Gartner’s top predictions include the collapse of the cybersecurity skills gap and the reduction of employee-initiated cybersecurity incidents through the adoption of generative AI (GenAI).
Two-thirds of Global 100 organizations are expected to extend their directors’ and officers’ insurance to cybersecurity leaders because of their personal legal exposure. Additionally, combating misinformation is expected to cost businesses more than $500 billion.
“As we begin to move beyond what is possible with GenAI, strong opportunities are emerging to help solve a number of recurring issues affecting cybersecurity, particularly skills shortages and insecure human behavior. The scope of this year’s top predictions clearly isn’t about technology, as the human element continues to get much more attention. Any CISO looking to build an effective and sustainable cybersecurity program should make it a priority,” said Deepti Gopal, director analyst at Gartner.
Critical Assumptions for Cybersecurity Leaders’ Strategic Planning
Gartner recommends that cybersecurity leaders incorporate the following strategic planning assumptions into their security strategies for the next two years.
By 2028, the adoption of GenAI will reduce the skills gap, removing the need for specialized training for 50% of entry-level cybersecurity positions.
GenAI augmentation will change the way organizations hire and train cybersecurity workers, with employers looking for the right aptitude as much as the right training. Consumer platforms already offer conversational augmentation, and these capabilities will continue to evolve. Gartner recommends that cybersecurity teams focus on internal use cases that support users in their work, coordinate with HR partners, and identify adjacent talent for more critical cybersecurity roles.
By 2026, companies combining GenAI with integrated platform-based architecture in security behavior and culture programs (SBCP) will experience 40% fewer employee-initiated cybersecurity incidents.
Organizations are increasingly focusing on personalized engagement as a critical component of effective SBCP. GenAI has the potential to generate hyperpersonalized content and training materials that take into account an employee’s unique attributes. According to Gartner, this will increase the likelihood that employees will adopt more secure behaviors in their daily work, leading to fewer cybersecurity incidents.
“Organizations that have not yet adopted GenAI capabilities should evaluate their current external security awareness partner to understand how they are leveraging GenAI as part of their solution roadmap,” Gopal said.
By 2026, 75% of organizations will exclude unmanaged, legacy, and cyber-physical systems from their Zero Trust strategies.
Under a zero trust strategy, users and endpoints receive only the access necessary to perform their jobs and are continuously monitored for evolving threats. In production or mission-critical environments, these concepts do not universally apply to unmanaged devices, legacy applications, and cyber-physical systems (CPS) designed to perform specific tasks in unique environments where safety and reliability take priority.
By 2027, two-thirds of Global 100 organizations will extend directors and officers (D&O) insurance to cybersecurity leaders due to personal legal exposure.
New laws and regulations, such as the SEC cybersecurity disclosure and reporting rules, expose cybersecurity leaders to personal liability. CISO roles and responsibilities should be updated to cover the associated reporting and disclosure duties. Gartner recommends that organizations explore the benefits of covering the position with D&O insurance, as well as other insurance and indemnification, to mitigate personal liability, professional risk and legal costs.
By 2028, corporate spending on fighting misinformation will exceed $500 billion, cannibalizing 50% of marketing and cybersecurity budgets.
The combination of AI, analytics, behavioral science, social media, the Internet of Things and other technologies allows malicious actors to create and distribute malicious information (malinformation or disinformation) very effectively and at mass-personalized scale. Gartner recommends that CISOs define responsibilities for the governance, design and execution of enterprise-wide anti-misinformation programs, and invest in tools and techniques that combat the problem, using chaos engineering to test for resilience.
By 2026, 40% of identity and access management (IAM) leaders will have primary responsibility for detecting and responding to IAM-related breaches.
IAM leaders often struggle to articulate security and business value in order to drive the right investments, and they are not involved in discussions about security resources and budgeting. As the importance of IAM leaders continues to grow, they will move in different directions, each with increased responsibility, visibility and influence. Gartner recommends that CISOs break down traditional IT and security silos by giving stakeholders visibility into the role IAM plays, aligning the IAM program with security initiatives.
By 2027, 70% of organizations will combine data loss prevention and internal risk management disciplines with the IAM context to more effectively identify suspicious behavior.
Growing interest in consolidated controls has prompted vendors to develop features that represent an overlap between controls focused on user behavior and data loss prevention. This introduces a more comprehensive set of capabilities allowing security teams to create a single, dual-purpose policy for data security and insider risk mitigation. Gartner recommends that organizations identify data and identity risks and use them in tandem as a primary guideline for strategic data security.
By 2027, 30% of cybersecurity functions will reimagine application security to be used directly by non-cybersecurity experts and owned by application owners.
The volume, variety and context of applications created by enterprise technologists and distributed delivery teams mean a potential for exposure far beyond what dedicated application security teams can manage.
“To bridge the gap, cybersecurity functions must develop effective minimum expertise within these teams, using a combination of technology and training to generate only as many skills as necessary to autonomously make informed cyber risk decisions,” concluded Gopal.