7 emerging data security and risk management trends

7 emerging data security and risk management trends

Risk appetite statements, governance frameworks and password-less authentication are among the growing trends that will impact security, privacy and risk leaders, says Gartner.

About these top data security and risk assessment trends

Research firm Gartner has released its list of seven key emerging data security and risk management trends. Gartner defines these trends as ongoing strategic shifts in the security ecosystem that are not yet widely recognized, but are expected to have broad industry impact and significant potential for disruption. “External factors and security-specific threats are converging to influence the overall security and risk landscape, so leaders in the space must properly prepare to improve resilience and support business objectives,” says Peter Firstbrook, research vice president at Gartner.

Risk appetite statements linked to business outcomes

“As IT strategies become more closely aligned with business goals, the ability for security and risk management (SRM) leaders to effectively present security matters to key business decision makers gains importance,” Firstbrook says. “To avoid exclusively focusing on issues related to IT-decision making, create simple, practical and pragmatic risk appetite statements that are linked to business goals and relevant to board-level decisions.This leaves no room for business leaders to be confused as to why security leaders were even present at strategic meetings.”

Security operations centers focus on threat detection, response

“The shift in security investments from threat prevention to threat detection requires an investment in security operations centers (SOCs) as the complexity and frequency of security alerts grow,” Firstbrook explains. “According to Gartner, by 2022, 50 percent of all SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat-hunting capabilities, up from less than 10 percent in 2015. The need for SRM leaders to build or outsource a SOC that integrates threat intelligence, consolidates security alerts and automates response cannot be overstated.”

Data security governance frameworks to prioritize investments

“Data security is a complex issue that cannot be solved without a strong understanding of the data itself, the context in which the data is created and used, and how it is subject to regulation,” Firstbrook says. “Rather than acquiring data protection products and trying to adapt them to suit the business need, leading organizations are starting to address data security through a data security governance framework, (which) provides a data-centric blueprint that identifies and classifies data assets and defines data security policies. This then is used to select technologies to minimize risk. The key in addressing data security is to start from the business risk it addresses, rather than from acquiring technology first, as too many companies do.”

Password-less authentication gains market traction

“Password-less authentication, such as Touch ID on smartphones, is starting to achieve real market traction,” Firstbrook notes. “The technology is being increasingly deployed in enterprise applications for consumers and employees, as there is ample supply and demand for it. “In an effort to combat hackers who target passwords to access cloud-based applications, password-less methods that associate users to their devices offer increased security and usability, which is a rare win/win for security.”

Security product vendors offer premium training

“The number of unfilled cybersecurity roles is expected to grow from 1 million in 2018 to 1.5 million by the end of 2020,” Firstbrook says. “While advancements in artificial intelligence and automation certainly reduce the need for humans to analyze standard security alerts, sensitive and complex alerts require the human eye. We are starting to see vendors offer solutions that are a fusion of products and operational services to accelerate product adoption. Services range from full management to partial support aimed at improving administrators’ skill levels and reducing the daily workload.”

Cloud security competency grows in importance

“The shift to cloud means stretching security teams thin, as talent may be unavailable and organizations are simply not prepared for it,” Flintbrook says. “Gartner estimates that the majority of cloud security failures will be the fault of the customers through 2023. Public cloud is a secure and viable option for many organizations, but keeping it secure is a shared responsibility. Organizations must invest in security skills and governance tools that build the necessary knowledge base to keep up with the rapid pace of cloud development and innovation.”

Gartner’s CARTA to grow in traditional security markets

“Gartner’s continuous adaptive risk and trust assessment (CARTA) is a strategy for dealing with the ambiguity of digital business trust assessments,” Firstbrook explains. “Even though it’s a multiyear journey, the idea behind CARTA is a strategic approach to security that balances security friction with transaction risk. A key component to CARTA is to continuously assess risk and trust even after access is extended. Email and network security are two examples of security domains that are moving toward a CARTA approach as solutions increasingly focus on detecting anomalies even after users and devices are authenticated.”