Rebalance cyber investment towards human-centric elements
In creating and implementing cyber security programmes, security leaders must rethink how they balance their investments to prioritise so-called human-centric security in line with industry trends, according to analysts at Gartner.
To address risk and sustain an effective security programme, Gartner said decision-makers must focus on three key domains: the essential role of people for programme success and sustainability; technical capabilities that provide greater visibility and responsiveness; and restructuring how security functions operate to prioritise more agile responses, without compromising on actual security.
It set out nine key trends that it believes will epitomise these domains going forward, of which human-centric security design is the most important.
“A human-centred approach to cyber security is essential to reduce security failures,” said Richard Addiscott, senior director analyst at Gartner. “Focusing on people in control design and implementation, as well as through business communications and cyber security talent management, will help to improve business risk decisions and cyber security staff retention.”
Human-centric security design prioritises the employee experience across the security control management lifecycle, minimising security-induced friction, and maximising the adoption of appropriate controls and processes. Currently, a minority of large enterprises have adopted such design, and Gartner does not believe we will reach the 50% mark until at least 2027.
“Traditional security awareness programmes have failed to reduce unsecure employee behaviour,” said Addiscott. “CISOs must review past cyber security incidents to identify major sources of cyber security-induced friction and determine where they can ease the burden for employees through more human-centric controls, or retire controls that add friction without meaningfully reducing risk.”
Alongside human-centric programmes pitched at everybody in the enterprise, the second trend on Gartner’s list centres on the need for security leaders to enhance how security teams are run to ensure the resulting programmes are sustainable.
Up to now, this has not been well prioritised, with security leaders traditionally more focused on improving technology and processes. But taking a human-centric talent management approach to attract and retain talent will bring improvements in functional and technical maturity and resilience, said Gartner.
It claimed that by 2026, 60% of organisations will have shifted from external hiring to “quiet” internal hiring to address systemic cyber and recruitment challenges.
The third trend on Gartner’s list centres on the need to modify cyber security operating models, because technology is moving from centralised functions towards lines of business, corporate functions, fusion teams and individual employees, with over 40% of employees now performing some kind of technology work.
Among other things, employees now increasingly need to know how to balance risks – including security, financial, reputational, competitive and legal – and as such, the security function must also now begin to connect to business value by measuring and reporting success against the enterprise’s priorities and desired outcomes.
“Business leaders now widely accept that cyber security risk is a top business risk to manage – not a technology problem to solve,” said Addiscott. “Supporting and accelerating business outcomes is a core cyber security priority, yet remains a top challenge.”
Technology priorities
The move towards human-centric approaches to security does not, however, discount the very real utility of technology, as the remainder of the trends set out by Gartner demonstrate.
Fourth on the list is the need to implement continuous threat exposure management programmes to address the complex attack surface of most modern businesses. Fifth is the need to address fragile identity infrastructure caused by incomplete, misconfigured or vulnerable elements in the identity fabric.
The sixth trend identified in the forecast is the need for cyber security validation, bringing together the techniques, processes and tools used to validate how threat actors exploit identified exposures. Validation will increasingly incorporate automated and repeatable elements to establish informative benchmarks.
The remaining three trends identified in the report are cyber security platform consolidation, composable security for composable businesses, and expanding boardroom competency in overall security oversight.