“By 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents.” How can a human-centric design strengthen your cybersecurity program? Get your report to learn from key predictions, market implications, and recommendations.
Challenges confronting CISOs are evolving beyond technology, cybersecurity, and controls. “By 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents,” as Gartner predictions for 2023 reveal.
How can modern cybersecurity leaders strengthen their programs in the face of these challenges?
The latest report from Gartner®—“Gartner Predicts 2023: Cybersecurity Industry Focuses on the Human Deal”—sheds light on several key areas that risk and security leaders need to pay close attention to as they solidify their strategic plans and predictions for this year.
#1 It’s human, not machine, vulnerabilities that cause most cyberattacks
Verizon reported in May 2022 that 82% of data breaches involved the human element — a telling statistic signaling to cybersecurity leaders that human behavior and the user experience need greater consideration.
“Stress and burnout directly impact the quality of decision-making, and overcoming these challenges requires cybersecurity leaders to redouble their focus on people. This means thinking beyond phishing testing and resilience to social engineering.” Gartner adds: “Far greater returns are to be had in elevating the conversation towards value propositions and operating models” that, we believe, can leverage quantitative data to make decisions.
This finding also indicates that security programs founded on technology-centric investments are not delivering the full risk management outcomes expected, which, in our view, suggests that a healthy balance between technology and education investment is needed.
#2 Strong cybersecurity performance is a business enabler
From our perspective, to do business in the 21st century, organizations must show a strong security posture that fosters trust, as companies increasingly use cybersecurity risk data as a primary determinant in selecting business partners.
However, a key stressor of cybersecurity teams is that they often play a game they can’t win because they are always playing defense. As Gartner put it, “We must find opportunities for our teams to be recognized for putting ‘points on the board’ rather than just blocking opponents.”
It is our belief that only meaningful and objective insights empower organizations to make better data-driven risk decisions and engage confidently in the digital economy. By measuring and strengthening security performance management, BitSight allows security teams to take credit for winning deals, reducing third-party risk, attracting investors, and improving insurance coverage.
#3 CISOs must integrate cybersecurity into the overall business
“Compliance-centric cybersecurity programs, significantly low executive support and subpar industry-level maturity are all indicators of an organization that does not view security risk management as critical to business success.”
When CISOs don’t integrate cybersecurity principles into their organization’s culture, it forces them to drive much of the vision across the enterprise as an “outsider” to the value proposition rather than a core component of it.
We believe that to change that, CISOs need to communicate effectively that cyber, like asset maintenance and safety, is core to the enterprise’s value proposition, not something separate. One way to do that is by speaking a language that resonates with the broader company and responds to the overall business goals: metrics.
A cybersecurity program can (and should) be managed and measured just like any other strategic initiative, with relevant data and cybersecurity analytics metrics that facilitate organizational cyber risk oversight. Combining meaningful KPIs with analytical insights, such as the ability to financially quantify cyber risk exposure, BitSight for Security Performance Management helps CISOs answer critical questions such as: How secure is the organization? Are investments in cybersecurity paying off? Are we more or less secure than others in our industry?
These insights extend beyond the perimeter of the organization, with a holistic approach to third-party risk management to drive effective vendor validation, continuously monitor third- and fourth-party controls, and ultimately instill confidence across the supply chain.
#4 Process fatigue encourages high-risk workarounds
“No security program can be effective if employees actively seek to circumvent it.” Gartner research shows that 90% of employees who admitted undertaking a range of unsecure actions during their work activities knew that their actions would increase risk to the organization and undertook the actions anyway.
The top reasons for this were:
- Speed and convenience
- Perceived benefits outweigh perceived risk
The combination of a lack of benefit and increased friction encourages employees to seek efficiencies through actions that are both unsecure and contrary to policy.
To address these issues, cybersecurity leaders need to place greater emphasis on understanding how and where employees conduct day-to-day work and design controls that work with that process. A way to achieve this is to adopt human-centric security design practices into their strategic capabilities and operating practices. From our point of view, this starts with establishing program consistency and measuring consistently.
#5 As the attack surface expands, leaders need more visibility
Gartner predicts: “By 2025, the consumerization of AI-enabled fraud will fundamentally change the enterprise attack surface, driving more outsourcing of enterprise trust and focus on security education and awareness.” As more resources (paid and free) become available, deepfake and impersonation engines will increasingly be used to deceive users.
Organizations must expand end-user awareness of deepfake technology by augmenting training and security awareness programs on exploits that leverage this technology. We believe a strong attack surface management and vulnerability management strategy provides increased visibility over the extended network and the threats and vulnerabilities within an organization’s digital ecosystem.
With BitSight’s attack surface monitoring solution, organizations continuously discover and track the assets, applications, and devices in their growing digital footprint. With real-time insight into current risk exposure, they can prioritize high-risk assets and take quick action.
Download the Report
We strongly encourage risk managers and cybersecurity leaders to download their complimentary report from Gartner to learn key findings, market implications, and recommendations.
By building these themes into your roadmap, you will be far better equipped to face new challenges when securing your digital supply chain.
Gartner Predicts 2023: Cybersecurity Industry Focuses on the Human Deal, by analysts Deepti Gopal, Leigh McMullen, Andrew Walls, Richard Addiscott, Paul Furtado, Craig Porter, Oscar Isaka, Charlie Winckless, published 25 January 2023.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.