Gartner predicts that Generative AI, IAM, and culture-based programs will be instrumental in shaping cybersecurity in 2024

Generative AI is the technology of the moment — and the future — but cybersecurity leaders have yet to truly implement it. It’s challenging to identify “optimal practices,” when so many are exploring “novel practices” that haven’t yet been validated to produce results and ROI.

Suppliers are increasingly making gestures and commitments regarding AI’s advantages — nurturing innovation, providing enhancements in speed and productivity — but the groundbreaking technology has yet to offer real feasibility in terms of cybersecurity.

Nevertheless, as per Gartner, 2024 will be the year that gen AI-driven security products finally emerge, and by 2025, those tools will be generating genuine risk-management results.

This forecast is one of the IT consulting firm’s primary cybersecurity trends for 2024 (amid other trends explored below).

VB Event

The AI Impact Tour – NYC

We’ll be in New York on February 29 in partnership with Microsoft to talk about how to balance risks and rewards of AI applications. Request an invite to the exclusive event below.

 

Request an invite

“CISOs are worried about how to enable their organization to safely, securely and ethically introduce gen AI and leverage the technology to help achieve or accelerate the achievement of their strategic objectives,” Richard Addiscott, Gartner senior director analyst, told VentureBeat.

CISOs are both hesitant and optimistic about generative AI

In the not-so-distant future, gen AI can aid security departments in enhancing their defensive capacities, including in areas like vulnerability management and threat intelligence and response, Addiscott highlighted.

“Gen AI also possesses the potential for a security team to increase operational efficiency — something that is a crucial business driver given the current global cybersecurity talent shortages,” he mentioned.

Presently, staff members are more prone to encounter immediate fatigue rather than an uptick in productivity, he remarked. However, organizations should still promote experiments and manage expectations — both internally within the security department and externally.

Ultimately, even though many organizations are initially uncertain, there is “substantial long-term optimism for the technology,” according to Addiscott.

Security Behavior and Culture Programs taking root

Culture is critical to any cybersecurity program. According to Gartner, CISOs are increasingly embracing this concept and implementing security behavior and culture programs (SBCPs).

The firm anticipates that by 2027, 50% of CISOs at large enterprises will have embraced human-centric security practices.

“SBCPs embody a more comprehensive and integrated approach, where the goal is to cultivate and embed more secure behaviors and work practices across the entire organization,” elucidated Addiscott.

This strategy adopts a broader perspective across all enterprise roles and functions, instead of exclusively focusing on the actions of the end-user employee.

To support organizations in transitioning to this model, Garter has crafted PIPE (practices, influences, platforms, enablers), a framework guiding practices not typically used in security awareness programs — such as organizational change management, human-centric design practices, marketing and PR and security coaching.

PIPE also encourages organizations to integrate employee demographics, enterprise budgets, executive risk cultures, and digital and cyber literacy into their cybersecurity programs. Furthermore, these should be customized by integrating employee usage data from various security tools (and gen AI can assist in this regard).

Addiscott pointed out that SBCPs enable organizations to delve deep into data to ascertain which employee behaviors led to certain security incidents. For instance, if they compromised credentials, clicked on unsafe links, or misused email. They can then adopt a more balanced approach moving forward.

Executive support is essential, he stated, along with having a vision of what ‘good looks like’ that employees can comprehend. Leaders should understand that there is no “one-size-fits-all” approach to learning and should also routinely evaluate program effectiveness.

“SBCPs are a much broader initiative than traditional security awareness training programs,” Addiscott admitted, “and not all organizations have the capabilities, maturity, or capacity to expand beyond what they are currently doing.”

Nevertheless, he stressed, it does not have to be an “all or nothing” approach either.

Bridging boardroom communications gaps with metrics

As regulators worldwide aim to bolster rules around cybersecurity, boards of directors must familiarize themselves with organizational risks in 2024, Gartner underscores. The predicament, however, is that boards often lack “deep-level cybersecurity expertise,” Addiscott pointed out.

“Technology-centric, operationally focused, and backward-looking/lagging” cybersecurity performance indicators are unintelligible to them, he emphasized, and do not help them truly grasp company risk and how to mitigate it.

This is fueling the emergence of outcome-driven metrics (ODMs), which essentially establish a direct connection between cybersecurity investments and the protections they provide. Security leaders can exhibit their program’s performance in a “line-of-sight” and demonstrate results being achieved (or not) based on an organization’s risk tolerance.

“ODMs are pivotal in crafting a defensible cybersecurity investment strategy, reflecting agreed protection levels with potent features and in straightforward language that is comprehensible to non-IT executives,” Gartner emphasizes.

Third-party risk management a must

The software supply chain is under perpetual attack — so it’s nearly inevitable that third parties will undergo a cybersecurity incident sooner or later.

Consequently, CISOs are concentrating more on “resilience-oriented investment” instead of “front loaded due diligence,” Addiscott observed.

He recommended reinforcing contingency plans for third-party engagements that pose high cybersecurity risk. Also, develop third-party-specific incident playbooks, conduct tabletop exercises, and define a clear offboarding strategy (such as prompt access revocation and data destruction).

“Establishing a robust and resilient supply chain for your digital capabilities is pivotal to broader organizational resilience,” Addiscott said.

Cybersecurity reskilling

There’s no denying the cybersecurity talent scarcity. Gartner reports that in the U.S. alone, there are only adequate qualified cybersecurity professionals to meet 70% of the current demand.

Cloud migration, generative AI adoption, operating model transformation, an expanding threat landscape, and vendor consolidation only compound this trend and necessitate a multitude of new skills.

Consequently, cybersecurity leaders need to veer away from traditional practices mandating ‘X’ years of experience or specific skill sets (as these can be acquired). They should instead aim to recruit for “adjacent skills”; “soft skills” such as business acumen, verbal communication, and empathy; and novel skills that will be a part of entirely new cybersecurity roles.

Gartner advises organizations to devise a cybersecurity workforce plan that outlines required skills and demonstrates how roles will evolve. They should also nurture learning cultures that integrate hands-on skills development via “iterative, short bursts” as opposed to “waterfall-based” training.

Notably, “recruit for the future, not the past,” Gartner emphasizes. Job descriptions should eliminate language that describes ‘unicorns’ — or “ideal applicants that do not exist or are nearly impossible to find, recruit, and retain.”

IAM evolving; continuous threat exposure management (CTEM) gaining momentum

With attack surfaces expanding immensely in recent years — propelled by accelerated SaaS adoption, widening digital supply chains, remote working, and other factors — organizations are left with numerous blind spots. They possess limited visibility, and their technologies are often isolated.

To tackle this, many businesses are embracing continuous threat exposure management (CTEM), Gartner states. Instead of attempting to identify and patch every vulnerability, CTEM aids security teams in assessing and managing exposure consistently. This enables them to remediate based on their organization’s specific threat landscape.

Gartner predicts that by 2026, organizations prioritizing CTEM will witness a two-thirds reduction in breaches.

Simultaneously, identity access management (IAM) is becoming increasingly crucial. Gartner advises organizations to “double efforts to implement proper identity hygiene.” They should also expand identity threat detection and response (IDTR), implement security posture assessments, and “refactor” identity infrastructure by “evolving toward an identity fabric.”

VentureBeat’s mission is to be a digital town square for technical decision-makers to acquire knowledge about transformative enterprise technology and transact. Discover our Briefings.

Leave a Reply

Your email address will not be published. Required fields are marked *