Gartner has identified seven emerging trends in security and risk management that will have a long-term impact on security, privacy and risk professionals in the business.

The research firm defines these trends as “ongoing strategic changes in the security ecosystem that are not yet widely recognized, but which are expected to have a significant impact on the sector and a significant potential for disruption”. “External factors and security-specific threats converge to influence the overall security and risk landscape. Industry leaders need to be well prepared to improve resilience and support business objectives, “said Peter Firstbrook, vice president of research at Gartner.

First Trend: Gartner finds that interest in risk is increasingly tied to the company’s bottom line. As IT strategies become more aligned with business goals, the ability of security and risk managers to effectively present security issues to key decision-makers in the organization becomes more important, says the firm.

“To avoid focusing exclusively on issues related to IT decision-making, create simple, practical and pragmatic risk reports, linked to business objectives and relevant to board decisions,” says Peter Firstbrook recommends that business leaders accept the presence of security officials at strategic meetings.

Second Trend: a shift from security investment to threat prevention to threat detection, which requires investing in SOCs (Security Operations Centers) as the complexity and frequency of security alerts increase. According to Gartner, by 2022, half of the SOCs will have integrated incident response, threat intelligence, and threat detection capabilities, compared with less than 10% in 2015. “The need for SRMs creating or outsourcing a SOC that integrates threat information, consolidates security alerts and automates responses cannot be overestimated, “says the analyst.

Third Trend: companies will prioritize data security and implement a data security governance framework (DSGF).

Data security is a complex problem that can not be solved without a thorough understanding of the data itself, the context in which it is created and used, and how it is subject to regulation. “The DSGF provides a data-centric blueprint that identifies and classifies data and defines their security policies. This is then used to select technologies to minimize risk, “said Peter Firstbrook, who explains that the best solution is to start with the business risk that is at stake rather than acquire technology first, as do too much business.

Fourth Trend: the identification without the password, such as Touch ID on smartphones, will gain ground. “In order to combat hackers who target passwords to access applications in cloud mode, the password-free methods that bring users to their devices offer increased security and usability, which is a rare advantage in security, “says the analyst.

Fifth Trend: security providers are offering a richer offer and training, but the specialist shortage is likely to get worse. According to Gartner, the number of unfilled cybersecurity positions is expected to grow from 1 million in 2018 to 1.5 million by the end of 2020. “Although advances in artificial intelligence and automation are reducing the need for Human analysis for standard security alerts, sensitive and complex alerts require a human eye, “says the analyst firm.

Sixth Trend: The majority of breaches in cloud security will be attributable to customers because of a lack of preparation and the thinness of their security teams.

“The public cloud is a secure and interesting option for many organizations, but its security is a shared responsibility,” says Peter Firstbrook. “Businesses need to invest in security skills and governance tools to create the knowledge base needed to keep up with the rapid pace of cloud development and innovation. “

Latest Trend: the progression of the Carta approach (Continuous Adaptive Risk and Trust Assessment) in companies. Defined by Gartner, Carta is a predictive approach to security, based in particular on analytics, machine learning and constant risk assessment depending on the context. Peter Firstbook cites the security of e-mails and networks as an example.

“These are two examples of security domains that are moving towards a Carta approach, as solutions are increasingly focused on anomaly detection, even after the user and device authentication. “