The rapidly evolving cyber security threat landscape has become the top priority for security and risk management leaders, and will be the top driver impacting security teams through 2025, while Covid-19 is driving IT teams to consider more agile security options during the buying process, according to new data presented at the virtual Gartner Security and Risk Management Summit 2020.
“External risk is top of mind for security and risk management leaders in 2020, yet Covid-19 has proved how rapidly and how drastically such risks can change,” said Jonathan Care, senior research director at Gartner.
“Bad actors are always looking to take advantage of worldwide events, such as the pandemic, to exploit new vulnerabilities and circumvent even the most advanced security controls,” he added.
With organisations worldwide pivoting to a semi-permanent culture of remote working spurred by Covid-19, this shift in the threat landscape is exemplified by the number of exposed remote desktop protocol (RDP) and virtual private network (VPN) services.
Meanwhile, widespread reliance on collaboration services such as Zoom created new threat vectors, and security teams have also had to develop new protocols for remote endpoint management and patching, said Gartner.
“Before the pandemic, most organisations designed their risk appetites around the assumption that remote working was the exception rather than the norm,” said Care.
“When that scenario was flipped, risks such as always-on VPNs and bring-your-own-device, which were previously a lower priority for security leaders, suddenly became top of mind. This forced security teams to rapidly reassess their enterprise’s risk landscape and deploy new solutions and policies accordingly.”
Investing in agility
In response to the Covid-linked dynamism that has infected the threat landscape, Gartner is now recommending that organisations invest in security services that are agile enough to evolve alongside it, rather than wasting time on legacy security technologies, or on fine-tuning their existing setups.
“Rather than trying to anticipate and block all possible threats, invest in solutions with detect and respond capabilities, which can assist with unknown threats and improve response efficacy when prevention fails,” said Care.
Based on its Security and IAM Solution Adoption Trend Survey, which incorporates data gleaned from 405 decision makers with risk management responsibility in North America, Western Europe and APAC, Gartner predicted that by the end of 2023, more than half of organisations will have swapped out legacy antivirus for products that combine endpoint protection with endpoint detection and response (EDR) capabilities.
Gartner is now also recognising that security professionals are trying to pivot to a continuous and adaptive risk and trust assessment (Carta) mindset when evaluating security products and services, and to factor into their decision-making how they can build adaptive security postures.
Meanwhile, attendees at the virtual summit have also been hearing about the growth in data protection, compliance and privacy legislation – as exemplified by the introduction of California’s far-reaching CCPA rules.
Gartner said that by 2023, 65% of the world’s population will be covered under modern-day privacy regulations – many patterned after Europe’s General Data Protection Regulation (GDPR), which according to research vice-president Nader Henein is now becoming a de facto global standard.
“Lawmakers are introducing new privacy laws that seek parity with the GDPR,” said Henein. “These regulations allow whole countries to move one step closer to achieving adequacy with the EU, where their local businesses can benefit from a larger market with their new ‘trusted’ status.”
Henein advised security and risk management leaders to adopt a number of key capabilities that support the increasing volume and variety of personal data by putting in place a three-stage privacy programme, which he defined as “establish”, “maintain” and “evolve”.
At the “establish” stage, security leaders should put in place the foundational capabilities of a privacy management programme, including discovery and enrichment to allow them to set up and maintain privacy risk registers.
At the “maintain” stage, organisations should be scaling these programmes with a focus on ongoing administration and resource management. This can include augmenting incident response to address breaches of personal data, as well as adding automation.
Finally, the “evolve” stage brings in specialist tools focused on bringing down privacy risk without impacting the overall utility of the data, a critical feature for groups such as enterprise marketing teams.