The emphasis on data privacy laws, ransomware attacks, cyber-physical systems, and board-level audits drives the priorities of security and risk leaders.
"How do we ensure that our consumers are not physically harmed by fraudsters?" This is the question that security and risk leaders must anticipate and plan for.
The proliferation of cyber-physical systems, which combine the cyber and physical worlds in technologies such as autonomous cars or digital twins, poses another security risk for organizations, and how cyber-attackers can target these systems is one of our most important predictions for the coming years.
"We're falling into this old habit of trying to treat everything the same as we did in the past," Gartner analyst Sam Olyaei said in his presentation on this topic at the Gartner IT Symposium/Xpo 2021, adding, "This simply cannot continue. We need to make sure that we are evolving our thinking, our philosophy, our program and our architecture."
Security and risk management has become a board-level issue for organizations. Security breaches are becoming more common and more complex, prompting new laws to protect consumers and leading companies to put security at the center of their decisions.
For the next few years, Gartner analysts envision an environment of greater decentralization, increased regulation, and more severe security implications. Put these strategic planning assumptions on your roadmap for the year ahead.
GDPR was the first major consumer privacy legislation, but others quickly followed, including Turkey's Personal Data Protection Law (KVKK), Brazil's General Personal Data Protection Law (LGPD), and the California Consumer Privacy Act (CCPA). The scope of these laws means that you will be managing multiple data protection laws across jurisdictions, and customers will want to know what data you collect from them and how it is used. It also means that you need to focus on automating your data privacy management. A practical way to do this is to standardize your security operations on GDPR as the baseline and then tailor them to the requirements of each jurisdiction.
Organizations now support a variety of technologies in different locations, so they need a flexible security approach. The cyber safety net extends to include identities outside the traditional security perimeter and gives a holistic view of the organization. It also helps improve security for remote working. These demands will accelerate the transition to this approach over the next two years.
Organizations are turning to optimization and consolidation. Security leaders typically manage dozens of tools, but they plan to reduce that number to fewer than 10. From this perspective, SaaS will become the preferred delivery method, and consolidation will affect hardware adoption timelines.
Investors, especially venture capitalists, use cybersecurity risk as an important factor in evaluating opportunities. Organizations are increasingly looking at cybersecurity risk during business deals, including mergers and acquisitions and vendor agreements. As a result, there may be requests for more data about a partner's cybersecurity program, through surveys or security ratings.
While only broad regulations currently apply to ransomware payments, security leaders may face stricter measures on payments. Given a still-unregulated cryptocurrency market, paying the ransom has ethical, legal and moral implications, and it is vital to weigh them. The decision to pay (or not) should be left to a cross-functional team that can address all of these concerns.
As cybersecurity has become (and remains) a top issue for boards of directors, you can expect a board-level cybersecurity committee and tighter oversight. This increases the visibility of cybersecurity risk across the organization and requires a new approach to board reporting, the details of which may depend on the background and experience of specific board members. In this respect, your communication with the board should focus on risk and cost values.
Go beyond cybersecurity and enterprise resilience to account for broader security environments. Digital transformation adds extra complexity to the threat landscape, which will affect how you produce products and services. Try to define organizational resilience and objectives and create an inventory of cyber risks affecting them.
As malware spreads from IT to OT, the focus is shifting from business interruptions to physical harm, with final responsibility resting with the CEO. Focus on asset-centric cyber-physical systems and ensure that teams are in place to manage them appropriately.
As Gartner's global research shows, if you want to ensure data privacy or to centrally manage your organization's data and access security infrastructure against ransomware attacks, you can contact us to benefit from the world's leading Privileged Access Management (PAM) solution, Single Connect.