Industry leader Gartner released Top Cybersecurity Trends for 2023 in April. It highlights the growing significance of the human element in mitigating risks and maintaining a strong cybersecurity posture for an organization.
In the words of Richard Addiscott, Sr. Director Analyst at Gartner, “A human-centered approach to cybersecurity is essential to reduce security failures. Focusing on people in control design and implementation, as well as through business communications and cybersecurity talent management, will help to improve business-risk decisions and cybersecurity staff retention.”
In this article, we will learn about the nine cybersecurity trends predicted by Gartner that will impact security and risk management (SRM) leaders across the globe. We will also look at some of the statistics supporting these cybersecurity trends. So, buckle up.
9 cybersecurity trends for 2023
SRM leaders must focus on the following three domains to address cybersecurity risks effectively and sustain the cybersecurity program of their organization.
- The essential role of people for the security program’s success and sustainability
- Technical security capabilities that provide greater visibility and responsiveness across the organization’s digital ecosystem
- Restructuring the way the security function operates to enable agility without compromising security
The nine cybersecurity trends for 2023 that will impact SRM leaders are based on the above three domains.
Trend 1: Human-centric security design
The Hacker-Powered Security Report says that 92% of ethical hackers were able to find vulnerabilities the scanner couldn’t.
While security automation has made significant progress, it has not yet reached a point where it can fully replace human creativity. The statistics mentioned above emphasize the ongoing need for human-centric security design in 2023 to bolster cybersecurity posture effectively.
The same report also mentions that in 2022, the hacking community found over 65,000 customer vulnerabilities. However, 50% of the hackers chose not to disclose the vulnerability they found.
The report claims that having a vulnerability disclosure program and an impressive bounty can make your website attractive to hackers, who can then disclose the vulnerabilities they discover.
Additionally, preparing your in-house security personnel and training them for the worst can also enhance their performance and sustain your cybersecurity program.
CISOs should review the past mistakes made by their organization that led to cybersecurity incidents and develop future plans to reduce risks.
They should pivot the controls to more human-centric approaches to reduce the burden on employees to ensure greater security.
Trend 2: Enhancing people management for security program sustainability
Gartner predicts that by 2026, 60% of organizations will shift from external hiring to quiet hiring, i.e., hiring from internal talent pools to address cybersecurity and recruitment challenges.
Organizations have tended to prioritize adopting newer technologies over investing in comprehensive employee training. However, for optimal results, a perfect balance should be struck between introducing advanced technologies and providing continuous employee training. CISOs who have focused on both areas have seen improvements in their functional and technical maturity.
Did you know that according to Verizon, 82% of breaches involved a human element in 2022? Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike.
In 2023, SRM leaders would have no option but to train and retain their employees. Cybersecurity training is an inevitable part of business management in the coming years.
Trend 3: Transforming the cybersecurity operating model to support value creation
Cybersecurity is not just an IT function but should be treated as a business enabler. It should not be siloed but should be woven into the fabric of the organization.
Each and every act performed by employees should be designed, considering the cybersecurity of the organization in mind. Following are the ways in which an organization can weave cybersecurity into regular business operations:
- Develop a security-conscious culture throughout the organization by promoting awareness, education, and training programs. It has been observed by IBM that with the right employee training, the cost of a data breach can be reduced by $247,758.
PWC noted that 46% of companies increased engagement of CEO in cybersecurity matters in 2022, and 43% increased employee report rate on phishing tests as a part of instilling a cybersecurity culture in the organization.
- Integrate security considerations early in the development lifecycle of products, services, and processes. Implement a “security by design” approach, where security features are built into the design and architecture rather than being added as an afterthought.
PWC also found that 43% of the organizations increased the number of cyber and privacy assessments before project implementation in 2022. This trend will continue in 2023.
- Identify and understand the business objectives and priorities of the organization. Determine how cybersecurity can contribute to achieving those objectives, such as protecting customer data, preserving brand reputation, or ensuring regulatory compliance.
According to PWC, 42% of the organizations increased alignment of cyber strategy to business strategy in 2022.
- Develop metrics and key performance indicators (KPIs) that align with business objectives and demonstrate the value of cybersecurity initiatives. Regularly report on the effectiveness and impact of cybersecurity efforts to senior management and stakeholders.
Cybersecurity leaders should use less technical jargon while communicating with management to help them understand the issues better. World Economic Forum reported that 17% of security executives are concerned about the level of cyber resilience in their businesses.
Trend 4: Threat exposure management
Threat exposure management relates to attack surface management. Attack surface refers to all the points from which a cybercriminal can enter the network of an organization.
The Hacker-Powered Security Report describes the attack resistance gap as the gap between what organizations are able to protect and what they need to protect.
The main factors contributing to this gap are incomplete knowledge of digital assets, insufficient testing, and a shortage of the right skills.
CISOs need to adapt their assessment approaches to gain insights into their vulnerability to threats through the implementation of Continuous Threat Exposure Management (CTEM) initiatives.
CTEM initiatives refer to the proactive and ongoing efforts taken by organizations to continuously assess, understand, and manage their exposure to threats.
CTEM programs focus on real-time monitoring, analysis, and response to evolving threats and vulnerabilities.
