Security and risk management are critical components of any digital business initiative: Gartner expects worldwide...
spending on information security products and services to reach $124 billion in 2019. But adoption of new technologies, changing business models and an expanding threat landscape are forcing security teams to revamp conventional approaches to cybersecurity.
At the recent Gartner Symposium 2018, Peter Firstbrook, research vice president at Gartner, discussed top emerging trends in security for this year and next, and he delineated what leading security organizations are doing to adapt.
"What we really mean [by emerging trends in security] is these are ongoing ... strategic shifts in the security ecosystem that are expected to have a significant potential for disruption," Firstbrook told the audience.
Trend No. 1: Senior business executives are recognizing the importance of cybersecurity
Senior business executives are finally aware that cybersecurity has a significant impact on an organization's brand name, reputation and ability to meet their business goals, and they are also recognizing the value of security professionals, he said.
In order to capitalize on this trend, he suggested security practitioners understand the company's risk appetite and "speak the language of business" when talking about how they can help the business meet its new digital goals, while avoiding potential threats.
"Our job as security practitioners is to explain to them what could possibly go wrong, what we can do to fix it, how much it might cost to fix it, and let them decide what to do and accept that residual risk," Firstbrook said. "That's OK, as long as they know what they're accepting. And we need to articulate risks in the context of business objectives."
While skilled security practitioners are hard to find, security leaders are addressing the issue by looking at internal recruitment, outsourcing, increasing automation and adopting cloud-delivered security services, he said.
Trend No. 2: Tough, new regulations around data protection
One of the important emerging trends in security is legal and regulatory mandates on data protection practices are affecting digital business plans by demanding increased attention on potential data liabilities. As companies are forced to comply with regulations like GDPR, Firstbrook said the big change is companies not only have to protect customer data, but also consider the expansion of customer rights. Customers now have the right to see that data, to correct that data and to know exactly what companies are doing with that data, he explained.
"Everybody understands that information is valuable; it has power," he said. "But it also has liabilities, so we have to evaluate both the liabilities and the asset value when we're thinking about our digital business plans."
Leading digital businesses are focusing not just on the asset value of data, but also the liability side -- and eliminating or offloading data when the liability exceeds value, he said.
Trend No. 3: Security products are utilizing cloud delivery
Security products are exploiting cloud delivery to provide more agile services, Firstbrook said. Delivering a cloud security service is a very different design than the traditional client-server model that most organizations use today, however. Vendors like Zscaler that have embraced cloud-delivered models didn't just take the old management infrastructure and move it to the cloud, Firstbrook said, but rethought how they're going to scale the cloud.
"As security practitioners, we've been late to this game, and we need to step up," he said. "We need to start accepting that cloud-delivered products are here to stay."
Companies should review new purchases to make sure they have looked at cloud alternatives when renewing on-premises security services and justify why they need to stay on premises, he said. When looking at cloud security vendors, he suggested companies consider whether they have data management and machine learning competencies, staff augmentation services and API-enabled services.
Trend No. 4: Machine learning is providing value in simple tasks
Machine learning in security is providing value by completing simple tasks and elevating suspicious events for human analysis, he said. But, in most cases, it's difficult to use machine learning in the security space, because it is going to increase the false-positive rate, he said.
"Its biggest value is in providing assistance to humans," Firstbrook said. "Humans and machines complement each other. And, together, they can outperform either alone."
Organizations are implementing machine-learning-enhanced products to augment human resources and are investing in skills to interpret and augment machine learning, he said.
Trend No. 5: Geopolitical factors are affecting security purchases
Peter Firstbrookresearch vice president at Gartner
Security buying decisions are increasingly based on geopolitical factors, he said. For example, companies have to consider foreign actors that target company trade secrets and business practices.
As a result, organizations need to take geopolitical risk into consideration during purchasing decisions and be sensitive to the geopolitical concerns of their business partners, he said.
"If you're doing business with the U.S. government, you probably don't want to be using applications like Kaspersky, because that will make ... you a suspect in their eyes," Firstbrook said.
Trend No 6: Decentralization efforts on the rise
Dangerous concentrations of digital power are driving decentralization efforts at several levels in the ecosystem, he said.
This is a response to the current wave of centralization when it comes to providing digital trust certificates, compute power, social networks, search services or digital advertising, he said. While this centralization makes sense for economic reasons, too much creates a monopoly and an easy target for attack, he explained.
There's now a countermovement, and blockchain is the biggest digital technology driving the decentralization of power, he said. Another example of decentralization is edge computing -- distributing processing, sensing and transactions to edge components so there is no central attack point, he explained.
"Organizations are starting to understand and communicate the security implications of centralization on trust, availability, confidentiality and resiliency and [starting to] explore alternative decentralized architecture in digital business planning initiatives where centralization increases the risks to the business goals," Firstbrook said.