Gartner on Monday released a series of eight cybersecurity predictions for 2022-2023, imploring top executives at companies that given the threat landscape and the rise of ransomware, companies can’t operate the way they have in the past.
“Most security and risk leaders now recognize that major disruption is only one crisis away,” said Richard Addiscott, senior director analyst at Gartner. “We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”
In speaking at the opening keynote at the Gartner Security & Risk Management Summitt in Sydney, Australia, Addiscott and Gartner’s Rob McMillan advised cybersecurity leaders to make the following assumptions in the years ahead:
- By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services, and private application access from a single vendor’s secure service edge (SSE) platform.
With a hybrid workforce and data everywhere accessible by everything, Gartner said vendors now offer an integrated SSE solution to deliver consistent and simple web, private access and SaaS application security. Gartner said single-vendor solutions offer significant operational efficiency and security effectiveness compared with best-of-breed solutions, including tighter integration, fewer consoles to use, and fewer locations where security teams must decrypt, inspect, and re-encrypt data.
- 60% of organizations will embrace zero trust as a starting point for security by 2025, but more than 50% will fail to realize the benefits.
The term zero trust has become prevalent in security vendor marketing and in security guidance from governments. The idea of replacing implicit trust with identity- and context-based risk appropriate trust has become extremely powerful. However, because zero trust functions as both a security principle and an organizational vision, it requires a cultural shift and clear communication that ties it to business outcomes to achieve the benefits.
- By 2025, 60% of organizations will primarily use cybersecurity risk to conduct third-party transactions and business engagements.
Cyberattacks related to third parties are increasing. However, Gartner said only 23% of security and risk leaders monitor third parties in real-time for cybersecurity exposure. As a result of consumer concerns and interest from regulators, Gartner believes organizations will start to mandate cybersecurity risk as a significant factor when conducting business with third parties, ranging from simple monitoring of a critical technology supplier to complex due diligence for mergers and acquisitions.
A single-vendor solution with a unified interface and capabilities has become an ideal solution for many organizations to simplify deployment and reduce operational complexity, said John Yun, vice president, product strategy at ColorTokens. Yun said while SSE aims to deliver these benefits by consolidating several existing categories of cloud security capabilities, organizations will have unique requirements that a single vendor may not adequately cover.
“Some 80% of enterprises adopting and standardizing on a single SSE platform seems very optimistic given the rapid adoption of cloud services today and the increasing number of solutions expected in a few years," said Yun.
Tarun Desikan, co-founder and COO at Banyan Security, said with regard to the “50% won't fully realize the benefits of zero trust,” most zero-trust initiatives fail because enterprises often seek to rip-and-replace the incumbent network security “bundle” with another security bundle.
“It’s like swapping out Comcast Cable for Time Warner Cable, and expecting a major change,” Desikan said. “Rip-and-replace approaches rarely work in transforming enterprise security. Instead, security teams should look to leverage their existing investments, and choose just the ‘unbundled’ security features they need to roll out to accomplish their zero-trust objectives.”
Chuck Everette, director of cybersecurity advocacy at Deep Instinct, added that zero trust is not a product or solution that security teams can just implement and slap into their environments. Security pros must think of zero trust as a fundamental shift in process and thinking of how to do security.
“Zero trust is an evolution to an organization's security framework, allowing industries to adapt a number of changes to the nature of networks, data storage, user interactions, locations, devices, and authorized actions,” Everette said. “A zero-trust strategy can fit perfectly into cloud and legacy organizations due to its ability to allow authorized users to have secure access to critical applications and data by using patterns based on identity, time, geolocation, and device posture giving the workforce their choice of devices and location flexibility."