Gartner's Top 8 Cybersecurity Predictions for the Coming Year


In the realm of cybersecurity and risk management, "major disruption is only one crisis away," according to Richard Addiscott, senior director analyst specializing in cybersecurity at research firm Gartner. "We can't control it, but we can evolve our thinking, our philosophy, our program and our architecture." Speaking in the opening keynote at the recent Gartner Security & Risk Management Summit in Sydney, Australia, Addiscott emphasized that security and risk leaders must not "fall into old habits and try to treat everything the same as we did in the past."

The key: looking toward the future to develop a security and privacy strategy that will enable organizations to thrive even in hostile environments. To inform cybersecurity leaders' strategic planning, Gartner offered the following predictions for 2022-2023.

1) "Through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP." Worldwide, privacy regulations continue to expand, Gartner pointed out. The firm's recommendation: Organizations should "track subject rights request metrics, including cost per request and time to fulfill, to identify inefficiencies and justify accelerated automation."

2) "By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor's SSE platform." Particularly in today's hybrid work environments, an integrated security service edge (SSE) solution helps provide "consistent and simple web, private access and SaaS application security," Gartner noted. The firm favors single-vendor over best-of-breed solutions for efficiencies such as "tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected and re-encrypted."

3) "Sixty percent of organizations will embrace zero trust as a starting point for security by 2025. More than half will fail to realize the benefits." Zero trust, the security model in which endpoint devices are not trusted by default and are instead given context-based network access, has become a buzzword among security vendors as well as in government guidance. Unlocking the true power of zero trust, however, "requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits," Gartner said.

4) "By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements." Currently, "only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure," Gartner said. With cyberattacks increasing and consumer and regulator concerns on the rise, "organizations will start to mandate cybersecurity risk as a significant determinant when conducting business with third parties, ranging from simple monitoring of a critical technology supplier to complex due diligence for mergers and acquisitions," the firm predicted.

5) "Through 2025, 30% of nation states will pass legislation that regulates ransomware payments, fines and negotiations, up from less than 1% in 2021." As Gartner put it, "The decision to pay the ransom or not is a business-level decision, not a security one." Increased government regulation will further complicate incident response — perhaps that's why the firm recommends "engaging a professional incident response team as well as law enforcement and any regulatory body before negotiating."

6) "By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties." Operational technology — defined by Gartner as "hardware and software that monitors or controls equipment, assets and processes" — has become an increasingly common target of cyberattacks, the firm noted. In these environments, concerns of information theft take a back seat to "real-world hazards to humans and the environment."

7) "By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive coinciding threats from cybercrime, severe weather events, civil unrest and political instabilities." The COVID-19 pandemic has made clear that traditional approaches to business continuity planning can't keep up with a large-scale disruption, Gartner pointed out. Risk leaders must "recognize organizational resilience as a strategic imperative and build an organization-wide resilience strategy that also engages staff, stakeholders, customers and suppliers," the firm recommended.

8) "By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts." According to a fall 2021 Gartner survey, 88% of boards of directors now view cybersecurity as a business risk rather than a risk within IT. And while Gartner data suggests that the CIO, CISO or equivalent role is still the top person held accountable for cybersecurity in 85% of organizations today, over the coming years the firm "expects to see a shift in formal accountability for the treatment of cyber risks from the security leader to senior business leaders."

A Gartner e-book on the top strategic priorities for security & privacy leaders is available for complimentary download here (registration required).

About the Author

Rhea Kelly is editor in chief for Campus Technology, THE Journal, and Spaces4Learning. She can be reached at [email protected].
