Security and risk management leaders face disruptions on multiple fronts: technological, organisational and human. Preparation and pragmatic execution are vital to address these disruptions and deliver an effective cyber security programme.
Gartner believes investing in effective risk management of third-party services and software, enhanced security for the identity fabric and continuous monitoring of hybrid digital environments can reduce an organisation’s attack surface and strengthen its resilience.
Gartner also expects IT security leaders to improve the security function’s reputation and performance by using generative artificial intelligence (GenAI) in proactive collaboration with business stakeholders, laying the foundations for ethical, safe and secure use of this disruptive technology. It recommends aligning security governance efforts with business-aligned cyber security reporting, so that the security function is seen as a trusted partner and a key enabler of the organisation’s strategic objectives.
In this article, these themes are explored further.
Generative AI
As Gartner points out, large language model (LLM) applications, such as ChatGPT, have put GenAI on the agenda for inclusion in many business, IT and cyber security roadmaps. The term GenAI describes techniques that learn from representations of data and model artefacts to generate new artefacts.
GenAI introduces new attack surfaces, which need protecting. This requires changes to application and data security practices and to user monitoring. GenAI will also change the cyber security market’s dynamics.
From a risk perspective, Gartner recommends IT security leaders start by tackling unmanaged and uncontrolled uses of ChatGPT to minimise risks. The most notable issues are the use of confidential data in third-party GenAI applications and the potential copyright infringement and brand damage from the use of unvetted, AI-generated content. Business initiatives have driven requirements to secure GenAI applications that add new attack surfaces to those defended by traditional application security.
Cyber security providers have made a wave of hyperbolic AI announcements designed to spark interest in what GenAI might be able to do. Most of these early announcements involve interactive prompts, and they have raised expectations, mostly among leaders outside the security field, about gains in security teams’ productivity, even though most were only early previews, sometimes verging on “AI washing”.
Gartner analysts note that GenAI features are already used in security operations and application security, but they have yet to observe cyber security products using GenAI techniques directly to detect or prevent threats.
As IT security and risk management leaders plan for 2024, they are raising legitimate questions about new risks and threats arising from privacy issues and from threat actors gaining access to LLM technologies.
As more teams – potentially almost every team – within organisations seize the opportunity to integrate GenAI capabilities into their systems, it’s critical for cyber security teams to keep adapting to changes in processes.
Although organisations with existing AI projects can tune their existing governance policies, those pivoting to GenAI will need to build policies from scratch. Among other things, determining responsibility for data confidentiality, output biases and drifts, copyright infringement, trustworthiness and explainability of GenAI applications requires new or updated governance principles.
CTEM programmes gain momentum
Organisational attack surfaces have expanded enormously in recent years. According to Gartner, this growth has been driven notably by accelerated adoption of software as a service, expanding digital supply chains, increased corporate presence on social media, custom application development, remote working and internet-based customer interaction.
This increased attack surface has left organisations with potential blind spots, as well as huge numbers of potential exposures to address.
To cope, IT security and risk management leaders have piloted continuous threat exposure management (CTEM) programmes: processes that govern which threat exposures to address, given their volume and importance and the effort of dealing with them. They are now expanding these pilots beyond cyber security validation activities. The more mature organisations are starting to offer security optimisations that mobilise business leaders, not just short-term remediations.
Most organisations’ efforts to manage threat exposure focus too single-mindedly on finding and correcting technology-based vulnerabilities. This focus is encouraged by SecOps compliance initiatives, but often does not consider significant shifts in the operational practices of modern organisations, such as the move to cloud-driven applications and containers. Security teams must enhance their current model – in which patching and securing physical and self-managed software-based systems is the primary objective – and move beyond it.
IT security and risk management leaders have realised that existing practices are not broad enough and that staffing constraints limit the volume of work that can be completed. Gartner recommends they focus on relevant issues by aligning CTEM scope with business objectives.
Security and risk management leaders should aim for visibility into exposures and attract the interest of other senior leaders by highlighting the issues with the most potential impact on an organisation’s critical operations. They should define a narrower scope for CTEM, aligned with business objectives, using familiar language, and explaining the impact on the business, not technology.
Gartner also urges IT security and risk management leaders to reduce the number of prioritised issues through validation. Introducing validation steps and supporting technologies such as breach and attack simulation and automated penetration testing tools can reduce the burden imposed by the outputs of exposure assessment tools, such as vulnerability assessment solutions, by confirming which discovered issues a real attacker could actually use, with real-world techniques, to achieve a genuine compromise.
As part of a CTEM plan, security leaders should expand communication with other department heads, asset owners and third parties to have clear paths to mobilise responses and remediations. They should also get traction with business departments and asset owners by clearly articulating and discussing the residual risk associated with the postponement of remediation efforts, offering short-term and long-term options to reduce or eliminate exposure.
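The three CTEM steps above (narrow the scope to business-critical assets, validate before prioritising, and state the residual risk of deferral in business language) can be expressed as a small triage routine. The following Python is an added example, not code from Gartner or the report; the scanner findings, the asset-to-business-process map and the validation results from a breach-and-attack-simulation run are all constructed for illustration, and the tiering rule is an assumption about how a team might rank findings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    title: str
    cvss: float            # scanner severity, 0-10
    internet_facing: bool


# Constructed CTEM scope: assets mapped to the business process they support.
# Anything not in this map is out of scope for this cycle.
SCOPE = {
    "pay-api-01": "customer payments",
    "pay-db-01": "customer payments",
    "hr-portal": "payroll",
}

# Constructed validation results: finding_id -> True if the BAS / automated
# pentest run achieved the impact (code execution, data access), False if an
# existing control blocked the attack path. Missing entries were not tested.
VALIDATION = {"F-1": True, "F-2": False, "F-3": True, "F-5": False}

# Constructed scanner output.
FINDINGS = [
    Finding("F-1", "pay-api-01", "Deserialisation RCE in payment API", 9.8, True),
    Finding("F-2", "pay-api-01", "TLS 1.0 enabled", 5.3, True),
    Finding("F-3", "hr-portal", "Auth bypass in HR portal login", 8.1, True),
    Finding("F-4", "pay-db-01", "Outdated DB minor version", 7.5, False),
    Finding("F-5", "pay-db-01", "Weak SSH cipher offered", 4.3, False),
    Finding("F-6", "dev-build-07", "Unpatched kernel", 9.1, False),
]


def in_scope(findings):
    """Keep only findings on assets that support a scoped business process."""
    return [f for f in findings if f.asset in SCOPE]


def tier(f):
    """Assumed ranking rule; lower is more urgent.
    1: validation proved the finding exploitable
    2: not yet validated (treat as exploitable until shown otherwise)
    3: validation showed an existing control blocks the attack path"""
    result = VALIDATION.get(f.finding_id)
    if result is True:
        return 1
    if result is None:
        return 2
    return 3


def prioritise(findings):
    """Scoped, validated ordering: tier, then internet exposure, then CVSS."""
    return sorted(in_scope(findings),
                  key=lambda f: (tier(f), not f.internet_facing, -f.cvss))


def business_summary(findings):
    """Counts for a leadership view: how scope and validation shrink the backlog."""
    scoped = in_scope(findings)
    urgent = [f for f in scoped if tier(f) == 1]
    return {
        "raw_findings": len(findings),
        "in_scope": len(scoped),
        "validated_exploitable": len(urgent),
        "processes_at_risk": sorted({SCOPE[f.asset] for f in urgent}),
    }


def residual_risk_note(f, defer_days):
    """Plain-language statement for the asset owner when remediation is postponed."""
    process = SCOPE[f.asset]
    if tier(f) == 1:
        return (f"{f.finding_id}: deferring {defer_days} days leaves '{process}' exposed "
                f"to a demonstrated attack path; a short-term mitigation (block or "
                f"segment) is required before deferral is accepted.")
    if tier(f) == 2:
        return (f"{f.finding_id}: not yet validated; validate within {defer_days} days, "
                f"otherwise treat as exploitable for '{process}'.")
    return (f"{f.finding_id}: attack path currently blocked by an existing control; "
            f"{defer_days}-day deferral acceptable if that control stays monitored.")


if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(tier(f), f.finding_id, f.asset, SCOPE[f.asset], f.title)
    print(business_summary(FINDINGS))
    print(residual_risk_note(FINDINGS[0], 30))
```

Run as-is, six raw findings become five in-scope ones, of which two are validated exploitable; the critical-looking kernel finding on the out-of-scope build host is deferred to a later cycle rather than competing with the payment API for attention, and the TLS 1.0 finding drops below the untested database finding because validation showed its attack path blocked.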
Evolving IAM to improve cyber security
An identity-first approach to security shifts the focus from network security and other traditional controls to identity and access management (IAM). It makes IAM a key contributor to organisations’ cyber security outcomes, and therefore to business outcomes.
Gartner urges organisations adopting this approach to pay closer attention to fundamental IAM hygiene and the hardening of IAM systems to improve resilience. This includes closing long-standing gaps in prevention capabilities by, for example, expanding control over cloud entitlements and machine identities, and introducing advanced capabilities for identity threat detection and response (ITDR).
IAM architecture is evolving towards an identity fabric and taking on new functions to enable real-time identity controls in a composable manner.
To support these trends, Gartner says IT security leaders should redouble efforts to implement proper identity hygiene and make this a priority for the security programme by using outcome-driven metrics to provide directional guidance and set the bar for improvement.
Looking at ITDR, Gartner advises IT security leaders to implement security posture assessments and threat detection and response capabilities for key enterprise identity systems such as Microsoft Active Directory and cloud-delivered access management services.
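What "identity hygiene", a "posture assessment" of Active Directory and "outcome-driven metrics" look like in practice, as an added Python example that is not Gartner's or the report's own code: it runs a handful of hygiene checks over a constructed export of directory accounts (privileged accounts with service principal names or never-expiring passwords, privileged accounts without MFA, enabled-but-stale accounts, service identities whose credential has not been rotated in a year) and then reports the share of the estate that meets the bar. The MFA flag is assumed to be synced from the cloud access-management tenant, the thresholds are assumptions, and the account data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
STALE_AFTER = timedelta(days=90)      # assumed threshold: no logon in 90 days is stale
ROTATE_AFTER = timedelta(days=365)    # assumed threshold for service credential rotation
NOW = datetime(2024, 6, 1)            # fixed reference time so the example is deterministic


@dataclass(frozen=True)
class Account:
    sam: str
    enabled: bool
    groups: frozenset
    spns: tuple               # service principal names; non-empty marks a service/machine identity
    pwd_never_expires: bool
    last_logon: datetime
    pwd_last_set: datetime
    mfa_enrolled: bool        # assumption: attribute synced from the cloud access-management tenant


@dataclass(frozen=True)
class HygieneFinding:
    sam: str
    check: str
    severity: str
    detail: str


def _days_ago(n):
    return NOW - timedelta(days=n)


# Constructed directory export.
ACCOUNTS = [
    Account("adm-jsmith", True, frozenset({"Domain Admins"}), (), False, _days_ago(3), _days_ago(40), True),
    Account("svc-backup", True, frozenset({"Domain Admins"}), ("MSSQLSvc/bk01.corp.example:1433",),
            True, _days_ago(1), _days_ago(900), False),
    Account("adm-contractor", True, frozenset({"Administrators"}), (), False, _days_ago(200), _days_ago(250), False),
    Account("svc-web", True, frozenset(), ("HTTP/www.corp.example",), True, _days_ago(1), _days_ago(400), False),
    Account("jdoe", True, frozenset(), (), False, _days_ago(2), _days_ago(30), True),
    Account("old-intern", False, frozenset(), (), False, _days_ago(400), _days_ago(400), False),
]


def is_privileged(a):
    return bool(a.groups & PRIVILEGED_GROUPS)


def assess(accounts):
    """Run the hygiene checks over enabled accounts and return the findings."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are out of scope for these checks
        priv = is_privileged(a)
        if priv and a.spns:
            findings.append(HygieneFinding(a.sam, "PRIV_WITH_SPN", "high",
                "privileged account has an SPN: any domain user can request a service "
                "ticket encrypted with its password hash and crack it offline"))
        if priv and a.pwd_never_expires:
            findings.append(HygieneFinding(a.sam, "PRIV_PWD_NEVER_EXPIRES", "high",
                "privileged account exempt from password expiry"))
        if priv and not a.mfa_enrolled:
            findings.append(HygieneFinding(a.sam, "PRIV_NO_MFA", "high",
                "privileged account not enrolled in MFA"))
        if NOW - a.last_logon > STALE_AFTER:
            findings.append(HygieneFinding(a.sam, "STALE_ENABLED", "medium",
                f"enabled but no logon for {(NOW - a.last_logon).days} days"))
        if a.spns and NOW - a.pwd_last_set > ROTATE_AFTER:
            findings.append(HygieneFinding(a.sam, "SERVICE_CRED_AGE", "medium",
                f"service credential last rotated {(NOW - a.pwd_last_set).days} days ago"))
    return findings


def metrics(accounts, findings):
    """Outcome-driven metrics: what share of the estate currently meets the bar."""
    enabled = [a for a in accounts if a.enabled]
    priv = [a for a in enabled if is_privileged(a)]
    flagged = {f.sam for f in findings}
    services = [a for a in enabled if a.spns]
    rotated = [a for a in services if NOW - a.pwd_last_set <= ROTATE_AFTER]

    def pct(n, d):
        return round(100.0 * n / d, 1) if d else 100.0

    return {
        "privileged_accounts": len(priv),
        "privileged_clean_pct": pct(sum(1 for a in priv if a.sam not in flagged), len(priv)),
        "service_identities_rotated_pct": pct(len(rotated), len(services)),
        "stale_enabled_accounts": sum(1 for f in findings if f.check == "STALE_ENABLED"),
    }


if __name__ == "__main__":
    found = assess(ACCOUNTS)
    for f in found:
        print(f.severity.upper(), f.sam, f.check, "-", f.detail)
    print(metrics(ACCOUNTS, found))
```

The metrics are the part that travels up to leadership: "one of three privileged accounts is clean" and "no service identity has had its credential rotated within a year" give a baseline and a target, where a list of 7 findings would not. Running the same checks on a schedule, rather than once, is what turns a posture assessment into the continuous hygiene the section calls for; the detection-and-response half of ITDR then builds on a directory that the hygiene pass has already stripped of the easiest targets.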
Gartner also recommends that IT security teams refactor identity infrastructure to support identity-first security principles and evolve towards an identity fabric. IT security leaders should start by improving integration between IAM tools using a composable tool strategy.
A plan for 2024
Overall, Gartner advises IT security leaders to improve organisational resilience by implementing continuous, pragmatic, business-aligned risk management efforts across their organisations’ digital and third-party ecosystems. This includes expanding the role that identity and access management plays in reducing cyber security risk.
To support decentralised technology projects, IT security leaders will need to coordinate cyber security decision-making. Gartner recommends that they measure the security function’s performance using business-aligned, outcome-driven metrics aligned with protection-level agreements.
They should also take a strategic, human-centric approach to improving the security function’s performance by reskilling existing security talent, using GenAI to augment – not replace – human efforts, and implementing contextually appropriate security behaviour and culture programmes.
Gartner analysts will explore the topic and the most significant challenges that security and risk leaders face as they respond to and drive change with a global community of experts and peers at the Gartner Security & Risk Management Summit, which will take place on 23-25 September 2024 in London.
This article is based on the Gartner report “Top trends in cyber security for 2024” by analysts Richard Addiscott, Jeremy D’Hoinne, Chiara Girardi, Pete Shoard, Paul Furtado, Tom Scholtz, Anson Chen, William Candrick and Felix Gaehtgens.