Plaintext: Gartner's 2022-2023 Predictions
Welcome to Dark Reading in Plaintext, where each day we focus on one topic or theme important to cybersecurity professionals. In this issue, we look at the latest cybersecurity predictions for 2022-2023 from Gartner.
Security teams should prepare for a challenging environment through 2023, with increased pressure from government regulators, partners, and threat actors. That was the message out of Gartner’s Security & Risk Management Summit in Sydney. The analyst firm shared its 2022-2023 predictions, and we list them here, along with some context.
“Most security and risk leaders now recognize that major disruption is only one crisis away. We can’t control it, but we can evolve our thinking, our philosophy, our program, and our architecture.”
Richard Addiscott, Gartner’s senior director analyst.
1. Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of the global GDP.
Governments have been introducing various forms of privacy regulations around the world. In the U.S., Connecticut just became the fifth state to pass a comprehensive consumer data privacy law.
On the federal level, there have been a number of different drafts, with the latest one being the bipartisan draft bill of the American Data Privacy and Protection Act (ADPPA).
2. By 2025, 80% of enterprises will adopt a strategy to unify Web, cloud services, and private application access from a single vendor’s security service edge (SSE) platform.
Vendors are reacting to the shift to a permanent hybrid workforce with integrated security service edge offerings. Consolidating on a single SSE platform would lead to tighter integration, fewer consoles, and fewer locations where data must be decrypted, inspected, and re-encrypted, Gartner said.
3. Sixty percent of organizations will embrace zero trust as a starting point for security by 2025. More than half will fail to realize the benefits.
According to a new survey out from the Cloud Security Alliance (CSA), 80% of CxO technology leaders report that zero trust is a significant priority for their organizations, with 77% of executives saying that they'll increase spending to support this prioritization. Everyone is talking zero trust, but it isn’t easy without the organization rethinking its approach and making cultural changes.
“Some people hear ‘zero trust’ and think it means that you simply cannot or should not establish trust in employees. This approach really misses the mark and sets up everyone involved for failure.” Josh Yavor, Tessian
4. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
Companies need to take steps to minimize the risk posed by third-party software in the supply chain, which has grown significantly over the past few years. Make sure your organization conducts due diligence to ensure that SaaS providers are taking care of your organization's information and data.
5. Through 2025, 30% of nation-states will pass legislation that regulates ransomware payments, fines, and negotiations, up from less than 1% in 2021.
Pay or not pay: that’s always been a conundrum for ransomware victims. Gartner says the decision to pay the ransom or not is not a security one, but a business-level decision. Brad Moldenhauer, CISO of the Americas region at Zscaler, discusses his experience helping a small business negotiate a ransom payment.
“While I am still not a complete advocate of giving cybercriminals what they want, there are conditions where it may make sense.” Brad Moldenhauer, Zscaler
6. By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties.
This is a hard prediction to read, especially in light of the 56 vulnerabilities a new Forescout study uncovered in OT products from 10 vendors, including notable ones such as Honeywell, Siemens, and Emerson. Many of the vulnerabilities are the result of device vendors not including basic security mechanisms, such as authentication and encryption, in their technologies. Often they exist in older products that asset owners continue to use even though more secure options are available. Significantly, the vulnerabilities are present in products that have gone through some sort of auditing process and were certified as being safe for OT networks, the study found.
7. By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest, and political instabilities.
We suggest reading 6 Steps to Ensure Cyber Resilience. Separately, in a recent Ask the Experts column, Yogesh Badwe, CSO of Druva, discusses how to conduct a resilience review.
Black swan cyber events are incidents with high impact and low frequency that are impossible to predict.
8. By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts.
Should CEOs be fired if their company suffers a data breach? It’s a question that keeps coming up again and again: what do accountability and responsibility look like in the C-suite?