Generative AI is the technology of the moment — and the future — but cybersecurity leaders have yet to truly put it to work. It’s difficult to identify “best practices,” when so many are grasping at “new practices” that haven’t yet been proven to deliver outcomes and ROI.
Vendors are increasingly making overtures and promises around AI’s benefits — fostering innovation, offering gains in speed and productivity — but the revolutionary technology has yet to offer real viability when it comes to cybersecurity.
However, according to Gartner, 2024 will be the year that gen AI-driven security products finally emerge, and 2025 will see those tools delivering real risk-management outcomes.
This prediction is among the IT consulting firm’s top cybersecurity trends for 2024 (among others explored below).
VB Event
The AI Impact Tour – NYC
We’ll be in New York on February 29 in partnership with Microsoft to discuss how to balance risks and rewards of AI applications. Request an invite to the exclusive event below.
“CISOs are concerned about how to enable their organization to safely, securely and ethically introduce gen AI and leverage the technology to help achieve or accelerate the achievement of their strategic objectives,” Richard Addiscott, Gartner senior director analyst, told VentureBeat.
CISOs are both skeptical and hopeful about generative AI
In the not-so-distant future, gen AI can help security departments increase their defensive capabilities, including in areas such as vulnerability management and threat intelligence and response, Addiscott pointed out.
“Gen AI also has the potential for a security team to increase operational efficiency — something that is a key business driver given the current global cybersecurity talent shortages,” he said.
As of now, however, employees are more likely to experience prompt fatigue rather than productivity growth, he noted. However, organizations should still encourage experiments and manage expectations — both inside the security department and out.
Ultimately, while many organizations are initially skeptical, there’s “solid long-term hope for the technology,” said Addiscott.
Security Behavior and Culture Programs taking root
Culture is critical to any cybersecurity program. According to Gartner, CISOs are increasingly embracing this idea and adopting security behavior and culture programs (SBCPs).
The firm predicts that by 2027, 50% of CISOs at large enterprises will have adopted human-centric security practices.
“SBCPs represent a more comprehensive and integrated approach, where the intent is to foster and embed more secure behaviors and work practices across the breadth of the organization,” explained Addiscott.
This tactic takes a more holistic view across all enterprise roles and functions, rather than merely focusing on the actions of the end-user employee.
To support organizations in their move to this model, Garter has developed PIPE (practices, influences, platforms, enablers), a framework guiding practices not traditionally used in security awareness programs — such as organizational change management, human-centric design practices, marketing and PR and security coaching.
PIPE also encourages organizations to incorporate employee demographics, enterprise budgets, executive risk cultures and digital and cyber literacy into their cybersecurity programs. Furthermore, these should be personalized by incorporating employee use data from various security tools (and gen AI can help out here).
Addiscott pointed out that SBCPs allow organizations to do deep dives on data to determine what employee behaviors caused certain security incidents. For example, if they compromised credentials, clicked on unsafe links or misused email. They can then take a more balanced approach moving forward.
Executive support is fundamental, he said, as is having a vision of what ‘good looks like’ that employees can understand. Leaders should realize there is no “one-size-fits-all” approach to learning and should also regularly evaluate program efficacy.
“SBCPs are a much larger undertaking than traditional security awareness training programs,” Addiscott acknowledged, “and not all organizations have the capabilities, maturity or capacity to scale beyond what they are currently doing.”
Still, he emphasized, it doesn’t have to be an “all or nothing” approach, either.
Bridging boardroom communications gaps with metrics
As regulators around the globe look to strengthen rules around cybersecurity, boards of directors must become more familiar with organizational risks in 2024, Gartner emphasizes. The challenge, however, is that boards often do not have “deep-level cybersecurity expertise,” Addiscott said.
“Technology-centric, operationally focused and backward-looking/lagging” cybersecurity performance indicators are gibberish to them, he pointed out, and don’t help them truly understand company risk and how to address it.
This is giving rise to outcome-driven metrics (ODMs), which essentially draw a straight line between cybersecurity investments and the protections they deliver. Security leaders can demonstrate their program’s performance in a “line-of-sight” and show results being achieved (or not) based on an organization’s risk appetite.
“ODMs are central to creating a defensible cybersecurity investment strategy, reflecting agreed protection levels with powerful properties, and in simple language that is explainable to non-IT executives,” Gartner says.
Third-party risk management a must
The software supply chain is under constant attack — so it’s pretty much inevitable that third parties will experience a cybersecurity incident sooner or later.
As a result, CISOs are focusing more on “resilience-oriented investment” rather than “front loaded due diligence,” Addiscott noted.
He advised strengthening contingency plans for third-party engagements that pose high cybersecurity risk. Also, create third-party-specific incident playbooks, conduct tabletop exercises and define a clear offboarding strategy (such as timely access revocation and data destruction).
“Establishing a robust and resilient supply chain for your digital capabilities is critical to broader organizational resilience,” said Addiscott.
Cybersecurity reskilling
There’s no question that there’s a cybersecurity talent shortage. Gartner reports that in the U.S. alone, there are only enough qualified cybersecurity professionals to meet 70% of the current demand.
Cloud migration, generative AI adoption, operating model transformation, an expanding threat landscape and vendor consolidation only exacerbate this trend and demand a multitude of new skills.
As a result, cybersecurity leaders need to move away from legacy practices stipulating ‘X’ years of experience or specific types of skills (as these can be learned). They should instead look to hire for “adjacent skills”; “soft skills” such as business acumen, verbal communication and empathy; and new skills that will be part of entirely new cybersecurity roles.
Gartner advises organizations to develop a cybersecurity workforce plan that documents needed skills and shows how roles will evolve. They should also foster learning cultures that incorporate hands-on skills development via “iterative, short bursts” as opposed to “waterfall-based” training.
Notably, “hire for the future, not the past,” Gartner emphasizes. Job descriptions should remove language that describes ‘unicorns’ — or “ideal applicants that do not exist or are nearly impossible to find, hire and retain.”
IAM evolving; continuous threat exposure management (CTEM) gaining momentum
With attack surfaces expanding enormously in recent years — driven by accelerated SaaS adoption, widening digital supply chains, remote working and other factors — organizations are left with many blind spots. They have limited visibility and their technologies are often siloed.
To address this, many enterprises are adopting continuous threat exposure management (CTEM), Gartner says. Instead of trying to find and patch every vulnerability, CTEM helps security teams assess and manage exposure on an ongoing basis. This allows them to remediate based on their organization’s specific threat landscape.
Gartner predicts that by 2026, organizations that prioritize CTEM will see a two-thirds reduction in breaches.
At the same time, identity access management (IAM) is becoming ever more critical. Gartner advises organizations to “redouble efforts to implement property identity hygiene.” They should also expand identity threat detection and response (IDTR), implement security posture assessments and “refactor” identity infrastructure by “evolving toward an identity fabric.”
VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.
