keep up with their organisation’s evolving work practices, using a CTEM approach to evaluate more than just technology vulnerabilities,” said Addiscott.

Trend 5: Identity Fabric Immunity

Fragile identity infrastructure is caused by incomplete, misconfigured or vulnerable elements in the identity fabric. By 2027, identity fabric immunity principles will prevent 85 percent of new attacks and thereby reduce the financial impact of breaches by 80 percent.

“Identity fabric immunity not only protects the existing and new IAM components in the fabric with identity threat and detection response (ITDR), but it also fortifies it by completing and properly configuring it,” said Addiscott.

Trend 6: Cybersecurity Validation

Cybersecurity validation brings together the techniques, processes and tools used to validate how potential attackers exploit an identified threat exposure, said Gartner. The tools required for cybersecurity validation are making significant progress to automate repeatable and predictable aspects of assessments, enabling regular benchmarks of attack techniques, security controls and processes.

Through 2026, more than 40 percent of organisations, including two-thirds of midsize organisations, will rely on consolidated platforms to run cybersecurity validation assessments, the firm said.

Trend 7: Cybersecurity Platform Consolidation

As organisations look to simplify operations, vendors are consolidating platforms around one or more major cybersecurity domains, said Gartner. For example, identity security services may be offered through a common platform that combines governance, privileged access and access management features.

SRM leaders need to continuously inventory security controls to understand where overlaps exist and reduce the redundancy through consolidated platforms.

Trend 8: Composable Businesses Need Composable Security

Organisations must transition from relying on monolithic systems to building modular capabilities in their applications to respond to the accelerating pace of business change, said Gartner.

Composable security is an approach where cybersecurity controls are integrated into architectural patterns and then applied at a modular level in composable technology implementations.

By 2027, more than 50 percent of core business applications will be built using composable architecture, requiring a new approach to securing those applications.

“Composable security is designed to protect composable business,” said Addiscott. “The creation of applications with composable components introduces undiscovered dependencies. For CISOs, this is a significant opportunity to embed privacy and security by design by creating component-based, reusable security control objects.”

Trend 9: Boards Expand Their Competency in Cybersecurity Oversight

The board’s increased focus on cybersecurity is being driven by the trend toward explicit-level accountability for cybersecurity to include enhanced responsibilities for board members in their governance activities, said the analyst house.

Cybersecurity leaders must provide boards with reporting that demonstrates the impact of cybersecurity programmes on the organisation’s goals and objectives.

“SRMs leaders must encourage active board participation and engagement in cybersecurity decision making,” said Addiscott. “Act as a strategic advisor, providing recommendations for actions to be taken by the board, including allocation of budgets and resources for security.”