
Gartner, Inc., a global research and advisory firm, assesses that Chief Information Security Officers (CISOs) are moving towards drafting increasingly simple, practical and pragmatic risk appetite statements linked to business results, so as to align expectations, security strategies and IT risk management with the daily reality of their organizations. The topic was addressed during the Gartner Security and Risk Management Conference 2019, which took place on August 13 and 14 in São Paulo.
According to the firm's analysis, the objective behind creating simple, practical and pragmatic risk appetite statements is to break the cultural disconnect that exists between cybersecurity teams and the different business units. For Gartner, this is one of seven security and risk management trends that are changing the role of CISOs within organizations.

"These key trends highlight ongoing strategic shifts in the security ecosystem that are not yet widely recognized but are expected to have broad industry impact and significant potential for disruption," says Peter Firstbrook, VP Analyst at Gartner. "Reacting to these developments provides an opportunity for security and risk management leaders to improve resilience, better support business objectives and elevate their position in the organization."

Gartner believes that CISOs must understand emerging cybersecurity trends and assess their potential impacts in order to build a resilient and future-proof organization. The trend list includes:

1 – Security and risk management leaders are creating more pragmatic risk appetite statements linked to business outcomes, with the goal of engaging all stakeholder teams more effectively. Gartner assessments have shown that one of the most serious challenges for security and risk management leaders is the inability to effectively communicate their plans with business leaders. While CISOs are more involved in strategic meetings, executives are often unable to assess whether a technology or project is creating too much risk and exposure, or whether the organization is missing opportunities because it is too risk-averse.

Risk appetite statements link business goals and risk treatment plans to inform teams and partners about the organization's intentions in taking risks. Risk appetite statements should be clear, consistent and relevant, and should be delivered through the method best suited to the organization.

2 – There is renewed interest in implementing or maturing security operations centers (SOCs) with a focus on threat detection and response. Due to the increasing impact of cyber attacks and the increasing complexity of the security tools that generate alerts, organizations are looking to build or revitalize their operations centers or outsource this function. By 2022, 50% of all SOCs will transform into more modern security operations centers with integrated incident response, threat intelligence and threat hunting capabilities, compared to less than 10% in 2015.

Organizations are now investing in more sensitive tools that balance detection and response against prevention. The rise of more sophisticated tools and alerts has created a greater need to centralize and streamline operations, which makes security operations centers a critical business asset.

3 – Leading organizations are using new governance structures dedicated to data security to prioritize investments aimed at protecting information. Data security is not simply a technology issue. Effective information protection may require a comprehensive data security and governance framework that can provide an information-centric plan. This framework should allow the organization to identify and classify structured and unstructured data sets across all of the company's computing assets and define security policies for its information. Once security and risk management teams have addressed business strategy and risk tolerance, the framework can be used as a guide to prioritize technology investments.

4 – “Passwordless” authentication is gaining traction in the market, driven by the demand and availability of biometric and hardware-based authentication methods. Eliminating passwords has been a long-standing goal, but it's only now starting to become a real option in the market. Passwords are a magnet for attackers and are susceptible to a variety of attacks such as social engineering, phishing, credential stuffing and malware.

Emerging technology standards and the increased availability of devices that support fast authentication methods are increasing the adoption of these new passwordless solutions. Biometrics has become increasingly popular as a “passwordless” method for stronger identification, but other options include hardware tokens, phone as a token, online identification, and analytics based on passive behaviors.

5 – Security product vendors are increasingly offering premium services to help customers get more immediate value and help with skills training. The number of unfilled cybersecurity roles globally is expected to gradually increase to 1.5 million positions by the end of 2020. Organizations are struggling to fill these vacancies and may find it difficult to retain current employees. At the same time, the proliferation and complexity of security software is increasing. Some technologies, especially those that use Artificial Intelligence, require constant monitoring or investigation by a human security expert.

It is possible that soon there will not be enough qualified people to operate these products. As a result, vendors are increasingly offering premium services that combine the product offering, implementation, configuration and ongoing operational services. This means vendors can help customers get more immediate value from the tools, and organizations can improve their administrators' skills.

6 – Leading organizations are investing in and maturing their cloud security competency as this technology becomes the mainstream computing platform. The more organizations engage with cloud-based platforms, the more security teams will see the complexity of dealing with security in the cloud environment. Leading organizations are establishing cloud centers of excellence and investing in people, processes and tools to master this rapidly changing environment. Tools such as CASBs (Cloud Access Security Brokers), CSPM (Cloud Security Posture Management) and CWPPs (Cloud Workload Protection Platforms) offer overlapping security capabilities across cloud structures to deal with risks, but organizations must also invest in people and processes, adopting a SecDevOps-style way of working.

7 – The CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach to security is starting to appear in more traditional security markets. CARTA is a strategic approach to security that recognizes that there is no such thing as perfect protection and that security therefore needs to be adaptive, everywhere, all the time. Traditional LAN network security and email security are two markets that are starting to adopt a CARTA mindset, focusing on perimeter protection as well as detection and response capabilities.