“CISOs must continually refine their threat assessment practices to keep up with their organization’s evolving work practices, using a CTEM approach to evaluate more than just technology vulnerabilities,” said Addiscott.
Trend 5: Identity fabric immunity
Vulnerabilities in an organization’s network are caused by incomplete or misconfigured elements in the identity fabric.
IBM reported that organizations with strong Identity and Access Management (IAM) saved $224,396 at the time of a data breach in 2022.
IAM is a framework or set of processes, policies, and technologies designed to manage and control user identities, their authentication, and their access to resources within an organization’s IT environment.
It focuses on ensuring appropriate access to systems, applications, data, and other digital assets while mitigating the risk of unauthorized access or data breaches.
Key components of IAM typically include user provisioning, authentication mechanisms (such as passwords, multi-factor authentication, or biometrics), access control policies, identity lifecycle management, role-based access control, and centralized identity repositories.
IAM solutions help organizations enforce security policies, streamline user management, and ensure compliance with regulations.
Trend 6: Cybersecurity validation
Cybersecurity validation brings together the techniques, processes, and tools used to validate how potential attackers exploit an identified threat exposure.
The tools utilized for cybersecurity validation are advancing considerably in automating repetitive and foreseeable elements of assessments. This advancement facilitates frequent evaluations of attack techniques, security controls, and processes, allowing for consistent benchmarking.
After a survey, Deloitte reported that compared to 53% in 2021, 76% of respondents reported using automated behavior-analytic tools to detect and mitigate potential cyber risk indicators among employees.
It indicates that more and more organizations are leaning towards artificial intelligence (AI) and machine learning (ML) tools to carry out mundane tasks as well as analytical tasks to get better results. This trend will continue in the future.
Trend 7: Cybersecurity platform consolidation
Vendors of cybersecurity, compliance, and related activities are consolidating more services under their domains. So, organizations should verify whether there are any overlaps of the services and whether they are paying multiple times for the same service.
For example, governance may be offered by the same vendor offering compliance services and cybersecurity services. It is crucial for SRM leaders to reduce redundancy across the organization to save precious resources.
Moreover, as organizations have to deal with fewer vendors in the future, they will have to vet fewer of them.
There is a difference between the behavior of trust leaders in the market and other organizations. While 75% of the trust leaders vet third-party personnel and/or vendors prior to using their AI platforms and/or services, only 34% of the other organizations do so, making them more vulnerable to cyberattacks (McKinsey).
Vendor assessment is one of the crucial aspects of cybersecurity and compliance. Without vendor risk assessment, you might fall prey to a cyber attack.
Trend 8: Composable businesses need composable security
To keep up with the rapidly evolving business landscape, organizations need to shift away from dependence on monolithic systems and instead focus on developing modular capabilities in their applications.
Composable security is an approach that involves integrating cybersecurity controls into architectural patterns and applying them at a modular level within composable technology implementations.
Gartner predicts that by 2027, more than 50% of core business applications will be built using composable architecture, requiring a new approach to securing those applications.
“Composable security is designed to protect composable business,” said Addiscott. “The creation of applications with composable components introduces undiscovered dependencies. For CISOs, this is a significant opportunity to embed privacy and security by design by creating component-based, reusable security control objects.”
Trend 9: Boards expand their competency in cybersecurity oversight
PWC found that some of the organizations with the best cybersecurity outcomes over the past two years are 14 times more likely to provide significant CEO support across all categories of issues.
Also, their data showed that in 2022, 42% of organizations increased their assessment of board understanding of cyber matters, and 43% increased the time allotted for discussion of cybersecurity at board meetings.
The above figures show two things: (1) CEO support can improve cybersecurity outcomes
(2) Organizations are moving towards higher dependence on CEO support.
Executives in most regions and industries opined that the most important activity for a more secure digital environment by 2030 is educating CEOs and board members to help them fulfill their duties and responsibilities.
Moreover, the board’s growing emphasis on cybersecurity arises from the shift towards clear accountability for cybersecurity, which includes augmented responsibilities for board members in their governance duties.
Cybersecurity leaders are required to furnish boards with reports showcasing the influence of cybersecurity programs on the organization’s goals and objectives.
The release of Gartner’s Top Cybersecurity Trends for 2023 highlights the increasing importance of the human element in cybersecurity and the need for a human-centered approach to mitigate risks and maintain a strong cybersecurity posture.
As stated by Richard Addiscott from Gartner, focusing on people in control design, implementation, communication, and talent management can improve business-risk decisions and cybersecurity staff retention.
The article explores the nine cybersecurity trends predicted by Gartner, which will impact security and risk management leaders worldwide. These trends revolve around three key domains: the role of people in security program success, technical security capabilities for greater visibility and responsiveness, and restructuring the security function for agility without compromising security.
Each trend is supported by relevant statistics and insights. From the importance of human creativity in security design to the need for comprehensive training and retention of employees, the trends highlight the evolving landscape of cybersecurity and the strategies organizations must adopt to stay resilient.
Overall, Gartner’s cybersecurity trends for 2023 provide valuable insights for security and risk management leaders, emphasizing the significance of the human factor, proactive measures, and adaptive approaches to address emerging threats and protect organizations in an increasingly digital world.