Gartner, Inc. has identified seven emerging security and risk management trends that will impact security, privacy and risk managers over time. Gartner defines the top trends as ongoing strategic changes in the security ecosystem that are not yet widely recognized, but are expected to have a broad impact on the industry and a significant impact.

According to Gartner, the seven most important trends for security and risk management are for 2019 and beyond:

Trend #1: Risk appetite statements are linked to business results.

As IT strategies become more closely aligned with business objectives, the ability of Security and Risk Management (SRM) executives to effectively present security issues to key decision-makers in the organization is gaining in importance. “To avoid focusing solely on IT decision-related issues, create simple, practical, and pragmatic risk-taking statements that are related to business objectives and relevant to board level decisions,” said Peter Firstbrook, research vice president, Gartner. “This leaves no room for CEOs not to integrate security managers into strategic meetings.”

Trend #2: Security Operations Centres are implemented with a focus on threat detection and response.

Shifting investment from threat prevention to threat detection requires investment in Security Operations Centres (SOCs) as the complexity and frequency of security alerts increases. According to Gartner, by 2022, 50 percent of all SOCs will become modern SOCs with integrated incident response, threat intelligence and threat discovery capabilities, compared to less than 10 percent by 2015, “The need for SRM leaders to create or outsource an SOC that integrates threat information, consolidates security alerts and automates response cannot be overstated,” Mr. Firstbrook said.

Trend #3: Data security governance frameworks will prioritize investments in data security.

Data security is a complex issue that cannot be resolved without a deep understanding of the data itself, the context in which the data is created and used, and the way it is regulated. Instead of purchasing data security products and adapting them to the needs of the enterprise, leading companies are beginning to address data security through a Data Security Governance Framework (DSGF). “DSGF provides a data-centric blueprint that identifies and classifies data assets and defines data security policies. From this, technologies are then selected to minimize risk,” said Firstbrook. “The key to ensuring data security is to assume the business risk it addresses, not to buy technology first, as too many companies do.

Trend #4: Passwordless Authentication Achieves Market Acceptance

Passwordless authentication, such as touch ID on smartphones, is beginning to achieve real market acceptance. The technology is increasingly being used in enterprise applications for consumers and employees, as supply and demand are high. “To combat hackers who use passwords to access cloud-based applications, passwordless methods that associate users with their devices offer greater security and ease of use, which is a rare win for security,” said Firstbrook.

Trend #5: Security vendors are increasingly offering premium capabilities and training services.

According to Gartner, the number of unoccupied cyber security roles will increase from 1 million in 2018 to 1.5 million by the end of 2020. While advances in artificial intelligence and automation certainly reduce the need for people to analyze standard security alerts, sensitive and complex alerts require the human eye. “We’re beginning to see vendors offering solutions that merge products and operational services to accelerate product adoption. Services range from full management to partial support aimed at improving administrators’ skill levels and reducing day-to-day workload,” said Mr. Firstbrook.

Trend #6: Investing in Cloud Security Capabilities as a Mainstream Computing Platform

The move to the cloud means that security teams are becoming thinner as skilled workers may not be available and businesses may simply not be prepared. Gartner estimates that the majority of cloud security outages by 2023 will be due to customer blame. “Public cloud is a secure and viable option for many businesses, but security is a shared responsibility,” said Firstbrook. “Companies need to invest in security skills and governance tools that build the knowledge base necessary to keep pace with the rapid pace of cloud development and innovation.

Trend No. 7: Gartner’s CARTA to strengthen its presence in traditional security markets.

Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) is a strategy for dealing with the ambiguity of digital business trust assessments. “Even if it is a multi-year journey, the idea behind CARTA is a strategic approach to security. A key component of CARTA is the continuous assessment of risk and trust even after access has been extended,” said Mr. Firstbrook. “Email and network security are two examples of security areas moving towards a CARTA approach as solutions increasingly focus on detecting anomalies after authentication of users and devices.